EXPLORE
← Back to Explore
T1573

Encrypted Channel

Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

ESXiLinuxmacOSNetwork DevicesWindows
35
Detections
4
Sources
4
Threat Actors

BY SOURCE

24sublime5elastic4sigma2splunk_escu

PROCEDURES (23)

Attachment4 detections

Auto-extracted: 4 detections for attachment

Cloud3 detections

Auto-extracted: 3 detections for cloud

Base643 detections

Auto-extracted: 3 detections for base64

Impersonat2 detections

Auto-extracted: 2 detections for impersonat

Command And Control2 detections

Auto-extracted: 2 detections for command and control

Bypass2 detections

Auto-extracted: 2 detections for bypass

Download1 detections

Auto-extracted: 1 detections for download

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Office1 detections

Auto-extracted: 1 detections for office

Credential1 detections

Auto-extracted: 1 detections for credential

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Phish1 detections

Auto-extracted: 1 detections for phish

Service1 detections

Auto-extracted: 1 detections for service

Office1 detections

Auto-extracted: 1 detections for office

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Obfuscat1 detections

Auto-extracted: 1 detections for obfuscat

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Download1 detections

Auto-extracted: 1 detections for download

DETECTIONS (35)

Activity from Anonymous IP Addresses
sigmamedium
Activity from Infrequent Country
sigmamedium
Activity from Suspicious IP Addresses
sigmamedium
Adobe branded PDF file linking to a password-protected file from untrusted sender
sublimehigh
Attachment with encrypted zip (unsolicited)
sublimemedium
Attachment with unscannable encrypted zip
sublimemedium
Attachment: Base64 encoded bash command in filename
sublimehigh
Attachment: EML with Encrypted ZIP
sublimelow
Attachment: Encrypted Microsoft Office file (unsolicited)
sublimemedium
Attachment: Encrypted PDF With Credential Harvesting Indicators
sublimemedium
Attachment: Encrypted PDF with credential theft body
sublimemedium
Attachment: Encrypted PDF with credential theft language in EML
sublimemedium
Attachment: Encrypted ZIP containing VHDX file
sublimemedium
Attachment: Encrypted zip file with payment-related lure
sublimemedium
Attachment: HTML smuggling with excessive line break obfuscation
sublimehigh
Attachment: HTML smuggling with RC4 decryption
sublimehigh
Attachment: HTML smuggling with ROT13
sublimehigh
Attachment: Password-protected PDF with fake document indicators
sublimemedium
Attachment: PDF with password in filename matching body text
sublimemedium
Attachment: PDF with recipient email in link
sublimehigh
Connection to Commonly Abused Free SSL Certificate Providers
elasticlow
Default Cobalt Strike Team Server Certificate
elastichigh
Deprecated TLS Version or Weak Cipher Negotiated Externally
elasticmedium
Encrypted Microsoft Office files from untrusted sender
sublimemedium
IPSEC NAT Traversal Port Activity
elasticlow
Link to auto-download of a suspicious file type (unsolicited)
sublimemedium
Link to auto-downloaded disk image in encrypted zip
sublimemedium
Link to auto-downloaded DMG in encrypted zip
sublimehigh
Link: Base64 encoded recipient address in URL fragment with subject hash
sublimelow
Link: Excessive URL rewrite encoders
sublimehigh
Link: Suspicious Family fragment parameter with encoded recipient data
sublimehigh
Openssl Client or Server Activity
elasticmedium
SSL Certificates with Punycode
splunk_escu
Suspicious SSL Connection
sigmalow
Zeek x509 Certificate with Punycode
splunk_escu