T1573.001: Symmetric Cryptography
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.
Positive Technologies products that cover the technique
Detection
PT NAD can automatically detect and mark encrypted connections, as well as detect communication with C2 servers via encrypted channels with symmetric encryption, using rules and reputation lists. PT NAD has multiple rules detecting communication between malware and C2 servers as well as activities related to post-exploitation and hacking tools.
Examples of PT NAD detection rules
- REMOTE [PTsecurity] Xworm Ping (sid 10008313)
Examples of PT NAD filters
- app_proto == "encrypted"
Detection
| ID | DS0029 | Data source and component | Network Traffic: Network Traffic Content | Description | Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
|---|
Mitigation
| ID | M1031 | Name | Network Intrusion Prevention | Description | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
|---|