T1573.001 Splunk · SPL

Detect Symmetric Cryptography in Splunk

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. Real-world malware families using this technique include Dridex (RC4), SMOKEDHAM (RC4), LockBit 3.0 (AES), Emotet (RSA+AES hybrid), SysUpdate (DES), Prikormka (Blowfish), Azorult (XOR), Bisonal (RC4/XOR), and InvisiMole (XOR). Detection cannot rely on payload inspection since the data is opaque; instead it must focus on behavioral proxies: crypto library usage by unexpected processes, beaconing patterns, process genealogy anomalies combined with external connections, and known cipher-specific implementation artifacts.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1573 Encrypted Channel
Sub-technique: T1573.001 Symmetric Cryptography
Canonical reference: https://attack.mitre.org/techniques/T1573/001/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="::1" OR DestinationIp="169.254.*" OR DestinationIp="0.0.0.0")
NOT (DestinationPort=80 OR DestinationPort=443 OR DestinationPort=8080 OR DestinationPort=8443 OR DestinationPort=53 OR DestinationPort=22 OR DestinationPort=21 OR DestinationPort=25 OR DestinationPort=587 OR DestinationPort=465 OR DestinationPort=993 OR DestinationPort=995 OR DestinationPort=110 OR DestinationPort=143 OR DestinationPort=3389)
NOT (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe" OR Image="*\\iexplore.exe" OR Image="*\\opera.exe" OR Image="*\\brave.exe")
NOT (Image="*\\svchost.exe" OR Image="*\\lsass.exe" OR Image="*\\MsMpEng.exe" OR Image="*\\services.exe" OR Image="*\\csrss.exe" OR Image="*\\winlogon.exe")
| eval ProcessName=mvindex(split(Image, "\\"), -1)
| eval isSuspiciousProcess=case(
    match(Image, "(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe)"), 2,
    match(Image, "(?i)(python\.exe|python3\.exe|perl\.exe|ruby\.exe|node\.exe|php\.exe|java\.exe|javaw\.exe)"), 1,
    1==1, 0)
| eval isEphemeralPort=if(DestinationPort >= 49152, 1, 0)
| eval isLowUnusualPort=if(DestinationPort < 1024 AND DestinationPort != 80 AND DestinationPort != 443 AND DestinationPort != 53 AND DestinationPort != 22, 1, 0)
| eval isKnownC2Port=if(DestinationPort=4444 OR DestinationPort=4445 OR DestinationPort=1337 OR DestinationPort=8888 OR DestinationPort=9999 OR DestinationPort=6666 OR DestinationPort=7777, 2, 0)
| eval PortSuspicion=isEphemeralPort + isLowUnusualPort + isKnownC2Port
| eval SuspicionScore=isSuspiciousProcess + PortSuspicion
| where SuspicionScore >= 1
| stats
    count as ConnectionCount,
    dc(DestinationIp) as UniqueRemoteIPs,
    values(DestinationIp) as RemoteIPs,
    values(DestinationPort) as RemotePorts,
    earliest(_time) as FirstConnection,
    latest(_time) as LastConnection,
    max(SuspicionScore) as MaxSuspicion
    by host, User, Image, ProcessName
| where ConnectionCount >= 3 OR (ConnectionCount >= 1 AND MaxSuspicion >= 3)
| eval Duration=LastConnection - FirstConnection
| eval AvgIntervalSec=if(ConnectionCount > 1, round(Duration / (ConnectionCount - 1), 0), 0)
| eval PossibleBeacon=case(
    AvgIntervalSec >= 30 AND AvgIntervalSec <= 3600 AND ConnectionCount >= 5, "HIGH",
    AvgIntervalSec >= 30 AND AvgIntervalSec <= 7200 AND ConnectionCount >= 3, "MEDIUM",
    1==1, "LOW")
| table host, User, Image, ProcessName, ConnectionCount, UniqueRemoteIPs, RemoteIPs, RemotePorts, AvgIntervalSec, PossibleBeacon, MaxSuspicion, FirstConnection, LastConnection
| sort -MaxSuspicion, -ConnectionCount

Severity: high · Confidence: medium

Detects potential symmetric-encrypted C2 beaconing using Sysmon Event ID 3 (Network Connection). Scores each outbound connection to a public IP on a non-standard port based on process suspiciousness (scripting engines, LOLBins score higher) and port characteristics (ephemeral, low-unusual, known C2 ports). Aggregates by process to identify persistent beaconing patterns and calculates average beacon interval. High suspicion score or frequent connections to the same external IP trigger the alert.
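The scoring, aggregation and beacon-interval stages of the query above, re-implemented in Python over constructed Sysmon Event ID 3 records so the thresholds can be checked offline. This is an added example, not code from the original page; the hosts, users, IPs and timestamps are constructed, and the helper names are ours.

```python
import re
from collections import defaultdict

def ev(host, user, image, ip, port, t):
    return {"host": host, "User": user, "Image": image, "DestinationIp": ip, "DestinationPort": port, "_time": t}

# Constructed Sysmon Event ID 3 records (same field names as the SPL query).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [ev("WS01", "CORP\\alice", PS, "198.51.100.7", 4444, 1700000000 + 60 * i) for i in range(5)] + [
    ev("WS01", "CORP\\alice", "C:\\Windows\\System32\\cmd.exe", "198.51.100.20", 1337, 1700000500),
    ev("WS02", "CORP\\bob", "C:\\Python311\\python.exe", "203.0.113.9", 50000, 1700000600),
    ev("WS02", "CORP\\bob", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "203.0.113.9", 4444, 1700000700),
    ev("WS02", "SYSTEM", "C:\\Windows\\System32\\svchost.exe", "10.1.2.3", 9999, 1700000800),
]

PRIVATE_PREFIXES = ("10.", "192.168.", "127.", "169.254.") + tuple(f"172.{n}." for n in range(16, 32))
COMMON_PORTS = {80, 443, 8080, 8443, 53, 22, 21, 25, 587, 465, 993, 995, 110, 143, 3389}
EXCLUDED_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe", "svchost.exe", "lsass.exe", "msmpeng.exe", "services.exe", "csrss.exe", "winlogon.exe"}
LOLBIN_RE = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|msiexec)\.exe$", re.I)
INTERP_RE = re.compile(r"(python3?|perl|ruby|node|php|javaw?)\.exe$", re.I)
KNOWN_C2_PORTS = {4444, 4445, 1337, 8888, 9999, 6666, 7777}

def suspicion_score(e):
    """Per-connection score; None means the search's NOT clauses drop the event before scoring."""
    ip, port, name = e["DestinationIp"], e["DestinationPort"], e["Image"].rsplit("\\", 1)[-1]
    if ip.startswith(PRIVATE_PREFIXES) or ip in ("::1", "0.0.0.0") or port in COMMON_PORTS or name.lower() in EXCLUDED_IMAGES:
        return None
    proc = 2 if LOLBIN_RE.search(name) else 1 if INTERP_RE.search(name) else 0   # isSuspiciousProcess
    ports = (port >= 49152) + (port < 1024 and port not in {80, 443, 53, 22}) + (2 if port in KNOWN_C2_PORTS else 0)
    return proc + ports                                                           # SuspicionScore

def detect(events):
    """Mirror the stats / where / beacon-interval stages; one row per (host, User, Image)."""
    groups = defaultdict(list)
    for e in events:
        s = suspicion_score(e)
        if s is not None and s >= 1:
            groups[(e["host"], e["User"], e["Image"])].append((e["_time"], e["DestinationIp"], s))
    rows = {}
    for key, conns in groups.items():
        n, max_s = len(conns), max(s for _, _, s in conns)
        if not (n >= 3 or max_s >= 3):
            continue  # second 'where': a lone low-score connection never alerts
        first, last = min(t for t, _, _ in conns), max(t for t, _, _ in conns)
        avg = round((last - first) / (n - 1)) if n > 1 else 0  # AvgIntervalSec
        beacon = "HIGH" if 30 <= avg <= 3600 and n >= 5 else "MEDIUM" if 30 <= avg <= 7200 and n >= 3 else "LOW"
        rows[key] = {"ConnectionCount": n, "UniqueRemoteIPs": len({ip for _, ip, _ in conns}),
                     "AvgIntervalSec": avg, "PossibleBeacon": beacon, "MaxSuspicion": max_s}
    return rows
```

Note that, like the query, the interval is computed per process rather than per destination, so a process talking to several hosts at once will show a shorter apparent interval than any single beacon.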

Data Sources

Network Traffic: Network Connection Creation
Sysmon Event ID 3 — Network Connection

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Security monitoring tools (Nessus, Tenable, Qualys agents) that make frequent outbound connections to cloud management planes on non-standard ports
  • Scripting-based automation (PowerShell DSC, Python monitoring scripts) that poll external APIs on non-standard ports as part of legitimate infrastructure health checks
  • Game launchers (Steam, Epic, Battle.net) using proprietary ports that score as ephemeral or unusual
  • VoIP applications (Cisco Jabber, Zoom, WebEx) using dynamic UDP/TCP ports that score as ephemeral
  • Java-based enterprise applications (Elasticsearch clients, Kafka producers) making persistent connections on non-standard ports

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AES-Encrypted Beacon Simulation via PowerShell Crypto API

    Expected signal: DeviceImageLoadEvents: bcrypt.dll and bcryptprimitives.dll loaded by powershell.exe. DeviceProcessEvents (Sysmon EventCode=1): powershell.exe with the AES command line. DeviceNetworkEvents (Sysmon EventCode=3): TCP connection attempt from powershell.exe to 127.0.0.1:4444 (will fail but logged). PowerShell ScriptBlock Log EventID 4104: AES class instantiation and Encrypt operations.

  2. Test 2: XOR-Encrypted C2 Beacon Simulation via PowerShell (Azorult/Bisonal Pattern)

    Expected signal: Sysmon EventCode=1: powershell.exe with -WindowStyle Hidden flag (HiddenWindow indicator). DeviceNetworkEvents: HTTP connection attempt to 127.0.0.1:8888 from powershell.exe. PowerShell ScriptBlock Log EventID 4104: XOR loop and WebClient UploadString call. DeviceImageLoadEvents: rsaenh.dll or bcrypt.dll loaded by powershell.exe for System.Security.Cryptography namespace initialization.

  3. Test 3: RC4-Equivalent Stream Cipher via Python (Dridex/SMOKEDHAM Pattern)

    Expected signal: Sysmon EventCode=1: python.exe spawned with obfuscated RC4 implementation in command line. DeviceNetworkEvents: socket connection attempt to 127.0.0.1:443 from python.exe (if connect enabled). DeviceProcessEvents: python.exe as child of cmd.exe or test harness. No DLL load events (Python uses its own crypto implementation).

  4. Test 4: AES-CBC Encrypted C2 over TCP — Linux/macOS (OpenSSL + netcat)

    Expected signal: Linux auditd: execve syscall for openssl and nc with AES encryption arguments. Syslog: process creation events if auditd logging is configured. Network: TCP connection attempt to 127.0.0.1:4444 from nc process. Linux security tools: openssl process with enc subcommand and -aes-256-cbc flag followed immediately by nc with external destination.
