Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1008 | Fallback Channels | |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1008 | Fallback Channels | |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1008 | Fallback Channels | |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1008 | Fallback Channels | |
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1008 | Fallback Channels |
Comments
VPC security groups and network access control lists (NACLs) can be used to restrict external network access to the minimum required and can therefore mitigate an adversary utilizing a fallback or alternative communication channels. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1008 | Fallback Channels |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block communication with known fallback channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known fallback channels and not channels yet to be identified.
References
|