T1048.001

Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. Symmetric encryption algorithms (RC4, AES, ChaCha20, Blowfish) use shared keys on both ends of the channel. Attackers may implement custom encryption over protocols not natively encrypted (HTTP, FTP, DNS) or add extra encryption layers over already-encrypted protocols (HTTPS, SFTP) to obscure data contents from network inspection tools. This technique is distinguished from asymmetric exfiltration by the pre-shared key requirement, often resulting in artifacts such as key material embedded in scripts, configuration files, or command-line arguments.

Microsoft Sentinel / Defender

kusto

let SuspiciousExfilTools = dynamic(["openssl", "ccrypt", "mcrypt", "gpg", "7z", "aescrypt", "cryptcat"]);
let SuspiciousExfilArgs = dynamic(["enc -aes", "enc -rc4", "enc -des", "-k ", "-pass pass:", "-aes-256", "-aes-128", "aes256", "rc4", "chacha20", "-nosalt", "-base64"]);
let NetworkExfilPorts = dynamic([21, 22, 25, 80, 443, 8080, 8443, 4444, 1337, 9001, 6666, 53]);
// Detection 1: Processes using encryption tools with network-related arguments
let EncryptionToolUsage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (SuspiciousExfilTools)
  or (FileName =~ "python.exe" and ProcessCommandLine has_any ("AES", "RC4", "Cipher", "encrypt", "socket", "send"))
  or (FileName =~ "python3" and ProcessCommandLine has_any ("AES", "RC4", "Cipher", "encrypt", "socket", "send"))
| where ProcessCommandLine has_any (SuspiciousExfilArgs)
| extend EncryptionAlgo = case(
    ProcessCommandLine has "aes", "AES",
    ProcessCommandLine has "rc4", "RC4",
    ProcessCommandLine has "des", "DES",
    ProcessCommandLine has "chacha", "ChaCha20",
    ProcessCommandLine has "blowfish", "Blowfish",
    "Unknown"
  )
| extend HasNetworkIndicator = ProcessCommandLine has_any ("-connect", "-l ", "nc ", "netcat", "curl", "wget", "ftp", "http", "tcp", "udp", "socket")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, EncryptionAlgo, HasNetworkIndicator;
// Detection 2: Large outbound network connections from encryption-capable processes
let EncryptedNetworkExfil = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (SuspiciousExfilTools)
  or InitiatingProcessFileName in~ ("openssl", "ccrypt", "cryptcat")
| where RemoteIPType == "Public"
| where SentBytes > 1000000
| extend ExfilSizeMB = round(toreal(SentBytes) / 1048576, 2)
| project Timestamp, DeviceName, AccountName, RemoteIP, RemotePort, RemoteUrl, SentBytes, ExfilSizeMB, InitiatingProcessFileName, InitiatingProcessCommandLine;
// Detection 3: OpenSSL or cryptcat creating network connections
let OpenSSLNetworkActivity = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "openssl" or InitiatingProcessCommandLine has "openssl"
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, AccountName, RemoteIP, RemotePort, SentBytes, ReceivedBytes, InitiatingProcessFileName, InitiatingProcessCommandLine;
union EncryptionToolUsage, EncryptedNetworkExfil, OpenSSLNetworkActivity
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate use of OpenSSL for TLS certificate management, key generation, or PKI operations by system administrators
Backup software using AES encryption to transfer data to cloud storage (e.g., Veeam, Acronis, rsync with encryption flags)
Secure file transfer tools such as SFTP, SCP, or WinSCP that use symmetric encryption internally during session
Security scanning and penetration testing tools (Metasploit, nmap scripts) run by authorized red team or security operations personnel
Software build pipelines encrypting artifacts for distribution using OpenSSL or GPG with symmetric keys

