Description
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.
Platforms
Mitigations (1)
Network Intrusion PreventionM1031
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Threat Groups (14)
| ID | Group | Context |
|---|---|---|
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has encrypted C2 communications with RC4.(Citation: Eset PlugX Korplug Mustang Panda March 2022... |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has used AES-256 and 3DES for C2 communications.(Citation: Microsoft DUBNIUM July 2016) |
| G0032 | Lazarus Group | Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families encrypt C2 traffic using custom code that uses XOR with an ADD operati... |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used AES encrypted communications in C2.(Citation: Zscaler APT31 Covid-19 October 2020) |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used a version of the Awen web shell that employed AES encryption and decryption for C2 comm... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has used AES-128 CBC to encrypt C2 communications.(Citation: group-ib_redcurl2) |
| G0038 | Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware encrypts C2 traffic using RC4 with a hard-coded key.(Citation: Citizen Lab Stealth Fal... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used AES to encrypt C2 responses.(Citation: Talos MuddyWater Jan 2022) |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has encrypted C2 traffic using RC4.(Citation: Sekoia ClickFake 2025) |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used AES-128 to encrypt C2 traffic.(Citation: Zscaler Higaisa 2020) |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) has encrypted network communications with AES.(Citation: Kaspersky Cloud Atlas December 2014) |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used AES for encryption of command and control traffic.(Citation: FireEye APT33 Guardrail) |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) installed a Delphi backdoor that used a custom algorithm for C2 communications.(Citation: ESET Zebrocy ... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traff... |
Associated Software (166)
| ID | Name | Type | Context |
|---|---|---|---|
| S0384 | Dridex | Malware | [Dridex](https://attack.mitre.org/software/S0384) has encrypted traffic with RC4.(Citation: Kaspersky Dridex May 2017) |
| S0649 | SMOKEDHAM | Malware | [SMOKEDHAM](https://attack.mitre.org/software/S0649) has encrypted its C2 traffic with RC4.(Citation: FireEye SMOKEDHAM June 2021) |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) uses variations of a simple XOR encryption routine for C&C communications.(Citation: ESET Invisi... |
| S1227 | StarProxy | Malware | [StarProxy](https://attack.mitre.org/software/S1227) has leveraged two 256-byte XOR keys to encrypt and decrypt network packets using a custom algori... |
| S0663 | SysUpdate | Malware | [SysUpdate](https://attack.mitre.org/software/S0663) has used DES to encrypt all C2 communications.(Citation: Lunghi Iron Tiger Linux) |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) is known to use RSA keys for encrypting C2 traffic. (Citation: Trend Micro Emotet Jan 2019) |
| S0113 | Prikormka | Malware | [Prikormka](https://attack.mitre.org/software/S0113) encrypts some C2 traffic with the Blowfish cipher.(Citation: ESET Operation Groundbait) |
| S0066 | 3PARA RAT | Malware | [3PARA RAT](https://attack.mitre.org/software/S0066) command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in ... |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can encrypt C2 communications with AES.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR ... |
| S0034 | NETEAGLE | Malware | [NETEAGLE](https://attack.mitre.org/software/S0034) will decrypt resources it downloads with HTTP requests by using RC4 with the key "ScoutEagle."(Cit... |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) has used AES to exfiltrate documents.(Citation: ESET Machete July 2019) |
| S0344 | Azorult | Malware | [Azorult](https://attack.mitre.org/software/S0344) can encrypt C2 traffic using XOR.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult J... |
| S0268 | Bisonal | Malware | [Bisonal](https://attack.mitre.org/software/S0268) variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some [Bisonal](https://attac... |
| S0060 | Sys10 | Malware | [Sys10](https://attack.mitre.org/software/S0060) uses an XOR 0x1 loop to encrypt its C2 domain.(Citation: Baumgartner Naikon 2015) |
| S0081 | Elise | Malware | [Elise](https://attack.mitre.org/software/S0081) encrypts exfiltrated data with RC4.(Citation: Lotus Blossom Jun 2015) |
| S0141 | Winnti for Windows | Malware | [Winnti for Windows](https://attack.mitre.org/software/S0141) can XOR encrypt C2 traffic.(Citation: Novetta Winnti April 2015) |
| S0664 | Pandora | Malware | [Pandora](https://attack.mitre.org/software/S0664) has the ability to encrypt communications with D3DES.(Citation: Trend Micro Iron Tiger April 2021) |
| S0128 | BADNEWS | Malware | [BADNEWS](https://attack.mitre.org/software/S0128) encrypts C2 data with a ROR by 3 and an XOR by 0x23.(Citation: Forcepoint Monsoon)(Citation: TrendM... |
| S0272 | NDiskMonitor | Malware | [NDiskMonitor](https://attack.mitre.org/software/S0272) uses AES to encrypt certain information sent over its C2 channel.(Citation: TrendMicro Patchwo... |
| S1076 | QUIETCANARY | Malware | [QUIETCANARY](https://attack.mitre.org/software/S1076) can RC4 encrypt C2 communications.(Citation: Mandiant Suspected Turla Campaign February 2023) |
References
Frequently Asked Questions
What is T1573.001 (Symmetric Cryptography)?
T1573.001 is a MITRE ATT&CK technique named 'Symmetric Cryptography'. It belongs to the Command and Control tactic(s). Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric enc...
How can T1573.001 be detected?
Detection of T1573.001 (Symmetric Cryptography) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1573.001?
There are 1 documented mitigations for T1573.001. Key mitigations include: Network Intrusion Prevention.
Which threat groups use T1573.001?
Known threat groups using T1573.001 include: Mustang Panda, Darkhotel, Lazarus Group, ZIRCONIUM, Volt Typhoon, RedCurl, Stealth Falcon, MuddyWater.