212 indexed
ATT&CKATT&CK techniques
212 top-level MITRE ATT&CK Enterprise techniques (T-IDs), grouped by tactic. Filter to a tactic or browse the full kill chain, then click into a technique for sub-techniques and mitigations. Authored by Adam Lundqvist.
15 in Command and Control · 212 total
| ID | Title | Summary |
|---|---|---|
| T1001 | Data Obfuscation | Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessar… |
| T1008 | Fallback Channels | Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command an… |
| T1071 | Application Layer Protocol | Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the re… |
| T1090 | Proxy | Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control … |
| T1092 | Communication Through Removable Media | Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from syst… |
| T1095 | Non-Application Layer Protocol | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of po… |
| T1102 | Web Service | Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media a… |
| T1104 | Multi-Stage Channels | Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages ma… |
| T1105 | Ingress Tool Transfer | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-c… |
| T1132 | Data Encoding | Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded us… |
| T1219 | Remote Access Software | An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within net… |
| T1568 | Dynamic Resolution | Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by us… |
| T1571 | Non-Standard Port | Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar… |
| T1572 | Protocol Tunneling | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access … |
| T1573 | Encrypted Channel | Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a commun… |