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval Image_lower=lower(Image)
| eval IsEncryptionTool=if(
    match(Image_lower, "(openssl|ccrypt|mcrypt|cryptcat|aescrypt|gpg)") OR
    (match(Image_lower, "python") AND match(CommandLine, "(aes|rc4|des|chacha|blowfish|pycrypto|cryptography|cipher|encrypt)")),
    1, 0
  )
| eval HasAESIndicator=if(match(CommandLine, "(enc\s+-aes|aes-256|aes-128|aes256|aes128|-aes)"), 1, 0)
| eval HasRC4Indicator=if(match(CommandLine, "(rc4|\-rc4|arcfour)"), 1, 0)
| eval HasKeyMaterial=if(match(CommandLine, "(-k\s+\S+|-pass\s+pass:|-passout|-passin|-password|--passphrase|secret|shared.?key)"), 1, 0)
| eval HasNetworkTarget=if(match(CommandLine, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|https?://|ftp://|-connect|s_client|s_server|netcat|nc\s)"), 1, 0)
| eval HasNoSalt=if(match(CommandLine, "-nosalt"), 1, 0)
| eval SuspicionScore=IsEncryptionTool + HasAESIndicator + HasRC4Indicator + HasKeyMaterial + HasNetworkTarget + HasNoSalt
| where SuspicionScore >= 2
| eval EncryptionAlgo=case(
    HasAESIndicator=1, "AES",
    HasRC4Indicator=1, "RC4",
    match(CommandLine, "des"), "DES",
    match(CommandLine, "chacha"), "ChaCha20",
    1=1, "Unknown"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsEncryptionTool, HasAESIndicator, HasRC4Indicator, HasKeyMaterial, HasNetworkTarget, HasNoSalt, SuspicionScore, EncryptionAlgo
| sort - _time
| appendcols [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
      (Image="*openssl*" OR Image="*cryptcat*" OR Image="*ccrypt*")
      NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
    | table _time, host, User, Image, DestinationIp, DestinationPort, CommandLine
  ]

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate OpenSSL usage for certificate operations, key generation, and TLS debugging by network or system administrators
Backup and archival software using GPG or AES encryption for data-at-rest protection before upload to cloud storage
Security tools performing vulnerability assessments or penetration tests with authorized scope
DevOps pipelines encrypting build artifacts or secrets using OpenSSL with symmetric keys
Network monitoring tools using encryption to protect captured traffic during analysis

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   (
     process.name : ("openssl", "ccrypt", "mcrypt", "cryptcat", "aescrypt", "gpg", "7z") or
     (process.name : ("python", "python3", "python.exe") and
      process.command_line : ("*AES*", "*RC4*", "*Cipher*", "*encrypt*", "*socket*", "*send*"))
   ) and
   process.command_line : (
     "*enc -aes*", "*enc -rc4*", "*enc -des*", "*-k *", "*-pass pass:*",
     "*-aes-256*", "*-aes-128*", "*aes256*", "*aes128*", "*rc4*", "*arcfour*",
     "*chacha20*", "*-nosalt*", "*-base64*", "*-connect*", "*netcat*",
     "*socket*", "*curl*", "*wget*", "*ftp*"
   )]
  [network where event.type in ("start", "connection") and
   network.direction : ("outbound", "egress") and
   not destination.ip : (
     "10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
     "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*",
     "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*",
     "172.30.*", "172.31.*", "192.168.*", "127.*", "::1"
   )]

/* Standalone: Large outbound transfer from encryption tool process */
// network where event.type in ("start", "connection") and
//   network.direction : ("outbound", "egress") and
//   process.name : ("openssl", "ccrypt", "mcrypt", "cryptcat", "aescrypt", "gpg") and
//   network.bytes > 1000000 and
//   not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
//     "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*",
//     "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*",
//     "172.30.*", "172.31.*", "192.168.*", "127.*")

high severity medium confidence

Data Sources

Elastic Endpoint Security agent (endpoint.events.process, endpoint.events.network) Winlogbeat with Sysmon module (process create / network connect) Auditbeat (auditd module on Linux)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-* auditbeat-*

