T1132.002

Non-Standard Encoding

Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Non-standard encoding schemes diverge from existing protocol specifications — for example, modified Base64 using a custom alphabet, XOR encoding with a static or rolling key, character substitution (replacing '/' with '-s', '+' with '-p'), or custom binary serialization. Real-world examples include OceanSalt (NOT operation on bytes), Small Sieve (hex byte swapping), TONESHELL (XOR with 32/256-byte key), NightClub (modified Base64 in DNS subdomains), RDAT (Base64 with character substitutions in DNS), InvisiMole (modified Base32 in DNS subdomains), and Uroburos (custom Base62/Base32). Detection focuses on anomalous DNS subdomain lengths and entropy, unusual encoded patterns in network traffic, and scripting processes generating high-entropy outbound data.

Microsoft Sentinel / Defender

kusto

// Branch 1: DNS tunneling — long or high-cardinality subdomains suggesting encoded data
let DnsTunnelingIndicators =
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "DnsConnectionInspected" or ActionType == "NetworkSignatureInspected"
| where isnotempty(RemoteUrl)
| extend SubdomainParts = split(RemoteUrl, ".")
| extend SubdomainLabel = tostring(SubdomainParts[0])
| where strlen(SubdomainLabel) > 50
| extend HasBase64Chars = SubdomainLabel matches regex @"^[A-Za-z0-9+/=-]{40,}$"
| extend HasModifiedBase64 = SubdomainLabel matches regex @"[A-Za-z0-9_\-]{40,}"
| extend HasHexPattern = SubdomainLabel matches regex @"^[0-9a-fA-F]{40,}$"
| where HasBase64Chars or HasModifiedBase64 or HasHexPattern
| extend EncodingType = case(
    HasHexPattern, "HexEncoded",
    HasBase64Chars, "Base64Like",
    HasModifiedBase64, "ModifiedBase64",
    "Unknown"
  )
| project Timestamp, DeviceName, AccountName, RemoteUrl, SubdomainLabel,
          EncodingType, InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 2: DNS queries with anomalous subdomain lengths via Sysmon-style telemetry
let DnsQueryAnomaly =
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "DnsConnectionInspected"
| where isnotempty(RemoteUrl)
| summarize QueryCount=count(), UniqueLabels=dcount(RemoteUrl), MaxLabelLen=max(strlen(RemoteUrl))
    by DeviceName, InitiatingProcessFileName, bin(Timestamp, 10m)
| where QueryCount > 20 and UniqueLabels > 15
| extend Indicator = "HighVolumeDNS_LikelyTunneling";
// Branch 3: HTTP/S connections with encoded path or query strings suggesting custom encoding
let EncodedHttpTraffic =
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("HttpConnectionInspected", "ConnectionSuccess")
| where isnotempty(RemoteUrl)
| where RemoteUrl matches regex @"/[A-Za-z0-9_\-]{60,}(\?|/|$)"
    or RemoteUrl matches regex @"[?&][a-z]{1,4}=[A-Za-z0-9+/_%\-]{60,}"
| extend UrlLength = strlen(RemoteUrl)
| extend SuspiciousPath = RemoteUrl matches regex @"/[A-Za-z0-9_\-]{60,}"
| extend SuspiciousParam = RemoteUrl matches regex @"[?&][a-z]{1,4}=[A-Za-z0-9+/_%\-]{60,}"
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort,
          UrlLength, SuspiciousPath, SuspiciousParam,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 4: Scripting engines or uncommon processes making repetitive beaconing connections
let BeaconingWithEncoding =
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("python.exe", "python3", "perl.exe", "ruby.exe",
        "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe")
| where RemoteIPType == "Public"
| summarize ConnectionCount=count(), UniqueDestinations=dcount(RemoteIP),
            Ports=make_set(RemotePort), BytesSent=sum(SentBytes)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(Timestamp, 1h)
| where ConnectionCount > 10 and UniqueDestinations < 3
| extend Indicator = "RegularBeaconing_PotentialCustomEncoding";
union DnsTunnelingIndicators, EncodedHttpTraffic
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

CDN and cloud services that use long, base64-encoded tokens in URLs (AWS S3 presigned URLs, Azure SAS tokens, CloudFront signed URLs)
Legitimate DNS-over-HTTPS or DNS security products that may generate high-volume DNS query patterns
Monitoring and telemetry agents (Datadog, Dynatrace, New Relic) that POST encoded metrics to collection endpoints using long encoded query strings
Single-page applications and web APIs that encode state or session data in URL path components (JWT tokens, serialized objects)
Certificate transparency logs and OCSP responders that use base64-encoded certificate data in URLs

