T1001 Sumo Logic CSE · Sumo

Detect Data Obfuscation in Sumo Logic CSE

Adversaries may obfuscate command and control traffic to make it more difficult to detect. C2 communications are hidden—though not necessarily encrypted—in an attempt to make content more difficult to discover or decipher and to reduce conspicuousness. Observed techniques include adding junk data to protocol traffic to frustrate pattern matching (T1001.001), embedding payloads in image or media files via steganography (T1001.002), and impersonating legitimate protocols to blend with normal traffic (T1001.003). Real-world examples include Okrum hiding C2 commands in HTTP Cookie and Set-Cookie headers, RDAT encoding AES ciphertext in DNS subdomain labels, FunnyDream sending zlib-compressed obfuscated packets, StrelaStealer XOR-encrypting HTTP POST payloads, Ninja modifying HTTP headers and URL paths to masquerade as legitimate services, and TrailBlazer disguising C2 traffic as Google Notifications HTTP requests.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1001 Data Obfuscation
Canonical reference
https://attack.mitre.org/techniques/T1001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
/* T1001: Data Obfuscation: Sumo Logic multi-vector C2 obfuscation detection
   Parses multiple DNS and HTTP/proxy log formats from common collectors.
   Sumo Logic search syntax: expressions are written as "| expr as field"
   (there is no eval operator) and regex matching is "field matches /regex/". */
(_sourceCategory=*network*dns*
 OR _sourceCategory=*network*http*
 OR _sourceCategory=*proxy*
 OR _sourceCategory=*web*filter*
 OR _sourceCategory=*zeek*
 OR _sourceCategory=*bro*)

// --- DNS field extraction (multiple format variants) ---
// Each variant parses into its own field so a non-matching variant cannot
// clobber a value extracted by an earlier one; coalesce picks the first hit.
| parse field=_raw "query: *" as dns_query_bind nodrop
| parse field=_raw "\"qname\":\"*\"" as dns_query_json nodrop
| parse field=_raw "QueryName=*" as dns_query_win nodrop
| coalesce(dns_query_bind, dns_query_json, dns_query_win) as dns_query

// Extract first DNS label (subdomain segment before the first dot);
// only labels of 30+ characters are captured, shorter ones leave first_label null
| parse regex field=dns_query "^(?<first_label>[^\.]{30,})\." nodrop

// --- HTTP/proxy field extraction ---
| parse field=_raw "cs-uri-stem=*" as request_url_w3c nodrop
| parse field=_raw "\"uri\":\"*\"" as request_url_json nodrop
| parse field=_raw "RequestURL=*" as request_url_kv nodrop
| coalesce(request_url_w3c, request_url_json, request_url_kv) as request_url
| parse field=_raw "cs(User-Agent)=*" as user_agent_w3c nodrop
| parse field=_raw "\"http_user_agent\":\"*\"" as user_agent_json nodrop
| coalesce(user_agent_w3c, user_agent_json) as user_agent

// --- Detection vector evaluation ---
// Empty string stands in for "no signal" because both if() branches must share a type.

// V1: Long DNS label drawn entirely from the Base64/hex-style alphabet
| if(!isNull(first_label)
     AND length(first_label) >= 30
     AND first_label matches /^[A-Za-z0-9+\/=_-]+$/,
     "HighEntropyDNSSubdomain", "") as v_dns

// V2: Base64-encoded blob in HTTP URI path; exclude known-clean OAuth/CDN endpoints
| if(!isNull(request_url)
     AND request_url matches /[A-Za-z0-9+\/]{40,}={0,2}/
     AND !(request_url matches /accounts\.google\.com|login\.microsoftonline\.com|windowsupdate\.com|cdn\.jsdelivr\.net|akamaihd\.net/),
     "Base64EncodedURI", "") as v_encoded_url

// V3: Non-browser / non-standard User-Agent on HTTP/HTTPS traffic
| if(!isNull(user_agent)
     AND !(user_agent matches /(?i)(mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|java|okhttp|axios|go-http-client)/),
     "SuspiciousUserAgent", "") as v_ua

// Pick the first vector that fired and emit only events with at least one signal
| if(v_dns != "", v_dns, if(v_encoded_url != "", v_encoded_url, v_ua)) as detection_vector
| where detection_vector != ""

| fields _messagetime, _sourceHost, _sourceCategory,
         dns_query, first_label, request_url, user_agent, detection_vector
| sort by _messagetime desc

Severity
high
Confidence
medium

Detects T1001 Data Obfuscation across three vectors in Sumo Logic with multi-format log parsing: high-entropy DNS subdomain labels (30+ Base64/hex chars — RDAT/tunneling), Base64-encoded blobs in HTTP request URI paths (encoded C2 command channels), and non-browser User-Agent strings on web traffic. Supports Zeek/Bro, Windows DNS, BlueCoat, Squid, and Zscaler log formats.
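To check the three vectors against sample telemetry before deploying the rule, the logic can be ported to a few lines of Python. The block below is an added example, not code from the page or from Sumo Logic: it mirrors the query's parse anchors and regexes and runs them over constructed log lines in the BIND, JSON, Windows DNS and W3C proxy shapes the query parses (the sample values, the canary domain and the 127.0.0.1 endpoints are constructed, not captured from any real system).

```python
"""Offline port of the three T1001 detection vectors from the Sumo Logic query.
Added example, not the page's or Sumo Logic's code; all sample log lines are constructed."""
import base64
import re
from typing import Optional

# Parse anchors from the query; Sumo's "*" wildcard becomes a regex capture group.
DNS_PATTERNS = [
    re.compile(r"query: (\S+)"),             # BIND-style query log
    re.compile(r'"qname":"([^"]*)"'),         # JSON DNS record
    re.compile(r"QueryName=(\S+)"),           # Windows DNS / Sysmon key=value
]
URL_PATTERNS = [
    re.compile(r"cs-uri-stem=(\S+)"),         # W3C proxy (BlueCoat-style)
    re.compile(r'"uri":"([^"]*)"'),           # JSON HTTP record
    re.compile(r"RequestURL=(\S+)"),          # key=value web filter
]
UA_PATTERNS = [
    re.compile(r"cs\(User-Agent\)=(.*)$"),    # trailing wildcard: rest of line
    re.compile(r'"http_user_agent":"([^"]*)"'),
]
FIRST_LABEL = re.compile(r"^([^.]{30,})\.")
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]+$")
B64_URI = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URI_ALLOWLIST = re.compile(
    r"accounts\.google\.com|login\.microsoftonline\.com|windowsupdate\.com|cdn\.jsdelivr\.net|akamaihd\.net")
KNOWN_UA = re.compile(
    r"(?i)(mozilla|chrome|safari|firefox|edge|curl|python-requests|wget|java|okhttp|axios|go-http-client)")


def first_match(patterns, line: str) -> Optional[str]:
    """Mimic the chained 'parse ... nodrop' statements: the first pattern that matches wins."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None


def evaluate(line: str) -> Optional[str]:
    """Return the detection_vector the query would emit for one raw log line, or None."""
    dns_query = first_match(DNS_PATTERNS, line)
    request_url = first_match(URL_PATTERNS, line)
    user_agent = first_match(UA_PATTERNS, line)

    first_label = None
    if dns_query:
        m = FIRST_LABEL.match(dns_query)
        first_label = m.group(1) if m else None

    # V1: 30+ character first label drawn entirely from the Base64/hex-style alphabet
    v_dns = ("HighEntropyDNSSubdomain"
             if first_label and len(first_label) >= 30 and B64_LABEL.match(first_label) else None)
    # V2: 40+ consecutive Base64 characters in the URI, excluding allowlisted OAuth/CDN hosts
    v_url = ("Base64EncodedURI"
             if request_url and B64_URI.search(request_url) and not URI_ALLOWLIST.search(request_url)
             else None)
    # V3: User-Agent naming none of the common browser/library families
    v_ua = "SuspiciousUserAgent" if user_agent and not KNOWN_UA.search(user_agent) else None
    # coalesce(): the first vector that fired wins
    return v_dns or v_url or v_ua


# Constructed sample telemetry, one line per log format the query parses.
_DNS_BLOB = base64.b64encode(b"constructed test payload for dns label").decode().rstrip("=")  # 51 chars
_URI_BLOB = base64.b64encode(b"constructed encoded command channel blob").decode()            # 56 chars
SAMPLE_LOGS = {
    "bind_normal": "client 10.0.0.5#53211: query: mail.example.com IN MX +",
    "windows_dns_encoded": f"EventID=22 QueryName={_DNS_BLOB}.test-canary.example.com QueryType=1",
    "json_dns_normal": '{"ts":"2024-01-01T00:00:01Z","qname":"www.example.com","qtype":"A"}',
    "w3c_proxy_normal": ("2024-01-01 00:00:02 10.0.0.7 200 TCP_HIT cs-uri-stem=/assets/app.js "
                         "cs(User-Agent)=Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
    "w3c_proxy_encoded_uri": (f"2024-01-01 00:00:03 10.0.0.7 200 TCP_MISS cs-uri-stem=/api/v1/{_URI_BLOB} "
                              "cs(User-Agent)=Mozilla/5.0"),
    "json_oauth_allowlisted": (f'{{"uri":"https://accounts.google.com/o/oauth2/{_URI_BLOB}",'
                               '"http_user_agent":"Mozilla/5.0"}'),
    "json_nonbrowser_ua": '{"uri":"/update","http_user_agent":"Windows-Update-Agent/10.0"}',
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns name -> detection_vector (or None)."""
    return {name: evaluate(line) for name, line in SAMPLE_LOGS.items()}


if __name__ == "__main__":
    for name, vector in run_samples().items():
        print(f"{name:24s} -> {vector}")
```

Running the block prints which vector each sample trips: only the Windows DNS line with the long Base64 label, the proxy line with the encoded URI and the JSON line with the non-browser User-Agent fire; the allowlisted OAuth URL is suppressed even though it carries the same blob. Extending SAMPLE_LOGS with lines exported from your own collectors is the quickest way to see which vendor formats the parse anchors miss.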

Data Sources

  • Proxy and web gateway logs (BlueCoat, Squid, Zscaler, Symantec WSS)
  • DNS server logs (Windows DNS Event, BIND query log, Infoblox)
  • Zeek/Bro network logs via Sumo Logic collector
  • Network IDS enrichment logs

Required Tables

  • _sourceCategory=*network*dns*
  • _sourceCategory=*proxy*
  • _sourceCategory=*web*filter*
  • _sourceCategory=*zeek*

False Positives & Tuning

  • Content delivery networks (Akamai, Fastly, Cloudflare) use long tokenized subdomains for edge cache routing that regularly exceed the 30-character threshold and match Base64-alphabet patterns
  • Google Analytics, Adobe Analytics, and Segment.io tracking beacons embed long Base64-encoded event payloads in HTTPS beacon URLs that match the encoded URI vector
  • Enterprise backup and endpoint synchronization tools (Veeam, Acronis, Azure Backup Agent) make scheduled HTTP callbacks with non-browser User-Agent strings at beaconing-like intervals
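The first tuning bullet exists because the "HighEntropyDNSSubdomain" vector, as written, tests only length and character set, never entropy. The block below is an added example (not the page's or Sumo Logic's code) that adds a Shannon-entropy gate to V1 and compares it with the alphabet-only rule on constructed labels; the 3.5-bit threshold and the sample hostnames are assumptions to tune, not values from the page.

```python
"""Entropy gate for the DNS-label vector (V1). Added example, not the page's or
Sumo Logic's code; the 3.5-bit threshold and the sample queries are constructed."""
import math
import re
from collections import Counter

LABEL_ALPHABET = re.compile(r"^[A-Za-z0-9+/=_-]+$")   # same character class as the query's V1
MIN_LABEL_LEN = 30


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution (0.0 for empty input)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def first_label(query: str) -> str:
    """Leftmost DNS label, the segment before the first dot."""
    return query.split(".", 1)[0]


def alphabet_rule_fires(query: str) -> bool:
    """V1 as the query implements it: length plus character set only."""
    label = first_label(query)
    return len(label) >= MIN_LABEL_LEN and LABEL_ALPHABET.match(label) is not None


def entropy_rule_fires(query: str, min_bits: float = 3.5) -> bool:
    """V1 with an entropy gate: the label must also look statistically random."""
    return alphabet_rule_fires(query) and shannon_entropy(first_label(query)) >= min_bits


# Constructed queries covering the cases the tuning note describes.
SAMPLES = {
    # 32 chars from 4 symbols: passes the alphabet rule, scores exactly 2.0 bits
    "repetitive_token": "aaaaaaaabbbbbbbbccccccccdddddddd.cache.example.net",
    # readable hyphenated CDN-style token, 37 chars, 16 distinct symbols
    "readable_cdn_token": "edge-cache-node-0001-region-us-east-1.cache.example.net",
    # 38 distinct characters: log2(38) = 5.25 bits
    "random_blob": "aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uVwXyZ+/.test-canary.example.com",
    "ordinary": "www.example.com",
}


def compare_rules() -> dict:
    """name -> (alphabet rule fired, entropy rule fired, label entropy in bits)."""
    return {
        name: (alphabet_rule_fires(q), entropy_rule_fires(q), round(shannon_entropy(first_label(q)), 3))
        for name, q in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (alpha, ent, bits) in compare_rules().items():
        print(f"{name:20s} alphabet={alpha!s:5s} entropy_gated={ent!s:5s} bits={bits}")
```

The entropy gate removes low-cardinality labels such as repeated cache-shard tokens, which the alphabet rule alone flags. It does not remove the readable hyphenated token: at roughly 3.7 bits it still clears a 3.5-bit gate, which is why the CDN domains from the first bullet belong on an allowlist like the one V2 already carries rather than being left to a statistical threshold.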
Testing Methodology

Validate this detection against four adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Encoded C2 Data in DNS Subdomain Queries (RDAT Pattern)

    Expected signal: Sysmon Event ID 22 (DNS Query): Three DNS queries where QueryName contains 30+ character Base64-alphabet subdomains prepended to test-canary.example.com. DNS server query logs (if forwarded to SIEM): same queries with NXDOMAIN responses. Windows DNS Client cache: ipconfig /displaydns will show the queried names.

  2. Test 2: Obfuscated Cookie-Based C2 Simulation (Okrum Pattern)

    Expected signal: Sysmon Event ID 3 (Network Connection): outbound connection from powershell.exe to 127.0.0.1:8888. stream:http (if full packet capture enabled): HTTP GET request with Cookie header containing 50+ character Base64 string and a non-standard User-Agent. Sysmon Event ID 1: powershell.exe process creation with the above command line.

  3. Test 3: Block-Aligned HTTP POST Payload (AES-Padded C2 Response Pattern)

    Expected signal: Sysmon Event ID 3: Four outbound connections from powershell.exe to 127.0.0.1:9090 with 3-second intervals. stream:http: POST requests to /update with content-type application/octet-stream; User-Agent 'Windows-Update-Agent/10.0' does not match standard Windows Update agent strings. Network bytes_out should reflect block-aligned sizes.

  4. Test 4: Junk Data Padding in DNS TXT Record Queries (FunnyDream/Compression Pattern)

    Expected signal: Sysmon Event ID 22: DNS TXT query for a 32-char random-prefix subdomain of junk-obfuscation-test.example.com. Sysmon Event ID 3: outbound HTTP connection from powershell.exe to 127.0.0.1:7777. stream:http: POST with Content-Type application/x-compress and base64-encoded deflate-compressed body, an unusual content-type for browser-originated traffic.
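Test 3 expects two properties the query itself does not check: a fixed 3-second cadence and bytes_out values that are multiples of the AES block size. The block below is an added example (not the page's code) of how a hunting script could score per-destination connection records on both properties at once; the event records, the 4-event minimum and the 1-second jitter tolerance are constructed assumptions, and the 127.0.0.1:9090 destination is the test's own placeholder endpoint.

```python
"""Beacon-shape check for the HTTP POST channel described in Test 3: regular
intervals plus block-aligned bytes_out. Added example; the events are constructed."""
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List

AES_BLOCK = 16  # AES ciphertext with block padding is always a multiple of 16 bytes


def block_aligned(sizes: List[int], block: int = AES_BLOCK) -> bool:
    """True when every payload size is a positive multiple of the block size."""
    return len(sizes) > 0 and all(s > 0 and s % block == 0 for s in sizes)


def intervals(timestamps: List[datetime]) -> List[float]:
    """Seconds between consecutive events, in time order."""
    ts = sorted(timestamps)
    return [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]


def assess_destination(events: List[dict], min_events: int = 4, max_jitter: float = 1.0) -> dict:
    """Score one destination: regular cadence (low interval std-dev) AND block-aligned sizes."""
    sizes = [e["bytes_out"] for e in events]
    gaps = intervals([e["ts"] for e in events])
    jitter = pstdev(gaps) if len(gaps) >= 2 else None
    regular = len(events) >= min_events and jitter is not None and jitter <= max_jitter
    aligned = block_aligned(sizes)
    return {
        "events": len(events),
        "block_aligned": aligned,
        "mean_interval": mean(gaps) if gaps else None,
        "jitter": jitter,
        "flag": regular and aligned,
    }


def assess_all(events: List[dict]) -> Dict[str, dict]:
    """Group Sysmon-style network events by destination and score each group."""
    by_dst: Dict[str, List[dict]] = {}
    for e in events:
        by_dst.setdefault(e["dst"], []).append(e)
    return {dst: assess_destination(evs) for dst, evs in by_dst.items()}


# Constructed records: four POSTs to the Test 3 endpoint every 3 s with 16-byte-aligned bodies,
# and a browser session to an unrelated host with irregular timing and arbitrary sizes.
_T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"ts": _T0 + timedelta(seconds=3 * i), "dst": "127.0.0.1:9090", "bytes_out": size}
    for i, size in enumerate([48, 64, 32, 80])
] + [
    {"ts": _T0 + timedelta(seconds=off), "dst": "203.0.113.10:443", "bytes_out": size}
    for off, size in [(0.0, 517), (0.4, 1203), (7.9, 88), (8.1, 2310)]
]


if __name__ == "__main__":
    for dst, result in assess_all(SAMPLE_EVENTS).items():
        print(dst, result)
```

Requiring both properties matters for the third tuning bullet: backup and sync agents also call home on a schedule, but their request bodies are not uniformly block-aligned, so cadence alone would flag them while the combined check does not. With only four events the cadence estimate is weak, so treat the flag as a hunting lead to pivot into stream:http content, not as an alert on its own.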
