The MITRE ATT&CK Command and Control (TA0011) tactic describes how adversaries communicate with compromised systems to issue commands, maintain control, and receive exfiltrated data. Attackers use various communication channels, such as web traffic, DNS tunneling, or custom protocols, often mimicking legitimate traffic to evade detection. Techniques include encryption to hide communications, using proxy servers, and leveraging cloud services to blend with normal network activity.
Key Techniques:
- Standard Application Layer Protocols: Attackers may use HTTP, HTTPS, or DNS to communicate with a compromised system. These protocols often mimic legitimate traffic, making them harder to detect. For example, an adversary may embed malicious communications within regular web traffic (HTTP/HTTPS) to avoid triggering network security alerts.
- Custom Command and Control Protocols: Attackers may develop their own protocols to communicate with the compromised system, so that security tools built around known protocol signatures fail to recognize and block the traffic. Because the communication method is unique to the adversary, such traffic often evades signature-based detection.
- Fallback Channels: Adversaries may establish multiple communication channels to ensure resilience. If one command and control (C2) channel is detected and blocked, the attacker can fall back on alternative methods such as different servers or encrypted tunnels.
- Encryption for Communication: Many adversaries encrypt their communication channels to prevent security tools from analyzing the contents of the traffic. This can involve using standard encryption methods (e.g., SSL/TLS) or implementing custom encryption schemes to obfuscate their C2 traffic.
- Domain Fronting: Attackers may disguise their C2 traffic by routing it through legitimate, well-known services, such as Content Delivery Networks (CDNs). Domain fronting makes the malicious traffic look like ordinary traffic to a trusted service, so defenders cannot block it without also blocking the legitimate service.
- Proxy Servers: Attackers often use proxy servers to relay their communications, preventing defenders from tracing back the C2 traffic to its true origin. By routing traffic through compromised or controlled proxy systems, attackers mask the actual command and control infrastructure.
- Exfiltration Over C2 Channel: Adversaries may exfiltrate sensitive data through the same channel used for C2 communication, further blending their activities with normal traffic. This removes the need to establish a separate exfiltration channel, reducing the chances of detection.
Mitigation Strategies:
- Network Traffic Analysis: Continuously monitor network traffic for unusual patterns, such as encrypted traffic to uncommon domains or the use of non-standard protocols.
- Blocking Known Malicious Domains/IPs: Implement threat intelligence feeds that provide updated lists of known malicious C2 domains, IP addresses, or signatures.
- Endpoint Detection: Deploy endpoint detection and response (EDR) solutions to monitor system behavior, looking for suspicious processes or network connections that could indicate C2 activity.
- Application Whitelisting: Restrict the use of unauthorized or non-standard communication applications, limiting the ability of attackers to establish custom C2 channels.
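The network traffic analysis strategy above can be made concrete with two simple heuristics: flagging DNS queries whose subdomain labels look like encoded data (a DNS tunneling indicator) and flagging hosts that contact one domain at near-constant intervals (beaconing). The following is an added example, not code from MITRE or from the original page; the log lines, hostnames and zone names are constructed, the `registered_domain` split is a deliberate simplification, and the thresholds are illustrative starting points that would need tuning per environment.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample DNS log: (timestamp_seconds, source_host, queried_name).
# ws01 browses normally, ws02 sends tunnelling-style queries, ws03 beacons.
DNS_LOG = [
    (0, "ws01", "www.example.com"), (45, "ws01", "mail.example.com"),
    (200, "ws01", "cdn.example.com"), (230, "ws01", "www.example.com"),
    (600, "ws01", "mail.example.com"),
    (61, "ws02", "abcdefghijklmnopqrstuvwx.t.example.net"),
    (121, "ws02", "bcdefghijklmnopqrstuvwxy.t.example.net"),
    (181, "ws02", "cdefghijklmnopqrstuvwxyz.t.example.net"),
    (241, "ws02", "0123456789abcdefghijklmn.t.example.net"),
    (301, "ws02", "123456789abcdefghijklmno.t.example.net"),
    (0, "ws03", "api.c2-placeholder.example"), (300, "ws03", "api.c2-placeholder.example"),
    (600, "ws03", "api.c2-placeholder.example"), (900, "ws03", "api.c2-placeholder.example"),
    (1200, "ws03", "api.c2-placeholder.example"),
]

def shannon_entropy(s):
    """Bits per character; encoded/random-looking labels score high, real hostnames low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(name):
    """Crude zone split (last two labels); assumption for this example, a real
    deployment would use a public-suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def group_by_host_and_zone(log):
    groups = defaultdict(list)
    for ts, host, name in log:
        groups[(host, registered_domain(name))].append((ts, name))
    return groups

def dns_tunnel_suspects(log, min_queries=4, min_label_len=20, min_entropy=3.5):
    """Flag (host, zone) pairs whose leftmost labels are long and high-entropy,
    the shape of data encoded into subdomains rather than real hostnames."""
    flagged = set()
    for key, events in group_by_host_and_zone(log).items():
        labels = [name.split(".")[0] for _, name in events]
        if (len(events) >= min_queries and mean(len(l) for l in labels) >= min_label_len
                and mean(shannon_entropy(l) for l in labels) >= min_entropy):
            flagged.add(key)
    return flagged

def beacon_suspects(log, min_events=4, max_jitter=0.1):
    """Flag (host, zone) pairs contacted at near-constant intervals (low
    coefficient of variation), the timing pattern of an implant polling its C2."""
    flagged = set()
    for key, events in group_by_host_and_zone(log).items():
        ts = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_events and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged.add(key)
    return flagged
```

Running both detectors over `DNS_LOG` flags ws02 for tunneling and both ws02 and ws03 for beaconing, while ws01's irregular browsing to short hostnames is not flagged; in practice these heuristics are a triage signal to be correlated with EDR process context, not a verdict.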
By understanding and implementing these strategies, organizations can reduce the likelihood of successful command and control operations within their network.
For further details, visit the full MITRE ATT&CK Command and Control page here.