Splunk

spl

| union
[
  search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | eval QueryName=lower(QueryName)
  | eval LongestLabel=mvmax(split(QueryName, "."), len)
  | eval LabelLength=len(mvindex(split(QueryName, "."), 0))
  | eval FirstLabel=mvindex(split(QueryName, "."), 0)
  | eval IsLongSubdomain=if(LabelLength > 50, 1, 0)
  | eval MatchesBase64=if(match(FirstLabel, "^[a-z0-9+/=]{40,}$"), 1, 0)
  | eval MatchesModifiedBase64=if(match(FirstLabel, "^[a-z0-9_\-]{40,}$"), 1, 0)
  | eval MatchesHex=if(match(FirstLabel, "^[0-9a-f]{40,}$"), 1, 0)
  | eval EncodingType=case(
      MatchesHex=1, "HexEncoded",
      MatchesBase64=1, "Base64Like",
      MatchesModifiedBase64=1, "ModifiedBase64URLSafe",
      1=1, "LongSubdomain"
    )
  | where IsLongSubdomain=1 OR MatchesBase64=1 OR MatchesModifiedBase64=1 OR MatchesHex=1
  | eval DetectionBranch="DNS_LongEncodedSubdomain"
  | table _time, host, User, Image, QueryName, FirstLabel, LabelLength, EncodingType, DetectionBranch
]
[
  search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | stats count as QueryCount, dc(QueryName) as UniqueQueries, values(QueryName) as Queries
      by host, Image, CommandLine, span(_time, 600)
  | where QueryCount > 20 AND UniqueQueries > 15
  | eval DetectionBranch="DNS_HighVolumeTunneling"
  | table _time, host, Image, CommandLine, QueryCount, UniqueQueries, DetectionBranch
]
[
  search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="::1")
  | eval Image=lower(Image)
  | where match(Image, "(python|perl|ruby|wscript|cscript|mshta|powershell|pwsh)\.exe")
  | bucket _time span=1h
  | stats count as ConnCount, dc(DestinationIp) as UniqueIPs,
          values(DestinationPort) as Ports, values(DestinationIp) as DestIPs
      by _time, host, Image, CommandLine
  | where ConnCount > 10 AND UniqueIPs < 3
  | eval DetectionBranch="Beaconing_ScriptingEngine"
  | table _time, host, Image, CommandLine, ConnCount, UniqueIPs, DestIPs, Ports, DetectionBranch
]
[
  search index=* sourcetype="stream:http"
  | eval uri_path=urldecode(uri_path), uri_query=urldecode(uri_query)
  | eval HasEncodedPath=if(match(uri_path, "/[A-Za-z0-9_\-]{60,}(\?|/|$)"), 1, 0)
  | eval HasEncodedParam=if(match(uri_query, "[a-z]{1,4}=[A-Za-z0-9+/%_\-]{60,}"), 1, 0)
  | eval HasCharSubstitution=if(
      match(uri_path, "-s[A-Za-z0-9_\-]+") OR match(uri_path, "-p[A-Za-z0-9_\-]+"), 1, 0
    )
  | where HasEncodedPath=1 OR HasEncodedParam=1 OR HasCharSubstitution=1
  | eval DetectionBranch="HTTP_NonStandardEncodedPayload"
  | table _time, src_ip, dest_ip, dest_port, uri_path, uri_query, http_method,
          HasEncodedPath, HasEncodedParam, HasCharSubstitution, DetectionBranch
]
| sort - _time

medium severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Connection Creation Sysmon Event ID 22 (DNS Query) Sysmon Event ID 3 (Network Connection)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational stream:http

False Positives

CDN services and cloud storage pre-signed URLs (AWS S3, Azure Blob) with long base64-encoded authentication tokens in URL paths
Monitoring and observability agents (Datadog, New Relic, Dynatrace) making frequent scheduled metric collection calls to a fixed set of collector endpoints
Web applications using JWT tokens, SAML assertions, or encoded session state in URL query parameters
Security scanners and vulnerability assessment tools generating high-volume DNS queries during network enumeration
DNS-based load balancers or CDN health checks generating regular DNS query patterns that may resemble beaconing

Elastic Security (EQL)

eql

any where event.category == "network" and
(
  /* Branch 1: DNS — first subdomain label matches Base64, URL-safe Base64, or hex encoding (> 50 chars) */
  (
    network.protocol == "dns" and
    dns.question.name != null and
    (
      dns.question.name regex "^[A-Za-z0-9+/=]{50,}\\." or
      dns.question.name regex "^[A-Za-z0-9_\\-]{50,}\\." or
      dns.question.name regex "^[0-9a-fA-F]{50,}\\."
    )
  ) or
  /* Branch 2: HTTP/S — anomalously long encoded path segment or query parameter */
  (
    network.protocol in ("http", "https") and
    url.path != null and
    (
      url.path regex "/[A-Za-z0-9_\\-]{60,}(/|\\?|$)" or
      url.query regex "[a-z]{1,4}=[A-Za-z0-9+/_%\\-]{60,}"
    )
  ) or
  /* Branch 3: Scripting engine making outbound public-IP connections (beaconing) */
  (
    process.name in~ ("python.exe", "python3", "python3.exe", "perl.exe", "ruby.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe") and
    not cidrMatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16", "::1/128")
  )
)

high severity medium confidence

Data Sources

Zeek DNS logs (logs-zeek.dns-*) Zeek HTTP logs (logs-zeek.http-*) Elastic Endpoint Security (logs-endpoint.events.network-*) Packetbeat Suricata Network IDS

Required Tables

logs-zeek.dns-* logs-zeek.http-* logs-endpoint.events.network-*

False Positives

CDN edge nodes and load balancers using long hash-based subdomain labels for health checks or anycast routing (e.g., AWS ELB, Fastly, Akamai long-token subdomains)
Legitimate software update and package management services encoding content hashes or version manifests as long Base64 query parameters (e.g., npm, pip, Homebrew with integrity verification)
Developer tunneling tools such as ngrok, localtunnel, or Cloudflare Tunnel that generate long random Base64-like subdomains to proxy locally running services

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  destinationip,
  destinationport,
  username,
  LOGSOURCETYPENAME(logsourceid) AS SourceType,
  QIDNAME(qid) AS EventName,
  "QueryName" AS DNSQuery,
  URL AS RequestURL,
  "ProcessPath" AS ProcessImage,
  magnitude
FROM events
WHERE
(
  /* Branch 1: DNS query with encoded first subdomain label */
  (
    QIDNAME(qid) LIKE '%DNS%'
    AND (
      "QueryName" MATCHES '^[A-Za-z0-9+/=]{50,}\\..+'
      OR "QueryName" MATCHES '^[A-Za-z0-9_\\-]{50,}\\..+'
      OR "QueryName" MATCHES '^[0-9a-fA-F]{50,}\\..+'
    )
  )
  OR
  /* Branch 2: HTTP/S request with encoded path segment or query string parameter */
  (
    destinationport IN (80, 443, 8080, 8443, 8888)
    AND URL IS NOT NULL
    AND (
      URL MATCHES '.*/[A-Za-z0-9_\\-]{60,}(/|\\?|$).*'
      OR URL MATCHES '.*[?&][a-z]{1,4}=[A-Za-z0-9+/_%\\-]{60,}.*'
    )
  )
  OR
  /* Branch 3: Scripting engine process making outbound connections to public IPs */
  (
    "ProcessPath" MATCHES '(?i).*(python|perl|ruby|wscript|cscript|mshta|powershell|pwsh)\\..*'
    AND NOT INCIDR(destinationip, '10.0.0.0/8')
    AND NOT INCIDR(destinationip, '172.16.0.0/12')
    AND NOT INCIDR(destinationip, '192.168.0.0/16')
    AND NOT INCIDR(destinationip, '127.0.0.0/8')
    AND NOT INCIDR(destinationip, '169.254.0.0/16')
  )
)
LAST 24 HOURS
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

QRadar DSM for Microsoft Windows Security Event Log QRadar DSM for Sysmon (Windows Event Log provider) QRadar Network Activity flows QRadar DSM for Microsoft DNS Analytical Log

Required Tables

events

False Positives

Enterprise endpoint agents (CrowdStrike Falcon, Microsoft Defender, Carbon Black) that use Python or PowerShell runtimes to beacon cloud management APIs with encoded host telemetry in URL parameters
Browser extensions or enterprise SaaS tools using long Base64-encoded JWT tokens or session identifiers as HTTP query parameters for authentication and session resumption
Custom internal REST APIs using UUID-composite path segments or Base64-encoded resource identifiers that exceed 60 characters, commonly seen in microservice architectures

