T1132 Microsoft Sentinel · KQL

Detect Data Encoding in Microsoft Sentinel

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip. Real-world examples include BADNEWS converting encrypted C2 data to hexadecimal then Base64 before transmission, Ursnif embedding Base64-encoded data in HTTP URLs, H1N1 using an altered Base64 scheme for C2 traffic, and Linux Rabbit sending encoded payloads as URL parameters.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1132 Data Encoding
Canonical reference
https://attack.mitre.org/techniques/T1132/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let lookback = 24h;
let EncodingPatterns = dynamic([
    "base64", "-encode", "-decode", "FromBase64String", "ToBase64String",
    "b64encode", "b64decode", "binascii", "hexlify", "unhexlify",
    "zlib.compress", "gzip", "deflate", "urllib.parse.quote",
    "hex_codec", "btoa(", "atob(", "[Convert]::", "System.Convert"
]);
let NetworkPatterns = dynamic([
    "http://", "https://", "ftp://", "socket", "connect(",
    "urllib", "requests.", "Net.WebClient", "Invoke-WebRequest",
    "Invoke-RestMethod", "TcpClient", "UdpClient", "WebSocket",
    "curl ", "wget ", "UploadString", "DownloadString"
]);
// Branch 1: certutil used for encoding/decoding — classic LOLBin C2 helper
let CertutilEncoding = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-encode", "-decode", "-urlcache")
| extend DetectionBranch = "CertutilEncoding"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 2: Scripting interpreter combining encoding + network primitives in same invocation
let ScriptingEncodeNetwork = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("python.exe", "python3.exe", "perl.exe", "php.exe", "ruby.exe", "node.exe", "nodejs")
| where ProcessCommandLine has_any (EncodingPatterns)
| where ProcessCommandLine has_any (NetworkPatterns)
| extend DetectionBranch = "ScriptingEncodeNetwork"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 3: PowerShell using Base64 conversion APIs with networking classes
let PSEncodeNetwork = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("FromBase64String", "ToBase64String", "[Convert]::", "System.Convert")
| where ProcessCommandLine has_any ("Net.WebClient", "Invoke-WebRequest", "Invoke-RestMethod",
                                      "TcpClient", "UdpClient", "UploadString", "DownloadString")
| extend DetectionBranch = "PSEncodeNetwork"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 4: curl or wget carrying suspiciously long Base64 or hex-encoded argument data
let EncodedNetworkUtil = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("curl.exe", "curl", "wget.exe", "wget")
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{60,}={0,2}"
      or ProcessCommandLine matches regex @"[0-9a-fA-F]{80,}"
| extend DetectionBranch = "EncodedNetworkUtil"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
union CertutilEncoding, ScriptingEncodeNetwork, PSEncodeNetwork, EncodedNetworkUtil
| sort by Timestamp desc
medium severity medium confidence

Detects encoded C2 communication patterns by monitoring process creation events for four distinct encoding+network activity signatures: (1) certutil.exe invoked with -encode, -decode, or -urlcache flags — a well-known LOLBin technique used by attackers to encode or decode C2 payloads; (2) scripting interpreters (Python, Perl, PHP, Ruby, Node.js) whose command lines combine encoding functions (base64, binascii, hexlify, zlib) with network primitives (urllib, socket, http) in a single invocation; (3) PowerShell processes combining Base64 conversion APIs ([Convert]::ToBase64String, FromBase64String) with WebClient or TCP/UDP networking classes; (4) curl or wget invocations carrying argument strings matching the Base64 or hexadecimal character pattern at suspicious lengths. The union approach across all four branches provides broad coverage across common encoding+network attack vectors seen in real-world C2 frameworks including Mythic, Cobalt Strike, and Python-based custom implants.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Software deployment tools (SCCM, Intune, Ansible) that use certutil -decode or -urlcache to deliver installer payloads from internal distribution servers
  • Data science and DevOps pipelines (CI/CD agents, Terraform, configuration management) that Base64-encode credentials or configuration blobs before transmitting to APIs
  • Application monitoring agents (Datadog, Splunk UF, New Relic) that encode telemetry payloads before posting to SaaS collection endpoints
  • Web developers testing REST APIs with curl, passing Base64-encoded Bearer tokens or JSON payloads in request bodies
  • Security tooling including vulnerability scanners and SIEM forwarders that encode log data or signatures during transmission
Download portable Sigma rule (.yml)

Other platforms for T1132

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1certutil Base64 Encode Reconnaissance Output and Transmit via curl

    Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with CommandLine containing '-encode %TEMP%\recon_out.txt'. Sysmon Event ID 11: File Create for %TEMP%\recon_encoded.b64. Sysmon Event ID 1: Subsequent Process Create for curl.exe with CommandLine containing '--data-binary @' and the encoded temp file. Sysmon Event ID 3: Network Connection from curl.exe to 127.0.0.1:8080 (connection refused, but event fires).

  2. Test 2Python Base64-Encoded System Fingerprint Beacon

    Expected signal: Sysmon Event ID 1: Process Create for python.exe (or python3.exe) with CommandLine containing 'base64', 'urllib.request', 'socket', and 'os'. Sysmon Event ID 3: Network Connection attempt from python.exe to 127.0.0.1:8080.

  3. Test 3PowerShell ToBase64String with WebClient POST

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ToBase64String', '[System.Convert]::', 'Net.WebClient', and 'UploadString'. Sysmon Event ID 3: Network Connection attempt from powershell.exe to 127.0.0.1:8080. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational captures the full script including the ToBase64String call.

  4. Test 4Hex-Encoded C2 Data via Python binascii and subprocess curl

    Expected signal: Sysmon Event ID 1: Process Create for python.exe with CommandLine containing 'binascii', 'hexlify', and 'subprocess'. Sysmon Event ID 1: Child Process Create for curl.exe with CommandLine containing 'http://127.0.0.1:8080/q?d=' followed by a hex-encoded string of 40+ characters. Sysmon Event ID 3: Network Connection attempt from curl.exe to 127.0.0.1:8080.

Last updated: 2026-04-19 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1132 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1132.001Standard EncodingT1132.002Non-Standard EncodingT1071Application Layer ProtocolT1071.004DNST1573Encrypted ChannelT1573.001Symmetric CryptographyT1027Obfuscated Files or InformationT1105Ingress Tool TransferT1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative Protocol

Same Tactic: Command and Control

Popular Detections