A list of attack techniques (Techniques) associated with the "Command and Control" tactic.
| Technique ID | Name | Description |
|---|---|---|
| T1001 | Data Obfuscation | Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDr… |
| T1001.001 | Junk Data | Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: Fire… |
| T1001.002 | Steganography | Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficu… |
| T1001.003 | Protocol or Service Impersonation | Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thw… |
| T1008 | Fallback Channels | Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible i… |
| T1024 | Custom Cryptographic Protocol | Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, s… |
| T1026 | Multiband Communication | **This technique has been deprecated and should no longer be used.** Some adversaries may split communications between … |
| T1032 | Standard Cryptographic Protocol | Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relyin… |
| T1043 | Commonly Used Port | **This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where ap… |
| T1065 | Uncommonly Used Port | Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improp… |
| T1071 | Application Layer Protocol | Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in wi… |
| T1071.001 | Web Protocols | Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network fil… |
| T1071.002 | File Transfer Protocols | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/netw… |
| T1071.003 | Mail Protocols | Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detectio… |
| T1071.004 | DNS | Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network fil… |
| T1071.005 | Publish/Subscribe Protocols | Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network fil… |
| T1079 | Multilayer Encryption | An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a… |
| T1090 | Proxy | Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network c… |
| T1090.001 | Internal Proxy | Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised… |
| T1090.002 | External Proxy | Adversaries may use an external proxy to act as an intermediary for network communications to a command and control serv… |
| T1090.003 | Multi-hop Proxy | Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will … |
| T1090.004 | Domain Fronting | Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host mult… |
| T1092 | Communication Through Removable Media | Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removab… |
| T1094 | Custom Command and Control Protocol | Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an exi… |
| T1095 | Non-Application Layer Protocol | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected… |
| T1102 | Web Service | Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised syst… |
| T1102.001 | Dead Drop Resolver | Adversaries may use an existing, legitimate external Web service to host information that points to additional command a… |
| T1102.002 | Bidirectional Communication | Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output… |
| T1102.003 | One-Way Communication | Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system… |
| T1104 | Multi-Stage Channels | Adversaries may create multiple stages for command and control that are employed under different conditions or for certa… |
| T1105 | Ingress Tool Transfer | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may… |
| T1132 | Data Encoding | Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and con… |
| T1132.001 | Standard Encoding | Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more… |
| T1132.002 | Non-Standard Encoding | Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic … |
| T1172 | Domain Fronting | Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host mul… |
| T1188 | Multi-hop Proxy | To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will… |
| T1219 | Remote Access Tools | An adversary may use legitimate remote access tools to establish an interactive command and control channel within a net… |
| T1219.001 | IDE Tunneling | Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an… |
| T1219.002 | Remote Desktop Software | An adversary may use legitimate desktop support software to establish an interactive command and control channel to targ… |
| T1219.003 | Remote Access Hardware | An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target… |
| T1483 | Domain Generation Algorithms | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and co… |
| T1568 | Dynamic Resolution | Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and r… |
| T1568.001 | Fast Flux DNS | Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses… |
| T1568.002 | Domain Generation Algorithms | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command… |
| T1568.003 | DNS Calculation | Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use … |
| T1571 | Non-Standard Port | Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over… |
| T1572 | Protocol Tunneling | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/… |
| T1573 | Encrypted Channel | Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inheren… |
| T1573.001 | Symmetric Cryptography | Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying… |
| T1573.002 | Asymmetric Cryptography | Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relyin… |
| T1665 | Hide Infrastructure | Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be … |
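Several rows above describe C2 channels that leave a footprint in DNS query logs: DNS as an application-layer C2 protocol (T1071.004), Domain Generation Algorithms (T1568.002), and standard encodings such as hex or base32 used to carry data inside queries (T1132.001). The following is an added example, not part of the ATT&CK page or any MITRE tool, showing a small detector that runs over DNS query log lines. The log lines and domain names are constructed for the example; the "registered domain = last two labels" rule is a deliberate simplification (no public suffix list), and the entropy, length, and query-count thresholds are illustrative starting points, not tuned values.

```python
import base64
import math
import re
from collections import Counter, defaultdict

# --- Constructed sample input (not a real capture). Format: "<timestamp> <client> <qname> <qtype>" ---

def _hex_label(chunk: bytes) -> str:
    # Hex-encode a payload chunk into a DNS label (T1132.001-style encoding carried over T1071.004).
    return chunk.hex()

def _b32_label(chunk: bytes) -> str:
    # Base32 without padding and lowercased, so the label stays valid DNS syntax.
    return base64.b32encode(chunk).decode().rstrip("=").lower()

SAMPLE_DNS_LOG = "\n".join([
    "2024-05-01T10:00:01 10.0.0.5 www.example.com A",
    "2024-05-01T10:00:02 10.0.0.5 mail.example.com MX",
    "2024-05-01T10:00:03 10.0.0.5 cdn.static-assets.example.com A",
    # A single hash-like CDN hostname: encoded-looking, but only one query, so it stays below the volume threshold.
    "2024-05-01T10:00:04 10.0.0.5 3f2a9c1e7b4d0e8f6a5c2b1d.img.example.org A",
    # DGA-style registered domains: long, high-entropy second-level labels (T1568.002).
    "2024-05-01T10:00:05 10.0.0.7 x7fq3kz9v2lm8pwd1.net A",
    "2024-05-01T10:00:06 10.0.0.7 q2mzp8d4kx7w1lcv9.org A",
    # Tunnel-style queries: encoded payload chunks in the leftmost label of one registered domain (T1071.004).
    f"2024-05-01T10:00:07 10.0.0.9 {_hex_label(b'secret-chunk-0')}.updates-cdn.net TXT",
    f"2024-05-01T10:00:08 10.0.0.9 {_hex_label(b'secret-chunk-1')}.updates-cdn.net TXT",
    f"2024-05-01T10:00:09 10.0.0.9 {_hex_label(b'secret-chunk-2')}.updates-cdn.net TXT",
    f"2024-05-01T10:00:10 10.0.0.9 {_b32_label(b'more secret bytes 1')}.updates-cdn.net TXT",
])

# --- Detection logic ---

# Labels that look like hex or unpadded base32 output, at least 20 characters long.
ENCODED_LABEL = re.compile(r"^(?:[0-9a-f]{20,}|[a-z2-7]{20,})$")

def parse_line(line: str):
    ts, client, qname, qtype = line.split()
    return ts, client, qname.lower().rstrip("."), qtype

def registered_domain(qname: str):
    # Simplification: treat the last two labels as the registered domain (no public suffix list).
    labels = qname.split(".")
    return ".".join(labels[-2:]), labels[:-2]

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_dga(registered: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    # Algorithmically generated names tend to be long and have near-uniform character distribution.
    sld = registered.split(".")[0]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy

def looks_encoded(sub_labels, min_total_len: int = 40) -> bool:
    # Either a label that matches a standard encoding alphabet, or an unusually long subdomain part.
    return any(ENCODED_LABEL.match(label) for label in sub_labels) or \
        sum(len(label) for label in sub_labels) >= min_total_len

def analyze(log_text: str, min_tunnel_queries: int = 3) -> dict:
    dga = set()
    # registered domain -> distinct encoded-looking subdomain strings seen (each tunnel chunk is unique)
    tunnel_candidates = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _client, qname, _qtype = parse_line(line)
        reg, subs = registered_domain(qname)
        if looks_dga(reg):
            dga.add(reg)
        if subs and looks_encoded(subs):
            tunnel_candidates[reg].add(".".join(subs))
    # Require volume: one hash-like CDN hostname is normal, many distinct encoded labels under one domain is not.
    tunnel = {reg for reg, seen in tunnel_candidates.items() if len(seen) >= min_tunnel_queries}
    return {"dga": dga, "tunnel": tunnel}

if __name__ == "__main__":
    result = analyze(SAMPLE_DNS_LOG)
    print("DGA-like domains:", sorted(result["dga"]))
    print("DNS tunnel candidates:", sorted(result["tunnel"]))
```

The two checks are deliberately separate: the DGA heuristic looks only at the registered domain's left label, while the tunnel heuristic looks only at the labels to its left and then applies a per-domain count, so a single long hash-style CDN hostname is not reported. In production both thresholds need tuning against baseline traffic, and the last-two-labels rule should be replaced with a public suffix list so that names under multi-label suffixes are grouped correctly.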