Encrypted Channel

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

ID: T1573
Sub-techniques:  T1573.001, T1573.002
Platforms: Linux, Windows, macOS
Data Sources: Network Traffic: Network Traffic Content
Version: 1.0
Created: 16 March 2020
Last Modified: 20 April 2021

Procedure Examples

ID Name Description
S0498 Cryptoistic

Cryptoistic can engage in encrypted communications with C2.[1]

S0032 gh0st RAT

gh0st RAT has encrypted TCP communications to evade detection.[2]

S0198 NETWIRE

NETWIRE can encrypt C2 communications.[3]

G0081 Tropic Trooper

Tropic Trooper has encrypted traffic with the C2 to prevent network detection.[4]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

M1020 SSL/TLS Inspection

SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.

Detection

SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.[5] SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.[6]

In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[7]

References