T1573 Encrypted Channel Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousParentProcesses = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe", "explorer.exe"]);
let LegitimateEncryptedApps = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "outlook.exe", "teams.exe", "onedrive.exe", "slack.exe", "zoom.exe", "msiexec.exe", "wuauclt.exe", "svchost.exe"]);
let EncryptedPorts = dynamic([443, 8443, 8080, 4443, 9443, 3443, 7443]);
// Step 1: Identify network connections from suspicious or non-browser processes on encrypted ports
let SuspiciousEncryptedConnections = DeviceNetworkEvents
| where TimeGenerated >= ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (EncryptedPorts)
| where not(InitiatingProcessFileName has_any (LegitimateEncryptedApps))
| where isnotempty(RemoteIP)
// Exclude private/loopback IP ranges
| where not(RemoteIP matches regex @"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fc00:|fe80:)")
| extend IsIPOnlyConnection = (isempty(RemoteUrl) or RemoteUrl == RemoteIP or RemoteUrl matches regex @"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
| extend SuspiciousParent = (InitiatingProcessParentFileName has_any (SuspiciousParentProcesses))
| project
    TimeGenerated,
    DeviceName,
    DeviceId,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    InitiatingProcessAccountName,
    InitiatingProcessId,
    RemoteIP,
    RemotePort,
    RemoteUrl,
    IsIPOnlyConnection,
    SuspiciousParent,
    BytesSent,
    BytesReceived;
// Step 2: Detect beaconing behavior — repeated encrypted connections at regular intervals
let BeaconingDetection = DeviceNetworkEvents
| where TimeGenerated >= ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (EncryptedPorts)
| where not(InitiatingProcessFileName has_any (LegitimateEncryptedApps))
| where not(RemoteIP matches regex @"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
| summarize
    ConnectionCount = count(),
    UniqueRemoteIPs = dcount(RemoteIP),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    AvgBytesSent = avg(BytesSent),
    AvgBytesReceived = avg(BytesReceived),
    ConnectionTimes = make_list(TimeGenerated, 50)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
| where ConnectionCount >= 5
| where UniqueRemoteIPs == 1
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| extend AvgIntervalMinutes = iff(ConnectionCount > 1, toreal(DurationMinutes) / toreal(ConnectionCount - 1), 0.0)
// Flag regular beaconing: 5+ connections with consistent intervals (1-60 min)
| where AvgIntervalMinutes between (1.0 .. 60.0)
| extend BeaconScore = case(
    AvgIntervalMinutes < 5, "High - Sub-5min beaconing",
    AvgIntervalMinutes < 15, "Medium - Regular beaconing",
    "Low - Periodic connection"
);
// Combine results
SuspiciousEncryptedConnections
| join kind=leftouter (
    BeaconingDetection
    | project DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, ConnectionCount, AvgIntervalMinutes, BeaconScore
) on DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| extend RiskScore = case(
    IsIPOnlyConnection == true and SuspiciousParent == true, "Critical",
    IsIPOnlyConnection == true or (isnotempty(BeaconScore) and BeaconScore startswith "High"), "High",
    SuspiciousParent == true or isnotempty(BeaconScore), "Medium",
    "Low"
)
| where RiskScore in ("Critical", "High", "Medium")
| project
    TimeGenerated,
    DeviceName,
    RiskScore,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    InitiatingProcessAccountName,
    RemoteIP,
    RemotePort,
    RemoteUrl,
    IsIPOnlyConnection,
    BeaconScore,
    ConnectionCount,
    AvgIntervalMinutes,
    BytesSent,
    BytesReceived
| sort by RiskScore asc, TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Custom internal applications or agents that connect to known infrastructure over HTTPS but are not in the allowlist (add to LegitimateEncryptedApps)
IT monitoring and management tools (SCCM, Ansible, Puppet) that make frequent scheduled encrypted connections to management infrastructure
Security products (EDR agents, vulnerability scanners, DLP solutions) that beacon home over encrypted channels on non-standard ports
Cloud sync clients or backup agents connecting to cloud storage endpoints on port 443 at regular intervals
VPN clients and network tunneling software that establish persistent encrypted connections as part of normal operation

