Detect Symmetric Cryptography in Elastic Security
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. Real-world malware families using this technique include Dridex (RC4), SMOKEDHAM (RC4), LockBit 3.0 (AES), Emotet (RSA+AES hybrid), SysUpdate (DES), Prikormka (Blowfish), Azorult (XOR), Bisonal (RC4/XOR), and InvisiMole (XOR). Detection cannot rely on payload inspection since the data is opaque; instead it must focus on behavioral proxies: crypto library usage by unexpected processes, beaconing patterns, process genealogy anomalies combined with external connections, and known cipher-specific implementation artifacts.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1573 Encrypted Channel
- Sub-technique
- T1573.001 Symmetric Cryptography
- Canonical reference
- https://attack.mitre.org/techniques/T1573/001/
Elastic Detection Query
sequence by host.id, process.entity_id with maxspan=15m
[library where host.os.type == "windows"
and dll.name in~ ("rsaenh.dll", "bcrypt.dll", "bcryptprimitives.dll", "cryptsp.dll", "ncrypt.dll")
and not process.name in~ ("lsass.exe", "svchost.exe", "services.exe", "spoolsv.exe", "csrss.exe",
"winlogon.exe", "smss.exe", "wininit.exe", "MsMpEng.exe", "NisSrv.exe",
"SecurityHealthService.exe", "SearchIndexer.exe", "fontdrvhost.exe",
"dwm.exe", "sihost.exe", "taskhostw.exe", "RuntimeBroker.exe",
"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
"opera.exe", "brave.exe", "vivaldi.exe")]
[network where host.os.type == "windows"
and network.direction == "egress"
and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128")
and not destination.port in (80, 443, 8080, 8443, 53, 22, 21, 20, 25, 587, 465, 993, 995, 110, 143, 3389)]Detects processes that load Windows cryptographic libraries (bcrypt.dll, rsaenh.dll, cryptsp.dll, ncrypt.dll) and subsequently make outbound connections to public IPs on non-standard ports within a 15-minute window. Excludes known-legitimate system processes and browsers. Targets the behavioral signature of AES/RC4/DES-based C2 frameworks such as Dridex, LockBit, and Emotet.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise software using TLS libraries internally (e.g., backup agents, update clients) that also initiate outbound encrypted communications on non-standard management ports
- Development tools such as git, curl, or Python scripts that load crypto libraries for HTTPS operations and connect to developer infrastructure on non-standard ports
- Endpoint security agents or DLP products that load cryptographic libraries as part of data inspection pipelines and maintain outbound connections to their cloud management platforms
- VoIP clients and conferencing tools (Zoom, Teams standalone) that load crypto DLLs for media encryption and connect on high ephemeral ports
Other platforms for T1573.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AES-Encrypted Beacon Simulation via PowerShell Crypto API
Expected signal: DeviceImageLoadEvents: bcrypt.dll and bcryptprimitives.dll loaded by powershell.exe. DeviceProcessEvents (Sysmon EventCode=1): powershell.exe with the AES command line. DeviceNetworkEvents (Sysmon EventCode=3): TCP connection attempt from powershell.exe to 127.0.0.1:4444 (will fail but logged). PowerShell ScriptBlock Log EventID 4104: AES class instantiation and Encrypt operations.
- Test 2XOR-Encrypted C2 Beacon Simulation via PowerShell (Azorult/Bisonal Pattern)
Expected signal: Sysmon EventCode=1: powershell.exe with -WindowStyle Hidden flag (HiddenWindow indicator). DeviceNetworkEvents: HTTP connection attempt to 127.0.0.1:8888 from powershell.exe. PowerShell ScriptBlock Log EventID 4104: XOR loop and WebClient UploadString call. DeviceImageLoadEvents: rsaenh.dll or bcrypt.dll loaded by powershell.exe for System.Security.Cryptography namespace initialization.
- Test 3RC4-Equivalent Stream Cipher via Python (Dridex/SMOKEDHAM Pattern)
Expected signal: Sysmon EventCode=1: python.exe spawned with obfuscated RC4 implementation in command line. DeviceNetworkEvents: socket connection attempt to 127.0.0.1:443 from python.exe (if connect enabled). DeviceProcessEvents: python.exe as child of cmd.exe or test harness. No DLL load events (Python uses its own crypto implementation).
- Test 4AES-CBC Encrypted C2 over TCP — Linux/macOS (OpenSSL + netcat)
Expected signal: Linux auditd: execve syscall for openssl and nc with AES encryption arguments. Syslog: process creation events if auditd logging is configured. Network: TCP connection attempt to 127.0.0.1:4444 from nc process. Linux security tools: openssl process with enc subcommand and -aes-256-cbc flag followed immediately by nc with external destination.
References (14)
- https://attack.mitre.org/techniques/T1573/001/
- https://attack.mitre.org/techniques/T1573/
- https://securelist.com/dridex-a-history-of-evolution/78531/
- https://www.fireeye.com/blog/threat-research/2021/06/smokedham-backdoor-unc2465.html
- https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/
- https://www.trendmicro.com/en_us/research/19/a/new-emotet-hijacks-windows-update.html
- https://www.proofpoint.com/us/threat-insight/post/azorult-malware-downloader-and-credential-stealer
- https://www.microsoft.com/en-us/security/blog/2023/06/14/lockbit-3-ransomware-disruption/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573.001/T1573.001.md
- https://learn.microsoft.com/en-us/windows/win32/seccng/cng-portal
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceimagloadevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
Unlock Pro Content
Get the full detection package for T1573.001 including response playbook, investigation guide, and atomic red team tests.