T1132

Data Encoding

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip. Real-world examples include BADNEWS converting encrypted C2 data to hexadecimal then Base64 before transmission, Ursnif embedding Base64-encoded data in HTTP URLs, H1N1 using an altered Base64 scheme for C2 traffic, and Linux Rabbit sending encoded payloads as URL parameters.

Microsoft Sentinel / Defender

kusto

let lookback = 24h;
let EncodingPatterns = dynamic([
    "base64", "-encode", "-decode", "FromBase64String", "ToBase64String",
    "b64encode", "b64decode", "binascii", "hexlify", "unhexlify",
    "zlib.compress", "gzip", "deflate", "urllib.parse.quote",
    "hex_codec", "btoa(", "atob(", "[Convert]::", "System.Convert"
]);
let NetworkPatterns = dynamic([
    "http://", "https://", "ftp://", "socket", "connect(",
    "urllib", "requests.", "Net.WebClient", "Invoke-WebRequest",
    "Invoke-RestMethod", "TcpClient", "UdpClient", "WebSocket",
    "curl ", "wget ", "UploadString", "DownloadString"
]);
// Branch 1: certutil used for encoding/decoding — classic LOLBin C2 helper
let CertutilEncoding = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-encode", "-decode", "-urlcache")
| extend DetectionBranch = "CertutilEncoding"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 2: Scripting interpreter combining encoding + network primitives in same invocation
let ScriptingEncodeNetwork = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("python.exe", "python3.exe", "perl.exe", "php.exe", "ruby.exe", "node.exe", "nodejs")
| where ProcessCommandLine has_any (EncodingPatterns)
| where ProcessCommandLine has_any (NetworkPatterns)
| extend DetectionBranch = "ScriptingEncodeNetwork"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 3: PowerShell using Base64 conversion APIs with networking classes
let PSEncodeNetwork = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("FromBase64String", "ToBase64String", "[Convert]::", "System.Convert")
| where ProcessCommandLine has_any ("Net.WebClient", "Invoke-WebRequest", "Invoke-RestMethod",
                                      "TcpClient", "UdpClient", "UploadString", "DownloadString")
| extend DetectionBranch = "PSEncodeNetwork"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 4: curl or wget carrying suspiciously long Base64 or hex-encoded argument data
let EncodedNetworkUtil = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("curl.exe", "curl", "wget.exe", "wget")
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{60,}={0,2}"
      or ProcessCommandLine matches regex @"[0-9a-fA-F]{80,}"
| extend DetectionBranch = "EncodedNetworkUtil"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
union CertutilEncoding, ScriptingEncodeNetwork, PSEncodeNetwork, EncodedNetworkUtil
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Software deployment tools (SCCM, Intune, Ansible) that use certutil -decode or -urlcache to deliver installer payloads from internal distribution servers
Data science and DevOps pipelines (CI/CD agents, Terraform, configuration management) that Base64-encode credentials or configuration blobs before transmitting to APIs
Application monitoring agents (Datadog, Splunk UF, New Relic) that encode telemetry payloads before posting to SaaS collection endpoints
Web developers testing REST APIs with curl, passing Base64-encoded Bearer tokens or JSON payloads in request bodies
Security tooling including vulnerability scanners and SIEM forwarders that encode log data or signatures during transmission

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmdline=lower(CommandLine)
| eval img=lower(Image)
| eval parent_img=lower(ParentImage)

`comment("Branch 1: certutil encoding/decoding LOLBin usage")`
| eval CertutilEncoding=if(
    match(img, "certutil\\.exe") AND match(cmdline, "(-encode|-decode|-urlcache)"),
    1, 0)

`comment("Branch 2: scripting interpreter combining encoding and network primitives")`
| eval ScriptEncodeNet=if(
    match(img, "(python[23]?\\.exe|perl\\.exe|php\\.exe|ruby\\.exe|node\\.exe|nodejs)")
    AND match(cmdline, "(base64|b64encode|b64decode|binascii|hexlify|unhexlify|zlib|gzip|btoa|atob|urllib\\.parse\\.quote|hex_codec)")
    AND match(cmdline, "(http://|https://|ftp://|socket|urllib\\.request|requests\\.|connect\\()"),
    1, 0)

`comment("Branch 3: PowerShell Base64 conversion with network class usage")`
| eval PSEncodeNet=if(
    match(img, "(powershell\\.exe|pwsh\\.exe)")
    AND match(cmdline, "(frombase64string|tobase64string|\\[convert\\]::|system\\.convert)")
    AND match(cmdline, "(net\\.webclient|invoke-webrequest|invoke-restmethod|tcpclient|udpclient|uploadstring|downloadstring)"),
    1, 0)

`comment("Branch 4: curl or wget invoked with long Base64 or hex-encoded argument strings")`
| eval EncodedNetUtil=if(
    match(img, "(curl\\.exe|wget\\.exe|\\bcurl$|\\bwget$)")
    AND (match(cmdline, "[a-z0-9+/]{60,}={0,2}") OR match(cmdline, "[0-9a-f]{80,}")),
    1, 0)

| eval TotalScore=CertutilEncoding + ScriptEncodeNet + PSEncodeNet + EncodedNetUtil
| where TotalScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        CertutilEncoding, ScriptEncodeNet, PSEncodeNet, EncodedNetUtil, TotalScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software deployment tools (SCCM, Intune, Ansible) that use certutil -decode or -urlcache to deliver installer payloads from internal distribution servers
Data science and DevOps pipelines (CI/CD agents, Terraform, configuration management) that Base64-encode credentials or configuration blobs before transmitting to APIs
Application monitoring agents (Datadog, Splunk UF, New Relic) that encode telemetry payloads before posting to SaaS collection endpoints
Web developers testing REST APIs with curl, passing Base64-encoded Bearer tokens or JSON payloads in request bodies
Security tooling including vulnerability scanners and SIEM forwarders that encode log data or signatures during transmission

Elastic Security (EQL)

eql

sequence by host.id with maxspan=1m
[
  any where event.category == "process" and event.type == "start"
  and (
    /* Branch 1: certutil encoding/decoding LOLBin */
    (
      process.name : "certutil.exe"
      and process.args : ("-encode", "-decode", "-urlcache", "/encode", "/decode", "/urlcache")
    )
    or
    /* Branch 2: scripting interpreter combining encoding and network primitives */
    (
      process.name : ("python.exe", "python3.exe", "perl.exe", "php.exe", "ruby.exe", "node.exe", "nodejs")
      and process.command_line : ("*base64*", "*b64encode*", "*b64decode*", "*binascii*", "*hexlify*", "*unhexlify*", "*zlib*", "*gzip*", "*btoa*", "*atob*", "*urllib.parse.quote*", "*hex_codec*")
      and process.command_line : ("*http://*", "*https://*", "*ftp://*", "*socket*", "*urllib*", "*requests.*", "*connect(*")
    )
    or
    /* Branch 3: PowerShell Base64 conversion with network classes */
    (
      process.name : ("powershell.exe", "pwsh.exe")
      and process.command_line : ("*FromBase64String*", "*ToBase64String*", "*[Convert]::*", "*System.Convert*")
      and process.command_line : ("*Net.WebClient*", "*Invoke-WebRequest*", "*Invoke-RestMethod*", "*TcpClient*", "*UdpClient*", "*UploadString*", "*DownloadString*")
    )
    or
    /* Branch 4: curl/wget with long encoded arguments */
    (
      process.name : ("curl.exe", "curl", "wget.exe", "wget")
      and (
        process.command_line : "*=*"
        and (
          process.command_line regex~ "[A-Za-z0-9+/]{60,}={0,2}"
          or process.command_line regex~ "[0-9a-fA-F]{80,}"
        )
      )
    )
  )
]

high severity high confidence

Data Sources

Endpoint Windows Security Events Sysmon

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-*

False Positives

Developers or DevOps engineers running Python/Node.js scripts that legitimately encode data before API transmission (e.g., OAuth flows, webhook HMAC signatures)
IT administrators using certutil to download and verify file checksums or encode certificate data during PKI operations
Security tools and EDR agents that use curl or wget with encoded authentication tokens or API keys in their command lines

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
         AND (LOWER("Command") LIKE '%-encode%' OR LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-urlcache%')
      THEN 'CertutilEncoding'
    WHEN LOWER("Process Name") SIMILAR TO '%(python[23]?\.exe|perl\.exe|php\.exe|ruby\.exe|node\.exe|nodejs)%'
         AND (LOWER("Command") LIKE '%base64%' OR LOWER("Command") LIKE '%b64encode%' OR LOWER("Command") LIKE '%hexlify%' OR LOWER("Command") LIKE '%binascii%' OR LOWER("Command") LIKE '%gzip%')
         AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%' OR LOWER("Command") LIKE '%socket%' OR LOWER("Command") LIKE '%requests.%')
      THEN 'ScriptingEncodeNetwork'
    WHEN LOWER("Process Name") SIMILAR TO '%(powershell\.exe|pwsh\.exe)%'
         AND (LOWER("Command") LIKE '%frombase64string%' OR LOWER("Command") LIKE '%tobase64string%' OR LOWER("Command") LIKE '%[convert]%' OR LOWER("Command") LIKE '%system.convert%')
         AND (LOWER("Command") LIKE '%net.webclient%' OR LOWER("Command") LIKE '%invoke-webrequest%' OR LOWER("Command") LIKE '%invoke-restmethod%' OR LOWER("Command") LIKE '%tcpclient%' OR LOWER("Command") LIKE '%downloadstring%')
      THEN 'PSEncodeNetwork'
    WHEN LOWER("Process Name") SIMILAR TO '%(curl\.exe|wget\.exe|\bcurl|\bwget)%'
         AND (CHAR_LENGTH("Command") > 120)
      THEN 'EncodedNetworkUtil'
    ELSE 'Unknown'
  END AS detection_branch
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 215, 260, 369)
  AND devicetime > NOW() - 86400000
  AND (
    (LOWER("Process Name") LIKE '%certutil.exe%'
      AND (LOWER("Command") LIKE '%-encode%' OR LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-urlcache%'))
    OR
    (LOWER("Process Name") SIMILAR TO '%(python%\.exe|perl\.exe|php\.exe|ruby\.exe|node\.exe|nodejs)%'
      AND (LOWER("Command") LIKE '%base64%' OR LOWER("Command") LIKE '%binascii%' OR LOWER("Command") LIKE '%hexlify%' OR LOWER("Command") LIKE '%gzip%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%' OR LOWER("Command") LIKE '%socket%' OR LOWER("Command") LIKE '%requests.%'))
    OR
    (LOWER("Process Name") SIMILAR TO '%(powershell\.exe|pwsh\.exe)%'
      AND (LOWER("Command") LIKE '%frombase64string%' OR LOWER("Command") LIKE '%tobase64string%' OR LOWER("Command") LIKE '%[convert]%')
      AND (LOWER("Command") LIKE '%net.webclient%' OR LOWER("Command") LIKE '%invoke-webrequest%' OR LOWER("Command") LIKE '%downloadstring%'))
    OR
    (LOWER("Process Name") SIMILAR TO '%(curl\.exe|wget\.exe|\bcurl|\bwget)%'
      AND CHAR_LENGTH("Command") > 120
      AND (LOWER("Command") LIKE '%=%' OR LOWER("Command") LIKE '%//%'))
  )
ORDER BY devicetime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Windows Security Events Sysmon Endpoint Detection Logs

Required Tables

events

False Positives

Developers running Python or Node.js automation scripts that encode payloads for REST APIs, messaging platforms, or cloud services
Security scanning tools (Nessus, Qualys, Rapid7) that use certutil or scripting engines to test encoding-related vulnerabilities
Backup or monitoring agents using curl with long authentication tokens embedded as Base64 in request headers

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process
| json auto
| where EventCode = "1" OR event_type = "process"
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine
| eval cmdline = toLowerCase(CommandLine)
| eval img = toLowerCase(Image)

// Branch 1: certutil encoding/decoding
| eval certutil_encoding = if(
    img matches "*certutil.exe*"
    AND (cmdline matches "*-encode*" OR cmdline matches "*-decode*" OR cmdline matches "*-urlcache*"),
    1, 0)

