Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1573 | Encrypted Channel | |
| CA-7 | Continuous Monitoring | Protects | T1573 | Encrypted Channel | |
| CM-2 | Baseline Configuration | Protects | T1573 | Encrypted Channel | |
| CM-6 | Configuration Settings | Protects | T1573 | Encrypted Channel | |
| CM-7 | Least Functionality | Protects | T1573 | Encrypted Channel | |
| SC-12 | Cryptographic Key Establishment and Management | Protects | T1573 | Encrypted Channel | |
| SC-16 | Transmission of Security and Privacy Attributes | Protects | T1573 | Encrypted Channel | |
| SC-23 | Session Authenticity | Protects | T1573 | Encrypted Channel | |
| SC-7 | Boundary Protection | Protects | T1573 | Encrypted Channel | |
| SI-3 | Malicious Code Protection | Protects | T1573 | Encrypted Channel | |
| SI-4 | System Monitoring | Protects | T1573 | Encrypted Channel |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1573 | Encrypted Channels | |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1573 | Encrypted Channels | |
| action.malware.variety.C2 | Command and control (C2) | related-to | T1573 | Encrypted Channels |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1573.002 | Asymmetric Cryptography | 13 |
| T1573.001 | Symmetric Cryptography | 13 |