T1132.001 CrowdStrike LogScale · LogScale

Detect Standard Encoding in CrowdStrike LogScale

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip. Malware families including SideTwist, Fysbis, Latrodectus, SeaDuke, Chaes, and Flagpro have all used Base64-encoded C2 traffic, making this one of the most prevalent C2 obfuscation techniques observed in the wild.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1132 Data Encoding
Sub-technique
T1132.001 Standard Encoding
Canonical reference
https://attack.mitre.org/techniques/T1132/001/

LogScale Detection Query

Query language: CrowdStrike Query Language (CQL), run in CrowdStrike LogScale
#event_simpleName = ProcessRollup2
| CommandLine != null
| eval(cmd = lower(CommandLine))
| eval(img = lower(ImageFileName))
| eval(parent = lower(ParentBaseFileName))
| eval(ExplicitBase64 = if(cmd =~ /frombase64string|tobase64string|base64\s+-d\b|base64\s+--decode/, 1, 0))
| eval(CertutilEncoding = if(img =~ /certutil\.exe/ AND cmd =~ /-decode|\/decode|-encode|\/encode|-urlcache|\/urlcache/, 1, 0))
| eval(PowerShellEncoded = if(img =~ /(powershell|pwsh)\.exe/ AND cmd =~ /-encodedcommand|-enc\s+|-ec\s+|frombase64string/, 1, 0))
| where ExplicitBase64 = 1 OR CertutilEncoding = 1 OR PowerShellEncoded = 1
| eval(ChainedWithExec = if(cmd =~ /invoke-expression|iex\(|\biex\s/, 1, 0))
| eval(ChainedWithDownload = if(cmd =~ /downloadstring|net\.webclient|invoke-webrequest|\biwr\s/, 1, 0))
| eval(SuspiciousParent = if(parent =~ /wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|winword\.exe|excel\.exe|outlook\.exe/, 1, 0))
| eval(RiskScore = if(ExplicitBase64 = 1 AND ChainedWithExec = 1, 95,
    if(PowerShellEncoded = 1 AND ChainedWithExec = 1, 95,
    if(CertutilEncoding = 1 AND SuspiciousParent = 1, 90,
    if(CertutilEncoding = 1, 80,
    if(PowerShellEncoded = 1, 75,
    if(ExplicitBase64 = 1 AND SuspiciousParent = 1, 80, 70)))))))
| eval(Branch = if(CertutilEncoding = 1, "CertutilEncoding",
    if(PowerShellEncoded = 1, "PowerShellDecode", "ExplicitBase64")))
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, Branch, ExplicitBase64, CertutilEncoding, PowerShellEncoded, ChainedWithExec, ChainedWithDownload, SuspiciousParent, RiskScore])
| sort(field = RiskScore, order = desc)
Severity: high. Confidence: high.

CrowdStrike LogScale detection for T1132.001 Standard Encoding C2 using ProcessRollup2 telemetry from the Falcon sensor. It mirrors the three-branch KQL/SPL detection logic: CertutilEncoding (certutil -decode/-encode/-urlcache LOLBin abuse), PowerShellDecode (PowerShell -EncodedCommand/-enc/-ec), and ExplicitBase64 (.NET FromBase64String/ToBase64String calls). Risk scoring (70-95) escalates for IEX/Invoke-Expression chains and for suspicious parent process origins matching known Office/script interpreter parents; download behaviors (WebClient/Invoke-WebRequest) are flagged in the ChainedWithDownload column for triage but do not change the score in the query as written.
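As an added example (not part of this page and not CrowdStrike's code), the same three-branch logic and risk tree in Python, with the query's regexes copied verbatim and run over constructed ProcessRollup2-style events; ProcessEvent, score_event, run and SAMPLE_EVENTS are hypothetical names. It lets you unit-test the precedence of the nested if() before changing the scoring in the query.

```python
import re
from collections import namedtuple
# Constructed stand-in for the three ProcessRollup2 fields the query reads (hypothetical, not Falcon's schema).
ProcessEvent = namedtuple("ProcessEvent", "ImageFileName CommandLine ParentBaseFileName")
# Regexes copied from the LogScale query; fields are lower-cased first, exactly as the query does.
EXPLICIT_B64 = re.compile(r"frombase64string|tobase64string|base64\s+-d\b|base64\s+--decode")
CERTUTIL_IMG = re.compile(r"certutil\.exe")
CERTUTIL_ARGS = re.compile(r"-decode|/decode|-encode|/encode|-urlcache|/urlcache")
PS_IMG = re.compile(r"(powershell|pwsh)\.exe")
PS_ARGS = re.compile(r"-encodedcommand|-enc\s+|-ec\s+|frombase64string")
CHAIN_EXEC = re.compile(r"invoke-expression|iex\(|\biex\s")
CHAIN_DOWNLOAD = re.compile(r"downloadstring|net\.webclient|invoke-webrequest|\biwr\s")
SUSP_PARENT = re.compile(r"wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|"
                         r"winword\.exe|excel\.exe|outlook\.exe")

def score_event(ev):
    """Return None when no branch fires (the query's where clause), else the query's output columns."""
    cmd, img, parent = ev.CommandLine.lower(), ev.ImageFileName.lower(), ev.ParentBaseFileName.lower()
    b64 = bool(EXPLICIT_B64.search(cmd))
    cert = bool(CERTUTIL_IMG.search(img) and CERTUTIL_ARGS.search(cmd))
    ps = bool(PS_IMG.search(img) and PS_ARGS.search(cmd))
    if not (b64 or cert or ps):
        return None
    chained_exec, susp = bool(CHAIN_EXEC.search(cmd)), bool(SUSP_PARENT.search(parent))
    # Same precedence as the query's nested if(): the first true rule wins, later rules never apply.
    if (b64 or ps) and chained_exec:
        risk = 95
    elif cert:
        risk = 90 if susp else 80
    elif ps:
        risk = 75  # a suspicious parent does not raise a plain -enc/-ec hit in the query as written
    else:
        risk = 80 if susp else 70
    branch = "CertutilEncoding" if cert else "PowerShellDecode" if ps else "ExplicitBase64"
    return {"Branch": branch, "ExplicitBase64": int(b64), "CertutilEncoding": int(cert),
            "PowerShellEncoded": int(ps), "ChainedWithExec": int(chained_exec), "SuspiciousParent": int(susp),
            "ChainedWithDownload": int(bool(CHAIN_DOWNLOAD.search(cmd))), "RiskScore": risk}

def run(events):  # score a batch and order it by RiskScore desc, like the query's sort()
    hits = [(ev, r) for ev in events if (r := score_event(ev)) is not None]
    return sorted(hits, key=lambda h: h[1]["RiskScore"], reverse=True)

# Constructed sample events, not real telemetry.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PS_PATH, "powershell.exe -NoP -enc SQBFAFgA", "WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "certutil.exe -decode encoded.b64 decoded.txt", "cmd.exe"),
    ProcessEvent(PS_PATH, "powershell.exe -c \"IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGk=')))\"", "explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i app.msi /qn", "services.exe"),
]
```

Running it shows two things worth knowing before tuning: an Office parent lifts the certutil and ExplicitBase64 branches but leaves a plain -enc hit at 75, and ChainedWithDownload is surfaced only as a column, both because of how the nested if() is ordered.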

Data Sources

  • CrowdStrike Falcon Endpoint Protection sensor telemetry
  • Falcon Insight XDR process event stream
  • CrowdStrike LogScale SIEM

Required Tables

ProcessRollup2 Falcon event type

False Positives & Tuning

  • CrowdStrike Falcon Real Time Response (RTR) sessions executing encoded PowerShell commands as part of automated remediation runbooks or analyst-triggered investigation and containment workflows
  • Enterprise software packaging tools (Advanced Installer, InstallShield, WiX Toolset) invoking certutil during silent install routines for certificate trust store modification or BITS-based content download staging
  • Remote IT management platforms (Kaseya VSA, ConnectWise Automate, NinjaRMM) delivering encoded PowerShell agent update or configuration scripts as part of scheduled maintenance windows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell Base64 Encode and Decode Round-Trip

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'ToBase64String', 'FromBase64String', and 'IEX'. PowerShell ScriptBlock Log Event ID 4104 will capture the decoded content 'hostname; whoami'. Security Event ID 4688 (if command line auditing enabled) with full command line.

  2. Test 2: certutil Base64 Decode to File

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-decode' and file paths. Sysmon Event ID 11: File Create events for both %TEMP%\encoded.b64 and %TEMP%\decoded.txt. Security Event ID 4688 with certutil command line (if auditing enabled).

  3. Test 3: Base64 Encoded C2 Beacon Simulation via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'ToBase64String', 'Net.WebClient', and 'UploadString'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8888 (will fail — no listener). PowerShell ScriptBlock Log Event ID 4104 capturing the full encoding + upload script.

  4. Test 4: Linux Base64 C2 Exfil Simulation via curl

    Expected signal: Linux auditd or Sysmon for Linux: process creation events for 'base64' and 'curl' with command line arguments. Syslog: process execution entries. Network: outbound connection attempt to 127.0.0.1:9999 from curl.