False Positives

Administrators using openssl s_client or s_server for TLS certificate testing and OCSP validation against public CA endpoints
Python-based DevOps automation or data pipelines using pycryptodome or cryptography libraries for legitimate API calls to external services
Backup solutions invoking ccrypt or gpg to encrypt files before transferring to cloud storage buckets over HTTPS
CI/CD pipelines performing GPG-signed artifact verification with outbound keyserver lookups (keys.openpgp.org, keyserver.ubuntu.com)

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  QIDNAME(qid) AS event_name,
  "ProcessName" AS process_name,
  "CommandLine" AS command_line,
  LONG("BytesSent") AS bytes_sent,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  CASE
    WHEN "CommandLine" ILIKE '%aes%'     THEN 'AES'
    WHEN "CommandLine" ILIKE '%rc4%'
      OR "CommandLine" ILIKE '%arcfour%' THEN 'RC4'
    WHEN "CommandLine" ILIKE '%chacha%'  THEN 'ChaCha20'
    WHEN "CommandLine" ILIKE '%des%'     THEN 'DES'
    ELSE 'Unknown'
  END AS encryption_algo,
  CASE
    WHEN "CommandLine" ILIKE '%-nosalt%' THEN 'true'
    ELSE 'false'
  END AS has_nosalt,
  CASE
    WHEN "CommandLine" ILIKE '%-pass pass:%'
      OR "CommandLine" ILIKE '%-k %'
      OR "CommandLine" ILIKE '%-passout%'
      OR "CommandLine" ILIKE '%-passin%' THEN 'true'
    ELSE 'false'
  END AS has_key_material
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN (
    'Microsoft Windows Security Event Log',
    'Sysmon',
    'Linux OS',
    'Universal DSM',
    'SNARE for Windows'
  )
  AND (
    ("ProcessName" ILIKE '%openssl%' OR "ProcessName" ILIKE '%ccrypt%'
      OR "ProcessName" ILIKE '%mcrypt%' OR "ProcessName" ILIKE '%cryptcat%'
      OR "ProcessName" ILIKE '%aescrypt%' OR "ProcessName" ILIKE '%gpg%')
    OR
    ("ProcessName" ILIKE '%python%' AND (
      "CommandLine" ILIKE '%AES%' OR "CommandLine" ILIKE '%RC4%'
      OR "CommandLine" ILIKE '%encrypt%' OR "CommandLine" ILIKE '%socket%'
      OR "CommandLine" ILIKE '%Cipher%'
    ))
  )
  AND (
    "CommandLine" ILIKE '%enc -aes%'  OR "CommandLine" ILIKE '%-aes-256%'
    OR "CommandLine" ILIKE '%aes256%' OR "CommandLine" ILIKE '%aes128%'
    OR "CommandLine" ILIKE '%enc -rc4%' OR "CommandLine" ILIKE '%-rc4%'
    OR "CommandLine" ILIKE '%arcfour%' OR "CommandLine" ILIKE '%chacha20%'
    OR "CommandLine" ILIKE '%-nosalt%' OR "CommandLine" ILIKE '%-pass pass:%'
    OR "CommandLine" ILIKE '%-passout%' OR "CommandLine" ILIKE '%-passin%'
    OR "CommandLine" ILIKE '%-k %'
  )
  AND (
    "CommandLine" ILIKE '%-connect%' OR "CommandLine" ILIKE '%socket%'
    OR "CommandLine" ILIKE '%netcat%'  OR "CommandLine" ILIKE '%http%'
    OR "CommandLine" ILIKE '%curl%'    OR "CommandLine" ILIKE '%wget%'
    OR "CommandLine" ILIKE '%ftp%'     OR "CommandLine" ILIKE '%tcp%'
  )
  AND NOT (
    destinationip INSUBNET '10.0.0.0/8'
    OR destinationip INSUBNET '172.16.0.0/12'
    OR destinationip INSUBNET '192.168.0.0/16'
    OR destinationip INSUBNET '127.0.0.0/8'
    OR destinationip IS NULL
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC

high severity medium confidence

Data Sources

QRadar SIEM with Windows Security Event Log DSM Sysmon for Windows (process create / network connect events) Linux OS DSM (auditd or syslog process tracking) Universal DSM for generic endpoint process telemetry

