T1573.001

Symmetric Cryptography

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. Real-world malware families using this technique include Dridex (RC4), SMOKEDHAM (RC4), LockBit 3.0 (AES), Emotet (RSA+AES hybrid), SysUpdate (DES), Prikormka (Blowfish), Azorult (XOR), Bisonal (RC4/XOR), and InvisiMole (XOR). Detection cannot rely on payload inspection since the data is opaque; instead it must focus on behavioral proxies: crypto library usage by unexpected processes, beaconing patterns, process genealogy anomalies combined with external connections, and known cipher-specific implementation artifacts.

Microsoft Sentinel / Defender

kusto

// T1573.001 — Symmetric Cryptography C2
// Correlates Windows crypto library loads from non-system, non-browser processes
// with subsequent outbound connections to public IPs on non-standard ports.
// Designed to surface processes that load encryption APIs and then communicate externally —
// the behavioral signature common to AES/RC4/DES-based C2 frameworks.
let CryptoLibraries = dynamic([
  "rsaenh.dll",
  "bcrypt.dll",
  "bcryptprimitives.dll",
  "cryptsp.dll",
  "ncrypt.dll"
]);
let ExcludedSystemProcs = dynamic([
  "lsass.exe", "svchost.exe", "services.exe", "spoolsv.exe", "csrss.exe",
  "winlogon.exe", "smss.exe", "wininit.exe", "MsMpEng.exe", "NisSrv.exe",
  "SecurityHealthService.exe", "SearchIndexer.exe", "fontdrvhost.exe",
  "dwm.exe", "sihost.exe", "taskhostw.exe", "RuntimeBroker.exe"
]);
let ExcludedBrowsers = dynamic([
  "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
  "opera.exe", "brave.exe", "vivaldi.exe"
]);
let StandardPorts = dynamic([
  80, 443, 8080, 8443, 53, 22, 21, 20, 25, 587, 465, 993, 995, 110, 143, 3389
]);
// Step 1 — processes loading crypto libraries (excluding known-legitimate)
let CryptoLoaders = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName in~ (CryptoLibraries)
| where not(InitiatingProcessFileName in~ (ExcludedSystemProcs))
| where not(InitiatingProcessFileName in~ (ExcludedBrowsers))
| project
    LoadTime = Timestamp,
    DeviceName,
    DeviceId,
    ProcessName = InitiatingProcessFileName,
    ProcessId = InitiatingProcessId,
    ProcessCmd = InitiatingProcessCommandLine,
    AccountName = InitiatingProcessAccountName,
    ProcessSHA256 = InitiatingProcessSHA256,
    CryptoLib = FileName;
// Step 2 — outbound connections to public IPs on non-standard ports
let SuspiciousConns = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where not(RemotePort in (StandardPorts))
| project
    ConnTime = Timestamp,
    DeviceName,
    DeviceId,
    ConnProcess = InitiatingProcessFileName,
    ConnProcessId = InitiatingProcessId,
    RemoteIP,
    RemotePort,
    BytesSent = SentBytes,
    BytesReceived = ReceivedBytes;
// Step 3 — correlate: crypto load followed by external connection within 15 minutes
CryptoLoaders
| join kind=inner (SuspiciousConns)
    on DeviceName, $left.ProcessId == $right.ConnProcessId
| where ConnTime between (LoadTime .. (LoadTime + 15m))
| summarize
    CryptoLibsLoaded = make_set(CryptoLib),
    RemoteIPs = make_set(RemoteIP),
    RemotePorts = make_set(RemotePort),
    ConnectionCount = count(),
    TotalBytesSent = sum(BytesSent),
    TotalBytesReceived = sum(BytesReceived),
    FirstConnection = min(ConnTime),
    LastConnection = max(ConnTime)
    by DeviceName, ProcessName, ProcessCmd, AccountName, ProcessSHA256
| extend DataTransferMB = round(toreal(TotalBytesSent + TotalBytesReceived) / 1048576, 2)
| extend DurationMinutes = datetime_diff('minute', LastConnection, FirstConnection)
| extend AvgIntervalSeconds = iif(
    ConnectionCount > 1,
    toreal(DurationMinutes * 60) / toreal(ConnectionCount - 1),
    0.0)
| extend BeaconLikely = AvgIntervalSeconds between (30.0 .. 3600.0) and ConnectionCount >= 5
| sort by ConnectionCount desc

high severity medium confidence

Data Sources

Module: Module Load Network Traffic: Network Connection Creation Microsoft Defender for Endpoint — DeviceImageLoadEvents Microsoft Defender for Endpoint — DeviceNetworkEvents

Required Tables

DeviceImageLoadEvents DeviceNetworkEvents

False Positives

Security agents (CrowdStrike, Carbon Black, SentinelOne, Cylance) that load crypto libraries to encrypt their own telemetry streams and communicate with backend cloud services
Enterprise backup agents (Veeam, Commvault, Veritas) that perform AES-encrypted data transfers to off-site repositories on non-standard ports
Software update mechanisms (Autodesk, Adobe, JetBrains) that use TLS on non-443 ports (e.g., 7443, 8444) and load bcrypt.dll as part of update verification
VPN and proxy clients (Cisco AnyConnect, GlobalProtect, ZScaler) that load crypto libraries before establishing tunnels to public infrastructure
Developer IDEs and language runtimes (Visual Studio, IntelliJ, Python interpreters) loading cryptographic libraries during normal operation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="::1" OR DestinationIp="169.254.*" OR DestinationIp="0.0.0.0")
NOT (DestinationPort=80 OR DestinationPort=443 OR DestinationPort=8080 OR DestinationPort=8443 OR DestinationPort=53 OR DestinationPort=22 OR DestinationPort=21 OR DestinationPort=25 OR DestinationPort=587 OR DestinationPort=465 OR DestinationPort=993 OR DestinationPort=995 OR DestinationPort=110 OR DestinationPort=143 OR DestinationPort=3389)
NOT (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe" OR Image="*\\iexplore.exe" OR Image="*\\opera.exe" OR Image="*\\brave.exe")
NOT (Image="*\\svchost.exe" OR Image="*\\lsass.exe" OR Image="*\\MsMpEng.exe" OR Image="*\\services.exe" OR Image="*\\csrss.exe" OR Image="*\\winlogon.exe")
| eval ProcessName=mvindex(split(Image, "\\"), -1)
| eval isSuspiciousProcess=case(
    match(Image, "(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe)"), 2,
    match(Image, "(?i)(python\.exe|python3\.exe|perl\.exe|ruby\.exe|node\.exe|php\.exe|java\.exe|javaw\.exe)"), 1,
    1==1, 0)
| eval isEphemeralPort=if(DestinationPort >= 49152, 1, 0)
| eval isLowUnusualPort=if(DestinationPort < 1024 AND DestinationPort != 80 AND DestinationPort != 443 AND DestinationPort != 53 AND DestinationPort != 22, 1, 0)
| eval isKnownC2Port=if(DestinationPort=4444 OR DestinationPort=4445 OR DestinationPort=1337 OR DestinationPort=8888 OR DestinationPort=9999 OR DestinationPort=6666 OR DestinationPort=7777, 2, 0)
| eval PortSuspicion=isEphemeralPort + isLowUnusualPort + isKnownC2Port
| eval SuspicionScore=isSuspiciousProcess + PortSuspicion
| where SuspicionScore >= 1
| stats
    count as ConnectionCount,
    dc(DestinationIp) as UniqueRemoteIPs,
    values(DestinationIp) as RemoteIPs,
    values(DestinationPort) as RemotePorts,
    earliest(_time) as FirstConnection,
    latest(_time) as LastConnection,
    max(SuspicionScore) as MaxSuspicion
    by host, User, Image, ProcessName
| where ConnectionCount >= 3 OR (ConnectionCount >= 1 AND MaxSuspicion >= 3)
| eval Duration=LastConnection - FirstConnection
| eval AvgIntervalSec=if(ConnectionCount > 1, round(Duration / (ConnectionCount - 1), 0), 0)
| eval PossibleBeacon=case(
    AvgIntervalSec >= 30 AND AvgIntervalSec <= 3600 AND ConnectionCount >= 5, "HIGH",
    AvgIntervalSec >= 30 AND AvgIntervalSec <= 7200 AND ConnectionCount >= 3, "MEDIUM",
    1==1, "LOW")
| table host, User, Image, ProcessName, ConnectionCount, UniqueRemoteIPs, RemoteIPs, RemotePorts, AvgIntervalSec, PossibleBeacon, MaxSuspicion, FirstConnection, LastConnection
| sort - MaxSuspicion, - ConnectionCount

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3 — Network Connection

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Security monitoring tools (Nessus, Tenable, Qualys agents) that make frequent outbound connections to cloud management planes on non-standard ports
Scripting-based automation (PowerShell DSC, Python monitoring scripts) that poll external APIs on non-standard ports as part of legitimate infrastructure health checks
Game launchers (Steam, Epic, Battle.net) using proprietary ports that score as ephemeral or unusual
VoIP applications (Cisco Jabber, Zoom, WebEx) using dynamic UDP/TCP ports that score as ephemeral
Java-based enterprise applications (Elasticsearch clients, Kafka producers) making persistent connections on non-standard ports

Elastic Security (EQL)

eql

sequence by host.id, process.entity_id with maxspan=15m
  [library where host.os.type == "windows"
    and dll.name in~ ("rsaenh.dll", "bcrypt.dll", "bcryptprimitives.dll", "cryptsp.dll", "ncrypt.dll")
    and not process.name in~ ("lsass.exe", "svchost.exe", "services.exe", "spoolsv.exe", "csrss.exe",
      "winlogon.exe", "smss.exe", "wininit.exe", "MsMpEng.exe", "NisSrv.exe",
      "SecurityHealthService.exe", "SearchIndexer.exe", "fontdrvhost.exe",
      "dwm.exe", "sihost.exe", "taskhostw.exe", "RuntimeBroker.exe",
      "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
      "opera.exe", "brave.exe", "vivaldi.exe")]
  [network where host.os.type == "windows"
    and network.direction == "egress"
    and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128")
    and not destination.port in (80, 443, 8080, 8443, 53, 22, 21, 20, 25, 587, 465, 993, 995, 110, 143, 3389)]

high severity medium confidence

Data Sources

Elastic Endpoint Security (endpoint agent) Windows Event Logs via Filebeat/Winlogbeat Sysmon via Filebeat

Required Tables

library (ECS dll.name) network (ECS network.direction, destination.ip, destination.port) process (ECS process.name, process.entity_id)

False Positives

Enterprise software using TLS libraries internally (e.g., backup agents, update clients) that also initiate outbound encrypted communications on non-standard management ports
Development tools such as git, curl, or Python scripts that load crypto libraries for HTTPS operations and connect to developer infrastructure on non-standard ports
Endpoint security agents or DLP products that load cryptographic libraries as part of data inspection pipelines and maintain outbound connections to their cloud management platforms
VoIP clients and conferencing tools (Zoom, Teams standalone) that load crypto DLLs for media encryption and connect on high ephemeral ports

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  destinationip,
  destinationport,
  username,
  LOGSOURCENAME(logSourceId) AS LogSource,
  CATEGORYNAME(category) AS Category,
  devicehostname AS HostName,
  "ApplicationProtocol" AS AppProtocol,
  payload
FROM events
WHERE
  LOGSOURCETYPEID(logSourceId) IN (
    SELECT id FROM logsourcetypes WHERE name LIKE '%Sysmon%' OR name LIKE '%Windows%'
  )
  AND QIDNAME(qid) LIKE '%Network Connect%'
  AND NOT (destinationip LIKE '10.%'
    OR destinationip LIKE '172.16.%' OR destinationip LIKE '172.17.%'
    OR destinationip LIKE '172.18.%' OR destinationip LIKE '172.19.%'
    OR destinationip LIKE '172.20.%' OR destinationip LIKE '172.21.%'
    OR destinationip LIKE '172.22.%' OR destinationip LIKE '172.23.%'
    OR destinationip LIKE '172.24.%' OR destinationip LIKE '172.25.%'
    OR destinationip LIKE '172.26.%' OR destinationip LIKE '172.27.%'
    OR destinationip LIKE '172.28.%' OR destinationip LIKE '172.29.%'
    OR destinationip LIKE '172.30.%' OR destinationip LIKE '172.31.%'
    OR destinationip LIKE '192.168.%'
    OR destinationip LIKE '127.%'
    OR destinationip LIKE '169.254.%'
    OR destinationip = '0.0.0.0')
  AND destinationport NOT IN (80, 443, 8080, 8443, 53, 22, 21, 20, 25, 587, 465, 993, 995, 110, 143, 3389)
  AND username NOT IN ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
  AND (payload ILIKE '%powershell%' OR payload ILIKE '%wscript%' OR payload ILIKE '%cscript%'
    OR payload ILIKE '%mshta%' OR payload ILIKE '%rundll32%' OR payload ILIKE '%regsvr32%'
    OR payload ILIKE '%certutil%' OR payload ILIKE '%bitsadmin%'
    OR destinationport >= 49152
    OR destinationport IN (4444, 4445, 1337, 8888, 9999, 6666, 7777))
  AND starttime > NOW() - 86400 SECONDS
GROUP BY
  devicehostname, username, sourceip, destinationip, destinationport, payload
HAVING COUNT(*) >= 3
ORDER BY COUNT(*) DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon for Windows (EventCode 3) Windows Security Event Log via QRadar WinCollect

