T1048.001 Elastic Security · Elastic

Detect Exfiltration Over Symmetric Encrypted Non-C2 Protocol in Elastic Security

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. Symmetric encryption algorithms (RC4, AES, ChaCha20, Blowfish) use shared keys on both ends of the channel. Attackers may implement custom encryption over protocols not natively encrypted (HTTP, FTP, DNS) or add extra encryption layers over already-encrypted protocols (HTTPS, SFTP) to obscure data contents from network inspection tools. This technique is distinguished from asymmetric exfiltration by the pre-shared key requirement, often resulting in artifacts such as key material embedded in scripts, configuration files, or command-line arguments.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1048 Exfiltration Over Alternative Protocol
Sub-technique
T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Canonical reference
https://attack.mitre.org/techniques/T1048/001/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   (
     process.name : ("openssl", "ccrypt", "mcrypt", "cryptcat", "aescrypt", "gpg", "7z") or
     (process.name : ("python", "python3", "python.exe") and
      process.command_line : ("*AES*", "*RC4*", "*Cipher*", "*encrypt*", "*socket*", "*send*"))
   ) and
   process.command_line : (
     "*enc -aes*", "*enc -rc4*", "*enc -des*", "*-k *", "*-pass pass:*",
     "*-aes-256*", "*-aes-128*", "*aes256*", "*aes128*", "*rc4*", "*arcfour*",
     "*chacha20*", "*-nosalt*", "*-base64*", "*-connect*", "*netcat*",
     "*socket*", "*curl*", "*wget*", "*ftp*"
   )]
  [network where event.type in ("start", "connection") and
   network.direction : ("outbound", "egress") and
   not destination.ip : (
     "10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
     "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*",
     "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*",
     "172.30.*", "172.31.*", "192.168.*", "127.*", "::1"
   )]

/* Standalone: Large outbound transfer from encryption tool process */
// network where event.type in ("start", "connection") and
//   network.direction : ("outbound", "egress") and
//   process.name : ("openssl", "ccrypt", "mcrypt", "cryptcat", "aescrypt", "gpg") and
//   network.bytes > 1000000 and
//   not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
//     "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*",
//     "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*",
//     "172.30.*", "172.31.*", "192.168.*", "127.*")
high severity medium confidence

Detects symmetric encryption tools (openssl, ccrypt, cryptcat, gpg, aescrypt) executing with cipher-specific arguments (AES, RC4, ChaCha20, -nosalt, -pass pass:, embedded key material) followed within 5 minutes by outbound network connections to public IP space. Uses EQL sequence correlation on host.id to join process launch and network telemetry. A secondary standalone query flags large outbound transfers (>1 MB) directly from encryption tool processes. Targets T1048.001 by focusing on the combination of symmetric cipher arguments and network exfiltration indicators.

Data Sources

Elastic Endpoint Security agent (endpoint.events.process, endpoint.events.network)Winlogbeat with Sysmon module (process create / network connect)Auditbeat (auditd module on Linux)

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.network-*winlogbeat-*auditbeat-*

False Positives & Tuning

  • Administrators using openssl s_client or s_server for TLS certificate testing and OCSP validation against public CA endpoints
  • Python-based DevOps automation or data pipelines using pycryptodome or cryptography libraries for legitimate API calls to external services
  • Backup solutions invoking ccrypt or gpg to encrypt files before transferring to cloud storage buckets over HTTPS
  • CI/CD pipelines performing GPG-signed artifact verification with outbound keyserver lookups (keys.openpgp.org, keyserver.ubuntu.com)
Download portable Sigma rule (.yml)

Other platforms for T1048.001

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Exfiltrate File Using OpenSSL AES Encryption over HTTP

    Expected signal: Sysmon Event ID 1: Process Create for openssl with CommandLine containing 'enc -aes-256-cbc -nosalt -k' and the key material. Sysmon Event ID 1: Process Create for curl with destination URL. Sysmon Event ID 3: Network connection from curl to destination IP:8080. Sysmon Event ID 11: File Create for /tmp/exfil_payload.enc. Auditd records showing execve syscalls for openssl and curl with full argument lists.

  2. Test 2Symmetric Encrypted Exfiltration via Python Script with RC4

    Expected signal: Sysmon Event ID 1: Process Create for python3 with CommandLine containing 'rc4', 'socket', 'encrypt', and 'connect'. Sysmon Event ID 3: Network connection from python3 to 192.168.1.200:9001 (non-standard port, high-confidence exfiltration indicator). Auditd execve syscall with full Python -c command argument.

  3. Test 3OpenSSL Encrypted Data Transfer via Named Pipe to Netcat

    Expected signal: Sysmon Event ID 1: Process Create for openssl with '-aes-256-cbc -k <key> -nosalt' in CommandLine. Sysmon Event ID 1: Process Create for nc targeting 192.168.1.200:4444 (classic reverse shell port). Sysmon Event ID 3: Network connection from nc to external IP on port 4444. Possible Sysmon Event ID 1 for tar as parent/sibling process. Linux auditd: execve records for all three commands (tar, openssl, nc).

  4. Test 4Exfiltration via OpenSSL s_client Over HTTPS Port with Symmetric Key

    Expected signal: Sysmon Event ID 1: First openssl process with 'enc -aes-256-cbc -k TeamPreSharedKey99 -nosalt' in CommandLine. Sysmon Event ID 1: Second openssl process with 's_client -connect 192.168.1.200:443' in CommandLine. Sysmon Event ID 3: Network connection from openssl s_client to port 443. Sysmon Event ID 11: File Create for /tmp/inner_encrypted.bin. The double-process pattern (enc then s_client) is highly distinctive.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1048.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1048Exfiltration Over Alternative Protocol

Related Sub-techniques

T1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 Protocol

Related Techniques

T1048Exfiltration Over Alternative ProtocolT1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1041Exfiltration Over C2 ChannelT1560Archive Collected DataT1560.001Archive via UtilityT1132Data EncodingT1573Encrypted ChannelT1573.001Symmetric CryptographyT1005Data from Local SystemT1074Data StagedT1071Application Layer ProtocolT1001.003Protocol or Service Impersonation

Same Tactic: Exfiltration

Popular Detections