Process invokes a standard encoder (e.g., PowerShell -enc/-EncodedCommand, certutil -encode, [Convert]::ToBase64String via .NET from PowerShell or Invoke-Expression) or emits long Base64/hex literals → shortly followed by outbound network egress with a high bytes_out:bytes_in ratio, or with HTTP headers/payloads containing Base64/MIME blocks.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 (the command line is only present when "Include command line in process creation events" is enabled; Sysmon EventCode=1 is the usual alternative) |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Script Execution (DC0029) | WinEventLog:PowerShell | EventCode=4103 (Module Logging), 4104 (Script Block Logging; must be enabled by policy) |
| Network Traffic Flow (DC0078) | M365Defender:DeviceNetworkEvents | NetworkConnection to the remote endpoint; DeviceNetworkEvents carries no byte counts, so the bytes_sent >> bytes_received anomaly must come from a flow source (firewall/NetFlow/proxy) joined on host and time |

| Field | Description |
|---|---|
| PayloadEntropyThreshold | Shannon entropy cutoff (bits per byte) to consider a payload suspicious (e.g., > 4.5–5.0 for an HTTP body). Natural-language text sits around 4.0–4.5 and Base64 text tops out near 6.0, so the cutoff separates encoded from plain text; compressed or encrypted binary bodies approach 8.0 and exceed it regardless. |
| B64LengthThreshold | Minimum unbroken Base64 token length in command lines/script blocks to alert (e.g., > 100 chars). |
| TimeWindow | Correlation window between the encoding event and the egress (default 10m). |
| KnownAdminTools | Legitimate tools (e.g., backup agents) that routinely encode/compress data; exclude before correlating. |
| BytesOutToInRatio | Minimum bytes_out:bytes_in ratio to treat a flow as asymmetric (e.g., ≥ 4:1). |
Shell/utility (base64, xxd -p, od, openssl enc -base64, python/perl base64 libraries) encodes data → subsequent outbound connections (curl/wget, bash /dev/tcp, socat, python requests) with high asymmetry or Base64/MIME blobs in HTTP/DNS payloads.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve of base64, openssl, xxd, od, python or perl with arguments matching Base64 flags (requires an execve audit rule such as `-a always,exit -F arch=b64 -S execve`; the arguments arrive in the paired EXECVE record) |
| Network Connection Creation (DC0082) | Sysmon for Linux | EventCode=3 (or auditd connect/sendto SYSCALL records where Sysmon is not deployed) |
| Network Traffic Content (DC0085) | NSM:Flow | http: HTTP body or headers contain long Base64 sections; gzip/deflate followed by Base64 |

| Field | Description |
|---|---|
| EncodingToolsAllowList | Build/backup jobs that legitimately call base64/openssl. |
| EntropyThreshold | Shannon entropy cutoff for payloads (e.g., > 4.5). |
| TimeWindow | Join window between the exec and the egress (default 10m). |
| OutInRatio | bytes_out / bytes_in threshold (default 4). |
Processes use base64/xxd/openssl/python, or Foundation APIs such as NSData Base64 encoding, to encode data (seen in EndpointSecurity exec events or the Unified Log) → quick outbound connections with large bytes_out or HTTP POSTs carrying Base64/MIME bodies.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process command line contains base64, -enc, openssl enc -base64 (EndpointSecurity ES_EVENT_TYPE_NOTIFY_EXEC is the reliable source for full arguments; the Unified Log alone does not record every command line) |
| Network Traffic Flow (DC0078) | PF:Logs | outbound flows with bytes_out >> bytes_in |
| Network Traffic Content (DC0085) | NSM:Flow | http: HTTP body contains long Base64 sections |

| Field | Description |
|---|---|
| AllowedDeveloperIDs | Signed/allowed developer binaries (by Developer ID / Team ID) that routinely use encoding. |
| EntropyThreshold | Payload entropy cutoff. |
| TimeWindow | Exec → egress correlation window. |
ESXi shell (BusyBox) or VMware utilities (openssl, python if present) used to Base64/hex encode data from datastore or config files → followed by abnormal egress from the host (NSX/flow logs) with asymmetric bytes_out or HTTPS POSTs to non-management endpoints.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | esxi:shell | commands containing base64, openssl enc -base64, xxd -p (ESXi records interactive shell commands in /var/log/shell.log) |
| Application Log Content (DC0038) | esxi:hostd | unexpected script/command invocations via hostd (/var/log/hostd.log) |
| Network Traffic Flow (DC0078) | NSX:FlowLogs | network_flow: bytes_out >> bytes_in to external destinations |
| Network Traffic Content (DC0085) | NSM:Flow | http: Base64/MIME-looking payloads from the ESXi host IP |

| Field | Description |
|---|---|
| MgmtCIDRs | CIDRs for legitimate vCenter/NSX/backup endpoints; flows to these are excluded from correlation. |
| BytesRatio | Out:In ratio deemed suspicious (e.g., ≥ 3 on ESXi). |
| TimeWindow | Correlation window between the shell command and the egress. |
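All four analytics above (Windows, Linux, macOS, ESXi) share one correlation: find a non-allowlisted encoder invocation, then look for egress from the same host inside TimeWindow that is either asymmetric by BytesOutToInRatio/OutInRatio or carries a high-entropy or long-Base64 HTTP body, skipping destinations in MgmtCIDRs. The Python below is an added example written for this page, not code from the page or from any vendor or project it references. The host names, image paths, destination addresses, timestamps and the SHAKE-generated stand-in for an archive are constructed sample data, and the encoder regexes are approximations of the command-line signatures the analytics name, not a canonical rule set.

```python
"""Added example, not from the page: join encoder invocations with asymmetric or
Base64-laden egress on the same host inside TimeWindow. Every event, host name,
path and destination below is constructed sample data, not a real log."""
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Encoder invocations named in the analytics: PowerShell -enc (PowerShell accepts any
# unambiguous prefix of -EncodedCommand; the common ones are listed), certutil -encode,
# base64, openssl enc -base64/-a, xxd -p, python/perl Base64 libraries.
ENCODER_RE = [
    re.compile(r"(?i)powershell(?:\.exe)?\b.*\s-e(?:c|nc|ncodedcommand)?\s"),
    re.compile(r"(?i)\bcertutil(?:\.exe)?\b.*\s-encode\b"),
    re.compile(r"(?i)(?:^|[\s/])base64\b"),
    re.compile(r"(?i)\bopenssl\s+(?:enc\b.*\s-(?:base64|a)\b|base64\b)"),
    re.compile(r"(?i)\bxxd\s+-p\b"),
    re.compile(r"(?i)\b(?:python|perl)\S*\s.*\b(?:b64encode|MIME::Base64)\b"),
]

def is_encoder_invocation(cmdline: str) -> bool:
    return any(rx.search(cmdline) for rx in ENCODER_RE)

def has_long_base64_token(text: str, min_len: int) -> bool:
    """B64LengthThreshold: one unbroken run of the Base64 alphabet >= min_len chars."""
    return re.search(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text) is not None

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: natural text ~4.0-4.5, Base64 of random bytes ~6.0, ciphertext ~8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def correlate(process_events, flow_events, *, window=timedelta(minutes=10),
              ratio=4.0, entropy_threshold=4.5, b64_len=100, allowlist=(), mgmt_cidrs=()):
    """One alert per flow that follows a non-allowlisted encoder on the same host
    within `window` and is either asymmetric or carries an encoded HTTP body."""
    ts = datetime.fromisoformat
    mgmt = [ip_network(c) for c in mgmt_cidrs]
    encoders_by_host = defaultdict(list)
    for p in process_events:  # KnownAdminTools / EncodingToolsAllowList / AllowedDeveloperIDs
        if p["image"] not in allowlist and (
                is_encoder_invocation(p["cmdline"]) or has_long_base64_token(p["cmdline"], b64_len)):
            encoders_by_host[p["host"]].append(p)
    alerts = []
    for f in flow_events:
        if any(ip_address(f["dst"]) in n for n in mgmt):  # MgmtCIDRs: management traffic is expected
            continue
        prior = [p for p in encoders_by_host[f["host"]]
                 if timedelta(0) <= ts(f["ts"]) - ts(p["ts"]) <= window]  # TimeWindow
        if not prior:
            continue
        reasons = []
        if f["bytes_out"] / max(f["bytes_in"], 1) >= ratio:  # BytesOutToInRatio / OutInRatio / BytesRatio
            reasons.append("asymmetric_flow")
        body = f.get("http_body") or ""  # empty for TLS flows without content inspection
        if body and (shannon_entropy(body.encode()) > entropy_threshold
                     or has_long_base64_token(body, b64_len)):  # PayloadEntropyThreshold / B64LengthThreshold
            reasons.append("encoded_payload")
        if reasons:
            alerts.append({"host": f["host"], "dst": f["dst"], "reasons": reasons,
                           "encoders": [p["cmdline"] for p in prior]})
    return alerts

# Constructed sample events (ISO 8601 timestamps), one host per platform analytic. SHAKE-256
# output stands in for compressed data so the sample is deterministic yet high-entropy.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(hashlib.shake_256(b"ps").digest(120)).decode()},
    {"ts": "2024-05-01T10:00:05", "host": "lnx01", "image": "/usr/bin/base64", "cmdline": "base64 -w0 /etc/shadow"},
    {"ts": "2024-05-01T10:00:07", "host": "lnx01", "image": "/usr/bin/openssl", "cmdline": "openssl enc -base64 -in /tmp/dump.tar.gz"},
    {"ts": "2024-05-01T10:00:09", "host": "mac01", "image": "/usr/bin/base64", "cmdline": "base64 -i /Users/alice/Documents/notes.txt"},
    {"ts": "2024-05-01T10:00:12", "host": "esx01", "image": "/bin/xxd", "cmdline": "xxd -p /vmfs/volumes/datastore1/vm1/vm1.vmx"},
    {"ts": "2024-05-01T11:00:00", "host": "bak01", "image": "/opt/backup/agent", "cmdline": "/opt/backup/agent --encode base64 /srv"},
]
B64_BODY = base64.b64encode(hashlib.shake_256(b"constructed-seed").digest(3000)).decode()  # MIME-style POST body
FLOW_EVENTS = [
    {"ts": "2024-05-01T10:02:30", "host": "ws01", "dst": "203.0.113.10", "bytes_out": 5_000_000, "bytes_in": 12_000, "http_body": None},
    {"ts": "2024-05-01T10:01:00", "host": "lnx01", "dst": "198.51.100.7", "bytes_out": 2_000, "bytes_in": 60_000, "http_body": "heartbeat ok " * 20},
    {"ts": "2024-05-01T10:03:00", "host": "lnx01", "dst": "198.51.100.7", "bytes_out": 400_000, "bytes_in": 3_000, "http_body": B64_BODY},
    {"ts": "2024-05-01T10:04:00", "host": "mac01", "dst": "203.0.113.22", "bytes_out": 900_000, "bytes_in": 4_000, "http_body": None},
    {"ts": "2024-05-01T10:05:00", "host": "esx01", "dst": "10.10.0.5", "bytes_out": 3_000_000, "bytes_in": 9_000, "http_body": None},
    {"ts": "2024-05-01T11:01:00", "host": "bak01", "dst": "203.0.113.40", "bytes_out": 9_000_000, "bytes_in": 1_000, "http_body": None},
]

def run_demo():
    """Alerts for ws01, lnx01 (two encoders, both reasons) and mac01; esx01 is suppressed
    by MgmtCIDRs, bak01 by the allowlist, and the symmetric lnx01 heartbeat flow by thresholds."""
    return correlate(PROCESS_EVENTS, FLOW_EVENTS, allowlist={"/opt/backup/agent"}, mgmt_cidrs=("10.10.0.0/24",))

if __name__ == "__main__":
    for a in run_demo():
        print(a["host"], a["dst"], a["reasons"], a["encoders"])
```

Each keyword argument of `correlate` maps to one mutable element in the tables above, so tuning is a matter of changing those values per platform (e.g., `ratio=3.0` for the ESXi analytic). The ws01 and mac01 alerts fire on flow asymmetry alone because a TLS body is not visible to the flow source; only the lnx01 HTTP POST also trips the entropy and Base64-token checks, which is why both signals are kept rather than relying on payload inspection.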