Detect Symmetric Cryptography in Microsoft Sentinel
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. Real-world malware families using this technique include Dridex (RC4), SMOKEDHAM (RC4), LockBit 3.0 (AES), Emotet (RSA+AES hybrid), SysUpdate (DES), Prikormka (Blowfish), Azorult (XOR), Bisonal (RC4/XOR), and InvisiMole (XOR). Detection cannot rely on payload inspection since the data is opaque; instead it must focus on behavioral proxies: crypto library usage by unexpected processes, beaconing patterns, process genealogy anomalies combined with external connections, and known cipher-specific implementation artifacts.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1573 Encrypted Channel
- Sub-technique: T1573.001 Symmetric Cryptography
- Canonical reference: https://attack.mitre.org/techniques/T1573/001/
KQL Detection Query
// T1573.001 — Symmetric Cryptography C2
// Correlates Windows crypto library loads from non-system, non-browser processes
// with subsequent outbound connections to public IPs on non-standard ports.
// Designed to surface processes that load encryption APIs and then communicate externally —
// the behavioral signature common to AES/RC4/DES-based C2 frameworks.
let CryptoLibraries = dynamic([
    "rsaenh.dll",
    "bcrypt.dll",
    "bcryptprimitives.dll",
    "cryptsp.dll",
    "ncrypt.dll"
]);
let ExcludedSystemProcs = dynamic([
    "lsass.exe", "svchost.exe", "services.exe", "spoolsv.exe", "csrss.exe",
    "winlogon.exe", "smss.exe", "wininit.exe", "MsMpEng.exe", "NisSrv.exe",
    "SecurityHealthService.exe", "SearchIndexer.exe", "fontdrvhost.exe",
    "dwm.exe", "sihost.exe", "taskhostw.exe", "RuntimeBroker.exe"
]);
let ExcludedBrowsers = dynamic([
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "opera.exe", "brave.exe", "vivaldi.exe"
]);
let StandardPorts = dynamic([
    80, 443, 8080, 8443, 53, 22, 21, 20, 25, 587, 465, 993, 995, 110, 143, 3389
]);
// Step 1 — first crypto library load per process instance (excluding known-legitimate loaders).
// Collapsing to one row per process keeps a process that loads several crypto DLLs from being
// joined to each of its connections more than once, which would inflate ConnectionCount.
// InitiatingProcessCreationTime is carried along because PIDs are reused within a 24-hour window.
let CryptoLoaders = DeviceImageLoadEvents
    | where Timestamp > ago(24h)
    | where FileName in~ (CryptoLibraries)
    | where not(InitiatingProcessFileName in~ (ExcludedSystemProcs))
    | where not(InitiatingProcessFileName in~ (ExcludedBrowsers))
    | summarize
        LoadTime = min(Timestamp),
        CryptoLibsLoaded = make_set(FileName)
        by DeviceName,
           DeviceId,
           ProcessName = InitiatingProcessFileName,
           ProcessId = InitiatingProcessId,
           ProcessStart = InitiatingProcessCreationTime,
           ProcessCmd = InitiatingProcessCommandLine,
           AccountName = InitiatingProcessAccountName,
           ProcessSHA256 = InitiatingProcessSHA256;
// Step 2 — successful outbound connections to public IPs on non-standard ports.
// NOTE: SentBytes/ReceivedBytes are not part of the documented DeviceNetworkEvents schema;
// if your tenant does not expose them, drop those two columns and the byte-based extends below.
let SuspiciousConns = DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where ActionType == "ConnectionSuccess"
    | where RemoteIPType == "Public"
    | where not(RemotePort in (StandardPorts))
    | project
        ConnTime = Timestamp,
        DeviceName,
        DeviceId,
        ConnProcess = InitiatingProcessFileName,
        ConnProcessId = InitiatingProcessId,
        ConnProcessStart = InitiatingProcessCreationTime,
        RemoteIP,
        RemotePort,
        BytesSent = SentBytes,
        BytesReceived = ReceivedBytes;
// Step 3 — correlate: first crypto load followed by external connections within 15 minutes
CryptoLoaders
| join kind=inner (SuspiciousConns)
    on DeviceName,
       $left.ProcessId == $right.ConnProcessId,
       $left.ProcessStart == $right.ConnProcessStart
| where ConnTime between (LoadTime .. (LoadTime + 15m))
| summarize
    CryptoLibsLoaded = take_any(CryptoLibsLoaded),
    LoadTime = take_any(LoadTime),
    RemoteIPs = make_set(RemoteIP),
    RemotePorts = make_set(RemotePort),
    ConnectionCount = count(),
    TotalBytesSent = sum(BytesSent),
    TotalBytesReceived = sum(BytesReceived),
    FirstConnection = min(ConnTime),
    LastConnection = max(ConnTime)
    by DeviceName, ProcessName, ProcessId, ProcessStart, ProcessCmd, AccountName, ProcessSHA256
| extend DataTransferMB = round(toreal(TotalBytesSent + TotalBytesReceived) / 1048576, 2)
// Measured in seconds rather than minutes so that short beacon intervals are not rounded away
| extend DurationSeconds = datetime_diff('second', LastConnection, FirstConnection)
| extend DurationMinutes = round(DurationSeconds / 60.0, 1)
| extend AvgIntervalSeconds = iif(
    ConnectionCount > 1,
    toreal(DurationSeconds) / toreal(ConnectionCount - 1),
    0.0)
| extend BeaconLikely = AvgIntervalSeconds between (30.0 .. 3600.0) and ConnectionCount >= 5
| sort by ConnectionCount desc

Detects symmetric-cryptography-based C2 by correlating Windows crypto library loads (rsaenh.dll, bcrypt.dll, bcryptprimitives.dll, cryptsp.dll, ncrypt.dll) from unexpected processes with subsequent outbound connections to public IPs on non-standard ports within a 15-minute window. Uses DeviceImageLoadEvents and DeviceNetworkEvents from Microsoft Defender for Endpoint. The join links a process's first crypto DLL load to its external network activity, a behavioral pattern common to AES/RC4/DES C2 implants. Includes a beacon likelihood flag based on connection count and the average interval between connections; it does not measure interval variance, so a jittered beacon with the same average interval is flagged just the same.
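To make the correlation and beacon heuristic testable offline, the following Python reimplements the query's three steps over constructed DeviceImageLoadEvents- and DeviceNetworkEvents-style rows. It is an added example, not part of the original detection package; the row layout, the process names and the abbreviated exclusion list are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Allowlists mirror the KQL lets (system/browser exclusions abbreviated for the example).
CRYPTO_LIBS = {"rsaenh.dll", "bcrypt.dll", "bcryptprimitives.dll", "cryptsp.dll", "ncrypt.dll"}
EXCLUDED_PROCS = {"lsass.exe", "svchost.exe", "services.exe", "chrome.exe", "msedge.exe"}
STANDARD_PORTS = {80, 443, 8080, 8443, 53, 22, 21, 20, 25, 587, 465, 993, 995, 110, 143, 3389}
WINDOW = timedelta(minutes=15)

def correlate(image_loads, net_events):
    """Step 1: first crypto-DLL load per (device, pid); Steps 2-3: successful outbound connections
    to public IPs on non-standard ports by that pid within WINDOW; same beacon heuristic as the KQL."""
    first_load, libs = {}, defaultdict(set)
    for ev in image_loads:
        if ev["file"].lower() not in CRYPTO_LIBS or ev["proc"].lower() in EXCLUDED_PROCS:
            continue
        key = (ev["device"], ev["pid"])
        first_load[key] = min(first_load.get(key, ev["ts"]), ev["ts"])
        libs[key].add(ev["file"].lower())
    hits = {}
    for ev in net_events:
        key = (ev["device"], ev["pid"])
        if key not in first_load or ev["ip_type"] != "Public" or ev["port"] in STANDARD_PORTS:
            continue
        if not first_load[key] <= ev["ts"] <= first_load[key] + WINDOW:
            continue
        hits.setdefault(key, {"proc": ev["proc"], "libs": sorted(libs[key]), "times": []})
        hits[key]["times"].append(ev["ts"])
    for r in hits.values():  # one row per process instance, so several DLL loads never inflate the count
        t, n = sorted(r["times"]), len(r["times"])
        avg = (t[-1] - t[0]).total_seconds() / (n - 1) if n > 1 else 0.0
        r.update(connection_count=n, avg_interval_s=avg, beacon_likely=n >= 5 and 30.0 <= avg <= 3600.0)
    return hits

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamps for the sample rows below
def _load(pid, proc, file, secs=0):
    return {"ts": T0 + timedelta(seconds=secs), "device": "WS01", "pid": pid, "proc": proc, "file": file}
def _conn(pid, proc, port, mins):
    return {"ts": T0 + timedelta(minutes=mins), "device": "WS01", "pid": pid, "proc": proc, "ip_type": "Public", "port": port}
# Constructed sample: updater.exe loads two crypto DLLs, then beacons every 60 s on port 4444;
# chrome.exe is allowlisted, and the updater connection at +40 min is outside the 15-minute window.
SAMPLE_LOADS = [_load(4242, "updater.exe", "bcrypt.dll"), _load(4242, "updater.exe", "bcryptprimitives.dll", 1),
                _load(5150, "chrome.exe", "bcrypt.dll")]
SAMPLE_CONNS = [_conn(4242, "updater.exe", 4444, m) for m in range(1, 7)] + [
    _conn(5150, "chrome.exe", 8444, 1), _conn(4242, "updater.exe", 4444, 40)]

if __name__ == "__main__":
    for key, r in correlate(SAMPLE_LOADS, SAMPLE_CONNS).items():
        print(key, r["proc"], r["libs"], r["connection_count"], r["avg_interval_s"], r["beacon_likely"])
```

Running it reports one hit, (WS01, 4242), with six connections rather than twelve, which is the double-counting a per-load join would produce.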
Data Sources
Required Tables
- DeviceImageLoadEvents (Microsoft Defender for Endpoint advanced hunting table)
- DeviceNetworkEvents (Microsoft Defender for Endpoint advanced hunting table)
False Positives & Tuning
- Security agents (CrowdStrike, Carbon Black, SentinelOne, Cylance) that load crypto libraries to encrypt their own telemetry streams and communicate with backend cloud services
- Enterprise backup agents (Veeam, Commvault, Veritas) that perform AES-encrypted data transfers to off-site repositories on non-standard ports
- Software update mechanisms (Autodesk, Adobe, JetBrains) that use TLS on non-443 ports (e.g., 7443, 8444) and load bcrypt.dll as part of update verification
- VPN and proxy clients (Cisco AnyConnect, GlobalProtect, Zscaler) that load crypto libraries before establishing tunnels to public infrastructure
- Developer IDEs and language runtimes (Visual Studio, IntelliJ, Python interpreters) loading cryptographic libraries during normal operation
Testing Methodology
Validate this detection against four adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Note that Tests 1 to 3 connect to 127.0.0.1 (a loopback address, not a public one, and the connection is expected to fail) and Test 3 uses the standard port 443, so as written they exercise the image-load and process telemetry but will not satisfy the query's Step 2 filters (ConnectionSuccess, RemoteIPType == "Public", non-standard port); Test 4 runs on Linux/macOS, which the Defender tables used by this query do not cover. To verify the full correlation, point the test beacon at a lab host under your control that has a public address and listens on a non-standard port.
- Test 1: AES-Encrypted Beacon Simulation via PowerShell Crypto API
  Expected signal: DeviceImageLoadEvents: bcrypt.dll and bcryptprimitives.dll loaded by powershell.exe. DeviceProcessEvents (Sysmon EventCode=1): powershell.exe with the AES command line. DeviceNetworkEvents (Sysmon EventCode=3): TCP connection attempt from powershell.exe to 127.0.0.1:4444 (will fail but logged). PowerShell ScriptBlock Log EventID 4104: AES class instantiation and Encrypt operations.
- Test 2: XOR-Encrypted C2 Beacon Simulation via PowerShell (Azorult/Bisonal Pattern)
  Expected signal: Sysmon EventCode=1: powershell.exe with -WindowStyle Hidden flag (HiddenWindow indicator). DeviceNetworkEvents: HTTP connection attempt to 127.0.0.1:8888 from powershell.exe. PowerShell ScriptBlock Log EventID 4104: XOR loop and WebClient UploadString call. DeviceImageLoadEvents: rsaenh.dll or bcrypt.dll loaded by powershell.exe for System.Security.Cryptography namespace initialization.
- Test 3: RC4-Equivalent Stream Cipher via Python (Dridex/SMOKEDHAM Pattern)
  Expected signal: Sysmon EventCode=1: python.exe spawned with obfuscated RC4 implementation in command line. DeviceNetworkEvents: socket connection attempt to 127.0.0.1:443 from python.exe (if connect enabled). DeviceProcessEvents: python.exe as child of cmd.exe or test harness. No DLL load events (Python uses its own crypto implementation).
- Test 4: AES-CBC Encrypted C2 over TCP — Linux/macOS (OpenSSL + netcat)
  Expected signal: Linux auditd: execve syscall for openssl and nc with AES encryption arguments. Syslog: process creation events if auditd logging is configured. Network: TCP connection attempt to 127.0.0.1:4444 from nc process. Linux security tools: openssl process with enc subcommand and -aes-256-cbc flag followed immediately by nc with external destination.
References (14)
- https://attack.mitre.org/techniques/T1573/001/
- https://attack.mitre.org/techniques/T1573/
- https://securelist.com/dridex-a-history-of-evolution/78531/
- https://www.fireeye.com/blog/threat-research/2021/06/smokedham-backdoor-unc2465.html
- https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/
- https://www.trendmicro.com/en_us/research/19/a/new-emotet-hijacks-windows-update.html
- https://www.proofpoint.com/us/threat-insight/post/azorult-malware-downloader-and-credential-stealer
- https://www.microsoft.com/en-us/security/blog/2023/06/14/lockbit-3-ransomware-disruption/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573.001/T1573.001.md
- https://learn.microsoft.com/en-us/windows/win32/seccng/cng-portal
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceimagloadevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf