Detect Data Obfuscation in Google Chronicle
Adversaries may obfuscate command and control traffic to make it more difficult to detect. C2 communications are hidden—though not necessarily encrypted—in an attempt to make content more difficult to discover or decipher and to reduce conspicuousness. Observed techniques include adding junk data to protocol traffic to frustrate pattern matching (T1001.001), embedding payloads in image or media files via steganography (T1001.002), and impersonating legitimate protocols to blend with normal traffic (T1001.003). Real-world examples include Okrum hiding C2 commands in HTTP Cookie and Set-Cookie headers, RDAT encoding AES ciphertext in DNS subdomain labels, FunnyDream sending zlib-compressed obfuscated packets, StrelaStealer XOR-encrypting HTTP POST payloads, Ninja modifying HTTP headers and URL paths to masquerade as legitimate services, and TrailBlazer disguising C2 traffic as Google Notifications HTTP requests.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1001 Data Obfuscation
- Canonical reference: https://attack.mitre.org/techniques/T1001/
YARA-L Detection Query
// T1001: Data Obfuscation — Chronicle YARA-L 2.0 detection rules
// Two rules covering DNS entropy and HTTP encoding/beaconing vectors
// ============================================================
// Rule 1: High-entropy DNS subdomain labels
// Detects RDAT AES-in-subdomain, DNS tunneling, covert channel encoding
// ============================================================
rule t1001_data_obfuscation_dns_entropy {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1001 Data Obfuscation via long Base64/hex-alphabet DNS subdomain labels (30+ chars). Matches RDAT-style AES-ciphertext-in-subdomain and DNS tunnelling C2 patterns. Does not cover DNS-over-HTTPS, which is never logged as NETWORK_DNS."
    mitre_attack_tactic = "Command and Control"
    // Parent technique only: encoded data in subdomains is not steganography (T1001.002)
    mitre_attack_technique = "T1001"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.1"
  events:
    $dns.metadata.event_type = "NETWORK_DNS"
    // First DNS label is 30+ chars of the Base64/hex alphabet. This is a
    // character-class proxy for entropy: YARA-L cannot compute Shannon entropy,
    // so long dictionary-word labels also match and must be tuned out.
    $dns.network.dns.questions.name = /^[A-Za-z0-9+\/=_\-]{30,}\./
    // Exclude GUID-style subdomains (Cloudflare, Akamai routing tokens)
    not $dns.network.dns.questions.name = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}/
    $dns.principal.hostname = $src_hostname
  match:
    // One detection per source host per hour, not one per query
    $src_hostname over 1h
  condition:
    $dns
}
// ============================================================
// Rule 2: Base64-encoded URL path or non-browser HTTP beaconing
// Covers encoded C2 commands in URL segments and suspicious User-Agents
// ============================================================
rule t1001_data_obfuscation_http_encoding {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1001 Data Obfuscation via Base64-encoded blobs in HTTP request URLs and non-browser User-Agent strings on outbound web ports. Covers TrailBlazer/Ninja C2 URL obfuscation. Encrypted POST bodies (StrelaStealer XOR) are not visible in UDM, so such traffic is caught only through its User-Agent or URL."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1001"
    mitre_attack_subtechnique = "T1001.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.1"
  events:
    $http.metadata.event_type = "NETWORK_HTTP"
    (
      // Vector A: 40+ contiguous Base64-alphabet chars in the request URL
      // (also matches 40/64-char hex digests in asset paths; see tuning notes)
      (
        $http.network.http.request_url = /[A-Za-z0-9+\/]{40,}={0,2}/
        and not $http.target.hostname = /accounts\.google\.com|login\.microsoftonline\.com|windowsupdate\.com|cdn\.jsdelivr\.net|akamaihd\.net/
      )
      or
      // Vector B: non-browser / non-standard User-Agent on an outbound web port
      (
        not $http.network.http.user_agent = /(?i)mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|java|okhttp|axios|go-http-client/
        // Ports are enumerated; for a longer set use a reference list (%list)
        and ($http.target.port = 80 or $http.target.port = 443 or $http.target.port = 8080 or $http.target.port = 8443)
        and $http.network.direction = "OUTBOUND"
        and $http.network.http.user_agent != ""
      )
    )
    $http.principal.hostname = $src_host
    $http.target.hostname = $dst_host
  match:
    // One detection per source/destination pair per hour
    $src_host, $dst_host over 1h
  condition:
    $http
}
Two Chronicle YARA-L 2.0 rules for T1001 Data Obfuscation. Rule 1 flags NETWORK_DNS events whose first label is 30 or more characters of the Base64/hex alphabet (the RDAT ciphertext-in-subdomain and DNS tunnel pattern), excluding GUID-style CDN labels; because the character class only approximates entropy, long dictionary-word labels also match and need the tuning below. Rule 2 flags NETWORK_HTTP events with a run of 40 or more Base64-alphabet characters in the request URL, or a User-Agent outside the browser and tooling list on an outbound web port. Neither rule sees request bodies, so XOR- or AES-encrypted POST payloads are caught only through their User-Agent or URL, and DNS-over-HTTPS traffic never appears as NETWORK_DNS. Both rules aggregate over a one-hour match window so a beaconing implant yields one detection per host rather than one per request.
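To see what the two rules actually accept and reject before deploying them, the block below re-implements their predicates in Python and runs them over a handful of constructed UDM-style events. This is an added example, not Chronicle code and not part of the original rules: the regexes are transcribed from the YARA-L above (RE2 and Python's re agree on this subset), every event, hostname and URL is invented, and the Shannon-entropy post-filter is an extra tuning step that YARA-L cannot express natively. It also shows two things the rules alone do not make obvious: a 64-character SHA-256 digest in an asset path trips Vector A, and a fake Windows Update agent on port 9090 never trips Vector B.

```python
"""Offline emulation of the two T1001 YARA-L rules over constructed events.
Added example; regexes transcribed from the rules, events invented."""
import base64
import hashlib
import math
import re
from collections import Counter

DNS_LONG_LABEL = re.compile(r"^[A-Za-z0-9+/=_\-]{30,}\.")
DNS_GUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}")
URL_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
HOST_ALLOWLIST = re.compile(r"accounts\.google\.com|login\.microsoftonline\.com"
                            r"|windowsupdate\.com|cdn\.jsdelivr\.net|akamaihd\.net")
KNOWN_UA = re.compile(r"mozilla|chrome|safari|firefox|edge|curl|python-requests"
                      r"|wget|java|okhttp|axios|go-http-client", re.IGNORECASE)
WEB_PORTS = {80, 443, 8080, 8443}


def shannon_entropy(s):
    """Bits per character: Base64 ciphertext sits around 4.5-6, English-like
    labels around 3-4. This separates the regex's dictionary-word false positives."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def rule1_dns(event):
    """Rule 1 as written: 30+ Base64/hex-alphabet first label, GUID labels excluded."""
    if event["event_type"] != "NETWORK_DNS":
        return False
    q = event["qname"]
    return bool(DNS_LONG_LABEL.match(q)) and not DNS_GUID_LABEL.match(q)


def rule1_dns_entropy(event, threshold=4.2):
    """Rule 1 plus an entropy post-filter on the first label (added tuning step;
    the 4.2-bit threshold is an assumption to calibrate on your own DNS data)."""
    return rule1_dns(event) and shannon_entropy(event["qname"].split(".")[0]) >= threshold


def rule2_http(event):
    """Rule 2 as written. Returns 'A' (Base64 run in URL), 'B' (unknown UA) or None."""
    if event["event_type"] != "NETWORK_HTTP":
        return None
    if URL_B64_BLOB.search(event["url"]) and not HOST_ALLOWLIST.search(event["host"]):
        return "A"
    ua = event.get("ua", "")
    if (ua and not KNOWN_UA.search(ua) and event["port"] in WEB_PORTS
            and event["direction"] == "OUTBOUND"):
        return "B"
    return None


# Constructed sample events; none of this is real telemetry.
B64_LABEL = base64.b64encode(bytes(range(32))).decode()                      # 44 chars
B64_BLOB = base64.b64encode(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890").decode()  # 48 chars
HEX_DIGEST = hashlib.sha256(b"app.js").hexdigest()                            # 64 hex chars
OUT = {"event_type": "NETWORK_HTTP", "direction": "OUTBOUND"}

DNS_EVENTS = {
    "rdat_like": {"event_type": "NETWORK_DNS", "qname": f"{B64_LABEL}.c2.example.net"},
    "cdn_guid": {"event_type": "NETWORK_DNS",
                 "qname": "3f2a9c1e-7b4d-4e2a-9f0c-1a2b3c4d5e6f.cdn.example.com"},
    "plain": {"event_type": "NETWORK_DNS", "qname": "mail.example.com"},
    "long_words": {"event_type": "NETWORK_DNS",
                   "qname": "thisisaverylongbutlegitimatehostnamelabel.example.com"},
}
HTTP_EVENTS = {
    "trailblazer_like": {**OUT, "host": "notify.example.net", "port": 443,
                         "url": f"https://notify.example.net/api/{B64_BLOB}", "ua": "Mozilla/5.0"},
    "allowlisted": {**OUT, "host": "accounts.google.com", "port": 443,
                    "url": f"https://accounts.google.com/o/oauth2/{B64_BLOB}", "ua": "Mozilla/5.0"},
    "hashed_asset": {**OUT, "host": "static.example.com", "port": 443,
                     "url": f"https://static.example.com/assets/{HEX_DIGEST}.js", "ua": "Mozilla/5.0"},
    "fake_wu_9090": {**OUT, "host": "127.0.0.1", "port": 9090,
                     "url": "http://127.0.0.1:9090/update", "ua": "Windows-Update-Agent/10.0"},
    "fake_wu_8080": {**OUT, "host": "10.0.0.5", "port": 8080,
                     "url": "http://10.0.0.5:8080/update", "ua": "Windows-Update-Agent/10.0"},
}


def evaluate():
    """Run every sample through both rules. DNS verdicts are (rule1, rule1+entropy)."""
    out = {k: (rule1_dns(e), rule1_dns_entropy(e)) for k, e in DNS_EVENTS.items()}
    out.update({k: rule2_http(e) for k, e in HTTP_EVENTS.items()})
    return out


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:18} -> {verdict}")
```

The entropy filter is the useful takeaway: the RDAT-style label scores about 4.7 bits per character and passes, while the 41-letter dictionary label matches the regex but scores about 3.8 and is dropped. In Chronicle the equivalent is to keep Rule 1 as the candidate generator and apply the entropy check in a downstream SOAR or notebook step.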
Data Sources
Required UDM event types
- NETWORK_DNS events carrying network.dns.questions.name and principal.hostname (DNS server query logs or endpoint DNS client telemetry)
- NETWORK_HTTP events carrying network.http.request_url, network.http.user_agent, network.direction, target.port and target.hostname (web proxy or firewall HTTP logs)
False Positives & Tuning
- Azure AD tenant-specific SSO flows generate DNS queries for long subdomain chains under *.microsoftonline.com and *.azure.com that can match the 30-character entropy threshold in Rule 1
- Security endpoint agents (CrowdStrike Falcon, Carbon Black, SentinelOne) perform regular health-check HTTP callbacks with proprietary User-Agent strings that don't match the browser exclusion pattern in Rule 2
- Google reCAPTCHA v3 and Cloudflare Turnstile embed long Base64-encoded challenge tokens in HTTPS request paths during bot-verification flows, matching the URI encoding pattern in Rule 2
- Content-addressed asset paths (40-character SHA-1 or 64-character SHA-256 hex digests, as in /assets/<digest>.js) fall inside Rule 2's Base64-alphabet class and match Vector A; add your CDN and static-asset hosts to the hostname exclusion
Testing Methodology
Validate this detection against the four tests below, derived from Atomic Red Team T1001. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Note that Tests 2 to 4 talk to loopback listeners on ports 8888, 9090 and 7777: those ports are outside Rule 2's web-port filter (80/443/8080/8443) and loopback traffic is rarely logged as OUTBOUND, so to exercise Vector B run the listener on 8080 or 8443 on a second host whose HTTP logs reach Chronicle as NETWORK_HTTP.
- Test 1: Encoded C2 Data in DNS Subdomain Queries (RDAT Pattern)
Expected signal: Sysmon Event ID 22 (DNS Query): three DNS queries whose QueryName contains a 30+ character Base64-alphabet subdomain prepended to test-canary.example.com. DNS server query logs (if forwarded to the SIEM): the same queries with NXDOMAIN responses. Windows DNS client cache: ipconfig /displaydns shows the queried names.
- Test 2: Obfuscated Cookie-Based C2 Simulation (Okrum Pattern)
Expected signal: Sysmon Event ID 3 (Network Connection): outbound connection from powershell.exe to 127.0.0.1:8888. stream:http (if full packet capture is enabled): HTTP GET request with a Cookie header containing a 50+ character Base64 string and a non-standard User-Agent. Sysmon Event ID 1: powershell.exe process creation with the test's command line.
- Test 3: Block-Aligned HTTP POST Payload (AES-Padded C2 Response Pattern)
Expected signal: Sysmon Event ID 3: four outbound connections from powershell.exe to 127.0.0.1:9090 at 3-second intervals. stream:http: POST requests to /update with Content-Type application/octet-stream; the User-Agent 'Windows-Update-Agent/10.0' does not match standard Windows Update agent strings. Network bytes_out should reflect block-aligned (multiple-of-16) sizes.
- Test 4: Junk Data Padding in DNS TXT Record Queries (FunnyDream/Compression Pattern)
Expected signal: Sysmon Event ID 22: DNS TXT query for a 32-character random-prefix subdomain of junk-obfuscation-test.example.com. Sysmon Event ID 3: outbound HTTP connection from powershell.exe to 127.0.0.1:7777. stream:http: POST with Content-Type application/x-compress and a Base64-encoded, deflate-compressed body, an unusual content type for browser-originated traffic.
References
- https://attack.mitre.org/techniques/T1001/
- https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf
- https://www.welivesecurity.com/2019/07/08/okrum-ke3chang-targets-diplomatic-missions/
- https://unit42.paloaltonetworks.com/rdat-oilrig/
- https://www.cisa.gov/sites/default/files/publications/MAR-10303705-1.v1.WHITE.pdf
- https://www.kaspersky.com/about/press-releases/2022_toddycat
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1001/T1001.md
- https://learn.microsoft.com/en-us/azure/sentinel/dns-solution
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/AboutSplunkStream