title: Encrypted Channel (T1573)
id: df00tech-t1573
status: experimental
description: "This detection identifies adversaries using custom or non-standard encryption to conceal command and control (C2) traffic. Unlike legitimate TLS/HTTPS traffic, encrypted channels implemented by malware often exhibit behavioral anomalies: unusual processes making encrypted connections, connections to raw IP addresses without SNI, self-signed or short-lived certificates, high-frequency beaconing intervals, non-browser processes using port 443/8443 with atypical TLS fingerprints (JA3), and data volumes inconsistent with the application type. This detection correlates process lineage, network destinations, certificate characteristics, and traffic timing to surface encrypted C2 channels used by threat actors such as Tropic Trooper and Lazarus Group, and by malware families including RCSession, Cryptoistic, Gomir, and Chaes."
references:
  - https://attack.mitre.org/techniques/T1573/
  - https://df00tech.com/detections/T1573
author: df00tech
date: 2026/03/19
tags:
  - attack.t1573
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Custom internal applications or agents that connect to known infrastructure over HTTPS but are not in the allowlist (add them to LegitimateEncryptedApps)
  - IT monitoring and management tools (SCCM, Ansible, Puppet) that make frequent scheduled encrypted connections to management infrastructure
  - Security products (EDR agents, vulnerability scanners, DLP solutions) that beacon home over encrypted channels on non-standard ports
  - Cloud sync clients or backup agents connecting to cloud storage endpoints on port 443 at regular intervals
  - VPN clients and network tunneling software that establish persistent encrypted connections as part of normal operation
level: high
