Detect Junk Data in Microsoft Sentinel
Adversaries may add junk data to protocols used for command and control to make detection more difficult. By appending, prepending, or inserting random or meaningless data into C2 communications, adversaries prevent trivial signature-based detection. Examples include SUNBURST appending junk bytes to HTTP C2, P2P ZeuS adding junk data to UDP peer communications, Downdelph inserting pseudo-random characters between meaningful characters in C2 requests, and GoldMax generating decoy traffic to surround malicious traffic. This technique is primarily a network-level obfuscation method, making it challenging to detect purely through host-based telemetry.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1001 Data Obfuscation
- Sub-technique
- T1001.001 Junk Data
- Canonical reference
- https://attack.mitre.org/techniques/T1001/001/
KQL Detection Query
// T1001.001 - Junk Data C2 Obfuscation Detection
// Approach 1: Detect unusually large HTTP payloads with low entropy content ratio (junk padding)
// Combines DeviceNetworkEvents with process context to identify suspicious beaconing patterns
let SuspiciousProcesses = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe"]);
let KnownC2Ports = dynamic([80, 443, 8080, 8443, 4444, 4445, 1080, 3128]);
// Detect high-frequency beaconing with consistent intervals (C2 with junk padding)
let BeaconingActivity = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "HttpConnectionInspected")
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| where RemoteIPType == "Public"
| where RemotePort in (KnownC2Ports)
| summarize
ConnectionCount = count(),
BytesSentTotal = sum(SentBytes),
BytesReceivedTotal = sum(ReceivedBytes),
UniqueRemoteIPs = dcount(RemoteIP),
ConnectionTimes = make_list(Timestamp, 500),
RemoteIPs = make_set(RemoteIP, 20),
RemotePorts = make_set(RemotePort, 20)
by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| where ConnectionCount >= 5
| extend AvgBytesSent = BytesSentTotal / ConnectionCount
| extend AvgBytesReceived = BytesReceivedTotal / ConnectionCount
// Flag processes with high volume outbound (possible junk padding) or very consistent small sends (beaconing)
| where (AvgBytesSent > 5000 and AvgBytesReceived < 500) or (ConnectionCount > 20 and AvgBytesSent between (100 .. 2000))
| project Timestamp = now(), DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
ConnectionCount, AvgBytesSent, AvgBytesReceived, UniqueRemoteIPs, RemoteIPs, RemotePorts;
// Approach 2: Detect DNS queries with unusually long or high-entropy labels (junk data in DNS C2)
let SuspiciousDNS = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "DnsConnectionInspected" or ActionType == "DnsQueryResponse"
| where isnotempty(RemoteUrl)
| extend DomainLabel = tostring(split(RemoteUrl, ".")[0])
| extend LabelLength = strlen(DomainLabel)
| extend SubdomainDepth = array_length(split(RemoteUrl, "."))
// Long subdomains with random-looking characters are indicative of junk data padding in DNS C2
| where LabelLength > 20 or SubdomainDepth > 6
| where RemoteIPType == "Public"
| summarize
QueryCount = count(),
UniqueDomains = dcount(RemoteUrl),
SampleDomains = make_set(RemoteUrl, 10)
by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where QueryCount >= 3 or UniqueDomains >= 3;
// Combine both signals
BeaconingActivity
| union SuspiciousDNS
| sort by Timestamp descDetects potential junk data C2 obfuscation using two complementary approaches: (1) High-frequency HTTP/HTTPS beaconing from suspicious processes with asymmetric byte counts suggesting padding (large sends, small receives) indicative of junk data appended to C2 requests, and (2) DNS queries with unusually long labels or deep subdomain hierarchies characteristic of junk data inserted into DNS-based C2. Uses DeviceNetworkEvents from Microsoft Defender for Endpoint. Note: Direct detection of junk data content requires network inspection; this query focuses on behavioral indicators consistent with junk-padded C2.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software telemetry agents that send large amounts of diagnostic data to cloud endpoints with asymmetric request/response sizes
- CDN or streaming applications making many small HTTP requests with varying payload sizes that resemble beaconing patterns
- DNS-based load balancing or service discovery mechanisms that use long subdomains for routing (e.g., AWS, Azure service endpoints)
- Software update mechanisms that poll update servers frequently with small request payloads
- Security monitoring agents (EDR, DLP) that beacon home to management infrastructure on standard ports
Other platforms for T1001.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1HTTP C2 Simulation with Junk Data Padding
Expected signal: Sysmon Event ID 1: PowerShell process creation with command line containing 'Net.WebClient' and 'UploadString'. Sysmon Event ID 3: Multiple network connection attempts to 127.0.0.1:8080. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 showing the full beaconing script.
- Test 2DNS-Based C2 with Junk Subdomain Labels
Expected signal: Sysmon Event ID 22 (DNS Query): Multiple DNS lookup events with QueryName values containing long, random-looking subdomain labels (>20 characters) under c2sim.local. The labels will contain Base64-encoded content with interleaved junk characters. Sysmon Event ID 1 for the PowerShell process creation.
- Test 3Junk Data File Padding Simulation
Expected signal: Sysmon Event ID 11 (File Create): File creation event for junktest_sim.dll in %TEMP% with large file size (~50MB). Sysmon Event ID 1 for the PowerShell process. The file hash (SHA-256) will be recorded in the Sysmon event.
- Test 4Periodic Beaconing with Junk UDP Padding
Expected signal: Sysmon Event ID 3 (Network Connection): UDP connections from powershell.exe to 127.0.0.1:4444 (Sysmon may capture UDP connections depending on configuration). Sysmon Event ID 1 for process creation. Security Event ID 4688 if command line auditing is enabled.
References (15)
- https://attack.mitre.org/techniques/T1001/001/
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://www.secureworks.com/research/p2p-zeus
- https://www.welivesecurity.com/2016/10/20/anatomy-of-attack-celebrity-malware-downdelph/
- https://www.cisa.gov/sites/default/files/publications/AA22-055A-MuddyWater.pdf
- https://unit42.paloaltonetworks.com/bendybear/
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RUSSIAN_INTELLIGENCE_BOT_SNAKE.PDF
- https://securelist.com/apt10-sophisticated-multi-layered-loader-romabt/101971/
- https://blog.trendmicro.com/trendlabs-security-intelligence/blacktech-espionage-tools-target-east-asia/
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.kaspersky.com/about/press-releases/2021_apt-trends-report-q3-2021
- https://www.microsoft.com/en-us/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- https://www.welivesecurity.com/2025/02/12/evasive-zipline-group-targets-job-seekers/
Unlock Pro Content
Get the full detection package for T1001.001 including response playbook, investigation guide, and atomic red team tests.