Encrypted Channel

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are embedded in, or generated from, malware samples or configuration files.[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.[2] SSL/TLS inspection does come with certain risks that should be considered before implementing it, to avoid potential security issues such as incomplete certificate validation.[3]

In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[4]
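A minimal instance of the uncommon-data-flow heuristic above, written as an added example (it is not code from the original page): it aggregates constructed netflow-style records per host, process and destination, flags flows whose outbound bytes dwarf the inbound bytes, and flags processes absent from a baseline of known network users. Host names, process names, the thresholds and the baseline set are all assumed values.

```python
import csv
import io
from collections import defaultdict

# Constructed sample netflow-style records (assumed, not from the page):
# ts, src_host, process, dst_ip, dst_port, bytes_out, bytes_in
SAMPLE_FLOWS = """\
ts,src_host,process,dst_ip,dst_port,bytes_out,bytes_in
2021-01-05T10:00:00,ws01,chrome.exe,203.0.113.10,443,18000,920000
2021-01-05T10:01:00,ws01,chrome.exe,203.0.113.11,443,4200,150000
2021-01-05T10:02:00,ws01,notepad.exe,198.51.100.7,443,5300000,14000
2021-01-05T10:03:00,ws01,notepad.exe,198.51.100.7,443,4800000,12000
2021-01-05T10:04:00,ws01,outlook.exe,203.0.113.20,443,250000,310000
"""

# Assumed baseline of processes that normally use the network on this host.
KNOWN_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe"}

OUT_IN_RATIO_THRESHOLD = 20.0   # client sends 20x more than it receives
MIN_BYTES_OUT = 1_000_000       # ignore small flows when applying the ratio

def aggregate_flows(flow_csv):
    """Sum bytes per (host, process, dst_ip, dst_port) across all records."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["src_host"], row["process"], row["dst_ip"], row["dst_port"])
        totals[key]["bytes_out"] += int(row["bytes_out"])
        totals[key]["bytes_in"] += int(row["bytes_in"])
    return totals

def find_suspicious_flows(flow_csv, known_processes=KNOWN_NETWORK_PROCESSES):
    """Return a list of (key, reasons) for flows that match either heuristic."""
    findings = []
    for key, t in aggregate_flows(flow_csv).items():
        reasons = []
        ratio = t["bytes_out"] / max(t["bytes_in"], 1)
        if t["bytes_out"] >= MIN_BYTES_OUT and ratio >= OUT_IN_RATIO_THRESHOLD:
            reasons.append(f"outbound/inbound ratio {ratio:.0f}:1")
        if key[1] not in known_processes:
            reasons.append(f"process {key[1]} not in network baseline")
        if reasons:
            findings.append((key, reasons))
    return findings

if __name__ == "__main__":
    for key, reasons in find_suspicious_flows(SAMPLE_FLOWS):
        print(key, "; ".join(reasons))
```

On the constructed data only the notepad.exe flow is reported, once for its roughly 388:1 outbound/inbound ratio and once for being outside the baseline; the two browser flows stay below MIN_BYTES_OUT and are never considered by the ratio check.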

ID: VT0027
MITRE ID:
Sub-techniques:
Tactic: Command And Control
Platforms: Linux, Windows, macOS
Data Sources: Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Version: 1.0

Created: 05 January 2021

Last Modified: 05 January 2021