Atypical processes (e.g., powershell.exe, regsvr32.exe) encode large outbound traffic using Base64 or other character encodings; this traffic is sent over uncommon ports or embedded in protocol fields (e.g., HTTP cookies or headers).

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Traffic Content (DC0085) | NSM:Flow | Unusual Base64-encoded content in URI, headers, or POST body |

| Field | Description |
|---|---|
| PayloadEntropyThreshold | Adjust to accommodate legitimate compression or encryption patterns in normal web traffic |
| ProcessAllowlist | Define expected processes initiating outbound traffic to reduce false positives |
| AnomalyScoreThreshold | Set threshold for how far traffic deviates from baseline protocol structure or size |
Custom scripts or processes encode outbound traffic using gzip, Base64, or hex prior to exfiltration via curl, wget, or custom sockets. Encoding typically occurs before or during outbound connections from non-network daemons.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Content (DC0085) | NSM:Flow | Base64 strings or gzip in URI, headers, or POST body |
| Command Execution (DC0064) | linux:syslog | Unusual outbound transfers from CLI tools like base64, gzip, or netcat |

| Field | Description |
|---|---|
| TimeWindow | Tune duration of multi-stage encoding + transfer operations to account for script variability |
| UserContext | Apply user allow/block list depending on which users normally perform CLI encoding |
Processes use built-in encoding utilities (e.g., base64, xxd, or plutil) to encode file contents, followed by an HTTP/HTTPS transfer via curl or custom applications.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | base64 or curl processes chained within a short execution window |
| Network Traffic Content (DC0085) | macos:unifiedlog | HTTP POST with encoded content in User-Agent or Cookie field |

| Field | Description |
|---|---|
| EncodedCommandLengthThreshold | Minimum byte size of encoded strings to treat as suspicious |
| SuspiciousProcessChainDepth | Number of chained processes within a short window to treat as a correlated behavior |
ESXi daemons (e.g., hostd, vpxa) are wrapped or impersonated to send large outbound traffic using gzip/Base64 encoding over SSH or HTTP. These actions follow suspicious logins or shell access.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:shell | base64 or gzip use within shell session |
| Network Traffic Content (DC0085) | esxi:vmkernel | Outbound traffic using encoded payloads post-login |
| User Account Authentication (DC0002) | ESXiLogs:authlog | Unexpected login followed by encoding commands |

| Field | Description |
|---|---|
| AuthSourceTrustLevel | Use to scope encoded traffic suspicion to accounts that should not initiate transfers |
| ExfilBurstThreshold | Threshold for bursty outbound traffic size deviation from baseline |
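The analytics above share one shape: an encoding command (Process Creation / Command Execution) followed within a short window by an outbound connection, plus Base64-looking content in a URI, header or cookie that clears a length and an entropy threshold. The following is an added example, not part of the original page: a minimal Python implementation of that correlation over constructed Sysmon-style and CLI events, with the tunables named after the page's fields (PayloadEntropyThreshold, EncodedCommandLengthThreshold, TimeWindow, ProcessAllowlist); the threshold values, the pid-based correlation and all sample telemetry are assumptions.

```python
import base64
import math
import re

# Tunables mirroring the page's fields; the values are constructed assumptions.
PAYLOAD_ENTROPY_THRESHOLD = 4.0   # PayloadEntropyThreshold, bits per character
ENCODED_LENGTH_THRESHOLD = 64     # EncodedCommandLengthThreshold, characters
TIME_WINDOW = 60                  # TimeWindow, seconds between encode and connect
PROCESS_ALLOWLIST = {"chrome.exe", "msedge.exe"}  # ProcessAllowlist (constructed)
ENCODERS = ("base64", "gzip", "xxd", "plutil")   # encoding utilities named on the page

# A run of Base64 alphabet characters at least ENCODED_LENGTH_THRESHOLD long.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % ENCODED_LENGTH_THRESHOLD)

def shannon_entropy(s):
    """Bits per character. Base64 of text sits near 4.5, of random bytes near 6;
    a long run of one repeated character (padding, filler) scores 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0

def encoded_blobs(text):
    """Base64-looking runs that pass both the length and the entropy threshold."""
    return [m.group(0) for m in B64_RUN.finditer(text)
            if shannon_entropy(m.group(0)) >= PAYLOAD_ENTROPY_THRESHOLD]

def suspicious_fields(http_fields):
    """Names of HTTP header/cookie/URI fields carrying encoded content (Network Traffic Content)."""
    return sorted(k for k, v in http_fields.items() if encoded_blobs(v))

def correlate(events):
    """Encoding command, then a network connection from the same pid within TIME_WINDOW.
    Correlating on pid is an assumption; a pipeline like `base64 f | curl` would need parent pid."""
    last_encode, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"] in PROCESS_ALLOWLIST:          # ProcessAllowlist: expected senders
            continue
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            if any(tool in cmd for tool in ENCODERS) or encoded_blobs(cmd):
                last_encode[ev["pid"]] = ev["ts"]
        elif ev["type"] == "network":
            t = last_encode.get(ev["pid"])
            if t is not None and ev["ts"] - t <= TIME_WINDOW:
                alerts.append((ev["pid"], ev["image"], ev["dst_port"]))
    return alerts

# Constructed sample telemetry, not real logs.
BLOB = base64.b64encode(b"constructed sample customer export row " * 4).decode()
EVENTS = [
    {"ts": 100, "type": "process", "pid": 4242, "image": "powershell.exe", "cmdline": "powershell.exe " + BLOB},
    {"ts": 130, "type": "network", "pid": 4242, "image": "powershell.exe", "dst_port": 8443},
    {"ts": 200, "type": "process", "pid": 5001, "image": "bash", "cmdline": "base64 /tmp/constructed.tar"},
    {"ts": 205, "type": "network", "pid": 5001, "image": "curl", "dst_port": 80},
    {"ts": 300, "type": "process", "pid": 7, "image": "chrome.exe", "cmdline": "chrome.exe " + BLOB},
    {"ts": 310, "type": "network", "pid": 7, "image": "chrome.exe", "dst_port": 443},   # allowlisted
    {"ts": 400, "type": "process", "pid": 9, "image": "bash", "cmdline": "base64 /tmp/x"},
    {"ts": 900, "type": "network", "pid": 9, "image": "curl", "dst_port": 443},         # outside TimeWindow
]
HTTP = {"Cookie": "session=" + BLOB, "User-Agent": "Mozilla/5.0 (constructed)", "X-Pad": "A" * 80}

if __name__ == "__main__":
    print(correlate(EVENTS))        # [(4242, 'powershell.exe', 8443), (5001, 'curl', 80)]
    print(suspicious_fields(HTTP))  # ['Cookie']
```

The X-Pad header shows why the entropy check sits beside the length check: an 80-character filler run matches the Base64 pattern but scores 0 bits per character and is not flagged.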