Detect Data Obfuscation in CrowdStrike LogScale
Adversaries may obfuscate command and control traffic to make it more difficult to detect. C2 communications are hidden—though not necessarily encrypted—in an attempt to make content more difficult to discover or decipher and to reduce conspicuousness. Observed techniques include adding junk data to protocol traffic to frustrate pattern matching (T1001.001), embedding payloads in image or media files via steganography (T1001.002), and impersonating legitimate protocols to blend with normal traffic (T1001.003). Real-world examples include Okrum hiding C2 commands in HTTP Cookie and Set-Cookie headers, RDAT encoding AES ciphertext in DNS subdomain labels, FunnyDream sending zlib-compressed obfuscated packets, StrelaStealer XOR-encrypting HTTP POST payloads, Ninja modifying HTTP headers and URL paths to masquerade as legitimate services, and TrailBlazer disguising C2 traffic as Google Notifications HTTP requests.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1001 Data Obfuscation
- Canonical reference: https://attack.mitre.org/techniques/T1001/
LogScale Detection Query
```
// T1001: Data Obfuscation — CrowdStrike LogScale (CQL) detection
// Two saved queries: DNS entropy and HTTP beaconing vectors
// Run each independently or schedule as separate detection jobs
// ============================================================
// QUERY 1: High-entropy DNS subdomain labels
// Source: Falcon DnsRequest telemetry
// Detects RDAT AES-in-subdomain, DNS tunnel C2, covert channel encoding
// ============================================================
#event_simpleName=DnsRequest
// Leading label of 30+ Base64/hex-alphabet characters
| DomainName = /^[A-Za-z0-9+\/=_\-]{30,}\./
// Exclude GUID-style CDN and service-mesh subdomains
| DomainName != /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}/
// Aggregate: count queries per host+user+process+domain over the search window
// (@timestamp is the event time in epoch milliseconds)
| groupBy(
    [ComputerName, UserName, ContextBaseFileName, DomainName],
    function=[
      count(as=query_count),
      min(@timestamp, as=first_seen_ms),
      max(@timestamp, as=last_seen_ms)
    ]
  )
// Require at least 3 queries to the same high-entropy domain (reduces single-lookup FPs)
| query_count >= 3
| detection_vector := "HighEntropyDNSSubdomain"
| severity := "High"
| sort(query_count, order=desc)
| table([ComputerName, UserName, ContextBaseFileName, DomainName,
        query_count, first_seen_ms, last_seen_ms, detection_vector, severity])

// ============================================================
// QUERY 2: Non-browser process HTTP/HTTPS beaconing
// Source: Falcon NetworkConnectIP4 telemetry
// Detects junk-data C2 check-ins and obfuscated payload beaconing
// ============================================================
#event_simpleName=NetworkConnectIP4
| in(RemotePort, values=[80, 443, 8080, 8443])
// Exclude known browser, update, and security tool binaries (case-insensitive match)
| ContextBaseFileName != /^(chrome|firefox|msedge|iexplore|opera|brave|slack|teams|outlook|onedrive|svchost|MsMpEng|MsSense|SenseIR|SenseCE|SenseNdr|zoom|dropbox|SearchApp)\.exe$/i
// Aggregate connection behaviour per host+user+process+dest IP
| groupBy(
    [ComputerName, UserName, ContextBaseFileName, RemoteAddressIP4],
    function=[
      count(as=connection_count),
      min(@timestamp, as=first_conn_ms),
      max(@timestamp, as=last_conn_ms),
      collect([RemotePort], limit=5)
    ]
  )
| rename(field=RemotePort, as=ports_used)
// Minimum 10 connections to qualify as beaconing candidate
| connection_count >= 10
// Calculate time span in minutes
| span_minutes := (last_conn_ms - first_conn_ms) / 60000
| span_minutes > 0
// Calculate connections per minute
| conn_per_minute := connection_count / span_minutes
// Beaconing rate window: 0.1–4 conn/min (one connection every 15 seconds up to ~10 minutes)
| conn_per_minute >= 0.1
| conn_per_minute <= 4.0
// Two decimals for display, after the numeric filters above
| conn_per_minute := format("%.2f", field=[conn_per_minute])
| detection_vector := "SuspectHTTPBeaconing"
| severity := "Medium"
| sort(connection_count, order=desc)
| table([ComputerName, UserName, ContextBaseFileName, RemoteAddressIP4,
        connection_count, span_minutes, conn_per_minute, ports_used,
        first_conn_ms, last_conn_ms, detection_vector, severity])
```

Two CrowdStrike LogScale (CQL) queries detecting T1001 Data Obfuscation. Query 1 uses DnsRequest events to identify high-entropy subdomain labels (30+ Base64/hex characters, 3+ queries to the same domain) matching RDAT and DNS-tunnel C2 patterns. Query 2 uses NetworkConnectIP4 events to flag non-browser, non-system processes exhibiting HTTP/HTTPS beaconing behaviour (0.1–4 connections per minute, 10+ connections), excluding known legitimate browser and security tool binaries.
Data Sources
Required Tables
- DnsRequest events (#event_simpleName=DnsRequest) from the Falcon sensor, used by Query 1
- NetworkConnectIP4 events (#event_simpleName=NetworkConnectIP4) from the Falcon sensor, used by Query 2
False Positives & Tuning
- Microsoft Intune management service and Windows Update orchestrator beacon periodically from svchost-adjacent processes (WaaSMedicSvc, UsoClient) to *.manage.microsoft.com at beaconing-like intervals — extend the exclusion list to cover these if needed
- Security telemetry collectors (Elastic Agent, Splunk Universal Forwarder, Cribl Edge) make regular network connections from non-browser processes at configured heartbeat intervals that match the 0.1–4 conn/min beaconing rate
- Internal Kubernetes and Consul service mesh DNS health-check patterns (e.g., sidecar proxies querying long hash-based service FQDNs) can trigger the high-entropy DNS query when running on Windows hosts with the Falcon sensor
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Encoded C2 Data in DNS Subdomain Queries (RDAT Pattern)
  Expected signal: Sysmon Event ID 22 (DNS Query): Three DNS queries where QueryName contains 30+ character Base64-alphabet subdomains prepended to test-canary.example.com. DNS server query logs (if forwarded to SIEM): same queries with NXDOMAIN responses. Windows DNS Client cache: ipconfig /displaydns will show the queried names.
- Test 2: Obfuscated Cookie-Based C2 Simulation (Okrum Pattern)
  Expected signal: Sysmon Event ID 3 (Network Connection): outbound connection from powershell.exe to 127.0.0.1:8888. stream:http (if full packet capture enabled): HTTP GET request with Cookie header containing 50+ character Base64 string and a non-standard User-Agent. Sysmon Event ID 1: powershell.exe process creation with the above command line.
- Test 3: Block-Aligned HTTP POST Payload (AES-Padded C2 Response Pattern)
  Expected signal: Sysmon Event ID 3: Four outbound connections from powershell.exe to 127.0.0.1:9090 with 3-second intervals. stream:http: POST requests to /update with content-type application/octet-stream; User-Agent 'Windows-Update-Agent/10.0' does not match standard Windows Update agent strings. Network bytes_out should reflect block-aligned sizes.
- Test 4: Junk Data Padding in DNS TXT Record Queries (FunnyDream/Compression Pattern)
  Expected signal: Sysmon Event ID 22: DNS TXT query for a 32-char random-prefix subdomain of junk-obfuscation-test.example.com. Sysmon Event ID 3: outbound HTTP connection from powershell.exe to 127.0.0.1:7777. stream:http: POST with Content-Type application/x-compress and base64-encoded deflate-compressed body — unusual content-type for browser-originated traffic.
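To see how Query 2's thresholds behave on concrete event streams, here is an added Python model (not from the page, and not LogScale code) of its port filter, process exclusion, groupBy, 10-connection floor and 0.1–4 conn/min window, run over constructed NetworkConnectIP4-style records. It also shows that a burst like Test 3's four connections at 3-second intervals sits outside both thresholds as written. Process names, IPs and timestamps are constructed sample data, and the exclusion set is shortened to the names the sample needs.

```python
from collections import defaultdict

# Exclusions and thresholds as in Query 2 (exclusion list shortened to the
# names needed by the sample data; the page's full list applies in production).
EXCLUDED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "svchost.exe"}
WEB_PORTS = {80, 443, 8080, 8443}

def beaconing_candidates(events, min_connections=10, min_rate=0.1, max_rate=4.0):
    """Group NetworkConnectIP4-style records per host+user+process+destination
    and apply Query 2's connection count and connections-per-minute window."""
    groups = defaultdict(list)
    for e in events:
        if e["RemotePort"] not in WEB_PORTS:
            continue
        if e["ContextBaseFileName"].lower() in EXCLUDED_PROCESSES:
            continue
        key = (e["ComputerName"], e["UserName"], e["ContextBaseFileName"], e["RemoteAddressIP4"])
        groups[key].append((e["timestamp"], e["RemotePort"]))
    hits = []
    for k, conns in groups.items():
        ts = [t for t, _ in conns]
        span_minutes = (max(ts) - min(ts)) / 60000
        if len(conns) < min_connections or span_minutes <= 0:
            continue
        rate = round(len(conns) / span_minutes, 2)
        if min_rate <= rate <= max_rate:
            hits.append({"ComputerName": k[0], "UserName": k[1], "ContextBaseFileName": k[2],
                         "RemoteAddressIP4": k[3], "connection_count": len(conns),
                         "span_minutes": span_minutes, "conn_per_minute": rate,
                         "ports_used": sorted({p for _, p in conns})[:5]})
    return sorted(hits, key=lambda h: -h["connection_count"])

def conn(proc, ip, port, ts, host="WS01", user="alice"):
    """Constructed NetworkConnectIP4-style record (sample data, not real telemetry)."""
    return {"ComputerName": host, "UserName": user, "ContextBaseFileName": proc,
            "RemoteAddressIP4": ip, "RemotePort": port, "timestamp": ts}

T0 = 1700000000000  # epoch ms
SAMPLE_EVENTS = (
    # A: Test 3's cadence, four connections 3 s apart: 4 < 10 and ~26.7 conn/min, no hit
    [conn("powershell.exe", "203.0.113.10", 443, T0 + i * 3000) for i in range(4)]
    # B: one check-in per minute for 15 minutes: 16 connections, 1.07 conn/min, hit
    + [conn("powershell.exe", "203.0.113.20", 443, T0 + i * 60000) for i in range(16)]
    # C: same cadence from chrome.exe: excluded by process name
    + [conn("chrome.exe", "203.0.113.20", 443, T0 + i * 60000) for i in range(16)]
    # D: 12 connections in the same millisecond: span 0, dropped like span_minutes > 0
    + [conn("updater.exe", "203.0.113.30", 80, T0) for _ in range(12)]
)
```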
References
- https://attack.mitre.org/techniques/T1001/
- https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf
- https://www.welivesecurity.com/2019/07/08/okrum-ke3chang-targets-diplomatic-missions/
- https://unit42.paloaltonetworks.com/rdat-oilrig/
- https://www.cisa.gov/sites/default/files/publications/MAR-10303705-1.v1.WHITE.pdf
- https://www.kaspersky.com/about/press-releases/2022_toddycat
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1001/T1001.md
- https://learn.microsoft.com/en-us/azure/sentinel/dns-solution
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/AboutSplunkStream