ID | Name |
---|---|
T1573.001 | Symmetric Cryptography |
T1573.002 | Asymmetric Cryptography |
Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
攻撃者は、通信プロトコルが備える保護に依存するのではなく、コマンドや制御トラフィックを隠すために既知の非対称暗号化アルゴリズムを使用する可能性があります。非対称暗号は公開鍵暗号としても知られ、当事者ごとに自由に配布できる公開鍵と秘密鍵のペアを使用します。鍵の生成方法によって、送信者は受信者の公開鍵でデータを暗号化し、受信者は自分の秘密鍵でデータを復号化します。これにより、意図した受信者だけが暗号化されたデータを読むことができるようになります。一般的な公開鍵暗号化アルゴリズムには、RSAとElGamalが含まれます。
For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As
such, these protocols are classified as Asymmetric Cryptography.
効率を上げるため、多くのプロトコル(SSL/TLSを含む)では、接続が確立されると対称暗号を使用しますが、鍵の確立や送信には非対称暗号を使用します。そのため、これらのプロトコルは非対称暗号方式に分類されます。
ID | Name | Description |
---|---|---|
S0202 | adbupd |
adbupd contains a copy of the OpenSSL library to encrypt C2 traffic.[1] |
S0045 | ADVSTORESHELL |
A variant of ADVSTORESHELL encrypts some C2 with RSA.[2] |
S0438 | Attor | |
S0534 | Bazar | |
S0017 | BISCUIT | |
S0335 | Carbon | |
S0023 | CHOPSTICK | |
G0080 | Cobalt Group |
Cobalt Group has used the Plink utility to create SSH tunnels.[8] |
S0154 | Cobalt Strike |
Cobalt Strike can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server.[9] |
S0126 | ComRAT |
ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.[10][11] |
S0687 | Cyclops Blink |
Cyclops Blink can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.[12] |
S0673 | DarkWatchman |
DarkWatchman can use TLS to encrypt its C2 channel.[13] |
S0600 | Doki |
Doki has used the embedTLS library for network communications.[14] |
S0384 | Dridex | |
S0367 | Emotet |
Emotet is known to use RSA keys for encrypting C2 traffic. [16] |
S0363 | Empire | |
G0037 | FIN6 |
FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[18] |
G0061 | FIN8 |
FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.[19] |
S0168 | Gazer | |
S0588 | GoldMax |
GoldMax has RSA-encrypted its communication with the C2 server.[22] |
S0531 | Grandoreiro |
Grandoreiro can use SSL in C2 communication.[23] |
S0342 | GreyEnergy |
GreyEnergy encrypts communications using RSA-2048.[24] |
S0632 | GrimAgent |
GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2.[25] |
S0087 | Hi-Zor | |
S0483 | IcedID |
IcedID has used SSL and TLS in communications with C2.[27][28] |
S0250 | Koadic | |
S0641 | Kobalos |
Kobalos's authentication and key exchange is performed using RSA-512.[30][31] |
S0409 | Machete | |
S0455 | Metamorfo |
Metamorfo's C2 communication has been encrypted using OpenSSL.[33] |
S0699 | Mythic | |
G0049 | OilRig |
OilRig used the Plink utility and other tools to create tunnels to C2 servers.[35] |
C0014 | Operation Wocao |
During Operation Wocao, threat actors' proxy implementation "Agent" upgraded the socket in use to a TLS socket.[36] |
S0556 | Pay2Key | |
S0587 | Penquin |
Penquin can encrypt communications using the BlowFish algorithm and a symmetric key exchanged with Diffie Hellman.[38] |
S0428 | PoetRAT |
PoetRAT used TLS to encrypt command and control (C2) communications.[39] |
S0150 | POSHSPY | |
S0223 | POWERSTATS |
POWERSTATS has encrypted C2 traffic with RSA.[41] |
S0192 | Pupy |
Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.[42] |
S0496 | REvil |
REvil has encrypted C2 communications with the ECIES algorithm.[43] |
S0448 | Rising Sun |
Rising Sun variants can use SSL for encrypting C2 communications.[44] |
S0382 | ServHelper |
ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP.[45] |
S0633 | Sliver |
Sliver can use mutual TLS and RSA cryptography to exchange a session key.[46][47][48] |
S1035 | Small Sieve |
Small Sieve can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel.[49] |
S0627 | SodaMaster |
SodaMaster can use a hardcoded RSA key to encrypt some of its C2 traffic.[50] |
S0615 | SombRAT | |
S0491 | StrongPity |
StrongPity has encrypted C2 traffic using SSL/TLS.[54] |
S0018 | Sykipot | |
S0668 | TinyTurla |
TinyTurla has the ability to encrypt C2 traffic with SSL/TLS.[56] |
S0183 | Tor |
Tor encapsulates traffic in multiple layers of encryption, using TLS by default.[57] |
S0094 | Trojan.Karagany |
Trojan.Karagany can secure C2 communications with SSL and TLS.[58] |
G0081 | Tropic Trooper |
Tropic Trooper has used SSL to connect to C2 servers.[59][60] |
S0180 | Volgmer |
Some Volgmer variants use SSL to encrypt C2 communications.[61] |
S0366 | WannaCry |
WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.[62] |
S0515 | WellMail |
WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.[63][64] |
S0514 | WellMess |
WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.[65][66][67][64] |
S0117 | XTunnel | |
S0251 | Zebrocy |
Zebrocy uses SSL and AES ECB for encrypting C2 communications.[69][70][71] |
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
M1020 | SSL/TLS Inspection |
SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0029 | Network Traffic | Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |