Encrypted Channel

Encrypted Channel refers to a network adversary technique in which the attacker uses cryptographic means to encrypt communication content so that command and control (C2) traffic is protected from eavesdropping or analysis. A traditional encrypted channel typically uses a fixed encryption algorithm with a static key and establishes an encrypted session with the target system to transmit data covertly. Defenders can identify potentially malicious encrypted communication through SSL/TLS decryption, traffic-feature analysis and anomalous-protocol detection, for example by detecting encrypted handshakes that do not conform to the protocol specification, identifying encrypted traffic on uncommon ports, or analyzing timing anomalies in communication patterns.

The current evolution of encrypted-channel evasion techniques centers on three dimensions: making the cryptographic system dynamic, making protocol behavior realistic, and decentralizing the transport architecture. Dynamic key rotation continuously updates cryptographic parameters to defeat static feature extraction, so that traditional signature-based detection fails; protocol-mimicking encrypted tunnels precisely replicate the behavior of legitimate applications at every layer of the protocol stack, evading the protocol-compliance checks of deep packet inspection devices; and distributed proxy-chain transport uses multi-node encrypted relays and dynamic routing to spread communication characteristics across multiple dimensions of network space. What the three have in common is that they break the static "end-to-end" model of the traditional encrypted channel and build an elastic, environment-adaptive encryption system, combining cryptography, protocol engineering and network topology to disguise encrypted traffic comprehensively in terms of protocol compliance, behavioral legitimacy and topological concealment.

ID: T1573
Sub-techniques: T1573.001, T1573.002, T1573.003
Tactic: Command and Control
Platforms: Linux, Network, Windows, macOS
Version: 1.1
Created: 16 March 2020
Last Modified: 16 April 2024

Evasion Effects

| Effect type | Present |
|---|---|
| Feature camouflage | |
| Behavioral transparency | |
| Data obscuration | |
| Spatiotemporal trace dispersion | |

Feature camouflage

Through deep protocol-stack emulation, adversaries make the encrypted channel identical to a legitimate encrypted application (such as HTTPS or SSH) in header structure, handshake flow and data encapsulation. Some advanced implementations can also adapt dynamically to the dominant protocol types on the target network, so that at the protocol-parsing level the encrypted traffic cannot be distinguished from normal business traffic, achieving deep disguise of communication characteristics.

Data obscuration

Strong, industry-standard encryption algorithms (such as AES-256 or ChaCha20) are used to encrypt communication content end to end, combined with a forward-secure design that ensures past communications cannot be decrypted. Some techniques introduce multi-layer encryption, encrypting the data repeatedly in transit so that decrypting any single layer yields no usable information, completely obscuring the data content.

Spatiotemporal trace dispersion

A distributed proxy chain is used to build a dynamic transport path that spreads a single communication session across multiple geographic nodes and time slices. The elastic scaling of cloud infrastructure is used to create and destroy proxy nodes dynamically, so that the topology of the encrypted channel changes continuously. This dynamic dispersion across space and time dilutes communication characteristics over a wide network area and a long running period, making effective correlation analysis difficult for traditional detection systems that rely on single-point collection.

Procedure Examples

| ID | Name | Description |
|---|---|---|
| G0016 | APT29 | APT29 has used multiple layers of encryption within malware to protect C2 communication.[1] |
| G1002 | BITTER | BITTER has encrypted their C2 communications.[2] |
| S0631 | Chaes | Chaes has used encryption for its C2 channel.[3] |
| S0498 | Cryptoistic | Cryptoistic can engage in encrypted communications with C2.[4] |
| S0367 | Emotet | Emotet has encrypted data before sending to the C2 server.[5] |
| S0032 | gh0st RAT | gh0st RAT has encrypted TCP communications to evade detection.[6] |
| C0035 | KV Botnet Activity | KV Botnet Activity command and control activity includes transmission of an RSA public key in communication from the server, but this is followed by subsequent negotiation stages that represent a form of handshake similar to TLS negotiation.[7] |
| S0681 | Lizar | Lizar can support encrypted communications between the client and server.[8][9] |
| S1016 | MacMa | MacMa has used TLS encryption to initialize a custom protocol for C2 communications.[10] |
| G0059 | Magic Hound | Magic Hound has used an encrypted HTTP proxy in C2 communications.[11] |
| S0198 | NETWIRE | NETWIRE can encrypt C2 communications.[12] |
| S1012 | PowerLess | PowerLess can use an encrypted channel for C2 communications.[13] |
| S1046 | PowGoop | PowGoop can receive encrypted commands from C2.[14] |
| S0662 | RCSession | RCSession can use an encrypted beacon to check in with C2.[15] |
| C0030 | Triton Safety Instrumented System Attack | In the Triton Safety Instrumented System Attack, TEMP.Veles used cryptcat binaries to encrypt their traffic.[16] |
| G0081 | Tropic Trooper | Tropic Trooper has encrypted traffic with the C2 to prevent network detection.[17] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| M1020 | SSL/TLS Inspection | SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. |

Detection

| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)). |
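The description at the top of this page names three defender-side checks for this technique (handshakes that do not conform to the protocol, encrypted traffic on uncommon ports, and timing anomalies in communication patterns), and the detection row above asks for traffic that does not follow expected protocol standards. The script below is an added example written for this page, not MITRE's or any vendor's tooling; it runs those three heuristics over constructed flow records. The record layout, the list of ports where TLS is expected, the sample addresses and the thresholds are all assumptions chosen for the illustration.

```python
"""Three heuristics for spotting anomalous encrypted channels in flow records (T1573).

Constructed example: records are (timestamp_seconds, src, dst, dport, first_client_bytes).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Ports on which this hypothetical environment expects TLS handshakes (assumption).
EXPECTED_TLS_PORTS = {443, 8443, 465, 993, 995}

# Constructed sample flows. A genuine TLS handshake record starts with
# content type 0x16 and major version 0x03.
SAMPLE_FLOWS = [
    (0,   "10.0.0.5", "203.0.113.10",  443,  b"\x16\x03\x01"),  # exact 60 s beacon
    (60,  "10.0.0.5", "203.0.113.10",  443,  b"\x16\x03\x01"),
    (120, "10.0.0.5", "203.0.113.10",  443,  b"\x16\x03\x01"),
    (180, "10.0.0.5", "203.0.113.10",  443,  b"\x16\x03\x01"),
    (5,   "10.0.0.7", "198.51.100.8",  4444, b"\x16\x03\x03"),  # TLS on an unexpected port
    (9,   "10.0.0.9", "203.0.113.20",  443,  b"\x8a\x31\xf0"),  # port 443, but not a TLS record
    (33,  "10.0.0.9", "203.0.113.20",  443,  b"\x8a\x31\xf0"),
    (11,  "10.0.0.3", "93.184.216.34", 443,  b"\x16\x03\x01"),  # ordinary browsing
    (700, "10.0.0.3", "93.184.216.34", 443,  b"\x16\x03\x01"),
]


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True when the bytes form a TLS handshake record header: type 0x16, version 0x03 0x00..0x04."""
    return (len(first_bytes) >= 3
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x04)


def unexpected_port_tls(flows):
    """Rule 1: valid TLS handshakes on ports where this environment does not expect TLS."""
    return [f for f in flows
            if looks_like_tls_client_hello(f[4]) and f[3] not in EXPECTED_TLS_PORTS]


def non_tls_on_tls_port(flows):
    """Rule 2: traffic on a TLS port whose first record is not a TLS handshake.

    This is the 'does not follow the expected protocol standard' case: an opaque or
    custom encryption layer hiding behind a well-known port.
    """
    return [f for f in flows
            if f[3] in EXPECTED_TLS_PORTS and not looks_like_tls_client_hello(f[4])]


def beaconing_pairs(flows, min_conns=4, max_cv=0.1):
    """Rule 3: src/dst/port triples whose connection intervals are suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the gaps
    between connections; returns {triple: mean_gap_seconds} for triples under max_cv.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst, dport)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = avg
    return hits


if __name__ == "__main__":
    print("TLS on unexpected port:", unexpected_port_tls(SAMPLE_FLOWS))
    print("non-TLS on TLS port:   ", non_tls_on_tls_port(SAMPLE_FLOWS))
    print("regular beacons:       ", beaconing_pairs(SAMPLE_FLOWS))
```

Each rule on its own produces false positives: legitimate services run TLS on unusual ports, non-TLS protocols are sometimes pinned to 443 by corporate proxies, and software-update agents beacon on fixed schedules. The value is in correlating the hits, as the detection row suggests, with the process and command line that opened the connection, and in tuning `EXPECTED_TLS_PORTS`, `min_conns` and `max_cv` to the environment.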

References