T1573

Encrypted Channel

Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

Platforms: ESXi, Linux, macOS, Network Devices, Windows

31 detections, 4 sources, 4 threat actors

BY SOURCE

21 sublime, 4 elastic, 4 sigma, 2 splunk_escu

PROCEDURES (22)

Auto-extracted keyword tags, each with the number of detections matching that keyword stem:

Attachment (4 detections)
Cloud (3 detections)
Encrypt (2 detections)
Bypass (2 detections)
Base64 (2 detections)
Command And Control (2 detections)
Credential (1 detection)
Script Execution Monitoring (1 detection)
Suspicious (1 detection)
Credential (1 detection)
Phish (1 detection)
Impersonat (1 detection)
Network Connection Monitoring (1 detection)
Office (1 detection)
Encrypt (1 detection)
Suspicious (1 detection)
Download (1 detection)
Download (1 detection)
Obfuscat (1 detection)
Remote (1 detection)
Remote (1 detection)
Office (1 detection)

DETECTIONS (31)

Detection name [source, severity]:

Activity from Anonymous IP Addresses [sigma, medium]
Activity from Infrequent Country [sigma, medium]
Activity from Suspicious IP Addresses [sigma, medium]
Adobe branded PDF file linking to a password-protected file from untrusted sender [sublime, high]
Attachment with encrypted zip (unsolicited) [sublime, medium]
Attachment with unscannable encrypted zip (unsolicited) [sublime, medium]
Attachment: Base64 encoded bash command in filename [sublime, high]
Attachment: EML with Encrypted ZIP [sublime, low]
Attachment: Encrypted Microsoft Office file (unsolicited) [sublime, medium]
Attachment: Encrypted PDF with credential theft body [sublime, medium]
Attachment: Encrypted ZIP containing VHDX file [sublime, medium]
Attachment: Encrypted zip file with payment-related lure [sublime, medium]
Attachment: HTML smuggling with excessive line break obfuscation [sublime, high]
Attachment: HTML smuggling with RC4 decryption [sublime, high]
Attachment: HTML smuggling with ROT13 [sublime, high]
Attachment: Password-protected PDF with fake document indicators [sublime, medium]
Attachment: PDF with password in filename matching body text [sublime, medium]
Attachment: PDF with recipient email in link [sublime, high]
Connection to Commonly Abused Free SSL Certificate Providers [elastic, low]
Default Cobalt Strike Team Server Certificate [elastic, high]
Encrypted Microsoft Office files from untrusted sender [sublime, medium]
IPSEC NAT Traversal Port Activity [elastic, low]
Link to auto-download of a suspicious file type (unsolicited) [sublime, medium]
Link to auto-downloaded disk image in encrypted zip [sublime, medium]
Link to auto-downloaded DMG in encrypted zip [sublime, high]
Link: Base64 encoded recipient address in URL fragment with subject hash [sublime, low]
Link: Excessive URL rewrite encoders [sublime, high]
Openssl Client or Server Activity [elastic, medium]
SSL Certificates with Punycode [splunk_escu, severity not listed]
Suspicious SSL Connection [sigma, low]
Zeek x509 Certificate with Punycode [splunk_escu, severity not listed]