T1048.001 Splunk · SPL

Detect Exfiltration Over Symmetric Encrypted Non-C2 Protocol in Splunk

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. Symmetric encryption algorithms (RC4, AES, ChaCha20, Blowfish) use shared keys on both ends of the channel. Attackers may implement custom encryption over protocols not natively encrypted (HTTP, FTP, DNS) or add extra encryption layers over already-encrypted protocols (HTTPS, SFTP) to obscure data contents from network inspection tools. This technique is distinguished from asymmetric exfiltration by the pre-shared key requirement, often resulting in artifacts such as key material embedded in scripts, configuration files, or command-line arguments.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1048 Exfiltration Over Alternative Protocol
Sub-technique
T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Canonical reference
https://attack.mitre.org/techniques/T1048/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval Image_lower=lower(Image)
| eval IsEncryptionTool=if(
    match(Image_lower, "(openssl|ccrypt|mcrypt|cryptcat|aescrypt|gpg)") OR
    (match(Image_lower, "python") AND match(CommandLine, "(aes|rc4|des|chacha|blowfish|pycrypto|cryptography|cipher|encrypt)")),
    1, 0
  )
| eval HasAESIndicator=if(match(CommandLine, "(enc\s+-aes|aes-256|aes-128|aes256|aes128|-aes)"), 1, 0)
| eval HasRC4Indicator=if(match(CommandLine, "(rc4|\-rc4|arcfour)"), 1, 0)
| eval HasKeyMaterial=if(match(CommandLine, "(-k\s+\S+|-pass\s+pass:|-passout|-passin|-password|--passphrase|secret|shared.?key)"), 1, 0)
| eval HasNetworkTarget=if(match(CommandLine, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|https?://|ftp://|-connect|s_client|s_server|netcat|nc\s)"), 1, 0)
| eval HasNoSalt=if(match(CommandLine, "-nosalt"), 1, 0)
| eval SuspicionScore=IsEncryptionTool + HasAESIndicator + HasRC4Indicator + HasKeyMaterial + HasNetworkTarget + HasNoSalt
| where SuspicionScore >= 2
| eval EncryptionAlgo=case(
    HasAESIndicator=1, "AES",
    HasRC4Indicator=1, "RC4",
    match(CommandLine, "des"), "DES",
    match(CommandLine, "chacha"), "ChaCha20",
    1=1, "Unknown"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsEncryptionTool, HasAESIndicator, HasRC4Indicator, HasKeyMaterial, HasNetworkTarget, HasNoSalt, SuspicionScore, EncryptionAlgo
| sort - _time
| appendcols [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
      (Image="*openssl*" OR Image="*cryptcat*" OR Image="*ccrypt*")
      NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
    | table _time, host, User, Image, DestinationIp, DestinationPort, CommandLine
  ]
high severity medium confidence

Detects exfiltration over symmetric encrypted non-C2 protocols using Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection). Assigns a suspicion score based on detection of encryption tools, algorithm indicators (AES, RC4), key material in command lines, network targets, and nosalt flags. Score threshold of 2 or higher triggers alerting. Also appends network connection events for known encryption tools communicating to public IPs.

Data Sources

Process: Process CreationNetwork Traffic: Network Connection CreationSysmon Event ID 1Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate OpenSSL usage for certificate operations, key generation, and TLS debugging by network or system administrators
  • Backup and archival software using GPG or AES encryption for data-at-rest protection before upload to cloud storage
  • Security tools performing vulnerability assessments or penetration tests with authorized scope
  • DevOps pipelines encrypting build artifacts or secrets using OpenSSL with symmetric keys
  • Network monitoring tools using encryption to protect captured traffic during analysis
Download portable Sigma rule (.yml)

Other platforms for T1048.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Exfiltrate File Using OpenSSL AES Encryption over HTTP

    Expected signal: Sysmon Event ID 1: Process Create for openssl with CommandLine containing 'enc -aes-256-cbc -nosalt -k' and the key material. Sysmon Event ID 1: Process Create for curl with destination URL. Sysmon Event ID 3: Network connection from curl to destination IP:8080. Sysmon Event ID 11: File Create for /tmp/exfil_payload.enc. Auditd records showing execve syscalls for openssl and curl with full argument lists.

  2. Test 2Symmetric Encrypted Exfiltration via Python Script with RC4

    Expected signal: Sysmon Event ID 1: Process Create for python3 with CommandLine containing 'rc4', 'socket', 'encrypt', and 'connect'. Sysmon Event ID 3: Network connection from python3 to 192.168.1.200:9001 (non-standard port, high-confidence exfiltration indicator). Auditd execve syscall with full Python -c command argument.

  3. Test 3OpenSSL Encrypted Data Transfer via Named Pipe to Netcat

    Expected signal: Sysmon Event ID 1: Process Create for openssl with '-aes-256-cbc -k <key> -nosalt' in CommandLine. Sysmon Event ID 1: Process Create for nc targeting 192.168.1.200:4444 (classic reverse shell port). Sysmon Event ID 3: Network connection from nc to external IP on port 4444. Possible Sysmon Event ID 1 for tar as parent/sibling process. Linux auditd: execve records for all three commands (tar, openssl, nc).

  4. Test 4Exfiltration via OpenSSL s_client Over HTTPS Port with Symmetric Key

    Expected signal: Sysmon Event ID 1: First openssl process with 'enc -aes-256-cbc -k TeamPreSharedKey99 -nosalt' in CommandLine. Sysmon Event ID 1: Second openssl process with 's_client -connect 192.168.1.200:443' in CommandLine. Sysmon Event ID 3: Network connection from openssl s_client to port 443. Sysmon Event ID 11: File Create for /tmp/inner_encrypted.bin. The double-process pattern (enc then s_client) is highly distinctive.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1048.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1048Exfiltration Over Alternative Protocol

Related Sub-techniques

T1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 Protocol

Related Techniques

T1048Exfiltration Over Alternative ProtocolT1048.002Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1041Exfiltration Over C2 ChannelT1560Archive Collected DataT1560.001Archive via UtilityT1132Data EncodingT1573Encrypted ChannelT1573.001Symmetric CryptographyT1005Data from Local SystemT1074Data StagedT1071Application Layer ProtocolT1001.003Protocol or Service Impersonation

Same Tactic: Exfiltration

Popular Detections