DET0011 Detecting Junk Data in C2 Channels via Behavioral Analysis
| Item | Value |
| --- | --- |
| ID | DET0011 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1001.001 (Junk Data)
Analytics
Windows
AN0030
Processes generating large outbound connections with disproportionate send/receive ratios, often to uncommon ports or hosts, potentially inserting meaningless data into protocol payloads.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| PayloadEntropyThreshold | Tunable threshold for the Shannon entropy of network payloads. |
| TimeWindow | Duration of outbound data transfer over which to evaluate disproportionate upload size. |
| UserContext | Filter based on user accounts allowed to generate outbound traffic. |
Linux
AN0031
Outbound traffic with anomalous payload sizes and patterns from non-networking processes, often observed via packet inspection or connection logs.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| EntropyScore | Adjust based on the expected entropy of typical outbound data. |
| ProcessWhitelist | Exclude known-good binaries that generate high network output. |
| DataRatioThreshold | Minimum ratio of bytes_sent to bytes_received. |
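The Windows (AN0030) and Linux (AN0031) analytics above share the same core logic: aggregate outbound flows per process over a time window, compare the send/receive ratio against DataRatioThreshold, compare payload entropy against PayloadEntropyThreshold, and drop anything on ProcessWhitelist. The following is an added example that is not part of the DET0011 page or any MITRE tooling; the flow-record fields, process names and sample payloads are constructed for illustration, not a real sensor schema.

```python
"""Score constructed outbound flow records using the mutable elements named
in AN0030/AN0031 (entropy threshold, send/receive ratio, time window,
process whitelist). Field layout and process names are assumptions."""
import math
from collections import Counter, defaultdict

# Constructed records: (timestamp_s, process, dst_port, bytes_sent, bytes_recv, payload_sample)
FLOWS = [
    (0,  "backup-agent", 443,  4_000_000, 20_000,  b"PK\x03\x04" + bytes(range(256)) * 4),
    (10, "svc-updater",  8443, 900_000,   1_200,   bytes((i * 7919 + 13) % 256 for i in range(2048))),
    (20, "svc-updater",  8443, 950_000,   1_100,   bytes((i * 6007 + 29) % 256 for i in range(2048))),
    (30, "curl",         80,   2_000,     150_000, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]
PROCESS_WHITELIST = {"backup-agent"}  # known-good high-volume uploader (assumed)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_flows(flows, payload_entropy_threshold=7.0, data_ratio_threshold=50.0,
                time_window=60, whitelist=PROCESS_WHITELIST):
    """Aggregate per (process, port, window) and flag buckets where BOTH the
    send/receive ratio and the highest observed payload entropy exceed thresholds.
    Requiring both keeps plain bulk uploads (low entropy) and chatty but
    balanced protocols (low ratio) out of the alert set."""
    buckets = defaultdict(lambda: {"sent": 0, "recv": 0, "entropies": []})
    for ts, proc, port, sent, recv, payload in flows:
        if proc in whitelist:
            continue
        b = buckets[(proc, port, ts // time_window)]
        b["sent"] += sent
        b["recv"] += recv
        b["entropies"].append(shannon_entropy(payload))
    alerts = []
    for (proc, port, window), b in buckets.items():
        ratio = b["sent"] / max(b["recv"], 1)  # guard against zero bytes received
        ent = max(b["entropies"])
        if ratio >= data_ratio_threshold and ent >= payload_entropy_threshold:
            alerts.append({"process": proc, "port": port, "window": window,
                           "send_recv_ratio": round(ratio, 1), "max_entropy": round(ent, 2)})
    return alerts

if __name__ == "__main__":
    for a in score_flows(FLOWS):
        print(a)
```

With the defaults only svc-updater is flagged; removing backup-agent from the whitelist also flags it, which is the tuning trade-off the ProcessWhitelist element exists for.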
macOS
AN0032
Previously unseen applications generating outbound connections with atypical data flow characteristics, such as excessive data with no return response.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ParentProcessCheck | Allow filtering based on the parent-child relationship for benign services. |
| HostWhitelist | Known legitimate C2-like patterns (e.g., Apple telemetry). |
ESXi
AN0033
Anomalous traffic from ESXi host management daemons (like hostd or vpxa) embedding non-standard payloads in management protocols (e.g., HTTPS) or beaconing behavior.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| TLSFingerprintMismatch | Detects TLS client behavior that does not match what is expected for hostd/vpxa. |
| UnusualDestinationPorts | Highlight traffic from ESXi hosts to uncommon ports outside the vCenter ranges. |