Symmetric Cryptography

Information

• Name: Symmetric Cryptography

• ID: T1573.001

• Tactics: TA0011

• Technique: T1573

Introduction

Symmetric Cryptography (T1573.001) is a sub-technique defined within the MITRE ATT&CK framework under the broader category of encrypted communication. Symmetric cryptography employs encryption algorithms that use the same cryptographic keys for both encryption and decryption processes. Attackers leverage symmetric encryption methods to conceal command-and-control (C2) channels, exfiltrate sensitive data, and evade detection by security monitoring tools. Due to the simplicity, speed, and efficiency of symmetric encryption algorithms, adversaries frequently adopt them to protect their communications and maintain stealth within compromised environments.

Deep Dive Into Technique

Symmetric cryptography involves the use of a single shared key to encrypt and decrypt data, thereby ensuring confidentiality and integrity of the communication channel. Attackers typically execute this technique through the following methods:

• Pre-shared Keys: Attackers embed symmetric encryption keys within malware binaries or configuration files, enabling encrypted communication with command-and-control servers.

• Dynamic Key Generation: Attackers may dynamically generate symmetric keys at runtime, exchanging keys through secure or obfuscated channels to avoid detection.

• Common Algorithms: Common symmetric encryption algorithms leveraged by attackers include:

  • AES (Advanced Encryption Standard)

  • DES (Data Encryption Standard)

  • 3DES (Triple DES)

  • RC4 (Rivest Cipher 4)

  • Blowfish

  • Twofish

  • ChaCha20

• Obfuscation and Encoding: Attackers often combine symmetric encryption with encoding methods (such as Base64 or hexadecimal encoding) to further obfuscate encrypted payloads and evade detection.

• Encrypted Payload Delivery: Malware payloads and malicious scripts may be encrypted using symmetric cryptography to bypass signature-based detection mechanisms, ensuring payload integrity and confidentiality during transmission.

Attackers commonly integrate symmetric cryptographic routines into malware or scripts to establish secure, encrypted communication channels for command-and-control, data exfiltration, and lateral movement activities.

When this Technique is Usually Used

Symmetric cryptography sub-technique is typically seen across multiple stages of an attack campaign:

• Initial Access and Delivery Stage:

  • Malware payloads encrypted using symmetric keys to evade detection by security products.

  • Phishing emails or malicious documents containing encrypted payloads.

• Command-and-Control (C2) Communications:

  • Attackers use symmetric cryptography to encrypt C2 traffic, making detection and analysis more difficult.

  • Malware families frequently rely on symmetric encryption to secure communication channels and payload delivery.

• Data Exfiltration Stage:

  • Sensitive data exfiltrated from victim networks encrypted using symmetric encryption to evade network monitoring and data loss prevention (DLP) systems.

• Persistence and Lateral Movement:

  • Attackers encrypt scripts, tools, or configuration files with symmetric encryption to evade endpoint detection and response (EDR) tools and maintain persistence.

How this Technique is Usually Detected

Detection of symmetric cryptography usage by attackers typically involves a combination of network monitoring, endpoint analysis, and behavioral detection methods:

• Network Traffic Analysis:

  • Use network monitoring tools (e.g., Wireshark, Zeek, Suricata) to identify encrypted traffic patterns.

  • Identify anomalous encrypted communications between internal hosts and external IP addresses or domains.

  • Analyze entropy levels of network traffic to detect highly randomized or encrypted data streams.

• Endpoint Detection and Response (EDR):

  • Monitor endpoints for suspicious cryptographic API calls or libraries (e.g., OpenSSL, CryptoAPI).

  • Identify unusual processes or scripts invoking encryption functions or loading cryptographic libraries.

  • Detect anomalous file creation or modification activities involving encrypted payloads or configuration files.

• Behavioral Anomaly Detection:

  • Deploy behavioral analytics tools to detect deviations from normal communication patterns or data transfer volumes.

  • Identify anomalous processes or scripts initiating encrypted communication channels.

• Indicators of Compromise (IoCs):

  • Suspicious cryptographic libraries or binaries present on endpoints.

  • Known malware families or tools that utilize symmetric encryption (e.g., TrickBot, Emotet, Cobalt Strike payloads).

  • Unusual encrypted files or payloads stored on endpoints or network shares.

  • High-entropy files or traffic indicative of encrypted data streams.

Why it is Important to Detect This Technique

Early detection of symmetric cryptography usage by adversaries is critical due to multiple factors:

• Preventing Data Exfiltration:

  • Encrypted channels allow attackers to exfiltrate sensitive data undetected, causing significant financial and reputational damage to organizations.

• Reducing Incident Response Complexity:

  • Early detection allows incident responders to quickly identify and contain compromised endpoints and communication channels, reducing the scope and complexity of investigations.

• Limiting Attacker Persistence:

  • Identifying encrypted payloads and scripts helps organizations quickly remove attacker footholds, limiting lateral movement and persistence within the network.

• Improving Security Posture:

  • Detecting encrypted malicious communication channels enhances visibility into threats, allowing organizations to strengthen monitoring capabilities and proactively defend against future attacks.

• Compliance and Regulatory Requirements:

  • Early detection helps organizations comply with regulatory frameworks and data protection requirements by mitigating the risk of unauthorized data disclosure.

Examples

Several real-world examples illustrate the use of symmetric cryptography in cyberattacks and malware campaigns:

• TrickBot Malware:

  • TrickBot uses AES symmetric encryption to encrypt payloads and configuration files, evading detection by antivirus and endpoint security solutions.

  • Encrypted C2 communication channels allow attackers to securely send commands and receive stolen data from infected endpoints.

• Emotet Malware:

  • Emotet leverages symmetric encryption algorithms (AES, RC4) to encrypt payloads, modules, and configuration data.

  • Encrypted communication channels facilitate secure data exfiltration and command-and-control operations.

• Cobalt Strike Framework:

  • Cobalt Strike payloads (Beacon) utilize AES symmetric encryption to protect communication between compromised hosts and attacker-controlled servers.

  • Attackers frequently use Cobalt Strike to establish persistent, encrypted C2 channels during penetration testing engagements and malicious cyber operations.

• DarkSide Ransomware:

  • DarkSide ransomware employs AES symmetric encryption combined with asymmetric encryption (RSA) to encrypt victim files, making recovery without attacker-provided keys nearly impossible.

  • Encrypted exfiltration channels enable attackers to securely transfer stolen data to external servers.

• FIN7 Group Attacks:

  • FIN7 threat group has used symmetric encryption (AES, RC4) to encrypt payloads, scripts, and C2 communications in financial sector breaches.

  • Encrypted communication channels enabled the group to evade detection, maintain persistence, and exfiltrate financial and sensitive data undetected.

These examples highlight the widespread adoption of symmetric cryptography by sophisticated attackers, emphasizing the importance of detection and mitigation strategies for this sub-technique.