Encrypted Channel

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if the necessary secret keys are hard-coded in, or deterministically generated by, the malware sample or its configuration files: an analyst who recovers the key material from the sample can decrypt captured traffic.

ID: T1521
Sub-techniques: T1521.001, T1521.002, T1521.003
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 2.0
Created: 01 October 2019
Last Modified: 24 October 2025
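The weakness the description points at (a secure algorithm used with key material that is embedded in, or deterministically derived by, the sample) is easiest to see end to end. The following is an added example, not code from the ATT&CK page or from any of the samples it lists. It models an implant that derives its RC4 key from a hard-coded seed plus its own package name, frames each beacon as a 4-byte length, an 8-byte nonce and the ciphertext, and then shows the analyst side: re-deriving the key from the artefacts recovered during reverse engineering and decrypting a captured byte stream. The seed, package name, framing and beacon contents are all constructed for the example; RC4 is used because it is a known algorithm that runs on the standard library alone, and the nonce-prefix keying is intentionally simple.

```python
import hashlib
import os
import struct
from typing import List, Optional

# Constructed values standing in for artefacts recovered from a sample
# (hypothetical; not taken from any real malware family).
IMPLANT_SEED = b"cfg:v2:7f3a"              # hard-coded seed in a config resource
IMPLANT_PACKAGE = "com.example.flashlight"  # package name mixed into the key


def derive_key(seed: bytes, package_name: str) -> bytes:
    """Key 'generated within the sample': deterministic, so an analyst who
    recovers the seed and package name can reproduce it exactly."""
    return hashlib.sha256(seed + package_name.encode("utf-8")).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (a known algorithm; the same call encrypts and decrypts)."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_beacon(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Implant side. Frame layout (constructed for this example):
    len(4 bytes, big-endian) || nonce(8) || RC4(nonce || key, plaintext)."""
    nonce = os.urandom(8) if nonce is None else nonce
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    body = nonce + rc4(nonce + key, plaintext)
    return struct.pack(">I", len(body)) + body


def parse_frames(stream: bytes) -> List[bytes]:
    """Split a captured byte stream into framed messages, rejecting truncation
    rather than silently decrypting a partial frame."""
    frames = []
    off = 0
    while off < len(stream):
        if off + 4 > len(stream):
            raise ValueError("truncated length field at offset %d" % off)
        (n,) = struct.unpack_from(">I", stream, off)
        off += 4
        if n < 8 or off + n > len(stream):
            raise ValueError("truncated frame at offset %d" % off)
        frames.append(stream[off:off + n])
        off += n
    return frames


def decrypt_capture(seed: bytes, package_name: str, stream: bytes) -> List[bytes]:
    """Analyst side: re-derive the key from recovered artefacts and decrypt
    every framed beacon in the capture."""
    key = derive_key(seed, package_name)
    plaintexts = []
    for body in parse_frames(stream):
        nonce, ciphertext = body[:8], body[8:]
        plaintexts.append(rc4(nonce + key, ciphertext))
    return plaintexts


# Constructed beacons the implant would have sent; fixed nonces keep the
# "capture" reproducible.
BEACONS = [b'{"id":"d41d","cmd":"checkin"}', b'{"id":"d41d","sms":"OTP 123456"}']


def build_capture() -> bytes:
    key = derive_key(IMPLANT_SEED, IMPLANT_PACKAGE)
    return b"".join(
        encrypt_beacon(key, pt, nonce=bytes([i] * 8)) for i, pt in enumerate(BEACONS, 1)
    )


if __name__ == "__main__":
    capture = build_capture()
    for msg in decrypt_capture(IMPLANT_SEED, IMPLANT_PACKAGE, capture):
        print(msg.decode())
```

The point of the example is the analyst path: nothing about the traffic itself is attacked, only the fact that `derive_key` takes inputs that sit in the sample. A key derived from something the analyst cannot recover from the APK alone (a value fetched from the C2 at first run, or per-device hardware-backed key material) would break `decrypt_capture`, which is exactly why the description ties the weakness to keys encoded or generated within the sample.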

Procedure Examples

ID     Name     Description
S1095  AhRat    AhRat can communicate with the C2 using HTTPS requests.[1]
S0302  Twitoor  Twitoor encrypts its C2 communication.[2]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID       Name                            Analytic ID  Analytic Description
DET0641  Detection of Encrypted Channel  AN1716       Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.
                                         AN1717       Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.

References