title: Symmetric Cryptography (T1573.001)
id: df00tech-t1573-001
status: experimental
description: "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. Real-world malware families using this technique include Dridex (RC4), SMOKEDHAM (RC4), LockBit 3.0 (AES), Emotet (RSA+AES hybrid), SysUpdate (DES), Prikormka (Blowfish), Azorult (XOR), Bisonal (RC4/XOR), and InvisiMole (XOR). Detection cannot rely on payload inspection since the data is opaque; instead it must focus on behavioral proxies: crypto library usage by unexpected processes, beaconing patterns, process genealogy anomalies combined with external connections, and known cipher-specific implementation artifacts."
references:
  - https://attack.mitre.org/techniques/T1573/001/
  - https://df00tech.com/detections/T1573.001
author: df00tech
date: 2026/04/21
tags:
  - attack.t1573.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches every event in the log source and
  # must be replaced with the real logic before this rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Security agents (CrowdStrike, Carbon Black, SentinelOne, Cylance) that load crypto libraries to encrypt their own telemetry streams and communicate with backend cloud services"
  - "Enterprise backup agents (Veeam, Commvault, Veritas) that perform AES-encrypted data transfers to off-site repositories on non-standard ports"
  - "Software update mechanisms (Autodesk, Adobe, JetBrains) that use TLS on non-443 ports (e.g., 7443, 8444) and load bcrypt.dll as part of update verification"
  - "VPN and proxy clients (Cisco AnyConnect, GlobalProtect, ZScaler) that load crypto libraries before establishing tunnels to public infrastructure"
  - "Developer IDEs and language runtimes (Visual Studio, IntelliJ, Python interpreters) loading cryptographic libraries during normal operation"
level: high
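The behavioral proxies named in the description (crypto-library loads by unexpected processes, external connections on non-standard ports, and beaconing regularity), as an added Python example that is not part of this rule or of df00tech's query. It assumes Sysmon-style image-load (EventID 7) and network-connection (EventID 3) records as plain dicts; the allowlist, the jitter threshold and the sample events are constructed.

```python
import ipaddress
import statistics
from datetime import datetime

CRYPTO_DLLS = {"bcrypt.dll", "ncrypt.dll", "crypt32.dll", "bcryptprimitives.dll"}
# Hypothetical allowlist of images expected to load crypto libraries; tune it per environment.
EXPECTED_CRYPTO_USERS = {"chrome.exe", "msedge.exe", "outlook.exe", "veeamagent.exe"}
COMMON_TLS_PORTS = {443, 80}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()
def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def crypto_loaders(events):
    """Images that loaded a crypto DLL (Sysmon EventID 7) and are not on the allowlist."""
    return {e["Image"] for e in events if e["EventID"] == 7
            and _basename(e["ImageLoaded"]) in CRYPTO_DLLS
            and _basename(e["Image"]) not in EXPECTED_CRYPTO_USERS}

def is_beaconing(times, min_hits=4, max_jitter=0.2):
    """Near-constant intervals (low coefficient of variation) suggest a beacon."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps) if len(times) >= min_hits else 0
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter

def find_suspects(events):
    """Correlate crypto loads with external connections (Sysmon EventID 3) and beaconing."""
    loaders, conns = crypto_loaders(events), {}
    for e in events:
        if e["EventID"] == 3 and e["Image"] in loaders and is_external(e["DestinationIp"]):
            key = (e["Image"], e["DestinationIp"], e["DestinationPort"])
            conns.setdefault(key, []).append(datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"))
    hits = []
    for (image, ip, port), times in conns.items():
        reasons = [r for r, flag in (("nonstandard_port", port not in COMMON_TLS_PORTS),
                                     ("beaconing", is_beaconing(sorted(times)))) if flag]
        if reasons:
            hits.append({"Image": image, "Destination": f"{ip}:{port}", "Reasons": reasons})
    return hits
# Constructed sample: 203.0.113.0/24 (a documentation range) stands in for a public C2 address.
SVC, CHROME = r"C:\Users\bob\AppData\Roaming\svc.exe", r"C:\Program Files\Google\Chrome\chrome.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": SVC, "ImageLoaded": r"C:\Windows\System32\bcrypt.dll"},
    {"EventID": 7, "Image": CHROME, "ImageLoaded": r"C:\Windows\System32\bcrypt.dll"},
    {"EventID": 3, "Image": SVC, "DestinationIp": "10.0.0.5", "DestinationPort": 445, "UtcTime": "2026-04-21 09:59:00"},
] + [{"EventID": 3, "Image": SVC, "DestinationIp": "203.0.113.10", "DestinationPort": 8444,
      "UtcTime": f"2026-04-21 10:{m:02d}:00"} for m in range(4)]
```

Running `find_suspects(SAMPLE_EVENTS)` flags only svc.exe, for both the non-standard port and the one-minute beacon; chrome.exe is dropped by the allowlist and the internal 10.0.0.5 connection by the external-address filter.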
