A process or script constructs or references a custom alphabet or translation table (e.g., an arbitrary alphabet of 32, 64, 85 or more characters, or an XOR/base-N encode loop), or emits long, high-entropy strings that do NOT validate as standard Base64 or hex. Shortly afterwards, the same process (or a child of it) generates outbound traffic with an asymmetric bytes_out:bytes_in ratio, fixed-size beacons, or protocol/header mismatches (e.g., Content-Type says JSON but the body fails to parse as JSON or contains a non-standard alphabet).

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Script Execution (DC0029) | WinEventLog:PowerShell | EventCode=4103, 4104 |
| Network Traffic Flow (DC0078) | m365:defender | NetworkConnection: high out:in ratio, periodic beacons, protocol mismatch |

| Field | Description |
|---|---|
| EntropyThreshold | Minimum Shannon entropy for the suspected token/payload (e.g., >4.8). |
| TokenLengthThreshold | Minimum continuous token length to treat as a potential non-standard payload (e.g., ≥120 chars). |
| BytesOutToInRatio | Out:In ratio considered suspicious (e.g., ≥4:1). |
| FixedPacketStdDevThreshold | Standard-deviation threshold (packet size or interval) below which packets are marked 'uniform' (beacon-like). |
| TimeWindow | Correlation window from the encode routine to egress (default 10m). |
| KnownLegitEncoders | Legitimate in-house/custom encoders to suppress. |
Shell scripts or binaries implement custom mapping tables (tr/sed/awk pipelines, or encode loops written in Go, Rust or Python), or emit long, high-entropy tokens that fail Base64/hex validation. These are correlated with egress showing asymmetric flows, protocol-mismatched payloads, or DNS/HTTP bodies containing long, low-diversity tokens drawn from a custom alphabet.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve of interpreters (python, perl), custom binaries, or shell utilities with long arguments containing non-standard tokens |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Network Traffic Content (DC0085) | NSM:Flow | http: HTTP bodies/headers contain long tokens with non-standard alphabets or constant-size periodic POSTs |

| Field | Description |
|---|---|
| EntropyThreshold | Minimum payload entropy. |
| TokenLengthThreshold | Length threshold for suspect tokens. |
| BytesOutToInRatio | Asymmetry cutoff for flows. |
| TimeWindow | Correlation join window. |
| KnownEncoders | Legitimate internal tools/agents. |
Endpoint Security or Unified Logs show processes generating custom alphabets or long, high-entropy, non-standard tokens; network logs (PF, Zeek or EDR) then show asymmetric beacons, protocol mismatches, or periodic fixed-size POSTs.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC: arguments contain long, non-standard tokens / custom alphabets |
| Network Traffic Flow (DC0078) | PF:Logs | high out:in ratio or fixed-size periodic flows |
| Network Traffic Content (DC0085) | NSM:Flow | http: suspicious long tokens with custom alphabets in body/headers |

| Field | Description |
|---|---|
| EntropyThreshold | Minimum payload entropy. |
| TokenLengthThreshold | Minimum suspicious token length. |
| BytesOutToInRatio | Asymmetry threshold. |
| TimeWindow | Correlation window. |
| AllowedSignedBinaries | Signed binaries that legitimately implement custom encoders. |
The ESXi shell or scripts record long, high-entropy tokens (non-standard alphabets) in shell.log or hostd logs, followed by outbound flows (seen in NSX or Zeek) with asymmetric out:in ratios or protocol mismatches to non-management endpoints.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | esxi:shell | commands containing long non-standard tokens or custom lookup tables |
| Application Log Content (DC0038) | esxi:hostd | unexpected script invocations producing long encoded strings |
| Network Traffic Flow (DC0078) | NSM:Flow | network_flow: bytes_out >> bytes_in, fixed packet sizes/intervals to non-approved CIDRs |
| Network Traffic Content (DC0085) | NSM:Flow | http: HTTP bodies from ESXi host IPs containing long, non-standard tokens |

| Field | Description |
|---|---|
| MgmtCIDRs | CIDRs allowed for normal ESXi management/backup traffic. |
| BytesOutToInRatio | Asymmetry cutoff (e.g., ≥3). |
| TokenLengthThreshold | Minimum token length. |
| TimeWindow | Correlation window. |
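The four platform variants above share one pipeline: flag long, high-entropy tokens that fail Base64/hex validation, join them to the same process's egress inside the correlation window, and test that egress for out:in asymmetry or fixed-size periodicity. The Python below is an added example of that pipeline, not code from the original page; it uses the example thresholds listed for Windows, assumes a value for FixedPacketStdDevThreshold, and runs on constructed sample events whose field names (pid, image, cmdline, ts, bytes_out, bytes_in) are assumptions rather than any product's schema.

```python
import base64, binascii, math, re, statistics
from datetime import datetime, timedelta
# Thresholds are the page's example values; the stddev value and the event field names are assumed.
ENTROPY_THRESHOLD, TOKEN_LENGTH_THRESHOLD = 4.8, 120      # bits/char, chars
BYTES_OUT_TO_IN_RATIO, FIXED_PACKET_STDDEV = 4.0, 16.0    # 4:1, bytes
TIME_WINDOW = timedelta(minutes=10)

def shannon_entropy(s):
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in (s.count(c) for c in set(s)))

def is_standard_encoding(tok):
    """True for plain hex or RFC 4648 Base64/Base64url (missing padding tolerated)."""
    if len(tok) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", tok):
        return True
    std = tok.translate(str.maketrans("-_", "+/")) + "=" * (-len(tok) % 4)
    try:
        base64.b64decode(std, validate=True)  # validate=True rejects non-alphabet chars
        return True
    except binascii.Error:  # caveat: a permuted standard alphabet still passes
        return False

def suspicious_tokens(text):
    """Long, high-entropy tokens that are not Base64/hex: custom-encoding candidates."""
    return [t for t in re.findall(r"\S+", text) if len(t) >= TOKEN_LENGTH_THRESHOLD
            and shannon_entropy(t) > ENTROPY_THRESHOLD and not is_standard_encoding(t)]

def beacon_like(flows):
    """Upload-heavy out:in volume, or near-constant request sizes over >= 3 flows."""
    ratio = sum(f["bytes_out"] for f in flows) / max(1, sum(f["bytes_in"] for f in flows))
    sizes = [f["bytes_out"] for f in flows]
    return ratio >= BYTES_OUT_TO_IN_RATIO or (
        len(sizes) >= 3 and statistics.pstdev(sizes) <= FIXED_PACKET_STDDEV)

def correlate(proc_events, flow_events):
    # Join each flagged process event to its own pid's flows inside TIME_WINDOW.
    alerts = []
    for p in proc_events:
        toks = suspicious_tokens(p["cmdline"])
        flows = [f for f in flow_events if f["pid"] == p["pid"]
                 and p["ts"] <= f["ts"] <= p["ts"] + TIME_WINDOW]
        if toks and beacon_like(flows):
            alerts.append({"pid": p["pid"], "image": p["image"],
                           "token_len": max(map(len, toks)), "flows": len(flows)})
    return alerts

# Constructed sample telemetry: a 94-symbol custom-alphabet token, then three uniform uploads.
CUSTOM_TOKEN = "".join(chr(33 + i) for i in range(94)) * 2
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_PROCS = [{"pid": 4242, "image": "python.exe", "ts": T0, "cmdline": "python.exe -c " + CUSTOM_TOKEN}]
SAMPLE_FLOWS = [{"pid": 4242, "ts": T0 + timedelta(minutes=m), "bytes_out": 1400, "bytes_in": 120}
                for m in (1, 2, 3)]
```

correlate(SAMPLE_PROCS, SAMPLE_FLOWS) returns one alert for pid 4242 (token length 188, three flows). Because a shuffled standard Base64 alphabet still passes is_standard_encoding, that case has to be caught by the entropy and flow checks rather than the alphabet check.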