Encrypted Channel

Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

ID: T1573
Sub-techniques:  T1573.001, T1573.002
Platforms: Linux, Network, Windows, macOS
Version: 1.1
Created: 16 March 2020
Last Modified: 16 April 2024

Procedure Examples

ID Name Description
G0016 APT29

APT29 has used multiple layers of encryption within malware to protect C2 communication.[1]

G1002 BITTER

BITTER has encrypted their C2 communications.[2]

S0631 Chaes

Chaes has used encryption for its C2 channel.[3]

S0498 Cryptoistic

Cryptoistic can engage in encrypted communications with C2.[4]

S0032 gh0st RAT

gh0st RAT has encrypted TCP communications to evade detection.[5]

S0681 Lizar

Lizar can support encrypted communications between the client and server.[6][7]

S1016 MacMa

MacMa has used TLS encryption to initialize a custom protocol for C2 communications.[8]

G0059 Magic Hound

Magic Hound has used an encrypted http proxy in C2 communications.[9]

S0198 NETWIRE

NETWIRE can encrypt C2 communications.[10]

S1012 PowerLess

PowerLess can use an encrypted channel for C2 communications.[11]

S1046 PowGoop

PowGoop can receive encrypted commands from C2.[12]

S0662 RCSession

RCSession can use an encrypted beacon to check in with C2.[13]

C0030 Triton Safety Instrumented System Attack

In the Triton Safety Instrumented System Attack, TEMP.Veles used cryptcat binaries to encrypt their traffic.[14]

G0081 Tropic Trooper

Tropic Trooper has encrypted traffic with the C2 to prevent network detection.[15]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

M1020 SSL/TLS Inspection

SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

References