Detect Symmetric Cryptography in Google Chronicle
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. Real-world malware families using this technique include Dridex (RC4), SMOKEDHAM (RC4), LockBit 3.0 (AES), Emotet (RSA+AES hybrid), SysUpdate (DES), Prikormka (Blowfish), Azorult (XOR), Bisonal (RC4/XOR), and InvisiMole (XOR). Detection cannot rely on payload inspection since the data is opaque; instead it must focus on behavioral proxies: crypto library usage by unexpected processes, beaconing patterns, process genealogy anomalies combined with external connections, and known cipher-specific implementation artifacts.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1573 Encrypted Channel
- Sub-technique
- T1573.001 Symmetric Cryptography
- Canonical reference
- https://attack.mitre.org/techniques/T1573/001/
YARA-L Detection Query
rule T1573_001_symmetric_crypto_c2 {
meta:
author = "df00tech"
description = "Detects processes loading Windows cryptographic libraries followed by outbound connections to public IPs on non-standard ports — behavioral signature of symmetric-cipher C2 (AES/RC4/DES). Covers Dridex, LockBit, Emotet, SMOKEDHAM patterns."
mitre_attack_tactic = "Command and Control"
mitre_attack_technique = "T1573.001"
severity = "HIGH"
priority = "HIGH"
events:
// Event 1 — DLL load of a Windows cryptographic library
$dll_load.metadata.event_type = "PROCESS_MODULE_LOAD"
$dll_load.principal.hostname = $hostname
$dll_load.principal.process.pid = $pid
$dll_load.target.file.full_path = /(?i)(rsaenh\.dll|bcrypt\.dll|bcryptprimitives\.dll|cryptsp\.dll|ncrypt\.dll)$/
not $dll_load.principal.process.file.full_path = /(?i)(lsass\.exe|svchost\.exe|services\.exe|spoolsv\.exe|csrss\.exe|winlogon\.exe|smss\.exe|wininit\.exe|MsMpEng\.exe|NisSrv\.exe|SecurityHealthService\.exe|SearchIndexer\.exe|fontdrvhost\.exe|dwm\.exe|sihost\.exe|taskhostw\.exe|RuntimeBroker\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe)$/
// Event 2 — Outbound network connection to public IP on non-standard port
$net_conn.metadata.event_type = "NETWORK_CONNECTION"
$net_conn.principal.hostname = $hostname
$net_conn.principal.process.pid = $pid
$net_conn.network.direction = "OUTBOUND"
not $net_conn.target.ip = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|0\.0\.0\.0|::1)/
not $net_conn.target.port in (80, 443, 8080, 8443, 53, 22, 21, 20, 25, 587, 465, 993, 995, 110, 143, 3389)
// Temporal constraint — connection within 15 minutes of DLL load
$net_conn.metadata.event_timestamp.seconds <= $dll_load.metadata.event_timestamp.seconds + 900
$net_conn.metadata.event_timestamp.seconds >= $dll_load.metadata.event_timestamp.seconds
condition:
$dll_load and $net_conn
}Chronicle YARA-L 2.0 rule correlating Windows cryptographic DLL load events (PROCESS_MODULE_LOAD) with subsequent outbound NETWORK_CONNECTION events to public IPs on non-standard ports from the same process within a 15-minute window. Excludes known-legitimate system processes and browsers. Detects symmetric-cipher C2 frameworks including those used by Dridex (RC4), LockBit 3.0 (AES), and Emotet (AES).
Data Sources
Required Tables
False Positives & Tuning
- Enterprise patch management or deployment agents that load bcrypt.dll for certificate validation and then connect to update servers on proprietary high ports
- Database client libraries (ODBC, JDBC) loading ncrypt.dll for TLS-encrypted connections to cloud databases on non-standard database ports
- Legitimate custom LOB (line-of-business) applications that implement AES encryption internally via bcryptprimitives.dll and phone home to vendor SaaS infrastructure on non-standard HTTPS alternatives
Other platforms for T1573.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AES-Encrypted Beacon Simulation via PowerShell Crypto API
Expected signal: DeviceImageLoadEvents: bcrypt.dll and bcryptprimitives.dll loaded by powershell.exe. DeviceProcessEvents (Sysmon EventCode=1): powershell.exe with the AES command line. DeviceNetworkEvents (Sysmon EventCode=3): TCP connection attempt from powershell.exe to 127.0.0.1:4444 (will fail but logged). PowerShell ScriptBlock Log EventID 4104: AES class instantiation and Encrypt operations.
- Test 2XOR-Encrypted C2 Beacon Simulation via PowerShell (Azorult/Bisonal Pattern)
Expected signal: Sysmon EventCode=1: powershell.exe with -WindowStyle Hidden flag (HiddenWindow indicator). DeviceNetworkEvents: HTTP connection attempt to 127.0.0.1:8888 from powershell.exe. PowerShell ScriptBlock Log EventID 4104: XOR loop and WebClient UploadString call. DeviceImageLoadEvents: rsaenh.dll or bcrypt.dll loaded by powershell.exe for System.Security.Cryptography namespace initialization.
- Test 3RC4-Equivalent Stream Cipher via Python (Dridex/SMOKEDHAM Pattern)
Expected signal: Sysmon EventCode=1: python.exe spawned with obfuscated RC4 implementation in command line. DeviceNetworkEvents: socket connection attempt to 127.0.0.1:443 from python.exe (if connect enabled). DeviceProcessEvents: python.exe as child of cmd.exe or test harness. No DLL load events (Python uses its own crypto implementation).
- Test 4AES-CBC Encrypted C2 over TCP — Linux/macOS (OpenSSL + netcat)
Expected signal: Linux auditd: execve syscall for openssl and nc with AES encryption arguments. Syslog: process creation events if auditd logging is configured. Network: TCP connection attempt to 127.0.0.1:4444 from nc process. Linux security tools: openssl process with enc subcommand and -aes-256-cbc flag followed immediately by nc with external destination.
References (14)
- https://attack.mitre.org/techniques/T1573/001/
- https://attack.mitre.org/techniques/T1573/
- https://securelist.com/dridex-a-history-of-evolution/78531/
- https://www.fireeye.com/blog/threat-research/2021/06/smokedham-backdoor-unc2465.html
- https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/
- https://www.trendmicro.com/en_us/research/19/a/new-emotet-hijacks-windows-update.html
- https://www.proofpoint.com/us/threat-insight/post/azorult-malware-downloader-and-credential-stealer
- https://www.microsoft.com/en-us/security/blog/2023/06/14/lockbit-3-ransomware-disruption/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573.001/T1573.001.md
- https://learn.microsoft.com/en-us/windows/win32/seccng/cng-portal
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceimagloadevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
Unlock Pro Content
Get the full detection package for T1573.001 including response playbook, investigation guide, and atomic red team tests.