# T1573.001 Symmetric Cryptography

-----------------------------------------------------------------------

## Technique Description

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

## Technique Detection

With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.

In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
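The first paragraph above describes recovering the algorithm and key from a sample and using them to decode captured traffic. The following Python is an added example of that workflow; it is not code from MITRE or from this playbook's authors. The RC4 routine is the standard algorithm, while the key, beacon layout, captured payload and the `c2.example.invalid` host are constructed sample data (the hex-encoded C2 address mirrors the hypothesis stated later on this page).

```python
"""Decode a captured C2 beacon with a symmetric key recovered from a sample.

Added example for this playbook, not code from MITRE or the page's authors.
RC4 is implemented directly (KSA + PRGA) so the example runs offline; the key,
beacon format and hex-encoded C2 address are constructed sample data.
"""
from __future__ import annotations


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` with RC4 (the same call does both)."""
    # Key-scheduling algorithm (KSA): permute S using the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR keystream over the data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed: a hard-coded key as it might be recovered from a malware sample.
RECOVERED_KEY = b"s4mpl3-k3y"

# Constructed: beacon plaintext whose C2 address is stored as a hex string.
C2_HOST = "c2.example.invalid"  # placeholder, not a real indicator
BEACON_PLAINTEXT = ("host=WS01;user=jdoe;cmd=Sys_info;c2=" + C2_HOST.encode().hex()).encode()

# Constructed: the "captured" ciphertext. Because RC4 is symmetric it is produced
# with the same routine; in practice it comes from a PCAP or Arkime session export.
CAPTURED_PAYLOAD = rc4(RECOVERED_KEY, BEACON_PLAINTEXT)


def decode_beacon(key: bytes, payload: bytes) -> dict[str, str]:
    """Decrypt a captured beacon and split it into key=value fields.

    The `c2` field is hex-decoded so the address can be used as a hunting pivot.
    Raises ValueError when the output is not printable ASCII, the usual sign that
    the key or algorithm guess is wrong.
    """
    plain = rc4(key, payload)
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII output; wrong key or algorithm?") from exc
    if not text.isprintable():
        raise ValueError("non-printable output; wrong key or algorithm?")
    fields: dict[str, str] = {}
    for part in text.split(";"):
        name, _, value = part.partition("=")
        fields[name] = value
    if "c2" in fields:
        fields["c2"] = bytes.fromhex(fields["c2"]).decode("ascii")
    return fields


def looks_like_plaintext(key: bytes, payload: bytes) -> bool:
    """True if `key` yields a parseable beacon; used to rule candidate keys in or out."""
    try:
        decode_beacon(key, payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(decode_beacon(RECOVERED_KEY, CAPTURED_PAYLOAD))
    print("wrong key parses:", looks_like_plaintext(b"wrong", CAPTURED_PAYLOAD))
```

Once the decoded beacon format is confirmed against real samples, the same routine can be run over every session to the suspected C2 host and the recovered addresses and command names fed back into the network and host analytics below.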

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * Windows

  * macOS

### Data Sources:

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has encrypted C2 communications with RC4.(Citation: Recorded Future REDDELTA July 2020)| 
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used AES encrypted communications in C2.(Citation: Zscaler APT31 Covid-19 October 2020)| 
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used AES-128 to encrypt C2 traffic.(Citation: Zscaler Higaisa 2020)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.(Citation: Talos Frankenstein June 2019)| 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) has encrypted network communications with AES.(Citation: Kaspersky Cloud Atlas December 2014)| 
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used AES for encryption of command and control traffic.(Citation: FireEye APT33 Guardrail)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware encrypts C2 traffic using RC4 with a hard-coded key.(Citation: Citizen Lab Stealth Falcon May 2016)| 
| Lazarus Group | Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample XORs C2 traffic. Other [Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses Caracachs encryption to encrypt C2 payloads. [Lazarus Group](https://attack.mitre.org/groups/G0032) has also used AES to encrypt C2 traffic.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: McAfee Lazarus Jul 2020)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has used AES-256 and 3DES for C2 communications.(Citation: Microsoft DUBNIUM July 2016)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) installed a Delphi backdoor that used a custom algorithm for C2 communications.(Citation: ESET Zebrocy May 2019)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1573/001)

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 07 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Servando Quinones

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- The adversary has been known to use symmetric encryption when deploying their malware for C2. Hex-encoded strings have been known to hold their command and control address. Network connections made by multiple systems to an external source should be analyzed and filtered against SSL/TLS certificates that are self-signed or known to be associated with APT28 TTPs.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | 1 | 1, 2 |

## Detection Blindspots

- Encrypted traffic will need further analysis alongside host event logs.
- Incorrect sensor placement may make detecting this TTP difficult.

## Analytical References

  * [Journey to zebrocy land](https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** Detect specific commands used by APT28's Zebrocy backdoor.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** APT28

  * **Query:** ```Event_ID:1 AND command.line:(screenshot OR Sys_info OR Get_Network OR Scan_all)```




-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).

- Arkime records the negotiated cipher when it recognizes it, so it may be worth querying `tls.cipher == EXISTS!` to annotate which ciphers are in use on the network. Exclude the known ciphers and look for TCP connections that are encrypted.
- Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
- Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
- Analyze the metadata surrounding encrypted traffic; this gives some insight into suspicious activity that can then be correlated with host operators.

#### Analytic 1

  * **Information:** Identify encrypted channels that use symmetric encryption; common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** List out the cipher suites being used across the network and identify possible deprecated algorithms. Triple DES (3DES) was deprecated by NIST in 2017; observed use of deprecated encryption algorithms should be investigated, as an adversary may take advantage of these communications. If possible, associate the ja3 and ja3s fields for network connections being made to suspicious or known bad external hosts. Identify certificate metadata of observed connections.

  * **Query Arkime:** ```tls.cipher == EXISTS! && ip.dst != [10/8, 172.16/12, 192.168/16]```
  * **Query Arkime:** ```tls.cipher == [value] && tls.ja3 == [value] && tls.ja3s == [value]```
  * **Query Kibana:** ```tls.cipher: * AND NOT dstIp: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)```
  * **Query Kibana:** ```tls.cipher: [value] AND tls.ja3: [value] AND tls.ja3s: [value]```

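The Hunter Notes and Analytic 1 above describe three steps: inventory the ciphers in use, flag external sessions with a deprecated cipher or an uncommon upload ratio, then pivot on ja3/ja3s to find other internal hosts reaching the same destination. The Python below is an added example that reproduces that logic over constructed session records; it is not part of this playbook or of Arkime. The field names (`tls.cipher`, `tls.ja3`, `tls.ja3s`, `dstIp`) follow Arkime's naming as used in the queries above, while the sample rows, the cipher-name markers and the 20x upload-ratio threshold are assumptions.

```python
"""Hunt over TLS session metadata for symmetric-cipher C2 indicators.

Added example for this playbook, not code from the page or from Arkime.
Sample sessions are constructed, shaped roughly like an Arkime session export.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed sample sessions (not real traffic); byte counts are per direction.
SESSIONS = [
    {"srcIp": "10.1.2.10", "dstIp": "203.0.113.50", "srcBytes": 4_800_000, "dstBytes": 12_000,
     "tls.cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "tls.ja3": "ja3-aaa", "tls.ja3s": "ja3s-111"},
    {"srcIp": "10.1.2.11", "dstIp": "203.0.113.50", "srcBytes": 3_900_000, "dstBytes": 9_500,
     "tls.cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "tls.ja3": "ja3-aaa", "tls.ja3s": "ja3s-111"},
    {"srcIp": "10.1.2.12", "dstIp": "198.51.100.7", "srcBytes": 42_000, "dstBytes": 2_600_000,
     "tls.cipher": "TLS_AES_128_GCM_SHA256", "tls.ja3": "ja3-bbb", "tls.ja3s": "ja3s-222"},
    {"srcIp": "10.1.2.13", "dstIp": "192.168.50.5", "srcBytes": 9_000_000, "dstBytes": 3_000,
     "tls.cipher": "TLS_RSA_WITH_RC4_128_SHA", "tls.ja3": "ja3-ccc", "tls.ja3s": "ja3s-333"},
    {"srcIp": "10.1.2.14", "dstIp": "198.51.100.9", "srcBytes": 120_000, "dstBytes": 95_000,
     "tls.cipher": None, "tls.ja3": None, "tls.ja3s": None},
]

# RFC 1918 ranges excluded by the queries above (ip.dst != [10/8, 172.16/12, 192.168/16]).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed substrings that mark deprecated or weak symmetric algorithms in IANA
# cipher-suite names. 3DES was deprecated by NIST in 2017; RC4 is prohibited in
# TLS by RFC 7465.
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "_DES_", "NULL", "EXPORT")
UPLOAD_RATIO_THRESHOLD = 20.0  # assumption: client sends 20x more than it receives


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def is_weak_cipher(cipher: str | None) -> bool:
    return cipher is not None and any(m in cipher for m in WEAK_CIPHER_MARKERS)


def upload_ratio(session: dict) -> float:
    # Guard against division by zero when the server never answered.
    return session["srcBytes"] / max(session["dstBytes"], 1)


def cipher_inventory(sessions: list[dict]) -> dict[str, int]:
    """`tls.cipher == EXISTS!` style inventory: sessions per negotiated cipher."""
    counts: dict[str, int] = defaultdict(int)
    for s in sessions:
        if s["tls.cipher"] is not None:
            counts[s["tls.cipher"]] += 1
    return dict(counts)


def flag_sessions(sessions: list[dict]) -> list[dict]:
    """External TLS sessions with a weak cipher or an uncommon upload ratio,
    annotated with the reasons so an analyst can pivot on ja3/ja3s."""
    flagged = []
    for s in sessions:
        if not is_external(s["dstIp"]):
            continue  # mirrors the NOT dstIp: (RFC 1918) clause
        reasons = []
        if is_weak_cipher(s["tls.cipher"]):
            reasons.append("weak-cipher:" + s["tls.cipher"])
        if upload_ratio(s) >= UPLOAD_RATIO_THRESHOLD:
            reasons.append(f"upload-ratio:{upload_ratio(s):.0f}x")
        if reasons:
            flagged.append({**s, "reasons": reasons})
    return flagged


def pivot_by_fingerprint(flagged: list[dict]) -> dict[tuple, list[str]]:
    """Group flagged sessions by (ja3, ja3s, dstIp), the second query above,
    to find other internal hosts talking to the same destination."""
    groups: dict[tuple, list[str]] = defaultdict(list)
    for s in flagged:
        groups[(s["tls.ja3"], s["tls.ja3s"], s["dstIp"])].append(s["srcIp"])
    return dict(groups)


if __name__ == "__main__":
    print(cipher_inventory(SESSIONS))
    for s in flag_sessions(SESSIONS):
        print(s["srcIp"], "->", s["dstIp"], s["reasons"])
    print(pivot_by_fingerprint(flag_sessions(SESSIONS)))
```

On the sample data only the two 3DES sessions to 203.0.113.50 are flagged; the RC4 session is skipped because its destination is internal, which is exactly the blind spot the Detection Blindspots section notes for sensor placement, so the RFC 1918 exclusion should be revisited when hunting for lateral C2 relays.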
#### Analytic 2

  * **Information:** Identify certificate metadata of encrypted connections

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** After identifying suspicious or known bad traffic, gather certificate metadata to correlate other internal-to-external host connections across the network that share the same certificate information.

  * **Query Arkime:** ```cert.issuer.on == [value] || cert.subject.cn == [value] || cert.subject.on == [value] || cert.alt == [value]```
  * **Query Kibana:** ```cert.issuerON: [value] OR cert.issuerCN: [value] OR cert.subjectON: [value] OR cert.alt: [value]```

