T1132.002 Splunk · SPL

Detect Non-Standard Encoding in Splunk

Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Non-standard encoding schemes diverge from existing protocol specifications — for example, modified Base64 using a custom alphabet, XOR encoding with a static or rolling key, character substitution (replacing '/' with '-s', '+' with '-p'), or custom binary serialization. Real-world examples include OceanSalt (NOT operation on bytes), Small Sieve (hex byte swapping), TONESHELL (XOR with 32/256-byte key), NightClub (modified Base64 in DNS subdomains), RDAT (Base64 with character substitutions in DNS), InvisiMole (modified Base32 in DNS subdomains), and Uroburos (custom Base62/Base32). Detection focuses on anomalous DNS subdomain lengths and entropy, unusual encoded patterns in network traffic, and scripting processes generating high-entropy outbound data.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1132 Data Encoding
Sub-technique
T1132.002 Non-Standard Encoding
Canonical reference
https://attack.mitre.org/techniques/T1132/002/

SPL Detection Query

Splunk (SPL)
spl 
| union
[
  search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | eval QueryName=lower(QueryName)
  | eval LongestLabel=mvmax(split(QueryName, "."), len)
  | eval LabelLength=len(mvindex(split(QueryName, "."), 0))
  | eval FirstLabel=mvindex(split(QueryName, "."), 0)
  | eval IsLongSubdomain=if(LabelLength > 50, 1, 0)
  | eval MatchesBase64=if(match(FirstLabel, "^[a-z0-9+/=]{40,}$"), 1, 0)
  | eval MatchesModifiedBase64=if(match(FirstLabel, "^[a-z0-9_\-]{40,}$"), 1, 0)
  | eval MatchesHex=if(match(FirstLabel, "^[0-9a-f]{40,}$"), 1, 0)
  | eval EncodingType=case(
      MatchesHex=1, "HexEncoded",
      MatchesBase64=1, "Base64Like",
      MatchesModifiedBase64=1, "ModifiedBase64URLSafe",
      1=1, "LongSubdomain"
    )
  | where IsLongSubdomain=1 OR MatchesBase64=1 OR MatchesModifiedBase64=1 OR MatchesHex=1
  | eval DetectionBranch="DNS_LongEncodedSubdomain"
  | table _time, host, User, Image, QueryName, FirstLabel, LabelLength, EncodingType, DetectionBranch
]
[
  search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | stats count as QueryCount, dc(QueryName) as UniqueQueries, values(QueryName) as Queries
      by host, Image, CommandLine, span(_time, 600)
  | where QueryCount > 20 AND UniqueQueries > 15
  | eval DetectionBranch="DNS_HighVolumeTunneling"
  | table _time, host, Image, CommandLine, QueryCount, UniqueQueries, DetectionBranch
]
[
  search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="::1")
  | eval Image=lower(Image)
  | where match(Image, "(python|perl|ruby|wscript|cscript|mshta|powershell|pwsh)\.exe")
  | bucket _time span=1h
  | stats count as ConnCount, dc(DestinationIp) as UniqueIPs,
          values(DestinationPort) as Ports, values(DestinationIp) as DestIPs
      by _time, host, Image, CommandLine
  | where ConnCount > 10 AND UniqueIPs < 3
  | eval DetectionBranch="Beaconing_ScriptingEngine"
  | table _time, host, Image, CommandLine, ConnCount, UniqueIPs, DestIPs, Ports, DetectionBranch
]
[
  search index=* sourcetype="stream:http"
  | eval uri_path=urldecode(uri_path), uri_query=urldecode(uri_query)
  | eval HasEncodedPath=if(match(uri_path, "/[A-Za-z0-9_\-]{60,}(\?|/|$)"), 1, 0)
  | eval HasEncodedParam=if(match(uri_query, "[a-z]{1,4}=[A-Za-z0-9+/%_\-]{60,}"), 1, 0)
  | eval HasCharSubstitution=if(
      match(uri_path, "-s[A-Za-z0-9_\-]+") OR match(uri_path, "-p[A-Za-z0-9_\-]+"), 1, 0
    )
  | where HasEncodedPath=1 OR HasEncodedParam=1 OR HasCharSubstitution=1
  | eval DetectionBranch="HTTP_NonStandardEncodedPayload"
  | table _time, src_ip, dest_ip, dest_port, uri_path, uri_query, http_method,
          HasEncodedPath, HasEncodedParam, HasCharSubstitution, DetectionBranch
]
| sort - _time
medium severity medium confidence

Detects non-standard C2 encoding across four branches using Sysmon and stream data: (1) DNS Event ID 22 queries with subdomain labels exceeding 50 characters matching Base64, URL-safe Base64, or hex patterns — targeting NightClub/RDAT/InvisiMole DNS tunneling; (2) high-volume DNS query bursts from single processes suggesting automated DNS tunneling; (3) scripting engines making repeated connections to a small set of public IPs suggesting encoded beaconing; (4) HTTP streams with long encoded URL paths or query parameters, including NightClub-style character substitution patterns (-s, -p). Combines Sysmon DNS, Sysmon network, and Splunk stream data.

Data Sources

Network Traffic: Network Traffic ContentNetwork Traffic: Network Connection CreationSysmon Event ID 22 (DNS Query)Sysmon Event ID 3 (Network Connection)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operationalstream:http

False Positives & Tuning

  • CDN services and cloud storage pre-signed URLs (AWS S3, Azure Blob) with long base64-encoded authentication tokens in URL paths
  • Monitoring and observability agents (Datadog, New Relic, Dynatrace) making frequent scheduled metric collection calls to a fixed set of collector endpoints
  • Web applications using JWT tokens, SAML assertions, or encoded session state in URL query parameters
  • Security scanners and vulnerability assessment tools generating high-volume DNS queries during network enumeration
  • DNS-based load balancers or CDN health checks generating regular DNS query patterns that may resemble beaconing
Download portable Sigma rule (.yml)

Other platforms for T1132.002

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate DNS Tunneling with Modified Base64 Subdomain Encoding

    Expected signal: Sysmon Event ID 22 (DNS Query): QueryName will contain a long alphanumeric subdomain label (length > 30 characters) matching the pattern [a-z0-9ps]{30,}\.df00tech-test\.local. Sysmon Event ID 1 (Process Create): powershell.exe with command line containing Base64, Replace, and Resolve-DnsName. PowerShell ScriptBlock Log Event ID 4104 capturing the encoding logic.

  2. Test 2XOR-Encoded C2 Data Transmission Simulation (TONESHELL Pattern)

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing -bxor, New-Object System.Net.WebClient, and UploadString. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 (connection will be refused but event fires). PowerShell ScriptBlock Log Event ID 4104 capturing the full XOR encoding loop and WebClient upload code.

  3. Test 3High-Volume DNS Query Burst Simulating DNS Tunneling Data Transfer

    Expected signal: 25x Sysmon Event ID 22 (DNS Query) events within ~5 seconds, each with a unique QueryName containing a long base64-like subdomain label (length 40-70 characters) under df00tech-dnstest.local. All queries initiated by powershell.exe. The burst pattern with unique subdomains matches DNS tunneling telemetry.

  4. Test 4HTTP C2 with Custom Base64 Alphabet Encoding (Neo-reGeorg Pattern)

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing IndexOf, ToCharArray, WebClient, and UploadString — all indicators of custom encoding implementation. Sysmon Event ID 3: Network connection to 127.0.0.1:8080. PowerShell ScriptBlock Log Event ID 4104 capturing the full custom alphabet encoding logic. If stream:http is available, the POST body will contain d=<60+ char custom-alphabet string>.

Last updated: 2026-04-18 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1132.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1132Data Encoding

Related Sub-techniques

T1132.001Standard Encoding

Related Techniques

T1132.001Standard EncodingT1071.004DNST1071.001Web ProtocolsT1573.001Symmetric CryptographyT1027Obfuscated Files or InformationT1048.003Exfiltration Over Unencrypted Non-C2 ProtocolT1568.002Domain Generation AlgorithmsT1090.001Internal ProxyT1205.002Socket Filters

Same Tactic: Command and Control

Popular Detections