Required Tables

events

False Positives

Authorized openssl invocations for TLS certificate signing, CSR generation, or OCSP stapling against public PKI infrastructure
Python-based ETL or ML pipelines using AES-encrypted communication with cloud data warehouses or APIs
Security orchestration playbooks calling encryption utilities during automated incident response or data sanitization
Legitimate ccrypt or gpg file encryption followed by SFTP/FTPS upload to authorized external storage providers

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon* OR _sourceCategory=linux/auditd)
| where EventCode = 1 OR EventID = 1
| parse regex "(?i)Image:\s*(?<process_image>[^\r\n]+)" nodrop
| parse regex "(?i)CommandLine:\s*(?<command_line>[^\r\n]+)" nodrop
| parse regex "(?i)ParentImage:\s*(?<parent_image>[^\r\n]+)" nodrop
| parse regex "(?i)User:\s*(?<user>[^\r\n]+)" nodrop
| parse regex "(?i)Computer:\s*(?<computer>[^\r\n]+)" nodrop
| where !isEmpty(process_image) AND !isEmpty(command_line)
| eval proc_lower = toLowerCase(process_image)
| eval cmd_lower  = toLowerCase(command_line)
| where (
    proc_lower matches "*(openssl|ccrypt|mcrypt|cryptcat|aescrypt|gpg)*"
    OR (proc_lower matches "*python*" AND
        (cmd_lower matches "*aes*" OR cmd_lower matches "*rc4*" OR
         cmd_lower matches "*cipher*" OR cmd_lower matches "*encrypt*" OR
         cmd_lower matches "*socket*"))
  )
| where (
    cmd_lower matches "*enc -aes*" OR cmd_lower matches "*enc -rc4*"
    OR cmd_lower matches "*-aes-256*" OR cmd_lower matches "*-aes-128*"
    OR cmd_lower matches "*aes256*"   OR cmd_lower matches "*aes128*"
    OR cmd_lower matches "*-rc4*"     OR cmd_lower matches "*arcfour*"
    OR cmd_lower matches "*chacha20*" OR cmd_lower matches "*-nosalt*"
    OR cmd_lower matches "*-pass pass:*" OR cmd_lower matches "*-passout*"
    OR cmd_lower matches "*-passin*"
  )
| where (
    cmd_lower matches "*-connect*" OR cmd_lower matches "*netcat*"
    OR cmd_lower matches "*curl*"    OR cmd_lower matches "*wget*"
    OR cmd_lower matches "*http*"    OR cmd_lower matches "*ftp*"
    OR cmd_lower matches "*socket*"  OR cmd_lower matches "*tcp*"
  )
| eval encryption_algo =
    if(cmd_lower matches "*aes*", "AES",
      if(cmd_lower matches "*rc4*" OR cmd_lower matches "*arcfour*", "RC4",
        if(cmd_lower matches "*chacha*", "ChaCha20",
          if(cmd_lower matches "*des*", "DES", "Unknown"))))
| eval has_key_material =
    if(cmd_lower matches "*-k *" OR cmd_lower matches "*-pass pass:*"
       OR cmd_lower matches "*-passout*" OR cmd_lower matches "*passphrase*",
       "true", "false")
| eval has_nosalt = if(cmd_lower matches "*-nosalt*", "true", "false")
| eval suspicion_score =
    (if(proc_lower matches "*(openssl|ccrypt|cryptcat|aescrypt)*", 1, 0))
    + (if(encryption_algo != "Unknown", 1, 0))
    + (if(has_key_material = "true", 1, 0))
    + (if(cmd_lower matches "*-connect*" OR cmd_lower matches "*socket*"
          OR cmd_lower matches "*netcat*", 1, 0))
    + (if(has_nosalt = "true", 1, 0))
| where suspicion_score >= 2
| count by computer, process_image, command_line, parent_image, user, encryption_algo, has_key_material, has_nosalt, suspicion_score
| order by suspicion_score desc, _count desc

