title: Non-Standard Encoding (T1132.002)
id: df00tech-t1132-002
status: experimental
description: "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Non-standard encoding schemes diverge from existing protocol specifications — for example, modified Base64 using a custom alphabet, XOR encoding with a static or rolling key, character substitution (replacing '/' with '-s', '+' with '-p'), or custom binary serialization. Real-world examples include OceanSalt (NOT operation on bytes), Small Sieve (hex byte swapping), TONESHELL (XOR with 32/256-byte key), NightClub (modified Base64 in DNS subdomains), RDAT (Base64 with character substitutions in DNS), InvisiMole (modified Base32 in DNS subdomains), and Uroburos (custom Base62/Base32). Detection focuses on anomalous DNS subdomain lengths and entropy, unusual encoded patterns in network traffic, and scripting processes generating high-entropy outbound data."
references:
  - https://attack.mitre.org/techniques/T1132/002/
  - https://df00tech.com/detections/T1132.002
author: df00tech
date: 2026/04/18
tags:
  - attack.t1132.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below (EventID: '*') is a placeholder that matches every event and must be
  # replaced with the real query before this rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "CDN and cloud services that use long, base64-encoded tokens in URLs (AWS S3 presigned URLs, Azure SAS tokens, CloudFront signed URLs)"
  - Legitimate DNS-over-HTTPS or DNS security products that may generate high-volume DNS query patterns
  - "Monitoring and telemetry agents (Datadog, Dynatrace, New Relic) that POST encoded metrics to collection endpoints using long encoded query strings"
  - "Single-page applications and web APIs that encode state or session data in URL path components (JWT tokens, serialized objects)"
  - Certificate transparency logs and OCSP responders that use base64-encoded certificate data in URLs
level: medium
