# T1573 Encrypted Channel

-----------------------------------------------------------------------

## Technique Description

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

## Technique Detection

SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)

In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has encrypted traffic with the C2 to prevent network detection.(Citation: TrendMicro Tropic Trooper May 2020)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used multiple layers of encryption within malware to protect C2 communication.(Citation: Secureworks IRON HEMLOCK Profile)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1573)

  * [SANS Decrypting SSL](http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840), Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016.

  * [SEI SSL Inspection Risks](https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html), Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016.

  * [University of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 23 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, Mr. Aaron Diaz CTR

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- N/A

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | | |
| APT29 | | |
| Turla | | |


## Detection Blindspots

- Depending on the encryption used, it may not be possible to identify what the traffic is doing. Even with SSL/TLS inspection capability, malware authors (especially nation-state actors) have been known to employ multiple layers of encryption over their C2 channel: they may use legitimate HTTP/S for transport but apply a custom crypto algorithm to the actual data before it is sent over HTTP/S. Defeating this, or investigating it further, requires reverse engineering the malware sample itself to recover the key material and algorithm. Aside from the possibility of not being able to decrypt the data, there is also the probability of traffic "impersonating" legitimate users browsing websites, which makes JA3 and other TLS fingerprinting less effective.

## Analytical References

- https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- https://github.com/bryant-treacle/SSL_Traffic_Hunting
- https://www.netresec.com/?page=Blog&month=2017-09&post=Hunting-AdwindRAT-with-SSL-Heuristics
- https://idsips.files.wordpress.com/2020/05/suricata-and-tls.pdf
- https://ja3er.com/
- https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf
- https://medium.com/cu-cyber/impersonating-ja3-fingerprints-b9f555880e42
- https://www.bc-security.org/post/ja3-s-signatures-and-how-to-avoid-them
- https://www.defensive-security.com/blog/hiding-behind-ja3-hash
- https://www.splunk.com/en_us/blog/security/finding-new-evil-detecting-new-domains-with-splunk.html
- https://blog.fox-it.com/2019/06/11/using-anomaly-detection-to-find-malicious-domains/

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- N/A

#### Analytic 1

  * **Information:** Microsoft CryptoAPI

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** Query is logic/pseudo-query, **needs conversion** to proper Kibana syntax. crypt32.dll is loaded by most Windows processes, so the load on its own is not a signal; the value is in the sequence (crypto DLL load, then network activity from the same ProcessGuid) and in baselining the processes that are expected to behave this way (browsers, update agents, mail clients).

  * **Query:** ```event_id: 7 (image load) of crypt32.dll or a related CryptoAPI/CNG DLL (bcrypt.dll, ncrypt.dll), followed within a short window by event_id: 3 (network connection) from the same ProcessGuid, or by a further event_id: 7 load of an *Http*-related DLL (winhttp.dll, wininet.dll) by that process```
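The correlation the pseudo-query describes, written out as an added example (not part of the original notebook and not a Kibana query): it joins Sysmon event ID 7 (image load of a CryptoAPI/CNG DLL) to a later event ID 3 (network connection) from the same ProcessGuid inside a short window, and suppresses processes on a baseline that are expected to do TLS all day. The sample events, the baseline list, the DLL list and the 60-second window are constructed assumptions for illustration; the event fields are flattened rather than taken from raw Sysmon XML or a SIEM's field mapping.

```python
"""Correlate Sysmon event ID 7 (CryptoAPI DLL load) with a later event ID 3
(network connection) from the same process.  Added example; the events
below are constructed, not real telemetry."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# DLLs behind Windows CryptoAPI / CNG.  crypt32.dll in particular is loaded by
# most Windows processes, so the baseline below does most of the noise reduction.
CRYPTO_DLLS = {"crypt32.dll", "bcrypt.dll", "ncrypt.dll", "rsaenh.dll"}

# Assumed baseline of processes expected to load crypto and talk to the network;
# tune to the environment (browsers, update agents, mail clients, ...).
BASELINE_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
}

# Constructed sample events, flattened to the fields the logic needs.
SAMPLE_EVENTS = [
    r'{"event_id": 7, "ts": "2022-06-23T10:00:00", "process_guid": "A", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image_loaded": "C:\\Windows\\System32\\crypt32.dll"}',
    r'{"event_id": 7, "ts": "2022-06-23T10:00:01", "process_guid": "B", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "image_loaded": "C:\\Windows\\System32\\crypt32.dll"}',
    r'{"event_id": 7, "ts": "2022-06-23T10:00:02", "process_guid": "C", "image": "C:\\Windows\\System32\\notepad.exe", "image_loaded": "C:\\Windows\\System32\\crypt32.dll"}',
    r'{"event_id": 7, "ts": "2022-06-23T10:00:02", "process_guid": "E", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image_loaded": "C:\\Windows\\System32\\bcrypt.dll"}',
    r'{"event_id": 3, "ts": "2022-06-23T10:00:03", "process_guid": "B", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dst_ip": "93.184.216.34", "dst_port": 443}',
    r'{"event_id": 3, "ts": "2022-06-23T10:00:04", "process_guid": "D", "image": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "10.0.0.5", "dst_port": 445}',
    r'{"event_id": 3, "ts": "2022-06-23T10:00:05", "process_guid": "A", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dst_ip": "203.0.113.10", "dst_port": 8443}',
    r'{"event_id": 3, "ts": "2022-06-23T10:20:00", "process_guid": "E", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "dst_ip": "203.0.113.11", "dst_port": 443}',
]


def parse_events(lines):
    """Parse JSON-lines events and convert the timestamp to a datetime."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate(events, window=timedelta(seconds=60)):
    """Return one hit per network connection made by a non-baselined process
    within `window` after it loaded a CryptoAPI DLL.  Events are walked in
    time order so an event 3 only matches loads that preceded it."""
    loads = defaultdict(list)  # process_guid -> [(load_ts, dll_name)]
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() in BASELINE_IMAGES:
            continue  # expected behaviour, not worth an analyst's time
        if ev["event_id"] == 7:
            dll = ev["image_loaded"].rsplit("\\", 1)[-1].lower()
            if dll in CRYPTO_DLLS:
                loads[ev["process_guid"]].append((ev["ts"], dll))
        elif ev["event_id"] == 3:
            for load_ts, dll in loads.get(ev["process_guid"], []):
                if timedelta(0) <= ev["ts"] - load_ts <= window:
                    hits.append({
                        "process_guid": ev["process_guid"],
                        "image": ev["image"],
                        "dll": dll,
                        "dst": f'{ev["dst_ip"]}:{ev["dst_port"]}',
                        "delay_s": (ev["ts"] - load_ts).total_seconds(),
                    })
                    break  # one hit per connection is enough
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

On the constructed data only the PowerShell process (GUID A) is reported: Chrome is baselined, notepad loads crypt32.dll but never connects, svchost connects without a prior crypto load, and Excel's connection falls outside the window. The window and baseline are the two knobs that decide whether this analytic is usable at scale.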



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels. SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.

- In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

- Identify certificates not seen in traffic to the Alexa Top 1 Million sites (or a comparable top-sites baseline). Odd ssl_issuer and ssl_subject_common_name values stand out this way, and the abuse.ch SSL Blacklist (SSLBL) can be used to match certificate fingerprints already known to be used for malware C2.

#### Analytic 1

  * **Information:** SSL comm outbound over non-standard port

  * **Source:** PCAP

  * **Tool:** Moloch

  * **Notes:** Query is logic/pseudo-query, **needs conversion** to proper Moloch syntax.

  * **Query:** ```tcp contains ssl_cert_sha1=* && not tcp.dstport==443``` (in Arkime/Moloch's own expression syntax this is approximately `cert.hash == EXISTS! && port.dst != 443`; verify field names against the deployed version)
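The network Hunter Notes (uncommon upload-heavy flows, issuers outside a top-sites baseline, SSLBL matches) and Analytic 1 (TLS on a port other than 443) run over sample records, as an added example that is not part of the original notebook: the records mimic Zeek conn.log and ssl.log fields joined on `uid`, but every flow, certificate value, the `KNOWN_ISSUERS` baseline, the `SSLBL_SHA1` entry and the thresholds are constructed assumptions for illustration.

```python
"""Network analytic sketch over constructed Zeek-style conn.log / ssl.log
records (JSON lines): upload-heavy flows to external hosts, TLS on a port
other than 443, self-signed or off-baseline certificate issuers, and
certificate hashes on a blocklist.  Added example; all data is constructed."""
import ipaddress
import json

TLS_PORTS = {443}           # extend with 8443 etc. if the environment uses them
MIN_UPLOAD_BYTES = 100_000  # ignore tiny flows where ratios are meaningless
UPLOAD_RATIO = 5.0          # client must send 5x what it receives
# RFC 1918 ranges; checked explicitly rather than via ip_address.is_private,
# which also treats the documentation ranges used below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Stand-in for a baseline of issuer CNs observed in traffic to top sites
# (what the hunter notes call the Alexa Top 1 Million); assumed values.
KNOWN_ISSUERS = {"DigiCert TLS RSA SHA256 2020 CA1", "R3"}
# Stand-in for the abuse.ch SSLBL certificate blocklist; the hash is invented.
SSLBL_SHA1 = {"0123456789abcdef0123456789abcdef01234567": "constructed blocklist entry"}

CONN_LOG = [  # constructed conn.log records
    '{"uid": "C1", "id.resp_h": "93.184.216.34", "id.resp_p": 443, "service": "ssl", "orig_bytes": 2000, "resp_bytes": 150000}',
    '{"uid": "C2", "id.resp_h": "198.51.100.20", "id.resp_p": 8443, "service": "ssl", "orig_bytes": 900000, "resp_bytes": 12000}',
    '{"uid": "C3", "id.resp_h": "203.0.113.9", "id.resp_p": 443, "service": "ssl", "orig_bytes": 3000, "resp_bytes": 40000}',
    '{"uid": "C4", "id.resp_h": "192.0.2.30", "id.resp_p": 53, "service": "dns", "orig_bytes": 400, "resp_bytes": 900}',
    '{"uid": "C5", "id.resp_h": "10.0.0.20", "id.resp_p": 445, "service": "smb", "orig_bytes": 5000000, "resp_bytes": 20000}',
    '{"uid": "C6", "id.resp_h": "203.0.113.40", "id.resp_p": 443, "service": "ssl", "orig_bytes": 1500, "resp_bytes": 9000}',
]
SSL_LOG = [  # constructed ssl.log records, joined to conn.log on uid
    '{"uid": "C1", "server_name": "example.com", "issuer": "CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US", "subject": "CN=www.example.org,O=Example,C=US", "cert_sha1": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}',
    '{"uid": "C2", "server_name": "-", "issuer": "CN=localhost", "subject": "CN=localhost", "cert_sha1": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}',
    '{"uid": "C3", "server_name": "cdn.example.net", "issuer": "CN=R3,C=US", "subject": "CN=cdn.example.net", "cert_sha1": "0123456789abcdef0123456789abcdef01234567"}',
    '{"uid": "C6", "server_name": "portal.example.com", "issuer": "CN=Some Corp Internal CA,O=Some Corp", "subject": "CN=portal.example.com,O=Some Corp", "cert_sha1": "cccccccccccccccccccccccccccccccccccccccc"}',
]


def load_jsonl(lines):
    return [json.loads(line) for line in lines]


def issuer_cn(dn):
    """Pull the CN out of an 'attr=value,attr=value' distinguished name."""
    for part in dn.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return dn


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_flows(conn_rows, ssl_rows):
    """Return {uid: [reason, ...]} for every flow that trips at least one check."""
    ssl_by_uid = {r["uid"]: r for r in ssl_rows}
    findings = {}
    for c in conn_rows:
        reasons = []
        # 1. Uncommon data flow: a client pushing far more than it pulls from an
        #    external host.  Internal uploads (file shares, backups) are excluded.
        if not is_internal(c["id.resp_h"]) and c["orig_bytes"] >= MIN_UPLOAD_BYTES:
            ratio = c["orig_bytes"] / max(c["resp_bytes"], 1)
            if ratio > UPLOAD_RATIO:
                reasons.append(f"client sent {ratio:.0f}x more than it received")
        # 2. TLS where the destination port does not say TLS.
        if c.get("service") == "ssl" and c["id.resp_p"] not in TLS_PORTS:
            reasons.append(f"TLS on non-standard port {c['id.resp_p']}")
        # 3. Certificate checks from the joined ssl.log record.
        s = ssl_by_uid.get(c["uid"])
        if s:
            if s["issuer"] == s["subject"]:
                reasons.append("self-signed certificate")
            elif issuer_cn(s["issuer"]) not in KNOWN_ISSUERS:
                reasons.append(f"issuer '{issuer_cn(s['issuer'])}' not in top-sites baseline")
            if s.get("cert_sha1") in SSLBL_SHA1:
                reasons.append("certificate hash on SSLBL blocklist")
        if reasons:
            findings[c["uid"]] = reasons
    return findings


if __name__ == "__main__":
    for uid, reasons in score_flows(load_jsonl(CONN_LOG), load_jsonl(SSL_LOG)).items():
        print(uid, "->", "; ".join(reasons))
```

On the constructed data C2 trips all three flow checks (upload-heavy, TLS on 8443, self-signed), C3 is clean except for the blocklisted fingerprint, and C6 surfaces only because its issuer is not in the baseline; the large internal SMB upload (C5) is deliberately not reported, which is the kind of exclusion that keeps the "client sends more than it receives" heuristic from drowning in file-share noise.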