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
| eval RemotePort=coalesce('dst_port', RemotePort)
| eval RemoteIp=coalesce('dst_ip', DestinationIp, RemoteIp)
| eval Image=coalesce('process', Image)
| where RemotePort IN ("443", "8443", "4443", "8080", "9443", "3443", "7443")
| where NOT match(RemoteIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\.168\\.|127\\.)")
| eval ProcessName=lower(mvindex(split(Image, "\\"), -1))
| where NOT ProcessName IN ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "outlook.exe", "teams.exe", "onedrive.exe", "slack.exe", "zoom.exe", "msiexec.exe", "wuauclt.exe")
| eval IsIPOnly=if(match(DestinationHostname, "^\\d{1,3}\.\\d{1,3}\.\\d{1,3}\.\\d{1,3}$") OR isnull(DestinationHostname) OR DestinationHostname="", 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe"), 1, 0)
| bin _time span=1h
| stats
    count AS ConnectionCount,
    dc(RemoteIp) AS UniqueDestIPs,
    values(RemoteIp) AS DestIPs,
    values(DestinationHostname) AS DestHostnames,
    values(RemotePort) AS Ports,
    max(IsIPOnly) AS HasIPOnlyConn,
    max(SuspiciousParent) AS HasSuspiciousParent,
    first(ParentImage) AS ParentProcess,
    first(User) AS UserAccount,
    first(CommandLine) AS CommandLine
    by _time, host, ProcessName, Image
| eval RiskScore=case(
    HasIPOnlyConn=1 AND HasSuspiciousParent=1, "Critical",
    HasIPOnlyConn=1 OR (ConnectionCount >= 10 AND UniqueDestIPs=1), "High",
    HasSuspiciousParent=1 OR ConnectionCount >= 5, "Medium",
    1=1, "Low"
)
| where RiskScore IN ("Critical", "High", "Medium")
| eval BeaconIndicator=if(ConnectionCount >= 5 AND UniqueDestIPs=1, "Possible beaconing detected", "Single or varied connections")
| table _time, host, RiskScore, ProcessName, CommandLine, ParentProcess, UserAccount, DestIPs, DestHostnames, Ports, ConnectionCount, UniqueDestIPs, HasIPOnlyConn, HasSuspiciousParent, BeaconIndicator
| sort - RiskScore, - ConnectionCount

high severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Internal custom applications or scripts that communicate with known services over HTTPS — add these to the process exclusion list
IT management agents (SCCM client, antivirus update services, patch management tools) making regular encrypted check-ins
Development tools and package managers (npm, pip, git) connecting to package repositories on port 443
Remote desktop or remote access solutions that establish encrypted tunnels
Database replication services and backup agents using SSL/TLS on non-standard ports

Elastic Security (EQL)

eql

network where event.type == "connection_attempted"
  and network.direction == "outbound"
  and destination.port in (443, 8443, 4443, 8080, 9443)
  and not process.name in ("chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe", "teams.exe", "onedrive.exe", "slack.exe", "zoom.exe")
  and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*")

high severity medium confidence

Data Sources

Elastic Endpoint Security Network events

Required Tables

logs-endpoint.events.network.*

False Positives

Custom internal monitoring agents connecting to known cloud services over HTTPS
IT management tools (SCCM, Ansible) making regular encrypted check-ins
Security products (EDR agents, DLP) beaconing over encrypted channels
Cloud sync clients connecting to cloud storage endpoints at regular intervals
VPN clients establishing persistent encrypted connections

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip, destinationip, destinationport,
  "Application" AS ProcessName,
  CASE
    WHEN "Application" IN ('chrome.exe','firefox.exe','msedge.exe','outlook.exe','teams.exe') THEN 'Legitimate Browser'
    WHEN destinationport IN (443,8443,4443) AND "Application" NOT IN ('chrome.exe','firefox.exe','msedge.exe') THEN 'Suspicious Encrypted Channel'
    ELSE 'Review Required'
  END AS RiskCategory,
  CASE
    WHEN destinationport IN (443,8443,4443) AND "Application" NOT IN ('chrome.exe','firefox.exe','msedge.exe') THEN 80
    WHEN destinationport IN (8080,9443,3443) THEN 60
    ELSE 40
  END AS RiskScore
FROM events
WHERE destinationport IN (443, 8443, 4443, 8080, 9443, 3443, 7443)
  AND NOT sourceip INCIDR '10.0.0.0/8'
  AND NOT sourceip INCIDR '172.16.0.0/12'
  AND NOT sourceip INCIDR '192.168.0.0/16'
  AND "Application" NOT IN ('chrome.exe','firefox.exe','msedge.exe','iexplore.exe','outlook.exe','teams.exe','onedrive.exe','slack.exe','zoom.exe')
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
LAST 1 HOURS

high severity medium confidence

Data Sources

Sysmon via Windows Event Log Network flow data

Required Tables

events

False Positives

Custom internal applications connecting to known infrastructure over HTTPS
IT management tools making regular encrypted check-ins
Security products (EDR agents) beaconing over encrypted channels
Cloud sync clients connecting to storage endpoints at regular intervals
VPN clients establishing persistent encrypted connections

