T1132.001 Microsoft Sentinel · KQL

Detect Standard Encoding in Microsoft Sentinel

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip. Malware families including SideTwist, Fysbis, Latrodectus, SeaDuke, Chaes, and Flagpro have all used Base64-encoded C2 traffic, making this one of the most prevalent C2 obfuscation techniques observed in the wild.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1132 Data Encoding
Sub-technique
T1132.001 Standard Encoding
Canonical reference
https://attack.mitre.org/techniques/T1132/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1132.001 — Standard Encoding C2 Detection
// Detects processes invoking encoding utilities or embedding large Base64 blobs in command lines,
// and network activity where HTTP request/response bodies contain high-entropy encoded content.
let EncodingPatterns = dynamic([
  "[Convert]::FromBase64String",
  "[Convert]::ToBase64String",
  "[System.Convert]::FromBase64String",
  "[System.Convert]::ToBase64String",
  "FromBase64String",
  "ToBase64String",
  "base64 -d",
  "base64 --decode",
  "-encodedcommand",
  "certutil -decode",
  "certutil -encode",
  "certutil /decode",
  "certutil /encode"
]);
let SuspiciousParents = dynamic(["wscript.exe","cscript.exe","mshta.exe","regsvr32.exe","rundll32.exe","svchost.exe","explorer.exe","winword.exe","excel.exe","powerpnt.exe","outlook.exe"]);
// Branch 1: Process command lines with explicit encoding/decoding calls
let EncodingProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (EncodingPatterns)
| extend Branch = "ExplicitEncoding"
| extend RiskScore = case(
    ProcessCommandLine has_any ("certutil -decode", "certutil /decode", "certutil -encode", "certutil /encode"), 85,
    InitiatingProcessFileName has_any (SuspiciousParents), 80,
    ProcessCommandLine has "FromBase64String" and ProcessCommandLine has "Invoke-Expression", 90,
    ProcessCommandLine has "FromBase64String" and ProcessCommandLine has "IEX", 90,
    70
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         Branch, RiskScore;
// Branch 2: PowerShell decoding combined with network or exec
let PowerShellDecode = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "FromBase64String" or ProcessCommandLine has "-EncodedCommand" or ProcessCommandLine has "-enc "
| extend Branch = "PowerShellDecode"
| extend RiskScore = case(
    ProcessCommandLine has "IEX" or ProcessCommandLine has "Invoke-Expression", 95,
    ProcessCommandLine has "DownloadString" or ProcessCommandLine has "WebClient", 90,
    75
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         Branch, RiskScore;
// Branch 3: certutil used as a decoder (frequent LOLBin abuse)
let CertutilDecode = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-decode", "/decode", "-encode", "/encode", "-urlcache", "/urlcache")
| extend Branch = "CertutilEncoding"
| extend RiskScore = case(
    ProcessCommandLine has "-urlcache", 85,
    InitiatingProcessFileName has_any (SuspiciousParents), 90,
    80
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         Branch, RiskScore;
EncodingProcesses
| union PowerShellDecode
| union CertutilDecode
| sort by RiskScore desc, Timestamp desc
high severity medium confidence

Detects standard encoding activity (Base64, certutil encode/decode) that is characteristic of C2 traffic obfuscation or payload staging. Three detection branches: (1) any process invoking explicit Base64 encode/decode APIs, (2) PowerShell using FromBase64String or EncodedCommand especially combined with IEX/download cradles, and (3) certutil.exe acting as a Base64 decoder or URL cache downloader. RiskScore escalates when encoding is chained with execution or download patterns.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate PowerShell scripts that decode Base64-encoded configuration data or credentials from secure vaults
  • certutil used by IT teams for certificate management and legitimate file encoding/decoding tasks
  • Software installers and package managers that use Base64-encoded embedded payloads during installation
  • Log management and SIEM agents that Base64-encode collected data before transmission to central servers
  • Web application developers testing encoding/decoding functions locally
Download portable Sigma rule (.yml)

Other platforms for T1132.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Base64 Encode and Decode Round-Trip

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'ToBase64String', 'FromBase64String', and 'IEX'. PowerShell ScriptBlock Log Event ID 4104 will capture the decoded content 'hostname; whoami'. Security Event ID 4688 (if command line auditing enabled) with full command line.

  2. Test 2certutil Base64 Decode to File

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-decode' and file paths. Sysmon Event ID 11: File Create events for both %TEMP%\encoded.b64 and %TEMP%\decoded.txt. Security Event ID 4688 with certutil command line (if auditing enabled).

  3. Test 3Base64 Encoded C2 Beacon Simulation via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'ToBase64String', 'Net.WebClient', and 'UploadString'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8888 (will fail — no listener). PowerShell ScriptBlock Log Event ID 4104 capturing the full encoding + upload script.

  4. Test 4Linux Base64 C2 Exfil Simulation via curl

    Expected signal: Linux auditd or Sysmon for Linux: process creation events for 'base64' and 'curl' with command line arguments. Syslog: process execution entries. Network: outbound connection attempt to 127.0.0.1:9999 from curl.

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1132.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1132Data Encoding

Related Sub-techniques

T1132.002Non-Standard Encoding

Related Techniques

T1132Data EncodingT1132.002Non-Standard EncodingT1027Obfuscated Files or InformationT1027.001Binary PaddingT1048Exfiltration Over Alternative ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 ProtocolT1071Application Layer ProtocolT1071.001Web ProtocolsT1573.001Symmetric CryptographyT1059.001PowerShellT1140Deobfuscate/Decode Files or Information

Same Tactic: Command and Control

Popular Detections