Detect Data Encoding in Elastic Security
Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip. Real-world examples include BADNEWS converting encrypted C2 data to hexadecimal then Base64 before transmission, Ursnif embedding Base64-encoded data in HTTP URLs, H1N1 using an altered Base64 scheme for C2 traffic, and Linux Rabbit sending encoded payloads as URL parameters.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1132 Data Encoding
- Canonical reference
- https://attack.mitre.org/techniques/T1132/
Elastic Detection Query
sequence by host.id with maxspan=1m
[
any where event.category == "process" and event.type == "start"
and (
/* Branch 1: certutil encoding/decoding LOLBin */
(
process.name : "certutil.exe"
and process.args : ("-encode", "-decode", "-urlcache", "/encode", "/decode", "/urlcache")
)
or
/* Branch 2: scripting interpreter combining encoding and network primitives */
(
process.name : ("python.exe", "python3.exe", "perl.exe", "php.exe", "ruby.exe", "node.exe", "nodejs")
and process.command_line : ("*base64*", "*b64encode*", "*b64decode*", "*binascii*", "*hexlify*", "*unhexlify*", "*zlib*", "*gzip*", "*btoa*", "*atob*", "*urllib.parse.quote*", "*hex_codec*")
and process.command_line : ("*http://*", "*https://*", "*ftp://*", "*socket*", "*urllib*", "*requests.*", "*connect(*")
)
or
/* Branch 3: PowerShell Base64 conversion with network classes */
(
process.name : ("powershell.exe", "pwsh.exe")
and process.command_line : ("*FromBase64String*", "*ToBase64String*", "*[Convert]::*", "*System.Convert*")
and process.command_line : ("*Net.WebClient*", "*Invoke-WebRequest*", "*Invoke-RestMethod*", "*TcpClient*", "*UdpClient*", "*UploadString*", "*DownloadString*")
)
or
/* Branch 4: curl/wget with long encoded arguments */
(
process.name : ("curl.exe", "curl", "wget.exe", "wget")
and (
process.command_line : "*=*"
and (
process.command_line regex~ "[A-Za-z0-9+/]{60,}={0,2}"
or process.command_line regex~ "[0-9a-fA-F]{80,}"
)
)
)
)
]Detects T1132 Data Encoding used in C2 communication. Covers four behavioral patterns: certutil LOLBin encoding/decoding, scripting interpreters combining encoding APIs with network primitives, PowerShell Base64 conversion paired with network classes, and curl/wget invoked with suspiciously long Base64 or hex-encoded argument strings indicative of encoded C2 payloads.
Data Sources
Required Tables
False Positives & Tuning
- Developers or DevOps engineers running Python/Node.js scripts that legitimately encode data before API transmission (e.g., OAuth flows, webhook HMAC signatures)
- IT administrators using certutil to download and verify file checksums or encode certificate data during PKI operations
- Security tools and EDR agents that use curl or wget with encoded authentication tokens or API keys in their command lines
Other platforms for T1132
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1certutil Base64 Encode Reconnaissance Output and Transmit via curl
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with CommandLine containing '-encode %TEMP%\recon_out.txt'. Sysmon Event ID 11: File Create for %TEMP%\recon_encoded.b64. Sysmon Event ID 1: Subsequent Process Create for curl.exe with CommandLine containing '--data-binary @' and the encoded temp file. Sysmon Event ID 3: Network Connection from curl.exe to 127.0.0.1:8080 (connection refused, but event fires).
- Test 2Python Base64-Encoded System Fingerprint Beacon
Expected signal: Sysmon Event ID 1: Process Create for python.exe (or python3.exe) with CommandLine containing 'base64', 'urllib.request', 'socket', and 'os'. Sysmon Event ID 3: Network Connection attempt from python.exe to 127.0.0.1:8080.
- Test 3PowerShell ToBase64String with WebClient POST
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ToBase64String', '[System.Convert]::', 'Net.WebClient', and 'UploadString'. Sysmon Event ID 3: Network Connection attempt from powershell.exe to 127.0.0.1:8080. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational captures the full script including the ToBase64String call.
- Test 4Hex-Encoded C2 Data via Python binascii and subprocess curl
Expected signal: Sysmon Event ID 1: Process Create for python.exe with CommandLine containing 'binascii', 'hexlify', and 'subprocess'. Sysmon Event ID 1: Child Process Create for curl.exe with CommandLine containing 'http://127.0.0.1:8080/q?d=' followed by a hex-encoded string of 40+ characters. Sysmon Event ID 3: Network Connection attempt from curl.exe to 127.0.0.1:8080.
References (12)
- https://attack.mitre.org/techniques/T1132/
- https://attack.mitre.org/techniques/T1132/001/
- https://attack.mitre.org/techniques/T1132/002/
- https://en.wikipedia.org/wiki/Binary-to-text_encoding
- https://en.wikipedia.org/wiki/Character_encoding
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
- https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
Unlock Pro Content
Get the full detection package for T1132 including response playbook, investigation guide, and atomic red team tests.