Required Tables

events (QRadar normalized event store) logsourcetypes (QRadar metadata table)

False Positives

Enterprise management agents (SCCM, Tanium, CrowdStrike sensor, Carbon Black) connecting to cloud backends on high or proprietary ports using process names that match LOLBin patterns
Developer tooling pipelines — CI runners, npm/pip/cargo processes — initiating TLS connections to artifact repositories on non-standard ports
Custom internal applications using non-standard ports for encrypted API communications that run under user accounts rather than service accounts

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where EventID = "3"
| parse field=Image "*\\*" as ImagePath, ProcessName
| where !(DestinationIp matches "10.*"
  or DestinationIp matches "172.16.*" or DestinationIp matches "172.17.*"
  or DestinationIp matches "172.18.*" or DestinationIp matches "172.19.*"
  or DestinationIp matches "172.20.*" or DestinationIp matches "172.21.*"
  or DestinationIp matches "172.22.*" or DestinationIp matches "172.23.*"
  or DestinationIp matches "172.24.*" or DestinationIp matches "172.25.*"
  or DestinationIp matches "172.26.*" or DestinationIp matches "172.27.*"
  or DestinationIp matches "172.28.*" or DestinationIp matches "172.29.*"
  or DestinationIp matches "172.30.*" or DestinationIp matches "172.31.*"
  or DestinationIp matches "192.168.*"
  or DestinationIp matches "127.*"
  or DestinationIp matches "169.254.*")
| where !(DestinationPort in ("80","443","8080","8443","53","22","21","20","25","587","465","993","995","110","143","3389"))
| where !(ProcessName in ("chrome.exe","firefox.exe","msedge.exe","iexplore.exe","opera.exe","brave.exe",
    "svchost.exe","lsass.exe","MsMpEng.exe","services.exe","csrss.exe","winlogon.exe","spoolsv.exe"))
| eval isSuspiciousProcess = if(ProcessName in ("powershell.exe","pwsh.exe","cmd.exe","wscript.exe",
    "cscript.exe","mshta.exe","regsvr32.exe","rundll32.exe","certutil.exe","bitsadmin.exe","msiexec.exe"), 2,
  if(ProcessName in ("python.exe","python3.exe","node.exe","java.exe","perl.exe","ruby.exe"), 1, 0))
| eval dport = tonumber(DestinationPort)
| eval isEphemeralPort = if(dport >= 49152, 1, 0)
| eval isKnownC2Port = if(dport in (4444, 4445, 1337, 8888, 9999, 6666, 7777), 2, 0)
| eval SuspicionScore = isSuspiciousProcess + isEphemeralPort + isKnownC2Port
| where SuspicionScore >= 1
| timeslice 1h
| stats
    count as ConnectionCount,
    dcount(DestinationIp) as UniqueRemoteIPs,
    values(DestinationIp) as RemoteIPs,
    values(DestinationPort) as RemotePorts,
    min(_messageTime) as FirstConnection,
    max(_messageTime) as LastConnection,
    max(SuspicionScore) as MaxSuspicion
    by _timeslice, Computer, User, ProcessName, Image
| where ConnectionCount >= 3 or (ConnectionCount >= 1 and MaxSuspicion >= 3)
| eval Duration = LastConnection - FirstConnection
| eval AvgIntervalSec = if(ConnectionCount > 1, round(Duration / (ConnectionCount - 1), 0), 0)
| eval PossibleBeacon = if(AvgIntervalSec >= 30 and AvgIntervalSec <= 3600 and ConnectionCount >= 5, "HIGH",
    if(AvgIntervalSec >= 30 and AvgIntervalSec <= 7200 and ConnectionCount >= 3, "MEDIUM", "LOW"))
| fields Computer, User, Image, ProcessName, ConnectionCount, UniqueRemoteIPs, RemoteIPs, RemotePorts, AvgIntervalSec, PossibleBeacon, MaxSuspicion
| sort by MaxSuspicion, ConnectionCount

