Encrypted Channel: Symmetric Cryptography

ID Name
T1521.001 Symmetric Cryptography
T1521.002 Asymmetric Cryptography

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.

ID: T1521.001
Sub-technique of:  T1521
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.0
Created: 05 April 2022
Last Modified: 05 April 2022

Procedure Examples

ID Name Description
S0478 EventBot

EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[1]

S0411 Rotexy

Rotexy encrypts JSON HTTP payloads with AES.[2]

S1055 SharkBot

SharkBot can use RC4 to encrypt C2 payloads.[3]

G0112 Windshift

Windshift has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.[4]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.

References