Sumo Logic CSE

sql

/* Branch 1: Sysmon DNS queries (EventCode 22) with encoded subdomain labels */
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "22"
| parse regex "QueryName:\\s+(?<DNSQuery>[^\\r\\n]+)" nodrop
| parse regex "Image:\\s+(?<ProcessImage>[^\\r\\n]+)" nodrop
| parse regex "User:\\s+(?<UserName>[^\\r\\n]+)" nodrop
| parse regex field=DNSQuery "^(?<FirstLabel>[^.]+)\\." nodrop
| where !(isNull(FirstLabel)) and !(isEmpty(FirstLabel))
| where length(FirstLabel) > 50
    or FirstLabel matches /^[A-Za-z0-9+\/=]{40,}$/
    or FirstLabel matches /^[A-Za-z0-9_\-]{40,}$/
    or FirstLabel matches /^[0-9a-fA-F]{40,}$/
| eval EncodingType = if(FirstLabel matches /^[0-9a-fA-F]{40,}$/, "HexEncoded",
                     if(FirstLabel matches /^[A-Za-z0-9+\/=]{40,}$/, "Base64Like",
                     "ModifiedBase64URLSafe"))
| eval DetectionBranch = "DNS_NonStandardEncoding"
| fields _time, _sourceHost, UserName, ProcessImage, DNSQuery, FirstLabel, EncodingType, DetectionBranch

/* Branch 2: Sysmon network connects (EventCode 3) — scripting engine beaconing */
/* Run as a separate query:
(_sourceCategory=*sysmon*)
| where EventCode = "3"
| parse regex "Image:\\s+(?<ProcessImage>[^\\r\\n]+)" nodrop
| parse regex "DestinationIp:\\s+(?<DestIP>[^\\r\\n]+)" nodrop
| parse regex "DestinationPort:\\s+(?<DestPort>[^\\r\\n]+)" nodrop
| where ProcessImage matches /(?i).*(python|perl|ruby|wscript|cscript|mshta|powershell|pwsh).*/
| where !(DestIP matches /^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.).*/)
| eval DetectionBranch = "Beaconing_ScriptingEngine"
| timeslice 1h
| stats count as ConnCount, dcount(DestIP) as UniqueIPs, values(DestIP) as DestIPs
    by _timeslice, _sourceHost, ProcessImage
| where ConnCount > 10 and UniqueIPs < 3
*/

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows Event Log source) Sumo Logic Cloud SIEM (normalized Windows/Sysmon events) Sumo Logic Threat Intelligence (enrichment)

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

IT management platforms using wscript.exe or cscript.exe for legitimate administrative tasks communicating with management endpoints using token-encoded URLs
DNS-based geographic load balancers or service discovery systems generating long hash-based first labels for endpoint routing (e.g., Route 53 weighted routing, Cloudflare DNS)
Automated enterprise PowerShell scripts performing scheduled telemetry collection or reporting to cloud services using long session-scoped query parameters

Google Chronicle / SecOps

yaral

rule t1132_002_non_standard_encoding_dns {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1132.002: Non-Standard Encoding — DNS subdomains with Base64, modified Base64, or hex-encoded first labels exceeding 50 characters. Covers TONESHELL, NightClub (DNS modified Base64), RDAT (Base64 with substitutions in DNS), and InvisiMole (modified Base32) families."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1132.002"
    confidence = "MEDIUM"
    false_positives = "CDN hash-based subdomains, ngrok/localtunnel proxy subdomains, DNS-based service mesh identifiers"
    version = "1.0"

  events:
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.network.dns.questions.name != ""
    (
      re.regex($dns.network.dns.questions.name, `^[A-Za-z0-9+/=]{50,}\.`) nocase or
      re.regex($dns.network.dns.questions.name, `^[A-Za-z0-9_\-]{50,}\.`) nocase or
      re.regex($dns.network.dns.questions.name, `^[0-9a-fA-F]{50,}\.`) nocase
    )
    $dns.principal.hostname != ""

  match:
    $dns.principal.hostname over 1h

  outcome:
    $event_count = count_distinct($dns.network.dns.questions.name)
    $queried_names = array_distinct($dns.network.dns.questions.name)
    $process_paths = array_distinct($dns.principal.process.file.full_path)
    $users = array_distinct($dns.principal.user.userid)

