Encrypted Channel - T1573
(ATT&CK® Technique)
Definition
Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if the secret keys are hard-coded in, or generated within, the malware samples or their configuration files.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
  T1573["Encrypted Channel"] --> |may-transfer| CertificateFile["Certificate File"];
  T1573["Encrypted Channel"] --> |creates| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
  T1573["Encrypted Channel"] --> |produces| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];

  DecoyFile["Decoy File"] --> |spoofs| CertificateFile["Certificate File"];
  DecoyFile["Decoy File"] -.-> |may-deceive| T1573["Encrypted Channel"];

  ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> |analyzes| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
  ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.-> |may-detect| T1573["Encrypted Channel"];

  CertificateAnalysis["Certificate Analysis"] --> |analyzes| CertificateFile["Certificate File"];
  CertificateAnalysis["Certificate Analysis"] -.-> |may-detect| T1573["Encrypted Channel"];

  NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] --> |analyzes| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
  NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.-> |may-detect| T1573["Encrypted Channel"];

  Client-serverPayloadProfiling["Client-server Payload Profiling"] --> |analyzes| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
  Client-serverPayloadProfiling["Client-server Payload Profiling"] -.-> |may-detect| T1573["Encrypted Channel"];

  RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> |analyzes| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
  RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.-> |may-detect| T1573["Encrypted Channel"];

  NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> |analyzes| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
  NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.-> |may-detect| T1573["Encrypted Channel"];

  RelayPatternAnalysis["Relay Pattern Analysis"] --> |analyzes| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
  RelayPatternAnalysis["Relay Pattern Analysis"] -.-> |may-detect| T1573["Encrypted Channel"];

  PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> |analyzes| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
  PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.-> |may-detect| T1573["Encrypted Channel"];

  UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> |analyzes| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
  UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.-> |may-detect| T1573["Encrypted Channel"];

  FileIntegrityMonitoring["File Integrity Monitoring"] --> |analyzes| CertificateFile["Certificate File"];
  FileIntegrityMonitoring["File Integrity Monitoring"] -.-> |may-detect| T1573["Encrypted Channel"];

  ContentQuarantine["Content Quarantine"] --> |quarantines| CertificateFile["Certificate File"];
  ContentQuarantine["Content Quarantine"] -.-> |may-isolate| T1573["Encrypted Channel"];

  ContentModification["Content Modification"] --> |modifies| CertificateFile["Certificate File"];
  ContentModification["Content Modification"] -.-> |may-isolate| T1573["Encrypted Channel"];

  FileEviction["File Eviction"] --> |deletes| CertificateFile["Certificate File"];
  FileEviction["File Eviction"] -.-> |may-evict| T1573["Encrypted Channel"];

  FileEncryption["File Encryption"] --> |encrypts| CertificateFile["Certificate File"];
  FileEncryption["File Encryption"] -.-> |may-harden| T1573["Encrypted Channel"];

  RestoreFile["Restore File"] --> |restores| CertificateFile["Certificate File"];
  RestoreFile["Restore File"] -.-> |may-restore| T1573["Encrypted Channel"];

  NetworkTrafficFiltering["Network Traffic Filtering"] --> |filters| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
  NetworkTrafficFiltering["Network Traffic Filtering"] -.-> |may-isolate| T1573["Encrypted Channel"];

  LocalFilePermissions["Local File Permissions"] --> |restricts| CertificateFile["Certificate File"];
  LocalFilePermissions["Local File Permissions"] -.-> |may-isolate| T1573["Encrypted Channel"];

  FileAnalysis["File Analysis"] --> |analyzes| CertificateFile["Certificate File"];
  FileAnalysis["File Analysis"] -.-> |may-detect| T1573["Encrypted Channel"];

  ContentFiltering["Content Filtering"] --> |filters| CertificateFile["Certificate File"];
  ContentFiltering["Content Filtering"] -.-> |may-isolate| T1573["Encrypted Channel"];

  OutboundTrafficFiltering["Outbound Traffic Filtering"] --> |filters| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];
  OutboundTrafficFiltering["Outbound Traffic Filtering"] -.-> |may-isolate| T1573["Encrypted Channel"];

  RemoteFileAccessMediation["Remote File Access Mediation"] --> |isolates| CertificateFile["Certificate File"];
  RemoteFileAccessMediation["Remote File Access Mediation"] -.-> |may-isolate| T1573["Encrypted Channel"];

  class T1573 OffensiveTechniqueNode;
  class CertificateFile,OutboundInternetEncryptedTraffic ArtifactNode;
  class DecoyFile,ProtocolMetadataAnomalyDetection,CertificateAnalysis,NetworkTrafficSignatureAnalysis,Client-serverPayloadProfiling,RemoteTerminalSessionDetection,NetworkTrafficCommunityDeviation,RelayPatternAnalysis,PerHostDownload-UploadRatioAnalysis,UserGeolocationLogonPatternAnalysis,FileIntegrityMonitoring,ContentQuarantine,ContentModification,FileEviction,FileEncryption,RestoreFile,NetworkTrafficFiltering,LocalFilePermissions,FileAnalysis,ContentFiltering,OutboundTrafficFiltering,RemoteFileAccessMediation DefensiveTechniqueNode;

  click T1573 href "../../../offensive-technique/attack/T1573/";
  click CertificateFile href "../../../dao/artifact/d3f:CertificateFile";
  click OutboundInternetEncryptedTraffic href "../../../dao/artifact/d3f:OutboundInternetEncryptedTraffic";
  click DecoyFile href "../../../technique/d3f:DecoyFile";
  click ProtocolMetadataAnomalyDetection href "../../../technique/d3f:ProtocolMetadataAnomalyDetection";
  click CertificateAnalysis href "../../../technique/d3f:CertificateAnalysis";
  click NetworkTrafficSignatureAnalysis href "../../../technique/d3f:NetworkTrafficSignatureAnalysis";
  click Client-serverPayloadProfiling href "../../../technique/d3f:Client-serverPayloadProfiling";
  click RemoteTerminalSessionDetection href "../../../technique/d3f:RemoteTerminalSessionDetection";
  click NetworkTrafficCommunityDeviation href "../../../technique/d3f:NetworkTrafficCommunityDeviation";
  click RelayPatternAnalysis href "../../../technique/d3f:RelayPatternAnalysis";
  click PerHostDownload-UploadRatioAnalysis href "../../../technique/d3f:PerHostDownload-UploadRatioAnalysis";
  click UserGeolocationLogonPatternAnalysis href "../../../technique/d3f:UserGeolocationLogonPatternAnalysis";
  click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring";
  click ContentQuarantine href "../../../technique/d3f:ContentQuarantine";
  click ContentModification href "../../../technique/d3f:ContentModification";
  click FileEviction href "../../../technique/d3f:FileEviction";
  click FileEncryption href "../../../technique/d3f:FileEncryption";
  click RestoreFile href "../../../technique/d3f:RestoreFile";
  click NetworkTrafficFiltering href "../../../technique/d3f:NetworkTrafficFiltering";
  click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions";
  click FileAnalysis href "../../../technique/d3f:FileAnalysis";
  click ContentFiltering href "../../../technique/d3f:ContentFiltering";
  click OutboundTrafficFiltering href "../../../technique/d3f:OutboundTrafficFiltering";
  click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation";