Command and Control
The adversary is trying to communicate with compromised systems to control them.
Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
Techniques: 16
ID | Name | Description
---|---|---
T1071 | Application Layer Protocol | Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
.001 | Web Protocols | Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
.002 | File Transfer Protocols | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
.003 | Mail Protocols | Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
.004 | DNS | Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
T1092 | Communication Through Removable Media | Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
T1132 | Data Encoding | Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip.
.001 | Standard Encoding | Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip.
.002 | Non-Standard Encoding | Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.
T1001 | Data Obfuscation | Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
.001 | Junk Data | Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.
.002 | Steganography | Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.
.003 | Protocol Impersonation | Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.
T1568 | Dynamic Resolution | Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
.001 | Fast Flux DNS | Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.
.002 | Domain Generation Algorithms | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.
.003 | DNS Calculation | Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.
T1573 | Encrypted Channel | Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
.001 | Symmetric Cryptography | Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.
.002 | Asymmetric Cryptography | Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver's public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
T1008 | Fallback Channels | Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
T1105 | Ingress Tool Transfer | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
T1104 | Multi-Stage Channels | Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
T1095 | Non-Application Layer Protocol | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
T1571 | Non-Standard Port | Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
T1572 | Protocol Tunneling | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
T1090 | Proxy | Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
.001 | Internal Proxy | Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.
.002 | External Proxy | Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.
.003 | Multi-hop Proxy | To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network.
.004 | Domain Fronting | Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).
T1219 | Remote Access Software | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
T1205 | Traffic Signaling | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
.001 | Port Knocking | Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host-based firewall, but could also be implemented by custom software.
.002 | Socket Filters | Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the libpcap library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
T1102 | Web Service | Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
.001 | Dead Drop Resolver | Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
.002 | Bidirectional Communication | Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to a development project, updating a document hosted on a Web service, or by sending a Tweet.
.003 | One-Way Communication | Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
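Added example for T1132 Standard Encoding and Non-Standard Encoding (this is not code from the ATT&CK page): a triage helper that pulls Base64-looking tokens out of an HTTP body and tries each against the RFC 4648 alphabet and a constructed, hypothetical permuted alphabet of the kind a modified-Base64 scheme would use, keeping only tokens that decode to mostly printable text. The sample body, the custom alphabet and the 0.9 printable threshold are all constructed for this example.

```python
import base64
import binascii
import re
import string
from typing import Optional

# RFC 4648 alphabet, and a constructed permutation of it standing in for the
# kind of modified alphabet T1132.002 describes (hypothetical, for this example).
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
CUSTOM_ALPHABET = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210-_"

# Long runs of Base64-like characters, optionally padded.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/\-_]{16,}={0,2}")


def encode_with_alphabet(data: bytes, alphabet: str) -> str:
    """Base64-encode, then substitute the given 64-character alphabet."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_with_alphabet(token: str, alphabet: str) -> Optional[bytes]:
    """Decode a token under `alphabet`; None if it is not valid Base64 there."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    body = token.rstrip("=")
    # A data length of 1 mod 4 can never be Base64, whatever the alphabet.
    if len(body) % 4 == 1 or any(ch not in alphabet for ch in body):
        return None
    std = body.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)          # re-pad before handing to the stdlib
    try:
        return base64.b64decode(std, validate=True)
    except binascii.Error:
        return None


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (or tab/CR/LF)."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def scan_body(body: str, alphabets: dict, min_ratio: float = 0.9) -> list:
    """Report tokens that decode to mostly-printable text under some alphabet.
    The first alphabet that yields readable text wins; unreadable output is
    skipped, so random-looking session ids do not flood the analyst."""
    findings = []
    for match in B64_TOKEN.finditer(body):
        token = match.group(0)
        for name, alphabet in alphabets.items():
            data = decode_with_alphabet(token, alphabet)
            if data is None:
                continue
            ratio = printable_ratio(data)
            if ratio >= min_ratio:
                findings.append({"alphabet": name, "token": token,
                                 "decoded": data.decode("ascii", "replace"),
                                 "printable_ratio": round(ratio, 2)})
                break
    return findings


# Constructed HTTP POST body: one standard-Base64 value, one custom-alphabet
# value, and a 17-character token that is not valid Base64 at all.
SAMPLE_BODY = (
    "id=" + encode_with_alphabet(b"host=WS-042;user=alice;os=win10", STD_ALPHABET)
    + "&tag=" + encode_with_alphabet(b"task=inventory;interval=60", CUSTOM_ALPHABET)
    + "&session=ABCDEFGHIJKLMNOPQ"
)
ALPHABETS = {"standard": STD_ALPHABET, "custom": CUSTOM_ALPHABET}

if __name__ == "__main__":
    for finding in scan_body(SAMPLE_BODY, ALPHABETS):
        print(finding)
```

In practice the custom alphabets come from reverse engineering the sample in hand; this scanner only confirms which of the known alphabets a body uses.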
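Added example for T1568.002 Domain Generation Algorithms (not code from the ATT&CK page): a lexical scorer run over constructed DNS query log lines that flags registrable labels showing the signals typical of algorithmically generated names (high character entropy, few vowels, long consonant runs, many digits). The log format, the mini suffix list standing in for the Public Suffix List, and the thresholds are assumptions of this example.

```python
import math
from collections import Counter

# Constructed DNS query log lines: "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.microsoft.com
2024-05-01T10:00:02Z 10.0.0.5 A stackoverflow.com
2024-05-01T10:00:03Z 10.0.0.7 A xk3jf9a2mzq8wvtb.net
2024-05-01T10:00:03Z 10.0.0.7 A qwpzlkvtrngsdfh.org
2024-05-01T10:00:04Z 10.0.0.9 A news.bbc.co.uk
"""

# Tiny stand-in for the Public Suffix List; a real deployment loads the full list.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}
VOWELS = set("aeiou")


def registrable_label(qname: str) -> str:
    """Return the label the registrant chose (e.g. 'bbc' for news.bbc.co.uk)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(text: str) -> float:
    """Bits per character over the label's own character distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(label: str) -> int:
    """Count lexical signals typical of generated labels (one point each).
    Short labels are skipped: too little text to judge. Thresholds are
    chosen for this example; tune them against your own resolver logs."""
    if len(label) < 8:
        return 0
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    signals = [
        shannon_entropy(label) >= 3.5,
        vowel_ratio < 0.25,
        longest_consonant_run(label) >= 5,
        digit_ratio > 0.15,
    ]
    return sum(signals)


def flag_dga_queries(log_text: str, min_score: int = 2) -> dict:
    """Map each queried name scoring at least min_score to its score."""
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        qname = parts[3]
        score = dga_score(registrable_label(qname))
        if score >= min_score:
            flagged[qname] = score
    return flagged


if __name__ == "__main__":
    for name, score in flag_dga_queries(SAMPLE_DNS_LOG).items():
        print(f"{score} {name}")
```

A single signal is not enough: a long English word such as stackoverflow already clears the entropy threshold, which is why the score requires two signals before a name is flagged.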
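Added example for T1090.004 Domain Fronting (not code from the ATT&CK page): a check over constructed TLS-inspecting proxy records that compares the TLS SNI with the HTTP Host header and reports the two conditions the technique description names, a mismatch between the two and a blank SNI paired with a Host. The key=value log format, hostnames and addresses are constructed for this example.

```python
import re
from typing import Optional

# Constructed records from a TLS-inspecting proxy, one per line, key=value form.
# Addresses are documentation ranges; hostnames are invented for the example.
SAMPLE_PROXY_LOG = """\
src=10.0.0.5 dst=203.0.113.10:443 sni=assets.example-cdn.net host=assets.example-cdn.net
src=10.0.0.5 dst=203.0.113.10:443 sni=assets.example-cdn.net host=relay.example.org
src=10.0.0.8 dst=203.0.113.11:443 sni= host=relay.example.org
src=10.0.0.8 dst=203.0.113.12:443 sni=www.example.com host=WWW.EXAMPLE.COM:443
src=10.0.0.9 dst=203.0.113.13:443 sni=www.example.com host=
"""

KV = re.compile(r"(\w+)=(\S*)")


def normalize_host(value: str) -> str:
    """Lower-case and strip an explicit port, so host:443 compares equal to host.
    (Bracketed IPv6 literals are not handled in this example.)"""
    value = value.strip().lower()
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def classify(record: dict) -> Optional[str]:
    """Return a triage reason, or None when SNI and Host agree or Host is absent."""
    sni = normalize_host(record.get("sni", ""))
    host = normalize_host(record.get("host", ""))
    if not host:
        return None               # no HTTP Host visible: nothing to compare
    if not sni:
        return "blank-sni"        # "domainless" fronting candidate
    if sni != host:
        return "sni-host-mismatch"
    return None


def find_fronting_candidates(log_text: str) -> list:
    """Return (src, sni, host, reason) for each record that deserves a look."""
    hits = []
    for line in log_text.splitlines():
        record = dict(KV.findall(line))
        if "src" not in record:
            continue              # malformed line
        reason = classify(record)
        if reason:
            hits.append((record["src"], record.get("sni", ""),
                         record.get("host", ""), reason))
    return hits


if __name__ == "__main__":
    for hit in find_fronting_candidates(SAMPLE_PROXY_LOG):
        print(hit)
```

A mismatch is a triage signal, not proof: baseline the (SNI, Host) pairs that are normal for the CDN-hosted services in your environment before alerting on it.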
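Added example for T1205 Traffic Signaling and T1205.001 Port Knocking (not code from the ATT&CK page): detection logic over constructed host-firewall log lines that looks for the pattern the description gives, a burst of connection attempts to several distinct closed ports from one source followed shortly by an accepted connection to that host. The log format, the 10-second window and the three-port minimum are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host-firewall log: "<ISO time> <ACTION> <src> <dst> <dport>".
# 198.51.100.7 hits three closed ports and then reaches 22; 198.51.100.9 only
# retries one port; the later 198.51.100.7 burst is spread a minute apart.
SAMPLE_FW_LOG = """\
2024-05-01T12:00:00Z DROP 198.51.100.7 10.0.0.20 7000
2024-05-01T12:00:01Z DROP 198.51.100.7 10.0.0.20 8000
2024-05-01T12:00:02Z DROP 198.51.100.7 10.0.0.20 9000
2024-05-01T12:00:03Z ACCEPT 198.51.100.7 10.0.0.20 22
2024-05-01T12:00:05Z DROP 198.51.100.9 10.0.0.20 445
2024-05-01T12:00:06Z DROP 198.51.100.9 10.0.0.20 445
2024-05-01T12:00:07Z DROP 198.51.100.9 10.0.0.20 445
2024-05-01T12:00:08Z ACCEPT 198.51.100.9 10.0.0.20 80
2024-05-01T12:30:00Z DROP 198.51.100.7 10.0.0.20 7000
2024-05-01T12:31:00Z DROP 198.51.100.7 10.0.0.20 8000
2024-05-01T12:32:00Z DROP 198.51.100.7 10.0.0.20 9000
2024-05-01T12:33:00Z ACCEPT 198.51.100.7 10.0.0.20 22
"""


def parse_events(log_text: str) -> list:
    """Parse lines into (time, action, src, dst, dport); assumes time order."""
    events = []
    for line in log_text.splitlines():
        ts, action, src, dst, dport = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       action, src, dst, int(dport)))
    return events


def find_knock_sequences(log_text: str, min_knocks: int = 3,
                         window: timedelta = timedelta(seconds=10)) -> list:
    """Return (src, dst, knocked_ports, opened_port) for every DROP burst to at
    least min_knocks distinct ports that is followed, inside the window, by an
    ACCEPT from the same source to the same host."""
    recent = defaultdict(list)    # (src, dst) -> [(time, dport)] of recent DROPs
    findings = []
    for ts, action, src, dst, dport in parse_events(log_text):
        key = (src, dst)
        # Forget drops that fell out of the window before looking at this event.
        recent[key] = [(t, p) for t, p in recent[key] if ts - t <= window]
        if action == "DROP":
            recent[key].append((ts, dport))
        elif action == "ACCEPT":
            ports = list(dict.fromkeys(p for _, p in recent[key]))   # distinct, in order
            if len(ports) >= min_knocks:
                findings.append((src, dst, ports, dport))
                recent[key].clear()
    return findings


if __name__ == "__main__":
    for src, dst, ports, opened in find_knock_sequences(SAMPLE_FW_LOG):
        print(f"{src} -> {dst}: knocked {ports}, then accepted on {opened}")
```

Retries against one closed port (the 198.51.100.9 lines) are scanner or misconfiguration noise rather than a knock, which is why the rule counts distinct ports.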