MalChain Detections GitHub
EXT-07 Extraction · Exfiltration & C2 KQL YARA

Encrypted Command-and-Control Channels

Encrypted Command-and-Control Channels refers to the establishment of secure communication pathways between compromised systems and external infrastructure using encryption to protect transmitted commands and data..

Mappings

CVE examples
Not vulnerability-based — this capability is behavioural.
MalwareBazaar

Summary

Encrypted Command-and-Control Channels refers to the establishment of secure communication pathways between compromised systems and external infrastructure using encryption to protect transmitted commands and data. This includes using encrypted network protocols, secure messaging mechanisms, or custom encryption routines to maintain persistent control while preventing inspection of communication content. Within MalChain, this capability begins once encrypted communication is actively used to exchange instructions, status information, or operational data between systems and remote controllers. Attackers exploit implicit trust in encrypted communication and privacy-preserving technologies to conceal malicious coordination within routine network traffic. Routine reliance on secure communication protocols often allows encrypted sessions to pass through network defenses without detailed inspection. Trust abuse may involve embedding commands within encrypted traffic, maintaining persistent connections to remote infrastructure, or using secure channels presented as legitimate application communication. Common command-and-control methods include:

  • Establishing encrypted sessions with remote command servers
  • Exchanging instructions through secure communication protocols
  • Maintaining persistent encrypted connections to external infrastructure
  • Using custom encryption to protect command traffic
  • Embedding command data within encrypted network sessions

Real world usage includes:

  • Persistent remote control of compromised systems
  • Coordinated intrusion campaigns using secure communication channels
  • Ransomware operations maintaining encrypted command coordination
  • Advanced threats managing distributed infrastructure remotely

Detection Guidance

Detection relies on monitoring encrypted communication behavior, connection persistence, and network traffic anomalies associated with command-and-control activity. Contextual correlation between encrypted traffic and system behavior is essential to reduce false positives.

  • Monitor long-lived encrypted network connections
  • Detect repeated communication with external infrastructure
  • Correlate encrypted traffic with system command execution
  • Alert on unusual encrypted sessions to unfamiliar endpoints
  • Identify rare or unauthorized encrypted communication patterns

KQL Detection Concepts

  • Network events indicating persistent encrypted connections
  • Repeated outbound communication to remote infrastructure
  • Encrypted traffic associated with unusual system activity

YARA Detection Concepts

  • Scripts or binaries implementing encrypted communication routines
  • Code patterns associated with secure command transmission
  • Executable components maintaining encrypted sessions

KQL Detection Rule

kql
// Encrypted C2: periodic beaconing (regular interval, small jitter) to one host
DeviceNetworkEvents
| where Timestamp > ago(2d) and RemoteIPType == "Public" and ActionType == "ConnectionSuccess"
| summarize Beacons=count(), Intervals=make_list(Timestamp,200) by DeviceName, RemoteIP, InitiatingProcessFileName
| where Beacons > 50
| project DeviceName, RemoteIP, InitiatingProcessFileName, Beacons
// Post-process Intervals for low standard-deviation to confirm beaconing

YARA Detection Rule

yara
rule MC_EXT_07_Encrypted_C2_Config
{
    meta:
        author = "MalChain"
        technique = "MC-EXT-07 Encrypted Command-and-Control Channels"
        description = "Beacon/C2 config primitives and known malleable markers"
    strings:
        $a = "User-Agent:" ascii
        $b = "WinHttpConnect" ascii
        $c = "InternetOpenA" ascii
        $bk = "beacon.dll" ascii nocase
        $mz = "ReflectiveLoader" ascii
    condition:
        uint16(0) == 0x5A4D and ($bk or $mz or (2 of ($a,$b,$c)))
}

Mitigation

  • Implement network monitoring capable of detecting anomalous encrypted traffic
  • Restrict outbound communication to approved destinations
  • Enforce network segmentation and communication controls
  • Monitor persistent connections to external infrastructure

Incident Response

  • Identify systems maintaining encrypted command channels
  • Block communication with suspicious remote infrastructure
  • Analyze encrypted traffic patterns and system activity
  • Review connection logs and operational timelines

Chain Linking