Detect Symmetric Cryptography in Sumo Logic CSE
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. Real-world malware families using this technique include Dridex (RC4), SMOKEDHAM (RC4), LockBit 3.0 (AES), Emotet (RSA+AES hybrid), SysUpdate (DES), Prikormka (Blowfish), Azorult (XOR), Bisonal (RC4/XOR), and InvisiMole (XOR). Detection cannot rely on payload inspection since the data is opaque; instead it must focus on behavioral proxies: crypto library usage by unexpected processes, beaconing patterns, process genealogy anomalies combined with external connections, and known cipher-specific implementation artifacts.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1573 Encrypted Channel
- Sub-technique
- T1573.001 Symmetric Cryptography
- Canonical reference
- https://attack.mitre.org/techniques/T1573/001/
Sumo Detection Query
_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where EventID = "3"
| parse field=Image "*\\*" as ImagePath, ProcessName
| where !(DestinationIp matches "10.*"
or DestinationIp matches "172.16.*" or DestinationIp matches "172.17.*"
or DestinationIp matches "172.18.*" or DestinationIp matches "172.19.*"
or DestinationIp matches "172.20.*" or DestinationIp matches "172.21.*"
or DestinationIp matches "172.22.*" or DestinationIp matches "172.23.*"
or DestinationIp matches "172.24.*" or DestinationIp matches "172.25.*"
or DestinationIp matches "172.26.*" or DestinationIp matches "172.27.*"
or DestinationIp matches "172.28.*" or DestinationIp matches "172.29.*"
or DestinationIp matches "172.30.*" or DestinationIp matches "172.31.*"
or DestinationIp matches "192.168.*"
or DestinationIp matches "127.*"
or DestinationIp matches "169.254.*")
| where !(DestinationPort in ("80","443","8080","8443","53","22","21","20","25","587","465","993","995","110","143","3389"))
| where !(ProcessName in ("chrome.exe","firefox.exe","msedge.exe","iexplore.exe","opera.exe","brave.exe",
"svchost.exe","lsass.exe","MsMpEng.exe","services.exe","csrss.exe","winlogon.exe","spoolsv.exe"))
| eval isSuspiciousProcess = if(ProcessName in ("powershell.exe","pwsh.exe","cmd.exe","wscript.exe",
"cscript.exe","mshta.exe","regsvr32.exe","rundll32.exe","certutil.exe","bitsadmin.exe","msiexec.exe"), 2,
if(ProcessName in ("python.exe","python3.exe","node.exe","java.exe","perl.exe","ruby.exe"), 1, 0))
| eval dport = tonumber(DestinationPort)
| eval isEphemeralPort = if(dport >= 49152, 1, 0)
| eval isKnownC2Port = if(dport in (4444, 4445, 1337, 8888, 9999, 6666, 7777), 2, 0)
| eval SuspicionScore = isSuspiciousProcess + isEphemeralPort + isKnownC2Port
| where SuspicionScore >= 1
| timeslice 1h
| stats
count as ConnectionCount,
dcount(DestinationIp) as UniqueRemoteIPs,
values(DestinationIp) as RemoteIPs,
values(DestinationPort) as RemotePorts,
min(_messageTime) as FirstConnection,
max(_messageTime) as LastConnection,
max(SuspicionScore) as MaxSuspicion
by _timeslice, Computer, User, ProcessName, Image
| where ConnectionCount >= 3 or (ConnectionCount >= 1 and MaxSuspicion >= 3)
| eval Duration = LastConnection - FirstConnection
| eval AvgIntervalSec = if(ConnectionCount > 1, round(Duration / (ConnectionCount - 1), 0), 0)
| eval PossibleBeacon = if(AvgIntervalSec >= 30 and AvgIntervalSec <= 3600 and ConnectionCount >= 5, "HIGH",
if(AvgIntervalSec >= 30 and AvgIntervalSec <= 7200 and ConnectionCount >= 3, "MEDIUM", "LOW"))
| fields Computer, User, Image, ProcessName, ConnectionCount, UniqueRemoteIPs, RemoteIPs, RemotePorts, AvgIntervalSec, PossibleBeacon, MaxSuspicion
| sort by MaxSuspicion, ConnectionCountSumo Logic query against Sysmon EventCode 3 (Network Connect) data, filtering for non-browser, non-system processes making outbound connections to public IPs on non-standard ports. Scores each process on suspicion heuristics (LOLBin identity, ephemeral port usage, known C2 port matches) then aggregates to surface beaconing patterns indicative of symmetric-cipher C2 frameworks.