// Branch 2: scripting interpreter with encoding + network primitives
| eval script_encode_net = if(
    (img matches "*python*.exe*" OR img matches "*perl.exe*" OR img matches "*php.exe*"
     OR img matches "*ruby.exe*" OR img matches "*node.exe*" OR img matches "*nodejs*")
    AND (cmdline matches "*base64*" OR cmdline matches "*b64encode*" OR cmdline matches "*b64decode*"
         OR cmdline matches "*binascii*" OR cmdline matches "*hexlify*" OR cmdline matches "*unhexlify*"
         OR cmdline matches "*zlib*" OR cmdline matches "*gzip*" OR cmdline matches "*btoa*" OR cmdline matches "*atob*")
    AND (cmdline matches "*http://*" OR cmdline matches "*https://*" OR cmdline matches "*socket*"
         OR cmdline matches "*urllib*" OR cmdline matches "*requests.*" OR cmdline matches "*connect(*"),
    1, 0)

// Branch 3: PowerShell Base64 + network class combo
| eval ps_encode_net = if(
    (img matches "*powershell.exe*" OR img matches "*pwsh.exe*")
    AND (cmdline matches "*frombase64string*" OR cmdline matches "*tobase64string*"
         OR cmdline matches "*[convert]:*" OR cmdline matches "*system.convert*")
    AND (cmdline matches "*net.webclient*" OR cmdline matches "*invoke-webrequest*"
         OR cmdline matches "*invoke-restmethod*" OR cmdline matches "*tcpclient*"
         OR cmdline matches "*udpclient*" OR cmdline matches "*uploadstring*" OR cmdline matches "*downloadstring*"),
    1, 0)

// Branch 4: curl/wget with long encoded argument strings
| eval encoded_net_util = if(
    (img matches "*curl.exe*" OR img matches "*wget.exe*" OR img matches "*/curl" OR img matches "*/wget")
    AND (length(CommandLine) > 120)
    AND (cmdline matches "*=*"),
    1, 0)

| eval total_score = certutil_encoding + script_encode_net + ps_encode_net + encoded_net_util
| where total_score > 0
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine,
         certutil_encoding, script_encode_net, ps_encode_net, encoded_net_util, total_score
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon Endpoint Process Events

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=endpoint/process

False Positives

CI/CD pipeline agents (Jenkins, GitLab Runner) that use Python or Node.js to encode build artifacts and upload to artifact registries over HTTPS
System administrators using PowerShell with Invoke-WebRequest and Base64-encoded credentials for automation against REST APIs
Software deployment tools that invoke curl with large encoded payloads for configuration management (Ansible, Chef, Puppet)

Google Chronicle / SecOps

yaral

rule t1132_data_encoding_c2_communication {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1132 Data Encoding techniques used to obfuscate C2 traffic. Covers certutil LOLBin encoding, scripting interpreters combining encoding with network primitives, PowerShell Base64 conversion with networking classes, and curl/wget with large encoded argument blobs."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1132"
    mitre_attack_subtechnique = "T1132.001"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $proc_path

    (
      // Branch 1: certutil encoding/decoding LOLBin
      (
        re.regex($e.target.process.file.full_path, `(?i)certutil\.exe`)
        and re.regex($e.target.process.command_line, `(?i)(-encode|-decode|-urlcache|/encode|/decode|/urlcache)`)
      )
      or
      // Branch 2: scripting interpreters with encoding + network primitives
      (
        re.regex($e.target.process.file.full_path, `(?i)(python[23]?\.exe|perl\.exe|php\.exe|ruby\.exe|node\.exe|nodejs)`)
        and re.regex($e.target.process.command_line, `(?i)(base64|b64encode|b64decode|binascii|hexlify|unhexlify|zlib\.compress|gzip|btoa|atob|urllib\.parse\.quote|hex_codec)`)
        and re.regex($e.target.process.command_line, `(?i)(http://|https://|ftp://|socket|urllib|requests\.|connect\()`)
      )
      or
      // Branch 3: PowerShell Base64 conversion with network class usage
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)`)
        and re.regex($e.target.process.command_line, `(?i)(FromBase64String|ToBase64String|\[Convert\]::|System\.Convert)`)
        and re.regex($e.target.process.command_line, `(?i)(Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod|TcpClient|UdpClient|UploadString|DownloadString)`)
      )
      or
      // Branch 4: curl/wget with long Base64 or hex-encoded argument
      (
        re.regex($e.target.process.file.full_path, `(?i)(curl\.exe|wget\.exe|/curl$|/wget$)`)
        and (
          re.regex($e.target.process.command_line, `[A-Za-z0-9+/]{60,}={0,2}`)
          or re.regex($e.target.process.command_line, `[0-9a-fA-F]{80,}`)
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Endpoint Process Events Windows Sysmon via Chronicle Forwarder

Required Tables

process_launch UDM events

False Positives

DevOps automation pipelines that use Python scripts to Base64-encode configuration payloads before posting to REST APIs or configuration management services
Enterprise backup software that invokes certutil for certificate validation operations during scheduled backup jobs
Container orchestration health checks or init scripts using curl with long authorization tokens or JSON-encoded payloads

CrowdStrike LogScale (CQL)

cql

// T1132 Data Encoding — C2 Traffic Obfuscation Detection
// Covers certutil LOLBin, scripting encode+network, PowerShell Base64+net, curl/wget encoded args

#event_simpleName=ProcessRollup2

| eval cmdline = lower(CommandLine)
| eval img = lower(FileName)

// Branch 1: certutil used for encoding or decoding
| eval certutil_encoding = if(
    img = "certutil.exe"
    AND (cmdline = "*-encode*" OR cmdline = "*-decode*" OR cmdline = "*-urlcache*"),
    1, 0)

// Branch 2: scripting interpreter combining encoding + network
| eval script_encode_net = if(
    (img = "*python*.exe" OR img = "perl.exe" OR img = "php.exe"
     OR img = "ruby.exe" OR img = "node.exe" OR img = "nodejs")
    AND (cmdline = "*base64*" OR cmdline = "*b64encode*" OR cmdline = "*b64decode*"
         OR cmdline = "*binascii*" OR cmdline = "*hexlify*" OR cmdline = "*unhexlify*"
         OR cmdline = "*gzip*" OR cmdline = "*zlib*" OR cmdline = "*btoa*" OR cmdline = "*atob*")
    AND (cmdline = "*http://*" OR cmdline = "*https://*" OR cmdline = "*socket*"
         OR cmdline = "*urllib*" OR cmdline = "*requests.*" OR cmdline = "*connect(*"),
    1, 0)

// Branch 3: PowerShell Base64 conversion with network class invocation
| eval ps_encode_net = if(
    (img = "powershell.exe" OR img = "pwsh.exe")
    AND (cmdline = "*frombase64string*" OR cmdline = "*tobase64string*"
         OR cmdline = "*[convert]:*" OR cmdline = "*system.convert*")
    AND (cmdline = "*net.webclient*" OR cmdline = "*invoke-webrequest*"
         OR cmdline = "*invoke-restmethod*" OR cmdline = "*tcpclient*"
         OR cmdline = "*udpclient*" OR cmdline = "*downloadstring*" OR cmdline = "*uploadstring*"),
    1, 0)

// Branch 4: curl or wget carrying long encoded argument strings
| eval encoded_net_util = if(
    (img = "curl.exe" OR img = "wget.exe" OR img = "curl" OR img = "wget")
    AND len(CommandLine) > 120,
    1, 0)

| eval total_score = certutil_encoding + script_encode_net + ps_encode_net + encoded_net_util
| where total_score > 0
| table timestamp, ComputerName, UserName, FileName, CommandLine,
        ParentBaseFileName, ParentCommandLine,
        certutil_encoding, script_encode_net, ps_encode_net, encoded_net_util, total_score
| sort timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Falcon ProcessRollup2 Events

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Legitimate software deployment pipelines using PowerShell with Invoke-WebRequest and Base64-encoded configuration strings for automated provisioning tasks
Security researchers or red team operators on authorized engagements running encoding tests or proof-of-concept scripts in isolated environments
Package managers and language runtime installers (pip, npm, gem) that use curl or wget with long URLs containing encoded checksums or authentication tokens

Last updated: 2026-04-19 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1132 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data Encoding

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Command and Control

Popular Detections