T1132.001

Standard Encoding

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip. Malware families including SideTwist, Fysbis, Latrodectus, SeaDuke, Chaes, and Flagpro have all used Base64-encoded C2 traffic, making this one of the most prevalent C2 obfuscation techniques observed in the wild.

Microsoft Sentinel / Defender

kusto

// T1132.001 — Standard Encoding C2 Detection
// Detects processes invoking encoding utilities or embedding large Base64 blobs in command lines,
// and network activity where HTTP request/response bodies contain high-entropy encoded content.
let EncodingPatterns = dynamic([
  "[Convert]::FromBase64String",
  "[Convert]::ToBase64String",
  "[System.Convert]::FromBase64String",
  "[System.Convert]::ToBase64String",
  "FromBase64String",
  "ToBase64String",
  "base64 -d",
  "base64 --decode",
  "-encodedcommand",
  "certutil -decode",
  "certutil -encode",
  "certutil /decode",
  "certutil /encode"
]);
let SuspiciousParents = dynamic(["wscript.exe","cscript.exe","mshta.exe","regsvr32.exe","rundll32.exe","svchost.exe","explorer.exe","winword.exe","excel.exe","powerpnt.exe","outlook.exe"]);
// Branch 1: Process command lines with explicit encoding/decoding calls
let EncodingProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (EncodingPatterns)
| extend Branch = "ExplicitEncoding"
| extend RiskScore = case(
    ProcessCommandLine has_any ("certutil -decode", "certutil /decode", "certutil -encode", "certutil /encode"), 85,
    InitiatingProcessFileName has_any (SuspiciousParents), 80,
    ProcessCommandLine has "FromBase64String" and ProcessCommandLine has "Invoke-Expression", 90,
    ProcessCommandLine has "FromBase64String" and ProcessCommandLine has "IEX", 90,
    70
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         Branch, RiskScore;
// Branch 2: PowerShell decoding combined with network or exec
let PowerShellDecode = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "FromBase64String" or ProcessCommandLine has "-EncodedCommand" or ProcessCommandLine has "-enc "
| extend Branch = "PowerShellDecode"
| extend RiskScore = case(
    ProcessCommandLine has "IEX" or ProcessCommandLine has "Invoke-Expression", 95,
    ProcessCommandLine has "DownloadString" or ProcessCommandLine has "WebClient", 90,
    75
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         Branch, RiskScore;
// Branch 3: certutil used as a decoder (frequent LOLBin abuse)
let CertutilDecode = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-decode", "/decode", "-encode", "/encode", "-urlcache", "/urlcache")
| extend Branch = "CertutilEncoding"
| extend RiskScore = case(
    ProcessCommandLine has "-urlcache", 85,
    InitiatingProcessFileName has_any (SuspiciousParents), 90,
    80
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         Branch, RiskScore;
EncodingProcesses
| union PowerShellDecode
| union CertutilDecode
| sort by RiskScore desc, Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate PowerShell scripts that decode Base64-encoded configuration data or credentials from secure vaults
certutil used by IT teams for certificate management and legitimate file encoding/decoding tasks
Software installers and package managers that use Base64-encoded embedded payloads during installation
Log management and SIEM agents that Base64-encode collected data before transmission to central servers
Web application developers testing encoding/decoding functions locally

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval Image=coalesce(Image, NewProcessName)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval cmdline_lower=lower(CommandLine)
| eval img_lower=lower(Image)
`comment("Branch flags for encoding patterns")`
| eval ExplicitBase64=if(match(cmdline_lower, "(frombase64string|tobase64string|base64\s+-d|base64\s+--decode)"), 1, 0)
| eval CertutilEncoding=if(match(img_lower, "certutil\.exe") AND match(cmdline_lower, "(-decode|/decode|-encode|/encode|-urlcache|/urlcache)"), 1, 0)
| eval PowerShellEncoded=if(match(img_lower, "(powershell\.exe|pwsh\.exe)") AND match(cmdline_lower, "(-encodedcommand|-enc\s|-e\s|-ec\s|frombase64string)"), 1, 0)
| eval ChainedWithExec=if(match(cmdline_lower, "(invoke-expression|iex\(|iex\s)"), 1, 0)
| eval ChainedWithDownload=if(match(cmdline_lower, "(downloadstring|downloadfile|net\.webclient|invoke-webrequest|iwr\s)"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "(wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe)"), 1, 0)
| eval RiskScore=case(
    ExplicitBase64=1 AND ChainedWithExec=1, 95,
    ExplicitBase64=1 AND ChainedWithDownload=1, 90,
    CertutilEncoding=1 AND SuspiciousParent=1, 90,
    CertutilEncoding=1, 80,
    PowerShellEncoded=1 AND (ChainedWithExec=1 OR ChainedWithDownload=1), 90,
    PowerShellEncoded=1, 75,
    ExplicitBase64=1 AND SuspiciousParent=1, 80,
    ExplicitBase64=1, 70,
    1==1, 0
  )
| where RiskScore > 0
| eval Branch=case(
    CertutilEncoding=1, "CertutilEncoding",
    PowerShellEncoded=1, "PowerShellDecode",
    ExplicitBase64=1, "ExplicitBase64",
    1==1, "Other"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Branch, ExplicitBase64, CertutilEncoding, PowerShellEncoded, ChainedWithExec, ChainedWithDownload, SuspiciousParent, RiskScore
| sort - RiskScore _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate PowerShell automation scripts decoding Base64-encoded secrets or configuration blobs
certutil used by IT for certificate operations and legitimate file transcoding
Software installers embedding Base64-encoded payloads during setup routines
Monitoring agents encoding collected telemetry data before forwarding
Build pipelines that encode/decode artifacts as part of CI/CD processing

