Skip to content

DET0053 Detect Obfuscated C2 via Network Traffic Analysis

Item Value
ID DET0053
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1001 (Data Obfuscation)

Analytics

Windows

AN0144

Detects excessive outbound traffic to remote host over HTTP(S) from uncommon or previously unseen processes.

Log Sources
Data Component Name Channel
Network Traffic Content (DC0085) NSM:Flow HTTP
Mutable Elements
Field Description
OutboundByteThreshold Defines threshold ratio of outbound to inbound bytes that signals possible obfuscation
ProcessAllowlist List of known legitimate network clients to exclude from anomaly checks

Linux

AN0145

Identifies custom or previously unseen userland processes initiating high-volume HTTP connections with low response volume.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) auditd:SYSCALL connect
Mutable Elements
Field Description
UserProcessBaseline Defines what is considered abnormal for a user-initiated process context

macOS

AN0146

Flags unexpected user applications initiating long-lived HTTP(S) sessions with irregular traffic patterns.

Log Sources
Data Component Name Channel
Network Traffic Content (DC0085) macos:unifiedlog network flow
Process Creation (DC0032) macos:unifiedlog process
Mutable Elements
Field Description
SessionDuration Session length that exceeds average per-user expectations