T1048.001 Google Chronicle · YARA-L

Detect Exfiltration Over Symmetric Encrypted Non-C2 Protocol in Google Chronicle

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. Symmetric encryption algorithms (RC4, AES, ChaCha20, Blowfish) use shared keys on both ends of the channel. Attackers may implement custom encryption over protocols not natively encrypted (HTTP, FTP, DNS) or add extra encryption layers over already-encrypted protocols (HTTPS, SFTP) to obscure data contents from network inspection tools. This technique is distinguished from asymmetric exfiltration by the pre-shared key requirement, often resulting in artifacts such as key material embedded in scripts, configuration files, or command-line arguments.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1048 Exfiltration Over Alternative Protocol
Sub-technique
T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Canonical reference
https://attack.mitre.org/techniques/T1048/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1048_001_symmetric_encrypted_exfil {
  meta:
    author          = "Detection Engineering"
    description     = "Detects T1048.001: symmetric encryption tool (openssl, ccrypt, cryptcat, gpg, aescrypt, Python crypto) launched with AES/RC4/ChaCha20 cipher arguments, followed within 5 minutes by an outbound connection from the same host to a public IP. Key-material indicators (-k, -pass pass:, -nosalt) increase fidelity."
    mitre_attack_tactic    = "Exfiltration"
    mitre_attack_technique = "T1048.001"
    severity        = "HIGH"
    confidence      = "MEDIUM"
    version         = "1.0"
    created         = "2026-04-16"

  events:
    /* Event 1: Encryption tool process launch with cipher arguments */
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname  = $hostname
    (
      re.regex($proc.target.process.file.full_path,
        `(?i)(openssl|ccrypt|mcrypt|cryptcat|aescrypt|gpg)`) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)python`) and
        re.regex($proc.target.process.command_line,
          `(?i)(aes|rc4|des|chacha|blowfish|cipher|encrypt|pycrypto|cryptography)`)
      )
    )
    re.regex($proc.target.process.command_line,
      `(?i)(enc[\s]+-aes|enc[\s]+-rc4|enc[\s]+-des|-aes-256|-aes-128|aes256|aes128|-rc4|arcfour|chacha20|-nosalt|-pass[\s]+pass:|-k[\s]+\S+|-passout|-passin)`)

    /* Event 2: Outbound network connection from same host to public IP */
    $net.metadata.event_type  = "NETWORK_CONNECTION"
    $net.principal.hostname   = $hostname
    $net.network.direction    = "OUTBOUND"
    not net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($net.target.ip, "169.254.0.0/16")
    not net.ip_in_range_cidr($net.target.ip, "::1/128")

    /* Sequence: process before network, within 5-minute window */
    $proc.metadata.event_timestamp.seconds <= $net.metadata.event_timestamp.seconds
    ($net.metadata.event_timestamp.seconds - $proc.metadata.event_timestamp.seconds) <= 300

  condition:
    $proc and $net
}
high severity medium confidence

YARA-L 2.0 rule for Google Chronicle that correlates PROCESS_LAUNCH events (encryption utility invoked with cipher arguments) to NETWORK_CONNECTION events from the same host within a 300-second window. Uses UDM field model with re.regex for process path and command-line matching and net.ip_in_range_cidr for RFC-1918 exclusion. Targets the combination of a symmetric cipher invocation (openssl enc, rc4, aes256, chacha20, -nosalt, -pass pass:) with an outbound public network connection as the core signal for T1048.001.

Data Sources

Google Chronicle UDM (Unified Data Model)Endpoint telemetry forwarded to Chronicle (EDR, Sysmon, auditd)Network detection telemetry (NDR, firewall, proxy logs normalized to UDM)

Required Tables

UDM Events (PROCESS_LAUNCH, NETWORK_CONNECTION)

False Positives & Tuning

  • System administrators running openssl enc for file encryption before upload to external cloud storage, generating both a process event and a subsequent network event
  • Scheduled tasks or cron jobs invoking ccrypt or gpg for automated encrypted backup followed by rsync/scp to off-site servers
  • Python automation scripts using AES encryption for API payload signing before posting to external REST endpoints
  • Penetration testing workstations running authorized red team tooling that includes openssl or cryptcat for C2 simulation exercises
Download portable Sigma rule (.yml)

Other platforms for T1048.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Exfiltrate File Using OpenSSL AES Encryption over HTTP

    Expected signal: Sysmon Event ID 1: Process Create for openssl with CommandLine containing 'enc -aes-256-cbc -nosalt -k' and the key material. Sysmon Event ID 1: Process Create for curl with destination URL. Sysmon Event ID 3: Network connection from curl to destination IP:8080. Sysmon Event ID 11: File Create for /tmp/exfil_payload.enc. Auditd records showing execve syscalls for openssl and curl with full argument lists.

  2. Test 2Symmetric Encrypted Exfiltration via Python Script with RC4

    Expected signal: Sysmon Event ID 1: Process Create for python3 with CommandLine containing 'rc4', 'socket', 'encrypt', and 'connect'. Sysmon Event ID 3: Network connection from python3 to 192.168.1.200:9001 (non-standard port, high-confidence exfiltration indicator). Auditd execve syscall with full Python -c command argument.

  3. Test 3OpenSSL Encrypted Data Transfer via Named Pipe to Netcat

    Expected signal: Sysmon Event ID 1: Process Create for openssl with '-aes-256-cbc -k <key> -nosalt' in CommandLine. Sysmon Event ID 1: Process Create for nc targeting 192.168.1.200:4444 (classic reverse shell port). Sysmon Event ID 3: Network connection from nc to external IP on port 4444. Possible Sysmon Event ID 1 for tar as parent/sibling process. Linux auditd: execve records for all three commands (tar, openssl, nc).

  4. Test 4Exfiltration via OpenSSL s_client Over HTTPS Port with Symmetric Key

    Expected signal: Sysmon Event ID 1: First openssl process with 'enc -aes-256-cbc -k TeamPreSharedKey99 -nosalt' in CommandLine. Sysmon Event ID 1: Second openssl process with 's_client -connect 192.168.1.200:443' in CommandLine. Sysmon Event ID 3: Network connection from openssl s_client to port 443. Sysmon Event ID 11: File Create for /tmp/inner_encrypted.bin. The double-process pattern (enc then s_client) is highly distinctive.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1048.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1048Exfiltration Over Alternative Protocol

Related Sub-techniques

T1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 Protocol

Related Techniques

T1048Exfiltration Over Alternative ProtocolT1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1041Exfiltration Over C2 ChannelT1560Archive Collected DataT1560.001Archive via UtilityT1132Data EncodingT1573Encrypted ChannelT1573.001Symmetric CryptographyT1005Data from Local SystemT1074Data StagedT1071Application Layer ProtocolT1001.003Protocol or Service Impersonation

Same Tactic: Exfiltration

Popular Detections