Esc
Symmetric Cryptography - T1573.001

(ATT&CK® Technique)
Definition

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1573001["Symmetric Cryptography"] --> |creates| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"]; class T1573001 OffensiveTechniqueNode;
        class OutboundInternetEncryptedTraffic ArtifactNode; click OutboundInternetEncryptedTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedTraffic";
        click T1573001 href "/offensive-technique/attack/T1573.001/"; click OutboundInternetEncryptedTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedTraffic";          T1573001["Symmetric Cryptography"] --> |produces| OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"]; class T1573001 OffensiveTechniqueNode;
        class OutboundInternetEncryptedTraffic ArtifactNode; click OutboundInternetEncryptedTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedTraffic";
        click T1573001 href "/offensive-technique/attack/T1573.001/"; click OutboundInternetEncryptedTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedTraffic";    RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1573001["Symmetric Cryptography"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class OutboundInternetEncryptedTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1573001["Symmetric Cryptography"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";         RelayPatternAnalysis["Relay Pattern Analysis"] -->
          | analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];

          RelayPatternAnalysis["Relay Pattern Analysis"] -.->
            | may-detect | T1573001["Symmetric Cryptography"] ;
          class RelayPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedTraffic ArtifactNode;
          click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis";                               UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1573001["Symmetric Cryptography"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1573001["Symmetric Cryptography"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetEncryptedTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";                                 Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1573001["Symmetric Cryptography"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class OutboundInternetEncryptedTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1573001["Symmetric Cryptography"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class OutboundInternetEncryptedTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1573001["Symmetric Cryptography"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1573001["Symmetric Cryptography"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class OutboundInternetEncryptedTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";                                                         OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
          | filters | OutboundInternetEncryptedTraffic["Outbound Internet Encrypted Traffic"];

          OutboundTrafficFiltering["Outbound Traffic Filtering"] -.->
            | may-isolate | T1573001["Symmetric Cryptography"] ;
          class OutboundTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetEncryptedTraffic ArtifactNode;
          click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering";
json