MITRE ATT&CK® Detection Strategy

DET0143: Detection Strategy for Encrypted Channel via Symmetric Cryptography across OS Platforms


Enterprise | DET0143 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0143 is a MITRE detection strategy associated with adversary command-and-control traffic that is concealed using symmetric cryptography, such as AES, DES, 3DES, Blowfish, or RC4. The business significance is not the encryption algorithm itself; it is that encrypted C2 can reduce the value of simple content inspection and force defenders to rely on network behavior, endpoint context, and infrastructure patterns to decide whether communications are legitimate or hostile.

Executive priority

Security leaders should treat this as a coverage-validation item for command-and-control resilience. Ask whether SOC and incident response teams can investigate suspicious encrypted traffic on the related platforms (ESXi, Linux, macOS, and network devices) without depending only on plaintext inspection. This matters for business continuity because C2 visibility often determines containment speed, scoping confidence, and evidence quality during an incident.

Technical view

MITRE provides no official description or detection logic for DET0143, so teams should anchor validation to the relationship: it detects T1573.001, Symmetric Cryptography, under command-and-control. SOC and detection engineering teams should assess whether they can correlate encrypted session metadata, process or service ownership, destination reputation, beacon-like timing, unusual ports or protocols, and device role context across the related platforms. IR teams should confirm they can trace a suspicious encrypted connection back to a host, process, account, service, or network device configuration where local telemetry allows it.

Likely telemetry

  • Network flow metadata, including source, destination, port, protocol, byte counts, session duration, and timing patterns
  • DNS and destination enrichment data where available
  • Proxy, firewall, VPN, and network device logs
  • Endpoint process and network connection telemetry on Linux and macOS where deployed
  • ESXi host and management-plane logs where relevant to local architecture

Detection direction

  • Validate that encrypted outbound or lateral communications can be investigated using metadata and context, not only decrypted content.
  • Tune for suspicious command-and-control patterns such as unusual destinations, uncommon service relationships, repetitive timing, unexpected encrypted sessions from infrastructure systems, or traffic inconsistent with the asset role.
  • Correlate network observations with host or device telemetry to reduce false positives from legitimate encrypted applications and administrative tools.
  • Pay special attention to blind spots on ESXi, network devices, and non-Windows systems, where endpoint telemetry may be thinner or inconsistently deployed.
  • Use the T1573.001 relationship to prioritize coverage for command-and-control investigation workflows rather than treating DET0143 as a complete detection rule.
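The Technical view and Detection direction above describe metadata-driven triage: group encrypted sessions, look for beacon-like timing and near-constant payload sizes, then correlate with asset role and destination policy before raising an alert. The following is an added example written for this page, not Glexia's or MITRE's code; the flow records, asset roles, approved-destination map, and thresholds are all constructed and hypothetical, and in practice would come from flow exporters, the CMDB, and egress policy.

```python
"""Beacon-like encrypted session triage over flow metadata (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records, one per session (not real telemetry).
# Fields: timestamp (epoch seconds), source host, asset role, destination IP,
# destination port, protocol, bytes sent. Addresses are documentation ranges.
SAMPLE_FLOWS = """\
1700000000,esxi-01,esxi,203.0.113.10,443,tcp,812
1700000300,esxi-01,esxi,203.0.113.10,443,tcp,790
1700000598,esxi-01,esxi,203.0.113.10,443,tcp,805
1700000901,esxi-01,esxi,203.0.113.10,443,tcp,820
1700001199,esxi-01,esxi,203.0.113.10,443,tcp,799
1700000010,ws-42,workstation,198.51.100.20,443,tcp,1500
1700000070,ws-42,workstation,198.51.100.20,443,tcp,1510
1700000130,ws-42,workstation,198.51.100.20,443,tcp,1495
1700000190,ws-42,workstation,198.51.100.20,443,tcp,1502
1700000050,lnx-db-03,linux_server,192.0.2.77,8443,tcp,512
1700000650,lnx-db-03,linux_server,192.0.2.77,8443,tcp,530
1700001250,lnx-db-03,linux_server,192.0.2.77,8443,tcp,509
1700001850,lnx-db-03,linux_server,192.0.2.77,8443,tcp,515
"""

# Constructed context: which destinations each asset role is expected to reach
# (hypothetical; a real deployment derives this from the CMDB / egress policy).
APPROVED_DESTINATIONS = {
    "esxi": {"198.51.100.5"},          # e.g. management / update mirror
    "workstation": {"198.51.100.20"},  # e.g. endpoint agent backend
    "linux_server": set(),
}
COMMON_PORTS = {443, 80}   # ports where encrypted egress is routine for most roles

MIN_SESSIONS = 4           # enough intervals to judge regularity
MAX_GAP_JITTER = 0.15      # pstdev/mean of inter-arrival times; low = beacon-like
MAX_BYTE_JITTER = 0.25     # pstdev/mean of payload sizes; low = fixed-size check-ins


def parse_flows(text):
    """Parse the CSV-style flow records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, role, dst, port, proto, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "role": role, "dst": dst,
                      "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows


def session_stats(flows):
    """Group sessions per (src, role, dst, port) and measure timing/size regularity."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["role"], f["dst"], f["port"])].append(f)
    stats = {}
    for key, sessions in groups.items():
        sessions.sort(key=lambda f: f["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(sessions, sessions[1:])]
        sizes = [f["bytes"] for f in sessions]
        stats[key] = {
            "count": len(sessions),
            "mean_gap": mean(gaps) if gaps else 0.0,
            "gap_jitter": (pstdev(gaps) / mean(gaps)) if len(gaps) > 1 and mean(gaps) else None,
            "byte_jitter": (pstdev(sizes) / mean(sizes)) if mean(sizes) else None,
        }
    return stats


def find_beacon_candidates(flows):
    """Raise only when a behavioral signal AND a context signal coincide.

    Behavioral: regular timing or near-constant size. Context: destination not
    approved for the asset role, or an uncommon port. Requiring both is what keeps
    a legitimate agent that polls an approved backend on a fixed schedule quiet.
    """
    findings = []
    for (src, role, dst, port), s in session_stats(flows).items():
        behavioral, context = [], []
        if s["count"] >= MIN_SESSIONS:
            if s["gap_jitter"] is not None and s["gap_jitter"] <= MAX_GAP_JITTER:
                behavioral.append(f"regular timing (~{s['mean_gap']:.0f}s, jitter {s['gap_jitter']:.2f})")
            if s["byte_jitter"] is not None and s["byte_jitter"] <= MAX_BYTE_JITTER:
                behavioral.append("near-constant payload size")
        if dst not in APPROVED_DESTINATIONS.get(role, set()):
            context.append(f"destination {dst} not approved for role '{role}'")
        if port not in COMMON_PORTS:
            context.append(f"uncommon port {port}")
        if behavioral and context:
            findings.append({"src": src, "role": role, "dst": dst, "port": port,
                             "reasons": behavioral + context})
    return findings


if __name__ == "__main__":
    for f in find_beacon_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['src']} ({f['role']}) -> {f['dst']}:{f['port']}: " + "; ".join(f["reasons"]))
```

On the constructed data the ESXi host and the Linux server are raised (regular check-ins to destinations their roles have no business with, the latter also on an uncommon port), while the workstation's equally regular traffic to an approved backend is not, which is the false-positive reduction the Detection direction list asks for. Each finding carries the host, role, destination and port so an IR analyst can pivot to process or device telemetry where it exists.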

Mitigation priorities

  • Inventory where encrypted traffic visibility depends on logs, flow records, endpoint telemetry, or packet capture, and identify gaps on the related platforms.
  • Ensure egress monitoring and network logging are sufficient to support C2 triage and containment decisions.
  • Harden and monitor infrastructure assets such as ESXi hosts and network devices because limited telemetry can make encrypted C2 harder to validate.
  • Define incident response playbooks for suspicious encrypted communications, including ownership lookup, asset role review, destination analysis, and containment decision points.
  • Maintain compliance-ready evidence that encrypted traffic monitoring and investigation procedures exist, especially where decryption is not feasible or appropriate.

Analyst notes and limits

This take is based on the detection strategy object DET0143 and its relationship to T1573.001, Symmetric Cryptography. MITRE did not provide official detection text, platforms, tactics, aliases, or a description for the detection strategy itself. The related technique supplies the command-and-control context, related platforms, and examples of symmetric algorithms.

Because the official DET0143 object contains no detection logic or description, this summary cannot assert specific analytics, coverage, data-source requirements, or effectiveness. Local architecture, logging depth, encryption policy, and asset criticality determine what is practical to detect and investigate.

Official MITRE ATT&CK definition

Detection Strategy for Encrypted Channel via Symmetric Cryptography across OS Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                    Type           Relationship / procedure
Enterprise  T1573.001  Symmetric Cryptography  Sub-technique  This object detects Symmetric Cryptography.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 97135a7e0613e17b...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  97135a7e0613…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0143

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.