T1048.001 CrowdStrike LogScale · LogScale

Detect Exfiltration Over Symmetric Encrypted Non-C2 Protocol in CrowdStrike LogScale

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. Symmetric encryption algorithms (RC4, AES, ChaCha20, Blowfish) use shared keys on both ends of the channel. Attackers may implement custom encryption over protocols not natively encrypted (HTTP, FTP, DNS) or add extra encryption layers over already-encrypted protocols (HTTPS, SFTP) to obscure data contents from network inspection tools. This technique is distinguished from asymmetric exfiltration by the pre-shared key requirement, often resulting in artifacts such as key material embedded in scripts, configuration files, or command-line arguments.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1048 Exfiltration Over Alternative Protocol
Sub-technique
T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Canonical reference
https://attack.mitre.org/techniques/T1048/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// Detection 1: ProcessRollup2 — encryption tool with cipher args and network target indicators
#event_simpleName=ProcessRollup2
| FileName = /(?i)(openssl|ccrypt|mcrypt|cryptcat|aescrypt|gpg)/
  OR (FileName = /(?i)python/ AND CommandLine = /(?i)(AES|RC4|Cipher|encrypt|socket|send|pycrypto|cryptography)/)
| CommandLine = /(?i)(enc[\s]+-aes|enc[\s]+-rc4|-aes-256|-aes-128|aes256|aes128|-rc4|arcfour|chacha20|-nosalt|-pass[\s]+pass:|-passout|-passin|-k[\s]+\S+)/
| CommandLine = /(?i)(-connect|netcat|nc[\s]|curl|wget|ftp:\/\/|http:\/\/|https:\/\/|tcp|socket|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/
| EncryptionAlgo := if(CommandLine = /(?i)aes/, "AES",
    if(CommandLine = /(?i)(rc4|arcfour)/, "RC4",
      if(CommandLine = /(?i)chacha/, "ChaCha20",
        if(CommandLine = /(?i)\bdes\b/, "DES", "Unknown"))))
| HasKeyMaterial := if(CommandLine = /(?i)(-k[\s]|-pass[\s]+pass:|-passout|-passin|passphrase|shared.?key)/, "true", "false")
| HasNoSalt := if(CommandLine = /-nosalt/, "true", "false")
| HasNetworkTarget := if(CommandLine = /(?i)(-connect|netcat|nc[\s]|curl|wget|http|socket|tcp)/, "true", "false")
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, EncryptionAlgo, HasKeyMaterial, HasNoSalt, HasNetworkTarget],
    function=[
      count(as=EventCount),
      min(field=ContextTimeStamp, as=FirstSeen),
      max(field=ContextTimeStamp, as=LastSeen)
    ]
  )
| sort(field=EventCount, order=desc)

// Detection 2 (run separately): NetworkConnectIP4 — large outbound transfer from encryption process
// #event_simpleName=NetworkConnectIP4
// | RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
// | join(
//     [#event_simpleName=ProcessRollup2
//      | FileName = /(?i)(openssl|ccrypt|mcrypt|cryptcat|aescrypt|gpg)/],
//     field=[TargetProcessId, ComputerName],
//     include=[FileName, CommandLine, UserName, ParentBaseFileName]
//   )
// | where BytesSent > 1000000
// | ExfilSizeMB := round(BytesSent / 1048576, 2)
// | groupBy([ComputerName, UserName, FileName, RemoteAddressIP4, RemotePort, ExfilSizeMB, CommandLine])
// | sort(field=ExfilSizeMB, order=desc)
high severity medium confidence

CrowdStrike LogScale CQL querying ProcessRollup2 events for encryption tool executions (openssl, ccrypt, mcrypt, cryptcat, gpg, aescrypt, Python with crypto imports) bearing symmetric cipher arguments and network connectivity indicators. Uses inline conditional field derivation to classify encryption algorithm (AES/RC4/ChaCha20/DES), key material presence, -nosalt flag, and network target. A second commented query joins NetworkConnectIP4 events to identify large outbound transfers (>1 MB) directly attributable to encryption tool processes on public IPs. Both detections align with the KQL/SPL behavioral scope for T1048.001.

Data Sources

CrowdStrike Falcon Endpoint Detection and Response (EDR)Falcon Insight XDR (ProcessRollup2, NetworkConnectIP4 telemetry)

Required Tables

ProcessRollup2NetworkConnectIP4

False Positives & Tuning

  • Security engineers using openssl for TLS debugging, certificate pinning validation, or cipher suite enumeration on authorized endpoints
  • Python-based DevOps tooling using AES-CBC encrypted payloads for secrets management integrations (HashiCorp Vault, AWS KMS) with external endpoints
  • Automated backup scripts invoking ccrypt or gpg to encrypt files before transferring to remote SFTP or cloud storage destinations
  • Software package managers or update mechanisms that GPG-verify signed packages downloaded from vendor mirrors over HTTPS
Download portable Sigma rule (.yml)

Other platforms for T1048.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Exfiltrate File Using OpenSSL AES Encryption over HTTP

    Expected signal: Sysmon Event ID 1: Process Create for openssl with CommandLine containing 'enc -aes-256-cbc -nosalt -k' and the key material. Sysmon Event ID 1: Process Create for curl with destination URL. Sysmon Event ID 3: Network connection from curl to destination IP:8080. Sysmon Event ID 11: File Create for /tmp/exfil_payload.enc. Auditd records showing execve syscalls for openssl and curl with full argument lists.

  2. Test 2Symmetric Encrypted Exfiltration via Python Script with RC4

    Expected signal: Sysmon Event ID 1: Process Create for python3 with CommandLine containing 'rc4', 'socket', 'encrypt', and 'connect'. Sysmon Event ID 3: Network connection from python3 to 192.168.1.200:9001 (non-standard port, high-confidence exfiltration indicator). Auditd execve syscall with full Python -c command argument.

  3. Test 3OpenSSL Encrypted Data Transfer via Named Pipe to Netcat

    Expected signal: Sysmon Event ID 1: Process Create for openssl with '-aes-256-cbc -k <key> -nosalt' in CommandLine. Sysmon Event ID 1: Process Create for nc targeting 192.168.1.200:4444 (classic reverse shell port). Sysmon Event ID 3: Network connection from nc to external IP on port 4444. Possible Sysmon Event ID 1 for tar as parent/sibling process. Linux auditd: execve records for all three commands (tar, openssl, nc).

  4. Test 4Exfiltration via OpenSSL s_client Over HTTPS Port with Symmetric Key

    Expected signal: Sysmon Event ID 1: First openssl process with 'enc -aes-256-cbc -k TeamPreSharedKey99 -nosalt' in CommandLine. Sysmon Event ID 1: Second openssl process with 's_client -connect 192.168.1.200:443' in CommandLine. Sysmon Event ID 3: Network connection from openssl s_client to port 443. Sysmon Event ID 11: File Create for /tmp/inner_encrypted.bin. The double-process pattern (enc then s_client) is highly distinctive.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1048.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1048Exfiltration Over Alternative Protocol

Related Sub-techniques

T1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 Protocol

Related Techniques

T1048Exfiltration Over Alternative ProtocolT1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1041Exfiltration Over C2 ChannelT1560Archive Collected DataT1560.001Archive via UtilityT1132Data EncodingT1573Encrypted ChannelT1573.001Symmetric CryptographyT1005Data from Local SystemT1074Data StagedT1071Application Layer ProtocolT1001.003Protocol or Service Impersonation

Same Tactic: Exfiltration

Popular Detections