T1573.001 IBM QRadar · QRadar

Detect Symmetric Cryptography in IBM QRadar

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. Real-world malware families using this technique include Dridex (RC4), SMOKEDHAM (RC4), LockBit 3.0 (AES), Emotet (RSA+AES hybrid), SysUpdate (DES), Prikormka (Blowfish), Azorult (XOR), Bisonal (RC4/XOR), and InvisiMole (XOR). Detection cannot rely on payload inspection since the data is opaque; instead it must focus on behavioral proxies: crypto library usage by unexpected processes, beaconing patterns, process genealogy anomalies combined with external connections, and known cipher-specific implementation artifacts.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1573 Encrypted Channel
Sub-technique
T1573.001 Symmetric Cryptography
Canonical reference
https://attack.mitre.org/techniques/T1573/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  destinationip,
  destinationport,
  username,
  LOGSOURCENAME(logSourceId) AS LogSource,
  CATEGORYNAME(category) AS Category,
  devicehostname AS HostName,
  "ApplicationProtocol" AS AppProtocol,
  payload
FROM events
WHERE
  LOGSOURCETYPEID(logSourceId) IN (
    SELECT id FROM logsourcetypes WHERE name LIKE '%Sysmon%' OR name LIKE '%Windows%'
  )
  AND QIDNAME(qid) LIKE '%Network Connect%'
  AND NOT (destinationip LIKE '10.%'
    OR destinationip LIKE '172.16.%' OR destinationip LIKE '172.17.%'
    OR destinationip LIKE '172.18.%' OR destinationip LIKE '172.19.%'
    OR destinationip LIKE '172.20.%' OR destinationip LIKE '172.21.%'
    OR destinationip LIKE '172.22.%' OR destinationip LIKE '172.23.%'
    OR destinationip LIKE '172.24.%' OR destinationip LIKE '172.25.%'
    OR destinationip LIKE '172.26.%' OR destinationip LIKE '172.27.%'
    OR destinationip LIKE '172.28.%' OR destinationip LIKE '172.29.%'
    OR destinationip LIKE '172.30.%' OR destinationip LIKE '172.31.%'
    OR destinationip LIKE '192.168.%'
    OR destinationip LIKE '127.%'
    OR destinationip LIKE '169.254.%'
    OR destinationip = '0.0.0.0')
  AND destinationport NOT IN (80, 443, 8080, 8443, 53, 22, 21, 20, 25, 587, 465, 993, 995, 110, 143, 3389)
  AND username NOT IN ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
  AND (payload ILIKE '%powershell%' OR payload ILIKE '%wscript%' OR payload ILIKE '%cscript%'
    OR payload ILIKE '%mshta%' OR payload ILIKE '%rundll32%' OR payload ILIKE '%regsvr32%'
    OR payload ILIKE '%certutil%' OR payload ILIKE '%bitsadmin%'
    OR destinationport >= 49152
    OR destinationport IN (4444, 4445, 1337, 8888, 9999, 6666, 7777))
  AND starttime > NOW() - 86400 SECONDS
GROUP BY
  devicehostname, username, sourceip, destinationip, destinationport, payload
HAVING COUNT(*) >= 3
ORDER BY COUNT(*) DESC
LIMIT 500
high severity medium confidence

QRadar AQL query detecting Sysmon EventCode 3 (Network Connect) from suspicious process categories on non-standard ports to public IPs, with emphasis on LOLBins and scripting engines that commonly carry symmetric-cipher C2 sessions. Correlates connection volume to surface potential beaconing patterns consistent with Dridex, Emotet, and similar malware families.

Data Sources

IBM QRadar SIEMSysmon for Windows (EventCode 3)Windows Security Event Log via QRadar WinCollect

Required Tables

events (QRadar normalized event store)logsourcetypes (QRadar metadata table)

False Positives & Tuning

  • Enterprise management agents (SCCM, Tanium, CrowdStrike sensor, Carbon Black) connecting to cloud backends on high or proprietary ports using process names that match LOLBin patterns
  • Developer tooling pipelines — CI runners, npm/pip/cargo processes — initiating TLS connections to artifact repositories on non-standard ports
  • Custom internal applications using non-standard ports for encrypted API communications that run under user accounts rather than service accounts
Download portable Sigma rule (.yml)

Other platforms for T1573.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AES-Encrypted Beacon Simulation via PowerShell Crypto API

    Expected signal: DeviceImageLoadEvents: bcrypt.dll and bcryptprimitives.dll loaded by powershell.exe. DeviceProcessEvents (Sysmon EventCode=1): powershell.exe with the AES command line. DeviceNetworkEvents (Sysmon EventCode=3): TCP connection attempt from powershell.exe to 127.0.0.1:4444 (will fail but logged). PowerShell ScriptBlock Log EventID 4104: AES class instantiation and Encrypt operations.

  2. Test 2XOR-Encrypted C2 Beacon Simulation via PowerShell (Azorult/Bisonal Pattern)

    Expected signal: Sysmon EventCode=1: powershell.exe with -WindowStyle Hidden flag (HiddenWindow indicator). DeviceNetworkEvents: HTTP connection attempt to 127.0.0.1:8888 from powershell.exe. PowerShell ScriptBlock Log EventID 4104: XOR loop and WebClient UploadString call. DeviceImageLoadEvents: rsaenh.dll or bcrypt.dll loaded by powershell.exe for System.Security.Cryptography namespace initialization.

  3. Test 3RC4-Equivalent Stream Cipher via Python (Dridex/SMOKEDHAM Pattern)

    Expected signal: Sysmon EventCode=1: python.exe spawned with obfuscated RC4 implementation in command line. DeviceNetworkEvents: socket connection attempt to 127.0.0.1:443 from python.exe (if connect enabled). DeviceProcessEvents: python.exe as child of cmd.exe or test harness. No DLL load events (Python uses its own crypto implementation).

  4. Test 4AES-CBC Encrypted C2 over TCP — Linux/macOS (OpenSSL + netcat)

    Expected signal: Linux auditd: execve syscall for openssl and nc with AES encryption arguments. Syslog: process creation events if auditd logging is configured. Network: TCP connection attempt to 127.0.0.1:4444 from nc process. Linux security tools: openssl process with enc subcommand and -aes-256-cbc flag followed immediately by nc with external destination.

Last updated: 2026-04-21 Research depth: deep
References (14)

Unlock Pro Content

Get the full detection package for T1573.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1573Encrypted Channel

Related Sub-techniques

T1573.002Asymmetric Cryptography

Related Techniques

T1573Encrypted ChannelT1573.002Asymmetric CryptographyT1071.001Web ProtocolsT1071.004DNST1568.002Domain Generation AlgorithmsT1055Process InjectionT1027Obfuscated Files or InformationT1027.013Encrypted/Encoded FileT1132.001Standard Encoding

Same Tactic: Command and Control

Popular Detections