T1573.001 CrowdStrike LogScale · LogScale

Detect Symmetric Cryptography in CrowdStrike LogScale

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. Real-world malware families using this technique include Dridex (RC4), SMOKEDHAM (RC4), LockBit 3.0 (AES), Emotet (RSA+AES hybrid), SysUpdate (DES), Prikormka (Blowfish), Azorult (XOR), Bisonal (RC4/XOR), and InvisiMole (XOR). Detection cannot rely on payload inspection since the data is opaque; instead it must focus on behavioral proxies: crypto library usage by unexpected processes, beaconing patterns, process genealogy anomalies combined with external connections, and known cipher-specific implementation artifacts.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1573 Encrypted Channel
Sub-technique
T1573.001 Symmetric Cryptography
Canonical reference
https://attack.mitre.org/techniques/T1573/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1573.001 — Symmetric Cryptography C2: CrowdStrike LogScale CQL
// Detects ImageLoad of Windows crypto DLLs from unexpected processes,
// correlated with outbound network connections to public IPs on non-standard ports.

// Step 1 — Find crypto DLL loads from suspicious processes
#event_simpleName=ClassifiedModuleLoad
| ImageFileName = /(?i)(rsaenh\.dll|bcrypt\.dll|bcryptprimitives\.dll|cryptsp\.dll|ncrypt\.dll)$/
| not ProcessImageFileName = /(?i)(lsass\.exe|svchost\.exe|services\.exe|spoolsv\.exe|csrss\.exe|winlogon\.exe|smss\.exe|wininit\.exe|MsMpEng\.exe|NisSrv\.exe|SecurityHealthService\.exe|SearchIndexer\.exe|fontdrvhost\.exe|dwm\.exe|sihost\.exe|taskhostw\.exe|RuntimeBroker\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe)$/
| ProcessName := replace(ProcessImageFileName, /.*\\/, "")
| select([timestamp, aid, ComputerName, ProcessImageFileName, ProcessName, TargetProcessId, SHA256HashData])
| rename(field=TargetProcessId, as=CryptoLoaderPid)
| rename(field=timestamp, as=DllLoadTime)
| join(
    // Step 2 — Find outbound connections on non-standard ports to public IPs
    {
      #event_simpleName=NetworkConnectIP4
      | not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)/
      | RemotePort != 80
      | RemotePort != 443
      | RemotePort != 8080
      | RemotePort != 8443
      | RemotePort != 53
      | RemotePort != 22
      | RemotePort != 21
      | RemotePort != 25
      | RemotePort != 587
      | RemotePort != 465
      | RemotePort != 993
      | RemotePort != 995
      | RemotePort != 110
      | RemotePort != 143
      | RemotePort != 3389
      | IsOutboundInitiator = true
      | select([timestamp, aid, ComputerName, ContextProcessId, RemoteAddressIP4, RemotePort, LocalPort])
      | rename(field=timestamp, as=ConnTime)
      | rename(field=ContextProcessId, as=ConnPid)
    },
    field=[aid, ComputerName],
    include=[ConnPid, ConnTime, RemoteAddressIP4, RemotePort]
  )
| CryptoLoaderPid = ConnPid
| TimeDeltaSec := (ConnTime - DllLoadTime) / 1000000000
| TimeDeltaSec >= 0
| TimeDeltaSec <= 900
| groupBy([ComputerName, ProcessName, ProcessImageFileName, SHA256HashData], function=[
    count(as=ConnectionCount),
    collect(RemoteAddressIP4, as=RemoteIPs),
    collect(RemotePort, as=RemotePorts),
    min(ConnTime, as=FirstConnection),
    max(ConnTime, as=LastConnection),
    collect(ImageFileName, as=CryptoDLLs)
  ])
| DurationSec := (LastConnection - FirstConnection) / 1000000000
| AvgIntervalSec := if(ConnectionCount > 1, round(DurationSec / (ConnectionCount - 1)), 0)
| BeaconLikely := if(AvgIntervalSec >= 30 AND AvgIntervalSec <= 3600 AND ConnectionCount >= 5, "HIGH",
    if(AvgIntervalSec >= 30 AND AvgIntervalSec <= 7200 AND ConnectionCount >= 3, "MEDIUM", "LOW"))
| ConnectionCount >= 2
| sort(ConnectionCount, order=desc)
high severity medium confidence

CrowdStrike LogScale CQL query joining ClassifiedModuleLoad events (crypto DLL loads) with NetworkConnectIP4 events (outbound connections) on the same agent ID, computer name, and process ID within a 15-minute window. Filters to exclude known system processes, browsers, and standard service ports. Groups results by process to surface beaconing cadence indicative of AES/RC4/DES-based C2 (Dridex, LockBit, SMOKEDHAM, Emotet).

Data Sources

CrowdStrike Falcon Endpoint Detection (EDR)CrowdStrike Humio/LogScale — Falcon event streamFalcon sensor: ClassifiedModuleLoad, NetworkConnectIP4 event types

Required Tables

ClassifiedModuleLoad (Falcon module load telemetry)NetworkConnectIP4 (Falcon network connection telemetry)

False Positives & Tuning

  • CrowdStrike or third-party EDR agents themselves loading crypto DLLs for local file scanning and then connecting to cloud telemetry endpoints on high ports — the sensor process should be excluded by SHA256 or process path allowlist
  • Software distribution tools (SCCM client, Intune management extension) that load bcrypt.dll for certificate operations and maintain persistent HTTPS-like connections to management clouds on alternate ports
  • Custom enterprise applications using Windows CNG APIs (bcryptprimitives.dll) for data-at-rest encryption that also communicate with internal SaaS backends via non-standard TLS ports
Download portable Sigma rule (.yml)

Other platforms for T1573.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AES-Encrypted Beacon Simulation via PowerShell Crypto API

    Expected signal: DeviceImageLoadEvents: bcrypt.dll and bcryptprimitives.dll loaded by powershell.exe. DeviceProcessEvents (Sysmon EventCode=1): powershell.exe with the AES command line. DeviceNetworkEvents (Sysmon EventCode=3): TCP connection attempt from powershell.exe to 127.0.0.1:4444 (will fail but logged). PowerShell ScriptBlock Log EventID 4104: AES class instantiation and Encrypt operations.

  2. Test 2XOR-Encrypted C2 Beacon Simulation via PowerShell (Azorult/Bisonal Pattern)

    Expected signal: Sysmon EventCode=1: powershell.exe with -WindowStyle Hidden flag (HiddenWindow indicator). DeviceNetworkEvents: HTTP connection attempt to 127.0.0.1:8888 from powershell.exe. PowerShell ScriptBlock Log EventID 4104: XOR loop and WebClient UploadString call. DeviceImageLoadEvents: rsaenh.dll or bcrypt.dll loaded by powershell.exe for System.Security.Cryptography namespace initialization.

  3. Test 3RC4-Equivalent Stream Cipher via Python (Dridex/SMOKEDHAM Pattern)

    Expected signal: Sysmon EventCode=1: python.exe spawned with obfuscated RC4 implementation in command line. DeviceNetworkEvents: socket connection attempt to 127.0.0.1:443 from python.exe (if connect enabled). DeviceProcessEvents: python.exe as child of cmd.exe or test harness. No DLL load events (Python uses its own crypto implementation).

  4. Test 4AES-CBC Encrypted C2 over TCP — Linux/macOS (OpenSSL + netcat)

    Expected signal: Linux auditd: execve syscall for openssl and nc with AES encryption arguments. Syslog: process creation events if auditd logging is configured. Network: TCP connection attempt to 127.0.0.1:4444 from nc process. Linux security tools: openssl process with enc subcommand and -aes-256-cbc flag followed immediately by nc with external destination.

Last updated: 2026-04-21 Research depth: deep
References (14)

Unlock Pro Content

Get the full detection package for T1573.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1573Encrypted Channel

Related Sub-techniques

T1573.002Asymmetric Cryptography

Related Techniques

T1573Encrypted ChannelT1573.002Asymmetric CryptographyT1071.001Web ProtocolsT1071.004DNST1568.002Domain Generation AlgorithmsT1055Process InjectionT1027Obfuscated Files or InformationT1027.013Encrypted/Encoded FileT1132.001Standard Encoding

Same Tactic: Command and Control

Popular Detections