T1573 Microsoft Sentinel · KQL

Detect Encrypted Channel in Microsoft Sentinel

This detection identifies adversaries using custom or non-standard encryption to conceal command and control (C2) traffic. Unlike legitimate TLS/HTTPS, malware implementing encrypted channels often exhibits behavioral anomalies: unusual processes making encrypted connections, connections to raw IP addresses without SNI, self-signed or short-lived certificates, high-frequency beaconing intervals, non-browser processes using port 443/8443 with atypical TLS fingerprints (JA3), and data volumes inconsistent with the application type. This detection correlates process lineage, network destinations, certificate characteristics, and traffic timing to surface encrypted C2 channels used by threat actors such as Tropic Trooper, Lazarus Group, and malware families including RCSession, Cryptoistic, Gomir, and Chaes.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1573 Encrypted Channel
Canonical reference
https://attack.mitre.org/techniques/T1573/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousParentProcesses = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe", "explorer.exe"]);
let LegitimateEncryptedApps = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "outlook.exe", "teams.exe", "onedrive.exe", "slack.exe", "zoom.exe", "msiexec.exe", "wuauclt.exe", "svchost.exe"]);
let EncryptedPorts = dynamic([443, 8443, 8080, 4443, 9443, 3443, 7443]);
// Step 1: Identify network connections from suspicious or non-browser processes on encrypted ports
let SuspiciousEncryptedConnections = DeviceNetworkEvents
| where TimeGenerated >= ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (EncryptedPorts)
| where not(InitiatingProcessFileName has_any (LegitimateEncryptedApps))
| where isnotempty(RemoteIP)
// Exclude private/loopback IP ranges
| where not(RemoteIP matches regex @"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fc00:|fe80:)")
| extend IsIPOnlyConnection = (isempty(RemoteUrl) or RemoteUrl == RemoteIP or RemoteUrl matches regex @"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
| extend SuspiciousParent = (InitiatingProcessParentFileName has_any (SuspiciousParentProcesses))
| project
    TimeGenerated,
    DeviceName,
    DeviceId,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    InitiatingProcessAccountName,
    InitiatingProcessId,
    RemoteIP,
    RemotePort,
    RemoteUrl,
    IsIPOnlyConnection,
    SuspiciousParent,
    BytesSent,
    BytesReceived;
// Step 2: Detect beaconing behavior — repeated encrypted connections at regular intervals
let BeaconingDetection = DeviceNetworkEvents
| where TimeGenerated >= ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (EncryptedPorts)
| where not(InitiatingProcessFileName has_any (LegitimateEncryptedApps))
| where not(RemoteIP matches regex @"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
| summarize
    ConnectionCount = count(),
    UniqueRemoteIPs = dcount(RemoteIP),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    AvgBytesSent = avg(BytesSent),
    AvgBytesReceived = avg(BytesReceived),
    ConnectionTimes = make_list(TimeGenerated, 50)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
| where ConnectionCount >= 5
| where UniqueRemoteIPs == 1
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| extend AvgIntervalMinutes = iff(ConnectionCount > 1, toreal(DurationMinutes) / toreal(ConnectionCount - 1), 0.0)
// Flag regular beaconing: 5+ connections with consistent intervals (1-60 min)
| where AvgIntervalMinutes between (1.0 .. 60.0)
| extend BeaconScore = case(
    AvgIntervalMinutes < 5, "High - Sub-5min beaconing",
    AvgIntervalMinutes < 15, "Medium - Regular beaconing",
    "Low - Periodic connection"
);
// Combine results
SuspiciousEncryptedConnections
| join kind=leftouter (
    BeaconingDetection
    | project DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, ConnectionCount, AvgIntervalMinutes, BeaconScore
) on DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| extend RiskScore = case(
    IsIPOnlyConnection == true and SuspiciousParent == true, "Critical",
    IsIPOnlyConnection == true or (isnotempty(BeaconScore) and BeaconScore startswith "High"), "High",
    SuspiciousParent == true or isnotempty(BeaconScore), "Medium",
    "Low"
)
| where RiskScore in ("Critical", "High", "Medium")
| project
    TimeGenerated,
    DeviceName,
    RiskScore,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    InitiatingProcessAccountName,
    RemoteIP,
    RemotePort,
    RemoteUrl,
    IsIPOnlyConnection,
    BeaconScore,
    ConnectionCount,
    AvgIntervalMinutes,
    BytesSent,
    BytesReceived
| sort by RiskScore asc, TimeGenerated desc
high severity medium confidence

Detects encrypted C2 channels by identifying non-browser processes making encrypted connections (ports 443, 8443, etc.) to external IPs, particularly connections to raw IP addresses without hostname resolution (SNI omission), and beaconing behavior with regular connection intervals. Assigns risk scores based on parent process suspicion, IP-only destinations, and regularity of connections.

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives & Tuning

  • Custom internal applications or agents that connect to known infrastructure over HTTPS but are not in the allowlist (add to LegitimateEncryptedApps)
  • IT monitoring and management tools (SCCM, Ansible, Puppet) that make frequent scheduled encrypted connections to management infrastructure
  • Security products (EDR agents, vulnerability scanners, DLP solutions) that beacon home over encrypted channels on non-standard ports
  • Cloud sync clients or backup agents connecting to cloud storage endpoints on port 443 at regular intervals
  • VPN clients and network tunneling software that establish persistent encrypted connections as part of normal operation
Download portable Sigma rule (.yml)

Other platforms for T1573

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Custom Encrypted C2 Beacon Using PowerShell SSL

    Expected signal: Sysmon Event ID 3 (NetworkConnect) with Image=powershell.exe, DestinationPort=443, DestinationHostname=ifconfig.me; Sysmon Event ID 1 showing PowerShell execution with -ExecutionPolicy Bypass flag; DeviceNetworkEvents showing 5 connections at ~30 second intervals (low jitter beaconing pattern)

  2. Test 2Simulate C2 Connection to Raw IP Address Over HTTPS

    Expected signal: Sysmon Event ID 3 with Image=powershell.exe, DestinationIp=1.1.1.1, DestinationPort=443, DestinationHostname empty or equal to the IP address; DeviceNetworkEvents showing IsIPOnlyConnection=true with RemoteUrl matching RemoteIP

  3. Test 3Simulate Encrypted C2 Beacon from LOLBin (mshta.exe)

    Expected signal: Sysmon Event ID 1 showing mshta.exe execution with HTA file path argument; Sysmon Event ID 3 with Image=mshta.exe, DestinationPort=443, DestinationHostname=httpbin.org; DeviceProcessEvents and DeviceNetworkEvents correlation showing mshta.exe as initiating process

  4. Test 4Linux Custom Encrypted Beacon Simulation Using OpenSSL

    Expected signal: Auditd SYSCALL records for connect() calls from openssl process; syslog entries showing openssl process network activity; on hosts with Sysmon for Linux, Event ID 3 showing openssl making TLS connections to external IP on port 443 at ~30 second intervals

Last updated: 2026-03-19 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1573 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1573.001Symmetric CryptographyT1573.002Asymmetric CryptographyT1071Application Layer ProtocolT1132Data EncodingT1568Dynamic ResolutionT1219Remote Access ToolsT1205Traffic SignalingT1090ProxyT1059Command and Scripting Interpreter

Same Tactic: Command and Control

Popular Detections