title: Exfiltration Over Symmetric Encrypted Non-C2 Protocol (T1048.001)
id: df00tech-t1048-001
status: experimental
description: "Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. Symmetric encryption algorithms (RC4, AES, ChaCha20, Blowfish) use shared keys on both ends of the channel. Attackers may implement custom encryption over protocols not natively encrypted (HTTP, FTP, DNS) or add extra encryption layers over already-encrypted protocols (HTTPS, SFTP) to obscure data contents from network inspection tools. This technique is distinguished from asymmetric exfiltration by the pre-shared key requirement, often resulting in artifacts such as key material embedded in scripts, configuration files, or command-line arguments."
references:
  - https://attack.mitre.org/techniques/T1048/001/
  - https://df00tech.com/detections/T1048.001
author: df00tech
date: 2026/04/16
tags:
  - attack.t1048.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this detection logic could not be auto-translated. The selection below
  # wildcards EventID and therefore matches every process_creation event; replace it with
  # the KQL/SPL query published on df00tech before deploying this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate use of OpenSSL for TLS certificate management, key generation, or PKI operations by system administrators"
  - "Backup software using AES encryption to transfer data to cloud storage (e.g., Veeam, Acronis, rsync with encryption flags)"
  - "Secure file transfer tools such as SFTP, SCP, or WinSCP that use symmetric encryption internally during session"
  - "Security scanning and penetration testing tools (Metasploit, nmap scripts) run by authorized red team or security operations personnel"
  - "Software build pipelines encrypting artifacts for distribution using OpenSSL or GPG with symmetric keys"
level: high