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| json auto
| where EventCode = 3
| where DestinationPort in ("443","8443","4443","8080","9443","3443","7443")
| where !matches(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
| eval ProcessName = lower(Image)
| where !matches(ProcessName, "chrome|firefox|msedge|iexplore|outlook|teams|onedrive|slack|zoom")
| eval IsIPOnly = if(matches(DestinationHostname, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$") or isNull(DestinationHostname), "true", "false")
| eval SuspiciousParent = if(matches(lower(ParentImage), "cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe"), "true", "false")
| eval RiskScore = if(IsIPOnly = "true" and SuspiciousParent = "true", 100,
    if(IsIPOnly = "true", 70,
    if(SuspiciousParent = "true", 50, 30)))
| where RiskScore >= 50
| stats count AS ConnectionCount, values(DestinationIp) AS DestIPs, max(RiskScore) AS MaxRisk by _sourceHost, ProcessName, ParentImage, DestinationPort
| sort by MaxRisk desc

high severity medium confidence

Data Sources

Sysmon Endpoint data

Required Tables

_sourceCategory=*sysmon*

False Positives

Custom internal monitoring agents communicating over HTTPS to known services
IT management and patch management tools making scheduled encrypted connections
Security products beaconing to cloud-based management platforms
Backup agents connecting to cloud storage at regular intervals
VPN and network tunneling software maintaining persistent encrypted sessions

Google Chronicle / SecOps

yaral

rule T1573_encrypted_channel {
  meta:
    author = "Detection Engineering"
    description = "Detects potential encrypted C2 channels from non-browser processes"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1573"
    reference = "https://attack.mitre.org/techniques/T1573/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (443, 8443, 4443, 8080, 9443)
    not $e.principal.process.file.full_path = /chrome|firefox|msedge|outlook|teams|onedrive|slack|zoom/i
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry via Chronicle ingestion

Required Tables

NETWORK_CONNECTION

False Positives

Custom internal monitoring agents making encrypted connections to authorized services
IT management tools with scheduled encrypted check-ins to management infrastructure
Security products (EDR, DLP) with regular beaconing over encrypted channels
Cloud sync and backup applications connecting to storage endpoints at intervals
VPN clients maintaining persistent encrypted tunnel connections

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "NetworkConnectIP4"
| RemotePort in (443, 8443, 4443, 8080, 9443, 3443, 7443)
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| ImageFileName != /(?i)(chrome|firefox|msedge|iexplore|outlook|teams|onedrive|slack|zoom|svchost|wuauclt)/
| ConnectionDirection = "1"
| groupBy([aid, ComputerName, ImageFileName, RemoteAddressIP4, RemotePort], function=[count(as=ConnectionCount), min(timestamp, as=FirstSeen), max(timestamp, as=LastSeen)])
| IsIPOnly := if(RemoteAddressIP4 =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, "true", "false")
| case {
    ConnectionCount >= 5 AND IsIPOnly = "true" => RiskScore := "Critical";
    ConnectionCount >= 5 => RiskScore := "High";
    IsIPOnly = "true" => RiskScore := "High";
    * => RiskScore := "Medium";
  }
| where RiskScore in ("Critical", "High", "Medium")
| table([ComputerName, ImageFileName, RemoteAddressIP4, RemotePort, ConnectionCount, IsIPOnly, RiskScore, FirstSeen, LastSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Network events

Required Tables

NetworkConnectIP4

False Positives

Custom internal monitoring agents using non-standard ports for encrypted telemetry
IT management platforms (SCCM, NinjaRMM) with regular encrypted check-ins
Security products (CrowdStrike itself, DLP tools) beaconing over encrypted channels
Business applications (backup clients, cloud sync) connecting at regular intervals
VPN and ZTNA clients maintaining persistent encrypted tunnel connections

Encrypted Channel

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Command and Control

Popular Detections