  condition:
    $dns
}

rule t1132_002_non_standard_encoding_http {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1132.002: Non-Standard Encoding — HTTP/S requests with anomalously long path segments or query parameters consistent with custom Base64, XOR-encoded, or character-substituted C2 payloads transmitted over standard web protocols."
    severity = "HIGH"
    priority = "MEDIUM"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1132.002"
    confidence = "MEDIUM"
    false_positives = "SaaS platforms with long JWT tokens in URLs, package managers with hash-encoded integrity parameters"
    version = "1.0"

  events:
    $http.metadata.event_type = "NETWORK_HTTP"
    $http.network.http.method != ""
    (
      re.regex($http.target.url, `/[A-Za-z0-9_\-]{60,}(/|\?|$)`) nocase or
      re.regex($http.target.url, `[?&][a-z]{1,4}=[A-Za-z0-9+/_%\-]{60,}`) nocase
    )
    $http.principal.hostname != ""

  condition:
    $http
}

high severity medium confidence

Data Sources

Chronicle UDM (Unified Data Model) — NETWORK_DNS events Chronicle UDM — NETWORK_HTTP events Chronicle forwarder: Zeek DNS/HTTP, Windows Sysmon, Google Cloud DNS

Required Tables

udm_events (event_type: NETWORK_DNS) udm_events (event_type: NETWORK_HTTP)

False Positives

Cloud provider health check subdomains using Base64-encoded endpoint identifiers (AWS ALB, GCP GCLB, Azure Traffic Manager) — whitelist by target principal.hostname for known cloud provider FQDN suffixes
Mobile analytics SDKs encoding device fingerprints or crash report tokens as long Base64 strings in HTTP query parameters to vendor collection endpoints
Zero-trust network access and VPN solutions embedding encoded session certificates or ephemeral tokens in DNS-over-HTTPS subdomain labels for split-tunnel routing

CrowdStrike LogScale (CQL)

cql

// Branch 1: DNS requests with encoded subdomain labels (Falcon DnsRequest telemetry)
#event_simpleName = "DnsRequest"
| regex("^(?<FirstLabel>[A-Za-z0-9+/=_\\-]{50,})\\.", field=DomainName)
| LabelLength := length(FirstLabel)
| EncodingType := if(match(regex="^[0-9a-fA-F]{50,}$", field=FirstLabel), "HexEncoded",
                  if(match(regex="^[A-Za-z0-9+/=]{50,}$", field=FirstLabel), "Base64Like",
                  if(match(regex="^[A-Za-z0-9_\\-]{50,}$", field=FirstLabel), "ModifiedBase64URLSafe",
                  "LongSubdomain")))
| DetectionBranch := "DNS_NonStandardEncoding"
| table([@timestamp, ComputerName, UserName, DomainName, FirstLabel, LabelLength,
         EncodingType, FileName, CommandLine, DetectionBranch])

// Branch 2: Scripting engine beaconing with low destination diversity (run separately)
// #event_simpleName = "NetworkConnectIP4"
// | FileName = /(?i)^(python|python3|perl|ruby|wscript|cscript|mshta|powershell|pwsh)(\.exe)?$/
// | not cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12",
//            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"])
// | groupBy([ComputerName, FileName, CommandLine], function=[
//     count(as=ConnCount),
//     countDistinct(RemoteAddressIP4, as=UniqueIPs),
//     collect(RemotePort, as=Ports),
//     collect(RemoteAddressIP4, as=DestIPs)
//   ])
// | where ConnCount > 10 and UniqueIPs < 3
// | DetectionBranch := "Beaconing_ScriptingEngine_CustomEncoding"
// | table([ComputerName, FileName, CommandLine, ConnCount, UniqueIPs, DestIPs, Ports, DetectionBranch])

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor — DnsRequest events CrowdStrike Falcon Sensor — NetworkConnectIP4 events CrowdStrike Falcon Sensor — ProcessRollup2 events (for process tree correlation)

Required Tables

DnsRequest NetworkConnectIP4 ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself and other endpoint agents using Python or PowerShell runtimes to beacon cloud management APIs with encoded telemetry — whitelist by process hash or parent process
Software development workstations where Python, Ruby, or Node scripts actively communicate with package registries (PyPI, npm, RubyGems) or CI/CD orchestrators using long token-encoded URLs
DNS-based service mesh and service discovery solutions (HashiCorp Consul, Istio with DNS delegation) that use long hashed service identifiers as subdomain prefixes for internal routing

Last updated: 2026-04-18 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1132.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Non-Standard Encoding

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections