T1001.001 IBM QRadar · QRadar

Detect Junk Data in IBM QRadar

Adversaries may add junk data to protocols used for command and control to make detection more difficult. By appending, prepending, or inserting random or meaningless data into C2 communications, adversaries prevent trivial signature-based detection. Examples include SUNBURST appending junk bytes to HTTP C2, P2P ZeuS adding junk data to UDP peer communications, Downdelph inserting pseudo-random characters between meaningful characters in C2 requests, and GoldMax generating decoy traffic to surround malicious traffic. This technique is primarily a network-level obfuscation method, making it challenging to detect purely through host-based telemetry.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1001 Data Obfuscation
Sub-technique
T1001.001 Junk Data
Canonical reference
https://attack.mitre.org/techniques/T1001/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
-- Approach 1: High-frequency beaconing from suspicious processes on known C2 ports
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  sourceip,
  destinationip,
  destinationport,
  sourceprocessname,
  COUNT(*) AS connection_count,
  SUM(LONG(eventpayload)) AS total_bytes_approx
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND LOWER(sourceprocessname) MATCHES '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|svchost|dllhost).*'
  AND destinationport IN (80, 443, 8080, 8443, 4444, 4445, 1080, 3128)
  AND NOT INCIDR(destinationip, '10.0.0.0/8')
  AND NOT INCIDR(destinationip, '172.16.0.0/12')
  AND NOT INCIDR(destinationip, '192.168.0.0/16')
  AND NOT INCIDR(destinationip, '127.0.0.0/8')
  AND starttime > (NOW() - 86400000)
GROUP BY sourceip, destinationip, destinationport, sourceprocessname
HAVING connection_count >= 5
ORDER BY connection_count DESC

UNION ALL

-- Approach 2: DNS queries with long junk-padded subdomains
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  sourceip,
  QIDNAME(qid) AS event_name,
  sourceprocessname,
  COUNT(*) AS query_count,
  COUNT(DISTINCT destinationip) AS unique_destinations
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) = 'Sysmon'
  AND QIDNAME(qid) LIKE '%DNS%'
  AND LENGTH(REGEXP_SUBSTR(destinationhostname, '^[^.]+')) > 20
  AND starttime > (NOW() - 86400000)
GROUP BY sourceip, sourceprocessname
HAVING query_count >= 3
ORDER BY query_count DESC
high severity medium confidence

QRadar AQL detection for T1001.001 Junk Data C2 obfuscation. Query 1 identifies high-frequency beaconing patterns from known LOLBin processes to common C2 ports on public IPs. Query 2 flags DNS queries with unusually long first-label subdomains indicative of junk data padding in DNS-based C2 channels.

Data Sources

QRadar SIEMWindows Security Event Log DSMSysmon DSMDNS log sources

Required Tables

eventsflows

False Positives & Tuning

  • Legitimate software update processes making periodic connections to vendor CDN infrastructure
  • Security scanners and vulnerability assessment tools generating high-frequency network connections
  • DNS-based load balancers using long CNAME chains with encoded tenant identifiers
  • Monitoring agents with heartbeat intervals producing consistent beaconing-like patterns
Download portable Sigma rule (.yml)

Other platforms for T1001.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1HTTP C2 Simulation with Junk Data Padding

    Expected signal: Sysmon Event ID 1: PowerShell process creation with command line containing 'Net.WebClient' and 'UploadString'. Sysmon Event ID 3: Multiple network connection attempts to 127.0.0.1:8080. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 showing the full beaconing script.

  2. Test 2DNS-Based C2 with Junk Subdomain Labels

    Expected signal: Sysmon Event ID 22 (DNS Query): Multiple DNS lookup events with QueryName values containing long, random-looking subdomain labels (>20 characters) under c2sim.local. The labels will contain Base64-encoded content with interleaved junk characters. Sysmon Event ID 1 for the PowerShell process creation.

  3. Test 3Junk Data File Padding Simulation

    Expected signal: Sysmon Event ID 11 (File Create): File creation event for junktest_sim.dll in %TEMP% with large file size (~50MB). Sysmon Event ID 1 for the PowerShell process. The file hash (SHA-256) will be recorded in the Sysmon event.

  4. Test 4Periodic Beaconing with Junk UDP Padding

    Expected signal: Sysmon Event ID 3 (Network Connection): UDP connections from powershell.exe to 127.0.0.1:4444 (Sysmon may capture UDP connections depending on configuration). Sysmon Event ID 1 for process creation. Security Event ID 4688 if command line auditing is enabled.

Last updated: 2026-04-13 Research depth: deep
References (15)

Unlock Pro Content

Get the full detection package for T1001.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1001Data Obfuscation

Related Sub-techniques

T1001.002SteganographyT1001.003Protocol or Service Impersonation

Related Techniques

T1001Data ObfuscationT1001.002SteganographyT1001.003Protocol or Service ImpersonationT1071Application Layer ProtocolT1071.004DNST1132Data EncodingT1132.001Standard EncodingT1027Obfuscated Files or InformationT1568Dynamic ResolutionT1573Encrypted ChannelT1573.001Symmetric CryptographyT1102Web ServiceT1048Exfiltration Over Alternative Protocol

Same Tactic: Command and Control

Popular Detections