Data Sources
Required Tables
False Positives & Tuning
- IT automation platforms (Ansible, Puppet, Chef agents) running as scripting engines (python.exe, ruby.exe) and connecting to management infrastructure on high ports
- Security tooling that uses powershell.exe or cmd.exe for endpoint health checks back to a SIEM collector or orchestration platform on non-standard ports
- Cloud sync clients or backup utilities that implement proprietary TLS over high ephemeral ports from process names that resemble scripting engines
Other platforms for T1573.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AES-Encrypted Beacon Simulation via PowerShell Crypto API
Expected signal: DeviceImageLoadEvents: bcrypt.dll and bcryptprimitives.dll loaded by powershell.exe. DeviceProcessEvents (Sysmon EventCode=1): powershell.exe with the AES command line. DeviceNetworkEvents (Sysmon EventCode=3): TCP connection attempt from powershell.exe to 127.0.0.1:4444 (will fail but logged). PowerShell ScriptBlock Log EventID 4104: AES class instantiation and Encrypt operations.
- Test 2XOR-Encrypted C2 Beacon Simulation via PowerShell (Azorult/Bisonal Pattern)
Expected signal: Sysmon EventCode=1: powershell.exe with -WindowStyle Hidden flag (HiddenWindow indicator). DeviceNetworkEvents: HTTP connection attempt to 127.0.0.1:8888 from powershell.exe. PowerShell ScriptBlock Log EventID 4104: XOR loop and WebClient UploadString call. DeviceImageLoadEvents: rsaenh.dll or bcrypt.dll loaded by powershell.exe for System.Security.Cryptography namespace initialization.
- Test 3RC4-Equivalent Stream Cipher via Python (Dridex/SMOKEDHAM Pattern)
Expected signal: Sysmon EventCode=1: python.exe spawned with obfuscated RC4 implementation in command line. DeviceNetworkEvents: socket connection attempt to 127.0.0.1:443 from python.exe (if connect enabled). DeviceProcessEvents: python.exe as child of cmd.exe or test harness. No DLL load events (Python uses its own crypto implementation).
- Test 4AES-CBC Encrypted C2 over TCP — Linux/macOS (OpenSSL + netcat)
Expected signal: Linux auditd: execve syscall for openssl and nc with AES encryption arguments. Syslog: process creation events if auditd logging is configured. Network: TCP connection attempt to 127.0.0.1:4444 from nc process. Linux security tools: openssl process with enc subcommand and -aes-256-cbc flag followed immediately by nc with external destination.
References (14)
- https://attack.mitre.org/techniques/T1573/001/
- https://attack.mitre.org/techniques/T1573/
- https://securelist.com/dridex-a-history-of-evolution/78531/
- https://www.fireeye.com/blog/threat-research/2021/06/smokedham-backdoor-unc2465.html
- https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/
- https://www.trendmicro.com/en_us/research/19/a/new-emotet-hijacks-windows-update.html
- https://www.proofpoint.com/us/threat-insight/post/azorult-malware-downloader-and-credential-stealer
- https://www.microsoft.com/en-us/security/blog/2023/06/14/lockbit-3-ransomware-disruption/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573.001/T1573.001.md
- https://learn.microsoft.com/en-us/windows/win32/seccng/cng-portal
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceimagloadevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
Unlock Pro Content
Get the full detection package for T1573.001 including response playbook, investigation guide, and atomic red team tests.