Skip to content

DET0503 Behavioral Detection Strategy for Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Item Value
ID DET0503
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1048.001 (Exfiltration Over Symmetric Encrypted Non-C2 Protocol)

Analytics

Windows

AN1389

Detects the execution of non-browser processes establishing outbound encrypted network connections using uncommon symmetric encryption protocols (e.g., AES via PowerShell or custom scripts) to alternate external destinations.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
PayloadEntropyThreshold Flag high-entropy payloads sent over unexpected protocols.
TimeWindow Define allowable transfer window (e.g., abnormal traffic outside business hours).
ExecutableAllowlist List of known-good binaries for encrypted traffic (e.g., Chrome, Outlook).

Linux

AN1390

Detects command-line utilities or scripts using encryption libraries or symmetric algorithms (e.g., OpenSSL AES, GPG, Python + PyCrypto) in conjunction with outbound file transfers or traffic to external destinations.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Network Connection Creation (DC0082) auditd:SYSCALL connect
Network Traffic Flow (DC0078) NSM:Flow conn.log or flow data
Network Traffic Content (DC0085) NSM:Flow ssl.log (for TLS handshake analysis), dns.log (tunneling indicators)
Mutable Elements
Field Description
FileTransferIndicator Threshold for transferred data size or extension type.
LibraryCallTracking Hooks into use of encryption libraries like libcrypto.so, pycrypto, gpg.

macOS

AN1391

Detects symmetric key-based encryption operations (e.g., AES via Python, AppleScript, or OpenSSL) followed by unusual outbound connections from non-browser applications or scripted tools.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog log stream process subsystem
Network Traffic Flow (DC0078) macos:osquery socket_events
Network Connection Creation (DC0082) macos:unifiedlog log stream network activity
Mutable Elements
Field Description
ApplicationProfileBaseline Expected outbound connection profiles per app.
EncryptionRoutinePattern Indicators of manual encryption operations (e.g., script strings invoking AES).

ESXi

AN1392

Detects unexpected encrypted egress traffic from management services (e.g., hostd) or guest VMs utilizing symmetric encryption without traditional protocols (e.g., FTP with embedded AES ciphertext).

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) esxi:vmkernel egress log analysis
Command Execution (DC0064) esxi:hostd execution + payload hints
Network Traffic Content (DC0085) NSM:Flow host switch egress data
Mutable Elements
Field Description
GuestVMExfilWatchlist VMs with data sensitivity labels or outside normal behavior.
ServiceEgressProfile Expected egress destinations and volume for core services.