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  username AS "Username",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  QIDNAME(qid) AS "Event Name",
  "Process Name" AS "Process",
  "Command Line" AS "Command Line",
  "Parent Process Name" AS "Parent Process"
FROM events
WHERE
  CATEGORYNAME(category) IN ('Process Creation', 'Audit Process Creation', 'OS Changes')
  AND (
    LOWER("Command Line") ILIKE '%frombase64string%'
    OR LOWER("Command Line") ILIKE '%tobase64string%'
    OR LOWER("Command Line") ILIKE '%base64 -d%'
    OR LOWER("Command Line") ILIKE '%base64 --decode%'
    OR LOWER("Command Line") ILIKE '%-encodedcommand%'
    OR (
      LOWER("Process Name") ILIKE '%certutil%'
      AND (
        LOWER("Command Line") ILIKE '%-decode%'
        OR LOWER("Command Line") ILIKE '%/decode%'
        OR LOWER("Command Line") ILIKE '%-urlcache%'
        OR LOWER("Command Line") ILIKE '%/urlcache%'
        OR LOWER("Command Line") ILIKE '%-encode%'
        OR LOWER("Command Line") ILIKE '%/encode%'
      )
    )
    OR (
      LOWER("Process Name") ILIKE '%powershell%'
      AND (
        LOWER("Command Line") ILIKE '%-enc %'
        OR LOWER("Command Line") ILIKE '%-ec %'
      )
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log DSM (EventID 4688) Microsoft Sysmon DSM (EventID 1 - ProcessCreate) Windows Universal DSM

Required Tables

events

False Positives

PKI administrators running certutil.exe for certificate encoding, trust store updates, or BITS job creation as part of normal Windows PKI infrastructure operations
Enterprise endpoint management solutions (MECM/SCCM, BigFix, Tanium) delivering PowerShell management scripts using -enc to ensure safe cross-platform delivery of complex configuration payloads
Developer workstations running build tools or test runners that use Base64-encoded embedded resources or configuration values in MSBuild task invocations or CI agent scripts

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=endpoint*)
| where EventCode = "1" OR EventCode = "4688" OR EventID = "1"
| toLowerCase(CommandLine) as cmdline
| toLowerCase(Image) as img
| toLowerCase(ParentImage) as parent_img
| where cmdline matches /frombase64string|tobase64string|base64\s+-d\b|base64\s+--decode|-encodedcommand/
  OR (img matches /certutil\.exe/ AND cmdline matches /-decode|\/decode|-encode|\/encode|-urlcache|\/urlcache/)
  OR cmdline matches /\[convert\]::(from|to)base64string/
| if(img matches /certutil\.exe/ AND cmdline matches /-decode|\/decode|-encode|\/encode|-urlcache/, "CertutilEncoding",
    if(img matches /powershell\.exe|pwsh\.exe/ AND cmdline matches /-encodedcommand|-enc\s|frombase64string/, "PowerShellDecode",
      "ExplicitBase64")) as Branch
| if(cmdline matches /invoke-expression|iex\(|\biex\s/, 1, 0) as ChainedWithExec
| if(cmdline matches /downloadstring|net\.webclient|invoke-webrequest|iwr\s/, 1, 0) as ChainedWithDownload
| if(parent_img matches /wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|winword\.exe|excel\.exe|outlook\.exe/, 1, 0) as SuspiciousParent
| if(Branch = "ExplicitBase64" AND ChainedWithExec = 1, 95,
    if(Branch = "PowerShellDecode" AND (ChainedWithExec = 1 OR ChainedWithDownload = 1), 90,
    if(Branch = "CertutilEncoding" AND SuspiciousParent = 1, 90,
    if(Branch = "CertutilEncoding", 80,
    if(Branch = "PowerShellDecode", 75, 70))))) as RiskScore
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, Branch, ChainedWithExec, ChainedWithDownload, SuspiciousParent, RiskScore
| sort by RiskScore, _messageTime

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Sysmon source Windows Security Event Log via Installed Collector Sumo Logic Cloud SIEM Enterprise

Required Tables

windows/sysmon source category windows/security source category endpoint* source category

