MITRE ATT&CK Technique
Command and Control T1024
Description

Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext. Custom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used. Some adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors. (Citation: F-Secure Cosmicduke)

Supported Platforms
Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:30:31.197Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may use a custom cryptographic protocol or '
                'algorithm to hide command and control traffic. A simple '
                'scheme, such as XOR-ing the plaintext with a fixed key, will '
                'produce a very weak ciphertext.\n'
                '\n'
                'Custom encryption schemes may vary in sophistication. '
                'Analysis and reverse engineering of malware samples may be '
                'enough to discover the algorithm and encryption key used.\n'
                '\n'
                'Some adversaries may also attempt to implement their own '
                'version of a well-known cryptographic algorithm instead of '
                'using a known implementation library, which may lead to '
                'unintentional errors. (Citation: F-Secure Cosmicduke)',
 'external_references': [{'external_id': 'T1024',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1024'},
                         {'description': 'F-Secure Labs. (2014, July). '
                                         'COSMICDUKE Cosmu with a twist of '
                                         'MiniDuke. Retrieved July 3, 2014.',
                          'source_name': 'F-Secure Cosmicduke',
                          'url': 'https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf'},
                         {'description': 'Fidelis Cybersecurity. (2015, August '
                                         '4). Looking at the Sky for a '
                                         'DarkComet. Retrieved April 5, 2016.',
                          'source_name': 'Fidelis DarkComet',
                          'url': 'https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf'},
                         {'description': 'Gardiner, J.,  Cova, M., Nagaraja, '
                                         'S. (2014, February). Command & '
                                         'Control Understanding, Denying and '
                                         'Detecting. Retrieved April 20, 2016.',
                          'source_name': 'University of Birmingham C2',
                          'url': 'https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf'}],
 'id': 'attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'command-and-control'}],
 'modified': '2025-10-24T17:48:40.583Z',
 'name': 'Custom Cryptographic Protocol',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.1'}