MITRE ATT&CK® Technique

T1573: Encrypted Channel

Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

Enterprise | T1573 | Technique | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Encrypted Channel (T1573) matters because it lets command-and-control traffic blend into environments where encryption is normal. The business issue is not simply “encrypted traffic exists”; it is whether the organization can distinguish legitimate encrypted communications from malware-controlled sessions when payload content may be hidden. This affects SOC visibility, incident response speed, and—where operational technology or network devices are in scope—resilience decisions during a suspected compromise.

Executive priority

Leaders should treat this as a visibility and control-prioritization question. Ask whether critical platforms listed by ATT&CK—Windows, Linux, macOS, ESXi, and network devices—generate enough network and endpoint evidence to investigate encrypted C2 without relying only on content inspection. Budget and risk decisions should balance SSL/TLS inspection and network intrusion prevention against privacy, operational, and inspection-risk considerations noted by ATT&CK’s references and mitigation relationships. The relationship to the Triton Safety Instrumented System Attack and KV Botnet Activity makes this especially relevant for organizations with cyber-physical operations, critical infrastructure exposure, or unmanaged/end-of-life network equipment.

Technical view

For SOC, detection engineering, and IR teams, validate coverage around command-and-control over encrypted channels rather than assuming protocol encryption is benign. ATT&CK does not provide native detection text for T1573, so teams should anchor detection work to the related detection strategy DET0273, the mitigation relationships for SSL/TLS Inspection (M1020) and Network Intrusion Prevention (M1031), and the sub-techniques for symmetric and asymmetric cryptography. Practical validation should include whether analysts can correlate encrypted network sessions with process, host, user, destination, certificate, and device context across Windows, Linux, macOS, ESXi, and network devices. Malware relationships such as gh0st RAT, NETWIRE, Emotet, Cryptoistic, Chaes, RCSession, Lizar, PowerLess, MacMa, and PowGoop show that this behavior is not limited to one operating system or tool family.

Likely telemetry

  • Network flow records and connection metadata for encrypted outbound and lateral communications
  • TLS/SSL inspection logs where inspection is authorized and technically feasible
  • Network intrusion detection/prevention alerts and signature matches at boundaries
  • DNS, proxy, and secure web gateway logs associated with encrypted sessions
  • Endpoint process-to-network connection telemetry on Windows, Linux, macOS, and ESXi where available

Detection direction

  • Do not depend only on decrypting payloads; validate metadata-based detections for unusual encrypted session patterns, rare destinations, unexpected processes initiating encrypted connections, and abnormal timing or volume.
  • Where SSL/TLS inspection is deployed, confirm scope, exclusions, privacy constraints, certificate handling, and operational risks; inspection gaps can become blind spots.
  • Tune detections by platform and asset role. Encrypted traffic from servers, ESXi hosts, network devices, or administrative systems should be baselined differently from normal user browsing.
  • Use relationship context to test coverage against both symmetric and asymmetric encrypted C2 patterns, without assuming a single protocol or algorithm.
  • Correlate network alerts with endpoint and identity context to reduce false positives from legitimate encrypted business applications.
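Metadata-only triage of encrypted sessions along the lines of this list, as an added example that is not Glexia's or ATT&CK's code: it takes constructed process-to-network records and applies the checks named above (a process that is unexpected as a TLS initiator for the asset role, a destination seen from few hosts fleet-wide, and beacon-like regular timing). Field names, the per-role baselines and the sample telemetry are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (host, process, destination, timestamp_seconds)
# for outbound TLS sessions, e.g. flow records joined with endpoint events.
RECORDS = [
    ("ws01", "chrome.exe", "203.0.113.10", 0),
    ("ws01", "chrome.exe", "203.0.113.10", 37),
    ("ws02", "chrome.exe", "203.0.113.10", 5),
    ("ws01", "update.exe", "198.51.100.7", 0),
    ("ws01", "update.exe", "198.51.100.7", 300),
    ("ws01", "update.exe", "198.51.100.7", 600),
    ("ws01", "update.exe", "198.51.100.7", 900),
    ("srv01", "backupagent.exe", "192.0.2.50", 0),
    ("srv01", "backupagent.exe", "192.0.2.50", 3605),
    ("srv01", "backupagent.exe", "192.0.2.50", 7190),
    ("srv01", "backupagent.exe", "192.0.2.50", 10830),
]
ROLES = {"ws01": "workstation", "ws02": "workstation", "srv01": "server"}
# Assumed per-role baseline of processes expected to open encrypted sessions.
EXPECTED_INITIATORS = {"workstation": {"chrome.exe", "outlook.exe"}, "server": {"backupagent.exe"}}

def is_periodic(times, min_sessions=4, max_cv=0.15):
    """Beacon-like timing: enough sessions with low jitter between them."""
    if len(times) < min_sessions:
        return False
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv

def triage(records, roles, expected=EXPECTED_INITIATORS, rare_hosts=1):
    """Map (host, process, destination) to the metadata reasons it merits review."""
    hosts_per_dst = defaultdict(set)
    sessions = defaultdict(list)
    for host, proc, dst, ts in records:
        hosts_per_dst[dst].add(host)
        sessions[(host, proc, dst)].append(ts)
    findings = {}
    for (host, proc, dst), times in sessions.items():
        reasons = []
        if proc not in expected.get(roles.get(host, "workstation"), set()):
            reasons.append("unexpected_process")
        if len(hosts_per_dst[dst]) <= rare_hosts:  # seen from few hosts fleet-wide
            reasons.append("rare_destination")
        if is_periodic(times):
            reasons.append("periodic_timing")
        if reasons:
            findings[(host, proc, dst)] = reasons
    return findings
```

An expected process running a scheduled job (srv01 here) still surfaces as rare plus periodic, which is why the endpoint and identity correlation in the last bullet belongs before any alert is raised.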

Mitigation priorities

  • Prioritize network intrusion prevention at network boundaries where signatures and policy controls can block known malicious traffic patterns.
  • Evaluate SSL/TLS inspection for high-risk network segments, egress paths, and investigative workflows, while accounting for the inspection risks and limitations identified in ATT&CK references.
  • Strengthen egress visibility and policy enforcement for critical assets, network devices, ESXi infrastructure, and systems supporting operational resilience.
  • Maintain endpoint-to-network correlation so encrypted C2 investigations are not blocked when payload inspection is unavailable or inappropriate.
  • For environments with critical infrastructure or cyber-physical exposure, include encrypted C2 scenarios in incident response and business continuity exercises.

Analyst notes and limits

T1573 consolidates earlier revoked techniques for custom cryptographic protocol, standard cryptographic protocol, and multilayer encryption, so historical analytics may need ATT&CK mapping updates. The supplied relationships show usage by multiple groups, campaigns, and software families, but they should be used for contextual prioritization, not as proof of current activity in any given environment.

ATT&CK provides no official detection text for this technique in the supplied object. Specific detection logic, thresholds, and inspection feasibility require local network architecture, privacy policy, asset criticality, and telemetry validation. The supplied relationship descriptions are partial in places, and this take does not infer exposure or active exploitation beyond the listed ATT&CK relationships.

Official MITRE ATT&CK definition

Encrypted Channel

Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1573.002 | Asymmetric Cryptography (Sub-technique) | Asymmetric Cryptography subtechnique of this object.
Enterprise | T1024 | Custom Cryptographic Protocol | Custom Cryptographic Protocol revoked by this object.
Enterprise | T1032 | Standard Cryptographic Protocol | Standard Cryptographic Protocol revoked by this object.
Enterprise | T1573.001 | Symmetric Cryptography (Sub-technique) | Symmetric Cryptography subtechnique of this object.
Enterprise | T1079 | Multilayer Encryption | Multilayer Encryption revoked by this object.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0059: Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

Group Enterprise

G1002: BITTER

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[1][2]

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Malware Enterprise

S0631: Chaes

Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.[1]

Platforms: Windows

Malware Enterprise

S0681: Lizar

Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities with Carbanak. It has likely been used by FIN7 since at least February 2021.[1][2][3]

Platforms: Windows

Malware Enterprise

S0198: NETWIRE

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.[1][2][3]

Platforms: Windows, Linux, macOS

Malware Enterprise

S1016: MacMa

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[1] MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.[2]

Platforms: macOS

Malware Enterprise

S0367: Emotet

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.[1]

Platforms: Windows

Campaign Enterprise

C0035: KV Botnet Activity

KV Botnet Activity consisted of exploitation of primarily “end-of-life” small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. KV Botnet Activity was used by Volt Typhoon to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based on the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.[1] This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024.[2]

Campaign Enterprise

C0030: Triton Safety Instrumented System Attack

Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization.[1] The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment.[2] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 118c1231f501f60b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 118c1231f501…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] SANS Decrypting SSL: Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016.

[2] SEI SSL Inspection Risks: Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016.

[3] University of Birmingham C2: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.

[4] mitre-attack T1573.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.