Detect Exfiltration Over Symmetric Encrypted Non-C2 Protocol in Sumo Logic CSE
Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. Symmetric encryption algorithms (RC4, AES, ChaCha20, Blowfish) use shared keys on both ends of the channel. Attackers may implement custom encryption over protocols not natively encrypted (HTTP, FTP, DNS) or add extra encryption layers over already-encrypted protocols (HTTPS, SFTP) to obscure data contents from network inspection tools. This technique is distinguished from asymmetric exfiltration by the pre-shared key requirement, often resulting in artifacts such as key material embedded in scripts, configuration files, or command-line arguments.
MITRE ATT&CK
- Tactic: Exfiltration
- Sub-technique: T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
- Canonical reference: https://attack.mitre.org/techniques/T1048/001/
Sumo Detection Query
(_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon* OR _sourceCategory=linux/auditd)
| where EventCode = 1 OR EventID = 1
| parse regex "(?i)Image:\s*(?<process_image>[^\r\n]+)" nodrop
| parse regex "(?i)CommandLine:\s*(?<command_line>[^\r\n]+)" nodrop
| parse regex "(?i)ParentImage:\s*(?<parent_image>[^\r\n]+)" nodrop
| parse regex "(?i)User:\s*(?<user>[^\r\n]+)" nodrop
| parse regex "(?i)Computer:\s*(?<computer>[^\r\n]+)" nodrop
| where !isEmpty(process_image) AND !isEmpty(command_line)
// Sumo Logic has no eval operator: derived fields are written as "<expression> as <field>"
| toLowerCase(process_image) as proc_lower
| toLowerCase(command_line) as cmd_lower
// Gate 1: a symmetric encryption tool binary, or python with crypto/socket terms in its arguments
// (alternation needs a /regex/ literal; quoted strings in matches are glob patterns)
| where (
    proc_lower matches /openssl|ccrypt|mcrypt|cryptcat|aescrypt|gpg/
    OR (proc_lower matches "*python*" AND
        (cmd_lower matches "*aes*" OR cmd_lower matches "*rc4*" OR
         cmd_lower matches "*cipher*" OR cmd_lower matches "*encrypt*" OR
         cmd_lower matches "*socket*"))
  )
// Gate 2: symmetric cipher or key-material arguments
| where (
    cmd_lower matches "*enc -aes*" OR cmd_lower matches "*enc -rc4*"
    OR cmd_lower matches "*-aes-256*" OR cmd_lower matches "*-aes-128*"
    OR cmd_lower matches "*aes256*" OR cmd_lower matches "*aes128*"
    OR cmd_lower matches "*-rc4*" OR cmd_lower matches "*arcfour*"
    OR cmd_lower matches "*chacha20*" OR cmd_lower matches "*-nosalt*"
    OR cmd_lower matches "*-pass pass:*" OR cmd_lower matches "*-passout*"
    OR cmd_lower matches "*-passin*"
  )
// Gate 3: a network target indicator in the same command line
| where (
    cmd_lower matches "*-connect*" OR cmd_lower matches "*netcat*"
    OR cmd_lower matches "*curl*" OR cmd_lower matches "*wget*"
    OR cmd_lower matches "*http*" OR cmd_lower matches "*ftp*"
    OR cmd_lower matches "*socket*" OR cmd_lower matches "*tcp*"
  )
// Triage fields: first matching algorithm wins ("*des*" is a bare substring test)
| if(cmd_lower matches "*aes*", "AES",
    if(cmd_lower matches "*rc4*" OR cmd_lower matches "*arcfour*", "RC4",
    if(cmd_lower matches "*chacha*", "ChaCha20",
    if(cmd_lower matches "*des*", "DES", "Unknown")))) as encryption_algo
| if(cmd_lower matches "*-k *" OR cmd_lower matches "*-pass pass:*"
    OR cmd_lower matches "*-passout*" OR cmd_lower matches "*passphrase*",
    "true", "false") as has_key_material
| if(cmd_lower matches "*-nosalt*", "true", "false") as has_nosalt
// Suspicion score, one point per indicator (0-5)
| (if(proc_lower matches /openssl|ccrypt|cryptcat|aescrypt/, 1, 0))
  + (if(encryption_algo != "Unknown", 1, 0))
  + (if(has_key_material = "true", 1, 0))
  + (if(cmd_lower matches "*-connect*" OR cmd_lower matches "*socket*"
        OR cmd_lower matches "*netcat*", 1, 0))
  + (if(has_nosalt = "true", 1, 0)) as suspicion_score
| where suspicion_score >= 2
| count by computer, process_image, command_line, parent_image, user, encryption_algo, has_key_material, has_nosalt, suspicion_score
| order by suspicion_score desc, _count desc

Sumo Logic query that parses Sysmon Event ID 1 (Process Create) from Windows or Linux endpoint sources to detect symmetric encryption tool invocations whose arguments carry both cipher parameters and network connectivity indicators. It implements a suspicion score (0–5) mirroring the SPL approach and requires a score ≥ 2 before surfacing results. Score weights: encryption tool binary (+1), cipher algorithm in args (+1), key material in args (+1), network target indicators (+1), -nosalt flag (+1). The query also classifies the encryption algorithm and flags key material presence for triage.
Data Sources
Required Tables
False Positives & Tuning
- IT staff using openssl for bulk certificate operations (renewal scripts, ACME clients) that include -pass arguments and connect to Let's Encrypt or internal CAs
- Python data engineering jobs using PyCryptodome or cryptography libraries for AES-encrypted REST API communication with SaaS platforms
- Automated backup agents encrypting files with ccrypt or gpg before uploading to S3-compatible endpoints using curl
- Security team tooling invoking openssl s_client for TLS fingerprinting or cipher suite enumeration during assessments
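To check the rule's three gates and score weights against concrete process events before deploying it, here is a Python re-implementation added for this page; it is not part of the Sumo query or any vendor code. The (Image, CommandLine) pairs are constructed samples: the last two model the openssl s_client cases from the false-positive list above, and the `-connect`/`-pass` internal-CA case shows why that tuning entry exists.

```python
import re

# Added re-implementation of the Sumo query's three gates and five score weights so the
# rule logic can be exercised offline; every command line below is a constructed sample.
TOOL_RE = re.compile(r"openssl|ccrypt|mcrypt|cryptcat|aescrypt|gpg")
SCORED_TOOL_RE = re.compile(r"openssl|ccrypt|cryptcat|aescrypt")
PY_HINTS = ("aes", "rc4", "cipher", "encrypt", "socket")
CIPHER_ARGS = ("enc -aes", "enc -rc4", "-aes-256", "-aes-128", "aes256", "aes128", "-rc4",
               "arcfour", "chacha20", "-nosalt", "-pass pass:", "-passout", "-passin")
NET_HINTS = ("-connect", "netcat", "curl", "wget", "http", "ftp", "socket", "tcp")
KEY_HINTS = ("-k ", "-pass pass:", "-passout", "passphrase")

def classify_algo(cmd):
    """Mirror the query's nested if(): first match wins, 'des' is a bare substring test."""
    if "aes" in cmd:
        return "AES"
    if "rc4" in cmd or "arcfour" in cmd:
        return "RC4"
    if "chacha" in cmd:
        return "ChaCha20"
    if "des" in cmd:  # also hits 'describe' or 'destination'; a tuning candidate
        return "DES"
    return "Unknown"

def score_event(image, command_line):
    """Return (suspicion_score, algo) for one Sysmon Event ID 1, or None if filtered out."""
    proc, cmd = image.lower(), command_line.lower()
    tool = TOOL_RE.search(proc) is not None
    crypto_python = "python" in proc and any(h in cmd for h in PY_HINTS)
    if not (tool or crypto_python):             # gate 1: encryption tool or crypto python
        return None
    if not any(a in cmd for a in CIPHER_ARGS):  # gate 2: cipher/key args in this command
        return None
    if not any(n in cmd for n in NET_HINTS):    # gate 3: network hint in the same command
        return None
    algo = classify_algo(cmd)
    score = (int(SCORED_TOOL_RE.search(proc) is not None)
             + int(algo != "Unknown")
             + int(any(k in cmd for k in KEY_HINTS))
             + int(any(n in cmd for n in ("-connect", "socket", "netcat")))
             + int("-nosalt" in cmd))
    return (score, algo) if score >= 2 else None

SAMPLE_EVENTS = {  # (Image, CommandLine) pairs constructed for this example
    "enc_to_disk": ("/usr/bin/openssl", "openssl enc -aes-256-cbc -nosalt -k S3cr3tK3y -in /tmp/exfil_payload -out /tmp/exfil_payload.enc"),
    "python_chacha": ("/usr/bin/python3", 'python3 -c "import socket; from Crypto.Cipher import ChaCha20; send(ChaCha20.new(key=key).encrypt(data))"'),
    "acme_client": ("/usr/bin/openssl", "openssl s_client -connect acme-v02.api.letsencrypt.org:443"),
    "internal_ca": ("/usr/bin/openssl", "openssl s_client -connect ca.internal.example:443 -cert agent.pem -key agent.key -pass pass:changeit"),
}
```

Because all three gates are evaluated against a single CommandLine, the `enc_to_disk` sample (cipher and key on the command line, output written to a file) never reaches scoring, while the s_client invocation with `-pass pass:` scores 3 despite naming no cipher. Tuning for the internal-CA and ACME cases therefore belongs on the `-connect` plus `-pass` combination rather than on the cipher names.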
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Exfiltrate File Using OpenSSL AES Encryption over HTTP
Expected signal: Sysmon Event ID 1: Process Create for openssl with CommandLine containing 'enc -aes-256-cbc -nosalt -k' and the key material. Sysmon Event ID 1: Process Create for curl with destination URL. Sysmon Event ID 3: Network connection from curl to destination IP:8080. Sysmon Event ID 11: File Create for /tmp/exfil_payload.enc. Auditd records showing execve syscalls for openssl and curl with full argument lists.
- Test 2: Symmetric Encrypted Exfiltration via Python Script with RC4
Expected signal: Sysmon Event ID 1: Process Create for python3 with CommandLine containing 'rc4', 'socket', 'encrypt', and 'connect'. Sysmon Event ID 3: Network connection from python3 to 192.168.1.200:9001 (non-standard port, high-confidence exfiltration indicator). Auditd execve syscall with full Python -c command argument.
- Test 3: OpenSSL Encrypted Data Transfer via Named Pipe to Netcat
Expected signal: Sysmon Event ID 1: Process Create for openssl with '-aes-256-cbc -k <key> -nosalt' in CommandLine. Sysmon Event ID 1: Process Create for nc targeting 192.168.1.200:4444 (classic reverse shell port). Sysmon Event ID 3: Network connection from nc to external IP on port 4444. Possible Sysmon Event ID 1 for tar as parent/sibling process. Linux auditd: execve records for all three commands (tar, openssl, nc).
- Test 4: Exfiltration via OpenSSL s_client Over HTTPS Port with Symmetric Key
Expected signal: Sysmon Event ID 1: First openssl process with 'enc -aes-256-cbc -k TeamPreSharedKey99 -nosalt' in CommandLine. Sysmon Event ID 1: Second openssl process with 's_client -connect 192.168.1.200:443' in CommandLine. Sysmon Event ID 3: Network connection from openssl s_client to port 443. Sysmon Event ID 11: File Create for /tmp/inner_encrypted.bin. The double-process pattern (enc then s_client) is highly distinctive.
References
- https://attack.mitre.org/techniques/T1048/001/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://www.openssl.org/docs/man3.0/man1/openssl-enc.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.001/T1048.001.md
- https://www.sans.org/white-papers/33649/
- https://www.mandiant.com/resources/blog/targeted-attack-exfiltration
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek
- https://attack.mitre.org/techniques/T1573/001/