MITRE ATT&CK Technique
Command and Control T1032
Description

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.

Supported Platforms
Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2017-05-31T21:30:35.334Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may explicitly employ a known encryption '
                'algorithm to conceal command and control traffic rather than '
                'relying on any inherent protections provided by a '
                'communication protocol. Despite the use of a secure '
                'algorithm, these implementations may be vulnerable to reverse '
                'engineering if necessary secret keys are encoded and/or '
                'generated within malware samples/configuration files.',
 'external_references': [{'external_id': 'T1032',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1032'},
                         {'description': 'Butler, M. (2013, November). Finding '
                                         'Hidden Threats by Decrypting SSL. '
                                         'Retrieved April 5, 2016.',
                          'source_name': 'SANS Decrypting SSL',
                          'url': 'http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840'},
                         {'description': 'Dormann, W. (2015, March 13). The '
                                         'Risks of SSL Inspection. Retrieved '
                                         'April 5, 2016.',
                          'source_name': 'SEI SSL Inspection Risks',
                          'url': 'https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html'},
                         {'description': 'Fidelis Cybersecurity. (2015, August '
                                         '4). Looking at the Sky for a '
                                         'DarkComet. Retrieved April 5, 2016.',
                          'source_name': 'Fidelis DarkComet',
                          'url': 'https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf'},
                         {'description': 'Gardiner, J.,  Cova, M., Nagaraja, '
                                         'S. (2014, February). Command & '
                                         'Control Understanding, Denying and '
                                         'Detecting. Retrieved April 20, 2016.',
                          'source_name': 'University of Birmingham C2',
                          'url': 'https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf'}],
 'id': 'attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'command-and-control'}],
 'modified': '2025-10-24T17:48:44.574Z',
 'name': 'Standard Cryptographic Protocol',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About