Clankerusecase
MITRE ATT&CK detection coverage

T1573 Encrypted Channel

T1573 — Encrypted Channel is a MITRE ATT&CK technique in the Command and Control tactic. Clankerusecase tracks 7 detection use cases covering it and 6 threat-intel articles citing it.

Command and Control
7 Use cases
6 Articles
2 Sub-techniques
1 Tactic

Sub-techniques (2)

Use cases covering this technique (7)

SSL Certificates with Punycode | ESCU | actions · hunting | P
Zeek x509 Certificate with Punycode | ESCU | actions · hunting | P
[LLM] GS-Netcat Relay C2 (gs.thc.org) + systemd Persistence Service | Bespoke | c2 · alerting | DSΣPDDCS
[LLM] Atomic Arch: non-Tor-aware process connecting to local SOCKS proxy on 9050/9150 | Bespoke | c2 · hunting | DSΣPDDCS
[LLM] Sustained low-volume beaconing to OceanLotus SPECTRALVIPER C2 (long-tail persistence) | Bespoke | c2 · hunting | DSPDDCS
[LLM] HTTPS POST to /startlog with codexui User-Agent (Codex exfil over the wire) | Bespoke | actions · alerting | DSΣPDDCS
[LLM] C2 beacon or stage-2 fetch to updatenet[.]work / 172.86.73.139 / dothebest[.]store | Bespoke | c2 · hunting | DSΣPDDCS

Articles citing this technique (6)