Skip to content

DET0108 Detection Strategy for Data Encoding in C2 Channels

Item Value
ID DET0108
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1132 (Data Encoding)

Analytics

Windows

AN0302

Atypical processes (e.g., powershell.exe, regsvr32.exe) encode large outbound traffic using Base64 or other character encodings; this traffic is sent over uncommon ports or embedded in protocol fields (e.g., HTTP cookies or headers).

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Network Traffic Content (DC0085) NSM:Flow Unusual Base64-encoded content in URI, headers, or POST body
Mutable Elements
Field Description
PayloadEntropyThreshold Adjust to accommodate legitimate compression or encryption patterns in normal web traffic
ProcessAllowlist Define expected processes initiating outbound traffic to reduce false positives
AnomalyScoreThreshold Set threshold for how far traffic deviates from baseline protocol structure or size

Linux

AN0303

Custom scripts or processes encode outbound traffic using gzip, Base64, or hex prior to exfiltration via curl, wget, or custom sockets. Encoding typically occurs before or during outbound connections from non-network daemons.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Network Traffic Content (DC0085) NSM:Flow Base64 strings or gzip in URI, headers, or POST body
Command Execution (DC0064) linux:syslog Unusual outbound transfers from CLI tools like base64, gzip, or netcat
Mutable Elements
Field Description
TimeWindow Tune duration of multi-stage encoding + transfer operations to account for script variability
UserContext Apply user allow/block list depending on which users normally perform CLI encoding

macOS

AN0304

Processes use built-in encoding utilities (e.g., base64, xxd, or plutil) to encode file contents followed by HTTP/HTTPS transfer via curl or custom applications.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog base64 or curl processes chained within short execution window
Network Traffic Content (DC0085) macos:unifiedlog HTTP POST with encoded content in user-agent or cookie field
Mutable Elements
Field Description
EncodedCommandLengthThreshold Minimum byte size of encoded strings to treat as suspicious
SuspiciousProcessChainDepth Number of chained processes within a short window to treat as a correlated behavior

ESXi

AN0305

ESXi daemons (e.g., hostd, vpxa) are wrapped or impersonated to send large outbound traffic using gzip/Base64 encoding over SSH or HTTP. These actions follow suspicious logins or shell access.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:shell base64 or gzip use within shell session
Network Traffic Content (DC0085) esxi:vmkernel Outbound traffic using encoded payloads post-login
User Account Authentication (DC0002) ESXiLogs:authlog Unexpected login followed by encoding commands
Mutable Elements
Field Description
AuthSourceTrustLevel Use to scope encoded traffic suspicion to accounts that should not initiate transfers
ExfilBurstThreshold Threshold for bursty outbound traffic size deviation from baseline