The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
Technique ID | Technique Name | Number of Mappings | Number of Subtechniques |
---|---|---|---|
T1071 | Application Layer Protocol | 38 | 5 |
T1219 | Remote Access Software | 25 | 0 |
T1659 | Content Injection | 12 | 0 |
T1205 | Traffic Signaling | 19 | 2 |
T1572 | Protocol Tunneling | 26 | 0 |
T1092 | Communication Through Removable Media | 14 | 0 |
T1090 | Proxy | 30 | 4 |
T1568 | Dynamic Resolution | 20 | 3 |
T1102 | Web Service | 17 | 3 |
T1104 | Multi-Stage Channels | 17 | 0 |
T1001 | Data Obfuscation | 12 | 3 |
T1571 | Non-Standard Port | 24 | 0 |
T1573 | Encrypted Channel | 20 | 2 |
T1095 | Non-Application Layer Protocol | 29 | 0 |
T1132 | Data Encoding | 13 | 2 |
T1105 | Ingress Tool Transfer | 21 | 0 |
T1665 | Hide Infrastructure | 2 | 0 |
T1008 | Fallback Channels | 20 | 0 |