Andariel-2019 Signed Rifdoor Command and control

Strike ID:
C19-B0831
False Positive:
f
Variants:
1
Year:
2019

Description

This strike simulates Andariel-2019 command-and-control traffic after the 'Signed Rifdoor' module has been installed. The strike sends its data over TCP port 443. Many packet capture tools, Wireshark included, will label this traffic "encrypted data" because of the port, but it is not SSL/TLS traffic: the command-and-control exchanges are encrypted or encoded by the malware itself and do not use SSL/TLS at all.
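The practical consequence for detection is that a port-based label ("443, therefore SSL") is not evidence of TLS. The check below, an added example that is not part of the strike description and not Keysight/BreakingPoint code, inspects the first bytes of a client-to-server TCP/443 payload and reports whether they form a plausible TLS record header (content type, major version 0x03, sane length) followed by a ClientHello. Payloads on 443 that fail that test are flagged as non-TLS traffic on a TLS port. The sample payloads are constructed for the example; they are not captured Rifdoor traffic and say nothing about its real wire format.

```python
# Added example: classify TCP/443 client payloads as TLS or non-TLS.
# Not part of the original strike page; sample bytes below are constructed.

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # CCS, Alert, Handshake, ApplicationData
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
MAX_RECORD_LEN = 16384 + 2048                  # 2^14 plaintext plus TLS 1.2 expansion


def looks_like_tls_record(payload: bytes) -> bool:
    """True if payload starts with a plausible TLS record header.

    Record header layout: content_type(1) | version(2) | length(2).
    Major version is 0x03 for SSL 3.0 through TLS 1.3; minor is 0x00..0x04.
    """
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (ctype in TLS_CONTENT_TYPES
            and major == 0x03 and minor <= 0x04
            and 0 < length <= MAX_RECORD_LEN)


def is_client_hello(payload: bytes) -> bool:
    """True if the first record is a Handshake record carrying a ClientHello."""
    return (looks_like_tls_record(payload)
            and payload[0] == TLS_HANDSHAKE
            and len(payload) >= 6
            and payload[5] == CLIENT_HELLO)


def classify_flow(dst_port: int, first_client_payload: bytes) -> str:
    """Label a flow from its destination port and first client payload.

    'tls'            -> TLS ClientHello seen (port irrelevant)
    'non_tls_on_443' -> port 443 but no TLS framing: worth a closer look
    'other'          -> anything else
    """
    if is_client_hello(first_client_payload):
        return "tls"
    if dst_port == 443:
        return "non_tls_on_443"
    return "other"


def audit(flows):
    """Return (flow_id, label) for every flow that is non-TLS on port 443."""
    return [(fid, classify_flow(port, data))
            for fid, port, data in flows
            if classify_flow(port, data) == "non_tls_on_443"]


# Constructed sample flows (hypothetical bytes, not real captures):
SAMPLE_FLOWS = [
    # Genuine TLS: record 0x16, version 3.1, len 6, handshake type 0x01
    ("flow-1", 443, b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"),
    # Opaque custom framing on 443 (what a packet tool would just call "encrypted data")
    ("flow-2", 443, b"\x8a\x2f\x00\x10\xd3\x91\x4c\x0e\x77\xb2\xee\x05"),
    # Plaintext HTTP on 443, also not TLS
    ("flow-3", 443, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    # Ordinary HTTP on 80: not a mismatch
    ("flow-4", 80,  b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]

if __name__ == "__main__":
    for fid, label in audit(SAMPLE_FLOWS):
        print(f"{fid}: {label}")
```

The header test is deliberately loose (any handshake-looking first record passes), because the aim is to catch the opposite mistake the description warns about: assuming traffic is SSL/TLS merely because it rides on port 443. A full check would parse the ClientHello body and confirm the server answers with a ServerHello.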