title: Junk Data (T1001.001)
id: df00tech-t1001-001
status: experimental
description: "Adversaries may add junk data to protocols used for command and control to make detection more difficult. By appending, prepending, or inserting random or meaningless data into C2 communications, adversaries prevent trivial signature-based detection. Examples include SUNBURST appending junk bytes to HTTP C2, P2P ZeuS adding junk data to UDP peer communications, Downdelph inserting pseudo-random characters between meaningful characters in C2 requests, and GoldMax generating decoy traffic to surround malicious traffic. This technique is primarily a network-level obfuscation method, making it challenging to detect purely through host-based telemetry."
references:
  - https://attack.mitre.org/techniques/T1001/001/
  - https://df00tech.com/detections/T1001.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1001.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate software telemetry agents that send large amounts of diagnostic data to cloud endpoints with asymmetric request/response sizes
  - CDN or streaming applications making many small HTTP requests with varying payload sizes that resemble beaconing patterns
  - "DNS-based load balancing or service discovery mechanisms that use long subdomains for routing (e.g., AWS, Azure service endpoints)"
  - Software update mechanisms that poll update servers frequently with small request payloads
  - "Security monitoring agents (EDR, DLP) that beacon home to management infrastructure on standard ports"
level: medium
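A heuristic implementation of the two network-level signals the false-positive notes above imply (junk characters padding DNS labels, and junk appended to requests that draw only tiny responses), added here as an example and not the df00tech rule's own query; the record field names (dst, bytes_out, bytes_in), the thresholds and the sample records are assumptions constructed for the demonstration:

```python
"""Heuristic triage of junk-padded C2 destinations (T1001.001). Added example,
not the df00tech rule's own logic; record fields and thresholds are assumptions."""
import math
from collections import Counter, defaultdict

def shannon_entropy(text: str) -> float:
    """Bits per character; pseudo-random padding approaches log2(alphabet size)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def longest_label(hostname: str) -> str:
    """Longest DNS label, where inserted junk characters accumulate."""
    return max(hostname.split("."), key=len) if hostname else ""

def score_destinations(records, allowlist=(), min_label=30, min_entropy=3.5, min_ratio=4.0):
    """Aggregate bytes per destination; flag a long high-entropy label (junk in the
    hostname) or a large request/response byte asymmetry (junk appended to requests)."""
    totals = defaultdict(lambda: [0, 0])  # dst -> [bytes_out, bytes_in]
    for r in records:
        totals[r["dst"]][0] += r["bytes_out"]
        totals[r["dst"]][1] += r["bytes_in"]
    findings = {}
    for dst, (out_b, in_b) in totals.items():
        # Suppress the rule's listed false-positive classes (CDNs, update servers,
        # EDR/telemetry consoles) via an explicit allowlist of their domains.
        if any(dst == a or dst.endswith("." + a) for a in allowlist):
            continue
        reasons = []
        label = longest_label(dst)
        if len(label) >= min_label and shannon_entropy(label) >= min_entropy:
            reasons.append("junk-like label of %d chars" % len(label))
        ratio = out_b / max(in_b, 1)
        if ratio >= min_ratio:
            reasons.append("request/response byte ratio %.1f" % ratio)
        if reasons:
            findings[dst] = reasons
    return findings

# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"dst": "cdn.example-static.com", "bytes_out": 300, "bytes_in": 120000},
    {"dst": "updates.example-vendor.com", "bytes_out": 200, "bytes_in": 180},
    {"dst": "q8s7d6f5g4h3j2k1l0z9x8c7v6b5n4m3a2s1.lookup.example-bad.net", "bytes_out": 900, "bytes_in": 60},
    {"dst": "q8s7d6f5g4h3j2k1l0z9x8c7v6b5n4m3a2s1.lookup.example-bad.net", "bytes_out": 950, "bytes_in": 70},
    {"dst": "telemetry.example-edr.com", "bytes_out": 50000, "bytes_in": 400},
]

if __name__ == "__main__":
    for dst, why in score_destinations(SAMPLE_RECORDS, allowlist=("example-edr.com",)).items():
        print(dst, "->", "; ".join(why))
```

Destinations belonging to the listed false-positive classes belong in the allowlist rather than being handled by loosening the thresholds, which would also hide the padded C2 case.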