False Positives

Patch management and software distribution agents (WSUS, MECM) invoking certutil for BITS download staging or certificate operations as part of automated patch deployment cycles
Remote monitoring and management (RMM) tools such as ConnectWise Automate, Kaseya, or NinjaRMM delivering encoded PowerShell agent update or configuration scripts to managed Windows endpoints
Security testing and breach-and-attack simulation (BAS) platforms generating encoded command patterns during authorized purple team exercises or scheduled detection validation runs

Google Chronicle / SecOps

yaral

rule t1132_001_standard_encoding_c2 {
  meta:
    author = "df00tech"
    description = "Detects T1132.001 Standard Encoding C2: Base64 encoding/decoding in process command lines via certutil LOLBin, PowerShell -EncodedCommand, and .NET Base64 conversion calls."
    severity = "HIGH"
    technique_id = "T1132.001"
    tactic = "Command and Control"
    platform = "Windows"
    reference = "https://attack.mitre.org/techniques/T1132/001/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)certutil\.exe`) and
        re.regex($e.target.process.command_line, `(?i)(-decode|/decode|-encode|/encode|-urlcache|/urlcache)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe`) and
        re.regex($e.target.process.command_line, `(?i)(-encodedcommand|-enc\s+|-ec\s+|frombase64string)`)
      ) or
      re.regex($e.target.process.command_line, `(?i)(frombase64string|tobase64string|base64\s+-d\b|base64\s+--decode|\[convert\]::(from|to)base64string)`)
    )
    $e.principal.hostname = $hostname

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM with Windows Event Log ingestion Chronicle Sysmon UDM parser (EventID 1) Chronicle Windows Security UDM parser (EventID 4688)

Required Tables

UDM PROCESS_LAUNCH events from Windows and Sysmon log sources

False Positives

Software deployment automation (SCCM task sequences, Intune PowerShell scripts) using -EncodedCommand to safely transmit multi-line PowerShell over WMI or scheduled task XML without shell escaping issues
PKI lifecycle management scripts calling certutil with -decode or -encode for certificate format conversion (DER to PEM, CER to P7B) during enterprise CA operations
Backup and recovery agents using .NET Base64 conversion (FromBase64String/ToBase64String) for encryption key serialization or configuration blob handling in PowerShell management modules

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| CommandLine != null
| eval(cmd = lower(CommandLine))
| eval(img = lower(ImageFileName))
| eval(parent = lower(ParentBaseFileName))
| eval(ExplicitBase64 = if(cmd =~ /frombase64string|tobase64string|base64\s+-d\b|base64\s+--decode/, 1, 0))
| eval(CertutilEncoding = if(img =~ /certutil\.exe/ AND cmd =~ /-decode|\/decode|-encode|\/encode|-urlcache|\/urlcache/, 1, 0))
| eval(PowerShellEncoded = if(img =~ /(powershell|pwsh)\.exe/ AND cmd =~ /-encodedcommand|-enc\s+|-ec\s+|frombase64string/, 1, 0))
| where ExplicitBase64 = 1 OR CertutilEncoding = 1 OR PowerShellEncoded = 1
| eval(ChainedWithExec = if(cmd =~ /invoke-expression|iex\(|\biex\s/, 1, 0))
| eval(ChainedWithDownload = if(cmd =~ /downloadstring|net\.webclient|invoke-webrequest|\biwr\s/, 1, 0))
| eval(SuspiciousParent = if(parent =~ /wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|winword\.exe|excel\.exe|outlook\.exe/, 1, 0))
| eval(RiskScore = if(ExplicitBase64 = 1 AND ChainedWithExec = 1, 95,
    if(PowerShellEncoded = 1 AND ChainedWithExec = 1, 95,
    if(CertutilEncoding = 1 AND SuspiciousParent = 1, 90,
    if(CertutilEncoding = 1, 80,
    if(PowerShellEncoded = 1, 75,
    if(ExplicitBase64 = 1 AND SuspiciousParent = 1, 80, 70)))))))
| eval(Branch = if(CertutilEncoding = 1, "CertutilEncoding",
    if(PowerShellEncoded = 1, "PowerShellDecode", "ExplicitBase64")))
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, Branch, ExplicitBase64, CertutilEncoding, PowerShellEncoded, ChainedWithExec, ChainedWithDownload, SuspiciousParent, RiskScore])
| sort(field = RiskScore, order = desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection sensor telemetry Falcon Insight XDR process event stream CrowdStrike LogScale SIEM

Required Tables

ProcessRollup2 Falcon event type

False Positives

CrowdStrike Falcon Real Time Response (RTR) sessions executing encoded PowerShell commands as part of automated remediation runbooks or analyst-triggered investigation and containment workflows
Enterprise software packaging tools (Advanced Installer, InstallShield, WiX Toolset) invoking certutil during silent install routines for certificate trust store modification or BITS-based content download staging
Remote IT management platforms (Kaseya VSA, ConnectWise Automate, NinjaRMM) delivering encoded PowerShell agent update or configuration scripts as part of scheduled maintenance windows

Last updated: 2026-04-18 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1132.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Standard Encoding

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections