Custom Cryptographic Protocol - T1024 (3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d)
Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext.
Custom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used.
Some adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors. (Citation: F-Secure Cosmicduke)
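To make the weakness concrete, the following added example (not part of the ATT&CK or MISP entry) shows why a fixed-key XOR scheme gives an analyst so little resistance: knowing a short constant prefix of one beacon, recovered here from a constructed sample rather than any real malware, is enough to pull out the repeating key and read every other beacon encrypted with it. The key, prefix and beacon contents are all hypothetical.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The operation is its own inverse, so this both
    encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Wherever the plaintext is known, XOR cancels it out: k[i] = c[i] ^ p[i]."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def shortest_period(stream: bytes) -> int:
    """Smallest L with stream[i] == stream[i + L] for every i, i.e. the key
    length. Only trustworthy when the stream covers at least two key repeats."""
    for length in range(1, len(stream)):
        if all(stream[i] == stream[i + length] for i in range(len(stream) - length)):
            return length
    return len(stream)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Key bytes aligned with the known prefix, trimmed to one period."""
    stream = recover_keystream(ciphertext, known_plaintext)
    return stream[: shortest_period(stream)]


def is_printable(data: bytes) -> bool:
    """Sanity check that a recovered key turns an unseen message into text."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


# Constructed sample: a hypothetical fixed 4-byte key and two beacons. The
# analyst is assumed to know, from reverse engineering, only that every
# beacon starts with "BEACON|host=" (at least twice the key length).
KEY = b"k3y!"
KNOWN_PREFIX = b"BEACON|host="
BEACON_1 = b"BEACON|host=WKSTN-07|user=jdoe|task=idle"
BEACON_2 = b"BEACON|host=WKSTN-07|user=jdoe|task=sleep 60"
CAPTURE_1 = xor_bytes(BEACON_1, KEY)
CAPTURE_2 = xor_bytes(BEACON_2, KEY)


def decrypt_unseen_capture() -> bytes:
    """Recover the key from one capture, then read a different one with it."""
    key = recover_key(CAPTURE_1, KNOWN_PREFIX)
    plaintext = xor_bytes(CAPTURE_2, key)
    assert is_printable(plaintext), "recovered key does not yield text"
    return plaintext


if __name__ == "__main__":
    print(recover_key(CAPTURE_1, KNOWN_PREFIX))
    print(decrypt_unseen_capture())
```

If the known prefix is shorter than two key repeats, `shortest_period` may return a spurious length; the `is_printable` check on a second capture is the cheap way to confirm the guess.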
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | Custom Cryptographic Protocol - T1024 (3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d) | Attack Pattern | 1 |