Description
Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Platforms
Sub-Techniques (2)
Mitigations (2)
Network Intrusion PreventionM1031
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
SSL/TLS InspectionM1020
SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has encrypted traffic with the C2 to prevent network detection.(Citation: TrendMicro Tropic Tr... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used an encrypted http proxy in C2 communications.(Citation: DFIR Phosphorus November 2021) |
| G1002 | BITTER | [BITTER](https://attack.mitre.org/groups/G1002) has encrypted their C2 communications.(Citation: Forcepoint BITTER Pakistan Oct 2016) |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used multiple layers of encryption within malware to protect C2 communication.(Citation: Securework... |
Associated Software (11)
| ID | Name | Type | Context |
|---|---|---|---|
| S0662 | RCSession | Malware | [RCSession](https://attack.mitre.org/software/S0662) can use an encrypted beacon to check in with C2.(Citation: Secureworks BRONZE PRESIDENT December ... |
| S0498 | Cryptoistic | Malware | [Cryptoistic](https://attack.mitre.org/software/S0498) can engage in encrypted communications with C2.(Citation: SentinelOne Lazarus macOS July 2020) |
| S1198 | Gomir | Malware | [Gomir](https://attack.mitre.org/software/S1198) uses a custom encryption algorithm for content sent to command and control infrastructure.(Citation: ... |
| S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) has used encryption for its C2 channel.(Citation: Cybereason Chaes Nov 2020) |
| S1046 | PowGoop | Malware | [PowGoop](https://attack.mitre.org/software/S1046) can receive encrypted commands from C2.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| S1012 | PowerLess | Malware | [PowerLess](https://attack.mitre.org/software/S1012) can use an encrypted channel for C2 communications.(Citation: Cybereason PowerLess February 2022) |
| S0681 | Lizar | Malware | [Lizar](https://attack.mitre.org/software/S0681) can support encrypted communications between the client and server.(Citation: Threatpost Lizar May 20... |
| S0032 | gh0st RAT | Malware | [gh0st RAT](https://attack.mitre.org/software/S0032) has encrypted TCP communications to evade detection.(Citation: Gh0stRAT ATT March 2019) |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) can encrypt C2 communications.(Citation: Red Canary NETWIRE January 2020) |
| S1016 | MacMa | Malware | [MacMa](https://attack.mitre.org/software/S1016) has used TLS encryption to initialize a custom protocol for C2 communications.(Citation: ESET DazzleS... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has encrypted data before sending to the C2 server.(Citation: Fortinet Emotet May 2017) |
References
- Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016.
- Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
Frequently Asked Questions
What is T1573 (Encrypted Channel)?
T1573 is a MITRE ATT&CK technique named 'Encrypted Channel'. It belongs to the Command and Control tactic(s). Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure...
How can T1573 be detected?
Detection of T1573 (Encrypted Channel) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1573?
There are 2 documented mitigations for T1573. Key mitigations include: Network Intrusion Prevention, SSL/TLS Inspection.
Which threat groups use T1573?
Known threat groups using T1573 include: Tropic Trooper, Magic Hound, BITTER, APT29.