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon for Windows (EventCode 3) Windows Event Forwarding

Required Tables

Sysmon Network Connect events (_sourceCategory=*sysmon* or *windows*) Sumo Logic CIP normalized fields

False Positives

IT automation platforms (Ansible, Puppet, Chef agents) running as scripting engines (python.exe, ruby.exe) and connecting to management infrastructure on high ports
Security tooling that uses powershell.exe or cmd.exe for endpoint health checks back to a SIEM collector or orchestration platform on non-standard ports
Cloud sync clients or backup utilities that implement proprietary TLS over high ephemeral ports from process names that resemble scripting engines

Google Chronicle / SecOps

yaral

rule T1573_001_symmetric_crypto_c2 {
  meta:
    author = "df00tech"
    description = "Detects processes loading Windows cryptographic libraries followed by outbound connections to public IPs on non-standard ports — behavioral signature of symmetric-cipher C2 (AES/RC4/DES). Covers Dridex, LockBit, Emotet, SMOKEDHAM patterns."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1573.001"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Event 1 — DLL load of a Windows cryptographic library
    $dll_load.metadata.event_type = "PROCESS_MODULE_LOAD"
    $dll_load.principal.hostname = $hostname
    $dll_load.principal.process.pid = $pid
    $dll_load.target.file.full_path = /(?i)(rsaenh\.dll|bcrypt\.dll|bcryptprimitives\.dll|cryptsp\.dll|ncrypt\.dll)$/
    not $dll_load.principal.process.file.full_path = /(?i)(lsass\.exe|svchost\.exe|services\.exe|spoolsv\.exe|csrss\.exe|winlogon\.exe|smss\.exe|wininit\.exe|MsMpEng\.exe|NisSrv\.exe|SecurityHealthService\.exe|SearchIndexer\.exe|fontdrvhost\.exe|dwm\.exe|sihost\.exe|taskhostw\.exe|RuntimeBroker\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe)$/

    // Event 2 — Outbound network connection to public IP on non-standard port
    $net_conn.metadata.event_type = "NETWORK_CONNECTION"
    $net_conn.principal.hostname = $hostname
    $net_conn.principal.process.pid = $pid
    $net_conn.network.direction = "OUTBOUND"
    not $net_conn.target.ip = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|0\.0\.0\.0|::1)/
    not $net_conn.target.port in (80, 443, 8080, 8443, 53, 22, 21, 20, 25, 587, 465, 993, 995, 110, 143, 3389)

    // Temporal constraint — connection within 15 minutes of DLL load
    $net_conn.metadata.event_timestamp.seconds <= $dll_load.metadata.event_timestamp.seconds + 900
    $net_conn.metadata.event_timestamp.seconds >= $dll_load.metadata.event_timestamp.seconds

  condition:
    $dll_load and $net_conn
}

high severity medium confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows endpoints via Chronicle forwarder Sysmon EventCode 7 (Image Load) and EventCode 3 (Network Connect) ingested as UDM events

Required Tables

UDM events: PROCESS_MODULE_LOAD UDM events: NETWORK_CONNECTION

False Positives

Enterprise patch management or deployment agents that load bcrypt.dll for certificate validation and then connect to update servers on proprietary high ports
Database client libraries (ODBC, JDBC) loading ncrypt.dll for TLS-encrypted connections to cloud databases on non-standard database ports
Legitimate custom LOB (line-of-business) applications that implement AES encryption internally via bcryptprimitives.dll and phone home to vendor SaaS infrastructure on non-standard HTTPS alternatives

CrowdStrike LogScale (CQL)

cql

// T1573.001 — Symmetric Cryptography C2: CrowdStrike LogScale CQL
// Detects ImageLoad of Windows crypto DLLs from unexpected processes,
// correlated with outbound network connections to public IPs on non-standard ports.

