Detect Exfiltration Over Symmetric Encrypted Non-C2 Protocol in Microsoft Sentinel
Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. Symmetric encryption algorithms (RC4, AES, ChaCha20, Blowfish) use shared keys on both ends of the channel. Attackers may implement custom encryption over protocols not natively encrypted (HTTP, FTP, DNS) or add extra encryption layers over already-encrypted protocols (HTTPS, SFTP) to obscure data contents from network inspection tools. This technique is distinguished from asymmetric exfiltration by the pre-shared key requirement, often resulting in artifacts such as key material embedded in scripts, configuration files, or command-line arguments.
MITRE ATT&CK
- Tactic
- Exfiltration
- Sub-technique
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
- Canonical reference
- https://attack.mitre.org/techniques/T1048/001/
KQL Detection Query
let SuspiciousExfilTools = dynamic(["openssl", "ccrypt", "mcrypt", "gpg", "7z", "aescrypt", "cryptcat"]);
let SuspiciousExfilArgs = dynamic(["enc -aes", "enc -rc4", "enc -des", "-k ", "-pass pass:", "-aes-256", "-aes-128", "aes256", "rc4", "chacha20", "-nosalt", "-base64"]);
let NetworkExfilPorts = dynamic([21, 22, 25, 80, 443, 8080, 8443, 4444, 1337, 9001, 6666, 53]);
// Detection 1: Processes using encryption tools with network-related arguments
let EncryptionToolUsage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (SuspiciousExfilTools)
or (FileName =~ "python.exe" and ProcessCommandLine has_any ("AES", "RC4", "Cipher", "encrypt", "socket", "send"))
or (FileName =~ "python3" and ProcessCommandLine has_any ("AES", "RC4", "Cipher", "encrypt", "socket", "send"))
| where ProcessCommandLine has_any (SuspiciousExfilArgs)
| extend EncryptionAlgo = case(
ProcessCommandLine has "aes", "AES",
ProcessCommandLine has "rc4", "RC4",
ProcessCommandLine has "des", "DES",
ProcessCommandLine has "chacha", "ChaCha20",
ProcessCommandLine has "blowfish", "Blowfish",
"Unknown"
)
| extend HasNetworkIndicator = ProcessCommandLine has_any ("-connect", "-l ", "nc ", "netcat", "curl", "wget", "ftp", "http", "tcp", "udp", "socket")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, EncryptionAlgo, HasNetworkIndicator;
// Detection 2: Large outbound network connections from encryption-capable processes
let EncryptedNetworkExfil = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (SuspiciousExfilTools)
or InitiatingProcessFileName in~ ("openssl", "ccrypt", "cryptcat")
| where RemoteIPType == "Public"
| where SentBytes > 1000000
| extend ExfilSizeMB = round(toreal(SentBytes) / 1048576, 2)
| project Timestamp, DeviceName, AccountName, RemoteIP, RemotePort, RemoteUrl, SentBytes, ExfilSizeMB, InitiatingProcessFileName, InitiatingProcessCommandLine;
// Detection 3: OpenSSL or cryptcat creating network connections
let OpenSSLNetworkActivity = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "openssl" or InitiatingProcessCommandLine has "openssl"
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, AccountName, RemoteIP, RemotePort, SentBytes, ReceivedBytes, InitiatingProcessFileName, InitiatingProcessCommandLine;
union EncryptionToolUsage, EncryptedNetworkExfil, OpenSSLNetworkActivity
| sort by Timestamp descDetects exfiltration over symmetric encrypted non-C2 protocols by monitoring for encryption tool execution (OpenSSL, ccrypt, cryptcat, mcrypt) with network-related arguments, large outbound data transfers from encryption-capable processes, and network connections initiated by known encryption utilities. Covers AES, RC4, DES, ChaCha20, and Blowfish algorithm indicators. Uses union to combine process-based and network-based detections.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate use of OpenSSL for TLS certificate management, key generation, or PKI operations by system administrators
- Backup software using AES encryption to transfer data to cloud storage (e.g., Veeam, Acronis, rsync with encryption flags)
- Secure file transfer tools such as SFTP, SCP, or WinSCP that use symmetric encryption internally during session
- Security scanning and penetration testing tools (Metasploit, nmap scripts) run by authorized red team or security operations personnel
- Software build pipelines encrypting artifacts for distribution using OpenSSL or GPG with symmetric keys
Other platforms for T1048.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Exfiltrate File Using OpenSSL AES Encryption over HTTP
Expected signal: Sysmon Event ID 1: Process Create for openssl with CommandLine containing 'enc -aes-256-cbc -nosalt -k' and the key material. Sysmon Event ID 1: Process Create for curl with destination URL. Sysmon Event ID 3: Network connection from curl to destination IP:8080. Sysmon Event ID 11: File Create for /tmp/exfil_payload.enc. Auditd records showing execve syscalls for openssl and curl with full argument lists.
- Test 2Symmetric Encrypted Exfiltration via Python Script with RC4
Expected signal: Sysmon Event ID 1: Process Create for python3 with CommandLine containing 'rc4', 'socket', 'encrypt', and 'connect'. Sysmon Event ID 3: Network connection from python3 to 192.168.1.200:9001 (non-standard port, high-confidence exfiltration indicator). Auditd execve syscall with full Python -c command argument.
- Test 3OpenSSL Encrypted Data Transfer via Named Pipe to Netcat
Expected signal: Sysmon Event ID 1: Process Create for openssl with '-aes-256-cbc -k <key> -nosalt' in CommandLine. Sysmon Event ID 1: Process Create for nc targeting 192.168.1.200:4444 (classic reverse shell port). Sysmon Event ID 3: Network connection from nc to external IP on port 4444. Possible Sysmon Event ID 1 for tar as parent/sibling process. Linux auditd: execve records for all three commands (tar, openssl, nc).
- Test 4Exfiltration via OpenSSL s_client Over HTTPS Port with Symmetric Key
Expected signal: Sysmon Event ID 1: First openssl process with 'enc -aes-256-cbc -k TeamPreSharedKey99 -nosalt' in CommandLine. Sysmon Event ID 1: Second openssl process with 's_client -connect 192.168.1.200:443' in CommandLine. Sysmon Event ID 3: Network connection from openssl s_client to port 443. Sysmon Event ID 11: File Create for /tmp/inner_encrypted.bin. The double-process pattern (enc then s_client) is highly distinctive.
References (10)
- https://attack.mitre.org/techniques/T1048/001/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://www.openssl.org/docs/man3.0/man1/openssl-enc.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.001/T1048.001.md
- https://www.sans.org/white-papers/33649/
- https://www.mandiant.com/resources/blog/targeted-attack-exfiltration
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek
- https://attack.mitre.org/techniques/T1573/001/
Unlock Pro Content
Get the full detection package for T1048.001 including response playbook, investigation guide, and atomic red team tests.