PT Network Attack Discovery

Helps reconstruct the attack timeline and understand the sources and scale of threats

T1573: Encrypted Channel

Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

Positive Technologies products that cover the technique

Detection

PT NAD can automatically detect and mark encrypted connections, as well as detect communication with C2 servers via encrypted channels, using rules and reputation lists. PT NAD has multiple rules detecting malware communication and activities related to post-exploitation or hacking tools.

Examples of PT NAD detection rules

  • REMOTE [PTsecurity] Xworm Ping (sid 10008313)
  • TOOLS [PTsecurity] Sliver C2. mTLS Beacon Polling (sid 10008556)

Examples of PT NAD filters

  • app_proto == "encrypted"

Detection

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content
Description:

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)).
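The following is an added example, not PT NAD's own detection logic, illustrating the idea behind the app_proto == "encrypted" filter and the data source above: flows whose first payload bytes carry no recognisable protocol framing but have high byte entropy are labelled "encrypted", and a flow on a well-known port that does not carry the expected protocol is flagged as a mismatch. The sample flows, the expected-protocol port map, the minimum payload length and the 7.0-bit entropy threshold are all constructed assumptions for the demonstration.

```python
import math
from collections import Counter

# Constructed sample flows (not real captures): name -> (dst_port, first client payload bytes)
SAMPLE_FLOWS = {
    "tls_443": (443, bytes.fromhex("160301002a0100002603036b") + bytes(32)),
    "http_80": (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "blob_443": (443, bytes((i * 97 + 13) % 256 for i in range(256))),   # high entropy, no TLS header
    "blob_8443": (8443, bytes((i * 53 + 7) % 256 for i in range(256))),  # same, on a non-standard port
    "zeros_4444": (4444, bytes(128) + b"ping"),                          # low entropy, unknown protocol
}

# Assumed protocol-per-port expectation; anything else on these ports is a mismatch
EXPECTED_PROTO = {80: "http", 443: "tls"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_tls(p: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), legacy version 0x0300 .. 0x0304
    return len(p) >= 5 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04

def looks_like_http(p: bytes) -> bool:
    return p.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/"))

def classify(payload: bytes, min_len: int = 128, threshold: float = 7.0) -> str:
    """Assign a simplified app_proto label: a recognised protocol, 'encrypted' for a
    high-entropy payload with no recognisable framing, otherwise 'unknown'."""
    if looks_like_tls(payload):
        return "tls"
    if looks_like_http(payload):
        return "http"
    if len(payload) >= min_len and shannon_entropy(payload) >= threshold:
        return "encrypted"
    return "unknown"

def review_flows(flows: dict) -> dict:
    """Return {flow_name: reason} for flows worth analyst review: the page's
    app_proto == "encrypted" filter plus port/protocol mismatches."""
    hits = {}
    for name, (port, payload) in flows.items():
        proto, expected = classify(payload), EXPECTED_PROTO.get(port)
        if proto == "encrypted":
            hits[name] = f"encrypted channel without recognised framing on port {port}"
        elif expected and proto != expected:
            hits[name] = f"port {port} expected {expected}, saw {proto}"
    return hits

if __name__ == "__main__":
    for name, reason in review_flows(SAMPLE_FLOWS).items():
        print(f"{name}: {reason}")
```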

Mitigation

ID: M1031
Name: Network Intrusion Prevention
Description:

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

ID: M1020
Name: SSL/TLS Inspection
Description:

SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.