Symantec: Encrypted Channel (T1573)
Carbanak+FIN7

| Step | ATT&CK Pattern |
| --- | --- |
| 1.A.11 | Tactic: Command and Control (TA0011); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 8.A.3 | Tactic: Command and Control (TA0011); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 14.A.7 | Tactic: Command and Control (TA0011); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 16.A.9 | Tactic: Command and Control (TA0011); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 17.A.6 | Tactic: Command and Control (TA0011); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 20.A.4 | Tactic: Command and Control (TA0011); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
APT29

| Step | ATT&CK Pattern |
| --- | --- |
| 1.A.4 | Tactic: Command and Control (TA0011); Subtechnique: Encrypted Channel: Symmetric Cryptography (T1573.001) |
| 3.B.5 | Tactic: Command and Control (TA0011); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 11.A.15 | Tactic: Command and Control (TA0011); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted

Procedure: Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Footnotes
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).