high severity medium confidence

Data Sources

Sysmon for Windows (Event ID 1 — Process Create) via Sumo Logic Collector Linux auditd process exec events via Sumo Logic Installed Collector Endpoint security agent process telemetry forwarded to Sumo Logic

Required Tables

windows/sysmon linux/auditd endpoint/process

False Positives

IT staff using openssl for bulk certificate operations (renewal scripts, ACME clients) that include -pass arguments and connect to Let's Encrypt or internal CAs
Python data engineering jobs using PyCryptodome or cryptography libraries for AES-encrypted REST API communication with SaaS platforms
Automated backup agents encrypting files with ccrypt or gpg before uploading to S3-compatible endpoints using curl
Security team tooling invoking openssl s_client for TLS fingerprinting or cipher suite enumeration during assessments

Google Chronicle / SecOps

yaral

rule t1048_001_symmetric_encrypted_exfil {
  meta:
    author          = "Detection Engineering"
    description     = "Detects T1048.001: symmetric encryption tool (openssl, ccrypt, cryptcat, gpg, aescrypt, Python crypto) launched with AES/RC4/ChaCha20 cipher arguments, followed within 5 minutes by an outbound connection from the same host to a public IP. Key-material indicators (-k, -pass pass:, -nosalt) increase fidelity."
    mitre_attack_tactic    = "Exfiltration"
    mitre_attack_technique = "T1048.001"
    severity        = "HIGH"
    confidence      = "MEDIUM"
    version         = "1.0"
    created         = "2026-04-16"

  events:
    /* Event 1: Encryption tool process launch with cipher arguments */
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname  = $hostname
    (
      re.regex($proc.target.process.file.full_path,
        `(?i)(openssl|ccrypt|mcrypt|cryptcat|aescrypt|gpg)`) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)python`) and
        re.regex($proc.target.process.command_line,
          `(?i)(aes|rc4|des|chacha|blowfish|cipher|encrypt|pycrypto|cryptography)`)
      )
    )
    re.regex($proc.target.process.command_line,
      `(?i)(enc[\s]+-aes|enc[\s]+-rc4|enc[\s]+-des|-aes-256|-aes-128|aes256|aes128|-rc4|arcfour|chacha20|-nosalt|-pass[\s]+pass:|-k[\s]+\S+|-passout|-passin)`)

    /* Event 2: Outbound network connection from same host to public IP */
    $net.metadata.event_type  = "NETWORK_CONNECTION"
    $net.principal.hostname   = $hostname
    $net.network.direction    = "OUTBOUND"
    not net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($net.target.ip, "169.254.0.0/16")
    not net.ip_in_range_cidr($net.target.ip, "::1/128")

    /* Sequence: process before network, within 5-minute window */
    $proc.metadata.event_timestamp.seconds <= $net.metadata.event_timestamp.seconds
    ($net.metadata.event_timestamp.seconds - $proc.metadata.event_timestamp.seconds) <= 300

  condition:
    $proc and $net
}

high severity medium confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Endpoint telemetry forwarded to Chronicle (EDR, Sysmon, auditd) Network detection telemetry (NDR, firewall, proxy logs normalized to UDM)

Required Tables

UDM Events (PROCESS_LAUNCH, NETWORK_CONNECTION)

False Positives

System administrators running openssl enc for file encryption before upload to external cloud storage, generating both a process event and a subsequent network event
Scheduled tasks or cron jobs invoking ccrypt or gpg for automated encrypted backup followed by rsync/scp to off-site servers
Python automation scripts using AES encryption for API payload signing before posting to external REST endpoints
Penetration testing workstations running authorized red team tooling that includes openssl or cryptcat for C2 simulation exercises

CrowdStrike LogScale (CQL)

cql

// Detection 1: ProcessRollup2 — encryption tool with cipher args and network target indicators
#event_simpleName=ProcessRollup2
| FileName = /(?i)(openssl|ccrypt|mcrypt|cryptcat|aescrypt|gpg)/
  OR (FileName = /(?i)python/ AND CommandLine = /(?i)(AES|RC4|Cipher|encrypt|socket|send|pycrypto|cryptography)/)
| CommandLine = /(?i)(enc[\s]+-aes|enc[\s]+-rc4|-aes-256|-aes-128|aes256|aes128|-rc4|arcfour|chacha20|-nosalt|-pass[\s]+pass:|-passout|-passin|-k[\s]+\S+)/
| CommandLine = /(?i)(-connect|netcat|nc[\s]|curl|wget|ftp:\/\/|http:\/\/|https:\/\/|tcp|socket|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/
| EncryptionAlgo := if(CommandLine = /(?i)aes/, "AES",
    if(CommandLine = /(?i)(rc4|arcfour)/, "RC4",
      if(CommandLine = /(?i)chacha/, "ChaCha20",
        if(CommandLine = /(?i)\bdes\b/, "DES", "Unknown"))))
| HasKeyMaterial := if(CommandLine = /(?i)(-k[\s]|-pass[\s]+pass:|-passout|-passin|passphrase|shared.?key)/, "true", "false")
| HasNoSalt := if(CommandLine = /-nosalt/, "true", "false")
| HasNetworkTarget := if(CommandLine = /(?i)(-connect|netcat|nc[\s]|curl|wget|http|socket|tcp)/, "true", "false")
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, EncryptionAlgo, HasKeyMaterial, HasNoSalt, HasNetworkTarget],
    function=[
      count(as=EventCount),
      min(field=ContextTimeStamp, as=FirstSeen),
      max(field=ContextTimeStamp, as=LastSeen)
    ]
  )
| sort(field=EventCount, order=desc)

// Detection 2 (run separately): NetworkConnectIP4 — large outbound transfer from encryption process
// #event_simpleName=NetworkConnectIP4
// | RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
// | join(
//     [#event_simpleName=ProcessRollup2
//      | FileName = /(?i)(openssl|ccrypt|mcrypt|cryptcat|aescrypt|gpg)/],
//     field=[TargetProcessId, ComputerName],
//     include=[FileName, CommandLine, UserName, ParentBaseFileName]
//   )
// | where BytesSent > 1000000
// | ExfilSizeMB := round(BytesSent / 1048576, 2)
// | groupBy([ComputerName, UserName, FileName, RemoteAddressIP4, RemotePort, ExfilSizeMB, CommandLine])
// | sort(field=ExfilSizeMB, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection and Response (EDR) Falcon Insight XDR (ProcessRollup2, NetworkConnectIP4 telemetry)

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

Security engineers using openssl for TLS debugging, certificate pinning validation, or cipher suite enumeration on authorized endpoints
Python-based DevOps tooling using AES-CBC encrypted payloads for secrets management integrations (HashiCorp Vault, AWS KMS) with external endpoints
Automated backup scripts invoking ccrypt or gpg to encrypt files before transferring to remote SFTP or cloud storage destinations
Software package managers or update mechanisms that GPG-verify signed packages downloaded from vendor mirrors over HTTPS

Last updated: 2026-04-16 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1048.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1048Exfiltration Over Alternative Protocol

Related Sub-techniques

T1048.002Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.003Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Exfiltration

Popular Detections