Which SIEM platforms have a T1132.001 detection rule?

df00tech provides T1132.001 (Standard Encoding) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Standard Encoding (T1132.001)?

Detecting Standard Encoding requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1132.001 detection?

The T1132.001 detection is rated high severity with medium confidence.

What are common false positives for T1132.001?

Common false positives for T1132.001 include: Legitimate PowerShell scripts that decode Base64-encoded configuration data or credentials from secure vaults; certutil used by IT teams for certificate management and legitimate file encoding/decoding tasks; Software installers and package managers that use Base64-encoded embedded payloads during installation.

T1132.001 IBM QRadar · QRadar

Detect Standard Encoding in IBM QRadar

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip. Malware families including SideTwist, Fysbis, Latrodectus, SeaDuke, Chaes, and Flagpro have all used Base64-encoded C2 traffic, making this one of the most prevalent C2 obfuscation techniques observed in the wild.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1132 Data Encoding
Sub-technique: T1132.001 Standard Encoding
Canonical reference: https://attack.mitre.org/techniques/T1132/001/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  username AS "Username",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  QIDNAME(qid) AS "Event Name",
  "Process Name" AS "Process",
  "Command Line" AS "Command Line",
  "Parent Process Name" AS "Parent Process"
FROM events
WHERE
  CATEGORYNAME(category) IN ('Process Creation', 'Audit Process Creation', 'OS Changes')
  AND (
    LOWER("Command Line") ILIKE '%frombase64string%'
    OR LOWER("Command Line") ILIKE '%tobase64string%'
    OR LOWER("Command Line") ILIKE '%base64 -d%'
    OR LOWER("Command Line") ILIKE '%base64 --decode%'
    OR LOWER("Command Line") ILIKE '%-encodedcommand%'
    OR (
      LOWER("Process Name") ILIKE '%certutil%'
      AND (
        LOWER("Command Line") ILIKE '%-decode%'
        OR LOWER("Command Line") ILIKE '%/decode%'
        OR LOWER("Command Line") ILIKE '%-urlcache%'
        OR LOWER("Command Line") ILIKE '%/urlcache%'
        OR LOWER("Command Line") ILIKE '%-encode%'
        OR LOWER("Command Line") ILIKE '%/encode%'
      )
    )
    OR (
      LOWER("Process Name") ILIKE '%powershell%'
      AND (
        LOWER("Command Line") ILIKE '%-enc %'
        OR LOWER("Command Line") ILIKE '%-ec %'
      )
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

IBM QRadar AQL detection for T1132.001 Standard Encoding C2 querying process creation events across Windows Security (EventID 4688) and Sysmon (Event 1) DSMs. Matches certutil LOLBin encoding abuse, PowerShell -enc/-ec short-form encoded commands, and explicit Base64 conversion calls. Requires 'Process Name' and 'Command Line' custom properties to be configured and extracted by the Windows Security or Sysmon DSM extension in your QRadar deployment.

Data Sources

Microsoft Windows Security Event Log DSM (EventID 4688)Microsoft Sysmon DSM (EventID 1 - ProcessCreate)Windows Universal DSM

Required Tables

events

False Positives & Tuning

PKI administrators running certutil.exe for certificate encoding, trust store updates, or BITS job creation as part of normal Windows PKI infrastructure operations
Enterprise endpoint management solutions (MECM/SCCM, BigFix, Tanium) delivering PowerShell management scripts using -enc to ensure safe cross-platform delivery of complex configuration payloads
Developer workstations running build tools or test runners that use Base64-encoded embedded resources or configuration values in MSBuild task invocations or CI agent scripts

Download portable Sigma rule (.yml)

Other platforms for T1132.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1PowerShell Base64 Encode and Decode Round-Trip
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'ToBase64String', 'FromBase64String', and 'IEX'. PowerShell ScriptBlock Log Event ID 4104 will capture the decoded content 'hostname; whoami'. Security Event ID 4688 (if command line auditing enabled) with full command line.
Test 2certutil Base64 Decode to File
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-decode' and file paths. Sysmon Event ID 11: File Create events for both %TEMP%\encoded.b64 and %TEMP%\decoded.txt. Security Event ID 4688 with certutil command line (if auditing enabled).
Test 3Base64 Encoded C2 Beacon Simulation via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'ToBase64String', 'Net.WebClient', and 'UploadString'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8888 (will fail — no listener). PowerShell ScriptBlock Log Event ID 4104 capturing the full encoding + upload script.
Test 4Linux Base64 C2 Exfil Simulation via curl
Expected signal: Linux auditd or Sysmon for Linux: process creation events for 'base64' and 'curl' with command line arguments. Syslog: process execution entries. Network: outbound connection attempt to 127.0.0.1:9999 from curl.

Last updated: 2026-04-18 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1132.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Standard Encoding in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1132.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1132.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox