T1001 Microsoft Sentinel · KQL

Detect Data Obfuscation in Microsoft Sentinel

Adversaries may obfuscate command and control traffic to make it more difficult to detect. C2 communications are hidden—though not necessarily encrypted—in an attempt to make content more difficult to discover or decipher and to reduce conspicuousness. Observed techniques include adding junk data to protocol traffic to frustrate pattern matching (T1001.001), embedding payloads in image or media files via steganography (T1001.002), and impersonating legitimate protocols to blend with normal traffic (T1001.003). Real-world examples include Okrum hiding C2 commands in HTTP Cookie and Set-Cookie headers, RDAT encoding AES ciphertext in DNS subdomain labels, FunnyDream sending zlib-compressed obfuscated packets, StrelaStealer XOR-encrypting HTTP POST payloads, Ninja modifying HTTP headers and URL paths to masquerade as legitimate services, and TrailBlazer disguising C2 traffic as Google Notifications HTTP requests.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1001 Data Obfuscation
Canonical reference
https://attack.mitre.org/techniques/T1001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1001: Data Obfuscation — Multi-vector C2 obfuscation detection
// Covers three key patterns: high-entropy DNS labels, non-browser HTTP beaconing, and Base64-encoded proxy URIs
//
// VECTOR 1: High-entropy DNS subdomain labels (e.g., RDAT embedding AES ciphertext in subdomains)
let HighEntropyDNS = DnsEvents
| where TimeGenerated > ago(24h)
| where SubType == "LookupQuery"
| where isnotempty(Name)
| extend Labels = split(Name, ".")
| extend SubdomainLabel = tostring(Labels[0])
| where strlen(SubdomainLabel) >= 30
// Match Base64/hex-alphabet strings — typical of encoded C2 payloads
| where SubdomainLabel matches regex @"^[A-Za-z0-9+/=_\-]+$"
// Exclude common GUID/UUID patterns used by CDNs
| where SubdomainLabel !matches regex @"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-"
| project TimeGenerated, Computer, ClientIP, QueryName = Name,
         SubdomainLabel, SubdomainLength = strlen(SubdomainLabel)
| extend DetectionVector = "HighEntropyDNSSubdomain", Severity = "High";
//
// VECTOR 2: Non-browser HTTP/HTTPS beaconing from suspicious processes
// (junk data or obfuscated payloads in regular C2 check-ins)
let SuspectBeaconing = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (80, 443, 8080, 8443)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ (
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "opera.exe", "brave.exe", "SearchApp.exe", "OneDrive.exe",
    "Teams.exe", "Outlook.exe", "slack.exe", "msteams.exe",
    "zoom.exe", "dropbox.exe", "svchost.exe", "MsMpEng.exe",
    "SenseCE.exe", "SenseIR.exe", "MsSense.exe"
  )
| summarize
    ConnectionCount = count(),
    UniqueDestIPs = dcount(RemoteIP),
    DestIPs = make_set(RemoteIP, 5),
    DestPorts = make_set(RemotePort),
    EarliestConn = min(Timestamp),
    LatestConn = max(Timestamp)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessId,
     InitiatingProcessCommandLine, AccountName
| where ConnectionCount >= 10
| extend SpanMinutes = datetime_diff('minute', LatestConn, EarliestConn)
| where SpanMinutes > 0
| extend ConnPerMinute = round(toreal(ConnectionCount) / toreal(SpanMinutes), 2)
// Beaconing range: 0.1–4 connections/min (every 15 seconds to ~10 minutes)
| where ConnPerMinute between (0.1 .. 4.0)
| project TimeGenerated = LatestConn, DeviceName, InitiatingProcessFileName,
         InitiatingProcessCommandLine, AccountName,
         ConnectionCount, UniqueDestIPs, DestIPs, ConnPerMinute
| extend DetectionVector = "SuspectHTTPBeaconing", Severity = "Medium";
//
// VECTOR 3: Base64 / high-entropy data embedded in HTTP proxy request URIs
// (characteristic of malware encoding C2 commands in URL path segments)
let EncodedProxyTraffic = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceEventCategory has_any ("proxy", "web-filtering", "URL")
| where isnotempty(RequestURL)
// 40+ contiguous Base64-alphabet characters in the URL path indicate encoded content
| where RequestURL matches regex @"[A-Za-z0-9+/]{40,}={0,2}"
// Exclude well-known OAuth/CDN endpoints that legitimately embed tokens in URLs
| where RequestURL !has "accounts.google.com"
    and RequestURL !has "login.microsoftonline.com"
    and RequestURL !has ".windowsupdate.com"
    and RequestURL !has "cdn.jsdelivr.net"
    and RequestURL !has "akamaihd.net"
| project TimeGenerated, DeviceName, SourceIP, DestinationHostName,
         RequestURL, RequestMethod, DestinationPort, SourceUserName
| extend DetectionVector = "Base64EncodedProxyURI", Severity = "Medium";
//
// Combine all vectors and surface results
union HighEntropyDNS, SuspectBeaconing, EncodedProxyTraffic
| sort by TimeGenerated desc
high severity medium confidence

Multi-vector detection for T1001 Data Obfuscation using three parallel approaches: (1) DnsEvents analysis for high-entropy subdomain labels (>= 30 chars of Base64/hex-alphabet characters) indicative of encoded C2 payloads embedded in DNS queries as seen in RDAT malware; (2) DeviceNetworkEvents beaconing analysis detecting non-browser processes making 10+ HTTP/HTTPS connections to public IPs at a regular rate (0.1–4/min), a pattern consistent with malware performing regular C2 check-ins with obfuscated or junk-padded payloads; (3) CommonSecurityLog proxy analysis detecting Base64-encoded strings (40+ characters) embedded in HTTP request URI paths. Results are unioned and sorted chronologically. Requires DNS Analytics solution for DnsEvents, MDE for DeviceNetworkEvents, and a CEF-forwarding proxy for CommonSecurityLog.

Data Sources

Network Traffic: Network Traffic ContentNetwork Traffic: Network Traffic FlowProcess: Process CreationAzure DNS Analytics (DnsEvents)Microsoft Defender for Endpoint (DeviceNetworkEvents)Proxy/Firewall CEF logs (CommonSecurityLog)

Required Tables

DnsEventsDeviceNetworkEventsCommonSecurityLog

False Positives & Tuning

  • Legitimate software update clients (Windows Update, Chrome update, application auto-updaters) making regular HTTP check-in connections at predictable intervals — exclude by process name and destination domain allowlist
  • Cloud synchronization agents (OneDrive, Dropbox, Box, iCloud) establishing frequent HTTPS connections with encoded content in URLs — add to the excluded process list in Vector 2
  • CDN and authentication platforms (Akamai, Cloudflare, Azure AD) using long Base64 tokens in redirect URLs — extend the exclusion list in Vector 3 with known CDN domains
  • Security monitoring and endpoint agents (CrowdStrike, SentinelOne, Qualys) beaconing at regular intervals to management infrastructure — identify agent process names and exclude them
  • Internal DNS-based service discovery mechanisms or Kubernetes DNS with long service names — review high-entropy DNS alerts against internal DNS server IPs before escalating
  • Web application firewalls or DLP proxies that re-encode request URLs during forwarding — validate by checking SourceIP against known proxy infrastructure
Download portable Sigma rule (.yml)

Other platforms for T1001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Encoded C2 Data in DNS Subdomain Queries (RDAT Pattern)

    Expected signal: Sysmon Event ID 22 (DNS Query): Three DNS queries where QueryName contains 30+ character Base64-alphabet subdomains prepended to test-canary.example.com. DNS server query logs (if forwarded to SIEM): same queries with NXDOMAIN responses. Windows DNS Client cache: ipconfig /displaydns will show the queried names.

  2. Test 2Obfuscated Cookie-Based C2 Simulation (Okrum Pattern)

    Expected signal: Sysmon Event ID 3 (Network Connection): outbound connection from powershell.exe to 127.0.0.1:8888. stream:http (if full packet capture enabled): HTTP GET request with Cookie header containing 50+ character Base64 string and a non-standard User-Agent. Sysmon Event ID 1: powershell.exe process creation with the above command line.

  3. Test 3Block-Aligned HTTP POST Payload (AES-Padded C2 Response Pattern)

    Expected signal: Sysmon Event ID 3: Four outbound connections from powershell.exe to 127.0.0.1:9090 with 3-second intervals. stream:http: POST requests to /update with content-type application/octet-stream; User-Agent 'Windows-Update-Agent/10.0' does not match standard Windows Update agent strings. Network bytes_out should reflect block-aligned sizes.

  4. Test 4Junk Data Padding in DNS TXT Record Queries (FunnyDream/Compression Pattern)

    Expected signal: Sysmon Event ID 22: DNS TXT query for a 32-char random-prefix subdomain of junk-obfuscation-test.example.com. Sysmon Event ID 3: outbound HTTP connection from powershell.exe to 127.0.0.1:7777. stream:http: POST with Content-Type application/x-compress and base64-encoded deflate-compressed body — unusual content-type for browser-originated traffic.

Last updated: 2026-04-13 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1001.001Junk DataT1001.002SteganographyT1001.003Protocol or Service ImpersonationT1071Application Layer ProtocolT1071.004DNST1132Data EncodingT1132.001Standard EncodingT1573Encrypted ChannelT1573.001Symmetric CryptographyT1568Dynamic ResolutionT1048Exfiltration Over Alternative ProtocolT1205Traffic Signaling

Same Tactic: Command and Control

Popular Detections