Skip to content

DET0124 Behavior-chain detection for T1132.001 Data Encoding: Standard Encoding (Base64/Hex/MIME) across Windows, Linux, macOS, ESXi

Item Value
ID DET0124
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1132.001 (Standard Encoding)

Analytics

Windows

AN0345

Process invokes a standard encoder (e.g., PowerShell -enc, certutil -encode, base64 via .NET/Invoke-Expression) or emits long Base64/hex literals → shortly followed by outbound network egress with high bytes_out:bytes_in ratio or HTTP headers/payloads containing Base64/MIME blocks.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Script Execution (DC0029) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
Network Traffic Flow (DC0078) M365Defender:DeviceNetworkEvents NetworkConnection: bytes_sent >> bytes_received anomaly
Mutable Elements
Field Description
PayloadEntropyThreshold Shannon entropy cutoff to consider payload suspicious (e.g., > 4.5–5.0 for HTTP body).
B64LengthThreshold Min continuous Base64 token length in command lines/script blocks to alert (e.g., > 100 chars).
TimeWindow Correlation window between encoding event and egress (default 10m).
KnownAdminTools Legitimate tools (e.g., backup agents) that routinely encode/compress data.
BytesOutToInRatio Minimum ratio to treat flow as asymmetric (e.g., ≥ 4:1).

Linux

AN0346

Shell/utility (base64, xxd -p, od, openssl enc -base64, python/perl base64 libraries) encodes data → subsequent outbound connections (curl/wget/bash TCP, socat, python requests) with high asymmetry or Base64/MIME blobs in HTTP/DNS payloads.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve of base64
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Network Traffic Content (DC0085) NSM:Flow http: HTTP body or headers contain long Base64 sections; gzip/deflate + Base64
Mutable Elements
Field Description
EncodingToolsAllowList Build/backup jobs that legitimately call base64/openssl.
EntropyThreshold Shannon entropy for payloads (e.g., >4.5).
TimeWindow Join window between exec and egress (default 10m).
OutInRatio Bytes_out / bytes_in threshold (default 4).

macOS

AN0347

Processes use base64/xxd/openssl/python Objective‑C APIs to encode data (seen in EndpointSecurity exec events or Unified Logs) → quick outbound connections with large bytes_out or HTTP POSTs carrying Base64/MIME bodies.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process command line contains base64, -enc, openssl enc -base64
Network Traffic Flow (DC0078) PF:Logs outbound flows with bytes_out >> bytes_in
Network Traffic Content (DC0085) NSM:Flow http: HTTP body contains long Base64 sections
Mutable Elements
Field Description
AllowedDeveloperIDs Signed/allowed developer binaries routinely using encoding.
EntropyThreshold Payload entropy cutoff.
TimeWindow Exec → egress window.

ESXi

AN0348

ESXi shell (BusyBox) or VMware utilities (openssl, python if present) used to Base64/hex encode data from datastore or config files → followed by abnormal egress from the host (NSX/flow logs) with asymmetric bytes_out or HTTPS posts to non-management endpoints.

Log Sources
Data Component Name Channel
Process Creation (DC0032) esxi:shell commands containing base64, openssl enc -base64, xxd -p
Application Log Content (DC0038) esxi:hostd unexpected script/command invocations via hostd
Network Traffic Flow (DC0078) NSX:FlowLogs network_flow: bytes_out >> bytes_in to external
Network Traffic Content (DC0085) NSM:Flow http: Base64/MIME looking payloads from ESXi host IP
Mutable Elements
Field Description
MgmtCIDRs CIDRs for legitimate vCenter/NSX/backup endpoints.
BytesRatio Out:In ratio deemed suspicious (e.g., ≥3 on ESXi).
TimeWindow Correlation window between shell command and egress.