// Step 1 — Find crypto DLL loads from suspicious processes
#event_simpleName=ClassifiedModuleLoad
| ImageFileName = /(?i)(rsaenh\.dll|bcrypt\.dll|bcryptprimitives\.dll|cryptsp\.dll|ncrypt\.dll)$/
| not ProcessImageFileName = /(?i)(lsass\.exe|svchost\.exe|services\.exe|spoolsv\.exe|csrss\.exe|winlogon\.exe|smss\.exe|wininit\.exe|MsMpEng\.exe|NisSrv\.exe|SecurityHealthService\.exe|SearchIndexer\.exe|fontdrvhost\.exe|dwm\.exe|sihost\.exe|taskhostw\.exe|RuntimeBroker\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe)$/
| ProcessName := replace(ProcessImageFileName, /.*\\/, "")
| select([timestamp, aid, ComputerName, ProcessImageFileName, ProcessName, TargetProcessId, SHA256HashData])
| rename(field=TargetProcessId, as=CryptoLoaderPid)
| rename(field=timestamp, as=DllLoadTime)
| join(
    // Step 2 — Find outbound connections on non-standard ports to public IPs
    {
      #event_simpleName=NetworkConnectIP4
      | not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)/
      | RemotePort != 80
      | RemotePort != 443
      | RemotePort != 8080
      | RemotePort != 8443
      | RemotePort != 53
      | RemotePort != 22
      | RemotePort != 21
      | RemotePort != 25
      | RemotePort != 587
      | RemotePort != 465
      | RemotePort != 993
      | RemotePort != 995
      | RemotePort != 110
      | RemotePort != 143
      | RemotePort != 3389
      | IsOutboundInitiator = true
      | select([timestamp, aid, ComputerName, ContextProcessId, RemoteAddressIP4, RemotePort, LocalPort])
      | rename(field=timestamp, as=ConnTime)
      | rename(field=ContextProcessId, as=ConnPid)
    },
    field=[aid, ComputerName],
    include=[ConnPid, ConnTime, RemoteAddressIP4, RemotePort]
  )
| CryptoLoaderPid = ConnPid
| TimeDeltaSec := (ConnTime - DllLoadTime) / 1000000000
| TimeDeltaSec >= 0
| TimeDeltaSec <= 900
| groupBy([ComputerName, ProcessName, ProcessImageFileName, SHA256HashData], function=[
    count(as=ConnectionCount),
    collect(RemoteAddressIP4, as=RemoteIPs),
    collect(RemotePort, as=RemotePorts),
    min(ConnTime, as=FirstConnection),
    max(ConnTime, as=LastConnection),
    collect(ImageFileName, as=CryptoDLLs)
  ])
| DurationSec := (LastConnection - FirstConnection) / 1000000000
| AvgIntervalSec := if(ConnectionCount > 1, round(DurationSec / (ConnectionCount - 1)), 0)
| BeaconLikely := if(AvgIntervalSec >= 30 AND AvgIntervalSec <= 3600 AND ConnectionCount >= 5, "HIGH",
    if(AvgIntervalSec >= 30 AND AvgIntervalSec <= 7200 AND ConnectionCount >= 3, "MEDIUM", "LOW"))
| ConnectionCount >= 2
| sort(ConnectionCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (EDR) CrowdStrike Humio/LogScale — Falcon event stream Falcon sensor: ClassifiedModuleLoad, NetworkConnectIP4 event types

Required Tables

ClassifiedModuleLoad (Falcon module load telemetry) NetworkConnectIP4 (Falcon network connection telemetry)

False Positives

CrowdStrike or third-party EDR agents themselves loading crypto DLLs for local file scanning and then connecting to cloud telemetry endpoints on high ports — the sensor process should be excluded by SHA256 or process path allowlist
Software distribution tools (SCCM client, Intune management extension) that load bcrypt.dll for certificate operations and maintain persistent HTTPS-like connections to management clouds on alternate ports
Custom enterprise applications using Windows CNG APIs (bcryptprimitives.dll) for data-at-rest encryption that also communicate with internal SaaS backends via non-standard TLS ports

Last updated: 2026-04-21 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1573.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Symmetric Cryptography

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections