In our last post, we explored how attackers gather valuable information through the Collection tactic. Once adversaries have a foothold and have collected data, they need a way to maintain control over compromised systems and coordinate their activities. In military operations, you’ll see a mix of overt and covert forms of communication. But we know they are happening. Without them, the various units involved would be uncoordinated and the attack would fail before major objectives could be accomplished. Cyber adversaries need this sustained control as well. Payloads are unable to act autonomously for long, and exfiltrating data without that control is futile. This is where the next MITRE ATT&CK Tactic comes into play: Command and Control (C2). Let’s dive into how attackers use C2 to orchestrate their operations and why it’s a critical component of almost every sophisticated cyber attack.

The Importance of Command and Control

Command and Control is the term for communication and coordination in an attack. Whether orchestrated from an attacker’s Kali box or a military command post, C2 allows attackers to issue orders, receive information, and manage their operations from afar. Without effective C2, attackers have to build more into their deployed assets. This isn’t impossible – some recent military and cyber attacks have used this strategy, but the preparation is insane, and the possible outcomes limited. Prior to the ubiquity of the internet and satellite communications, covert operators would spend months or years preparing for a mission. Threat actors may also forego C2 as a last resort, most often limited to fire-and-forget malware or simple scripts. Such attacks are dangerous, but they lack the adaptability and persistence that characterize today’s most threatening adversaries.

C2 infrastructure serves several crucial purposes for attackers:

  • Persistence: It allows malware to maintain a connection with the attacker’s systems, ensuring long-term access to the compromised network.
  • Updates: Attackers can push new instructions or malware variants to evade detection.
  • Data Exfiltration: C2 channels are often used to steal sensitive information from the target network.
  • Lateral Movement: Coordinating the spread of an attack across multiple systems often relies on C2.

Historical Context: The Telegraph of War

To understand the significance of C2 in cyber operations, it’s helpful to look at its roots in military history. During the American Civil War, both Union and Confederate forces recognized the game-changing potential of the telegraph for military communications. General Ulysses S. Grant, in particular, used telegraph networks extensively to coordinate troop movements and relay intelligence. Leaning into these communications helped him maneuver three armies across great distances while keeping supply chains synchronized.

In an era before the Internet and radio communications, coordinating actions across such a wide area was near impossible. Grant’s use of the telegraph as a C2 workhorse changed warfare forever.

However, this new form of rapid long-distance communication also introduced vulnerabilities. Confederate cavalry raids often targeted Union telegraph lines, disrupting communications and gathering intelligence. In one famous incident, Confederate General John Hunt Morgan’s raiders tapped into Union telegraph lines, intercepting messages and sending false orders to confuse enemy forces. If only Grant’s operators had cryptography! It should also be noted that horse messengers, ships, semaphore flags, and even messaging via the printed press were used to link up other assets like scouts, spies, and more mobile forces.

The Union’s use of telegraph to provide C2 mirrors modern cyber C2 in several ways:

  • Rapid communication allows for coordinated, large-scale operations
  • The communication channel itself becomes a critical asset and potential vulnerability
  • Intercepting or disrupting the enemy’s communications provides significant tactical advantages
  • The main mode was far from the only mode used – backup communications and redundancy are evergreen needs

Having a C2 of choice is one thing, but what made Union forces so effective with the telegraph was their well-rehearsed use of it and their pragmatic use of backup means to maintain persistent contact.

Command and Control in Modern Cyberspace

In the digital realm, C2 infrastructure has evolved into a sophisticated ecosystem of tools and techniques. Modern attackers use a variety of methods to establish and maintain control over compromised systems, often employing multiple redundant channels to ensure persistence. These channels are not just to hand down orders, but are also used to provide updated Recon and Discovery, Exfiltrate data, and inform Lateral Movement.

Popular C2 frameworks like Cobalt Strike, Empire, and Metasploit provide attackers with powerful, flexible tools for managing their operations. The C2 Matrix project does a great job getting you familiar with a lot of them. These frameworks offer features like:

  • Multiple communication protocols and encryption methods
  • Modular payloads for different tasks
  • User-friendly interfaces for managing compromised hosts
  • Evasion techniques to avoid detection

However, the principles remain the same as in General Grant’s day: establish reliable communications, coordinate actions across multiple assets, and protect your own command infrastructure while seeking to disrupt the enemy’s.

C2: the attacker’s puppet strings

The MITRE ATT&CK framework identifies 16 techniques and 27 sub-techniques under the Command and Control (TA0011) tactic. This diversity reflects the many ways attackers can implement C2, adapting their methods to evade detection and maintain persistence.

There are a lot of techniques to chew on. Let’s try another view…

Here’s an attempt at categorizing those same techniques based on a general focus area:

Category and techniques:

  • Existing Communication Channel Abuse
    • Application Layer Protocol (T1071)
    • Web Service (T1102)
    • Proxy (T1090)
    • Traffic Signaling (T1205)
    • Remote Access Software (T1219)
    • Content Injection (T1659)
  • Custom Communication Methods
    • Protocol Tunneling (T1572)
    • Non-Standard Port (T1571)
    • Custom Command and Control Protocol (T1094)
    • Data Encoding (T1132)
    • Steganography (T1001)
    • Ingress Tool Transfer (T1105)
    • Non-App Layer Protocol (T1095)
  • Indirect or Asynchronous Communication
    • Dead Drop Resolver (T1102.001)
    • One-Way Communication (T1102.003)
    • Multi-Stage Channels (T1104)
    • Removable Media (T1092)
  • Evasion and Obfuscation Focused
    • Dynamic Resolution (T1568)
    • Fallback Channels (T1008)
    • Ingress Tool Transfer (T1105)
    • Traffic Signaling (T1205)
    • Data Obfuscation (T1001)
    • Encrypted Channel (T1573)
    • Hide Infrastructure (T1008)
  • Exploitation of External Services
    • Proxy (T1090)
    • Hide Infrastructure (T1008)
    • Dead Drop Resolver (T1102.001)

Some of the techniques appear in multiple spots, but you get the idea. Lots of ways to signal intentions, exfiltrate data, and sustain chaos in a target environment!

As you can see above, there are a ton of ways adversaries may combine techniques to provide unfettered access to an environment. Even worse, they may use multiple combinations in concert to ensure they have redundant access.

Examples of Techniques in action

Want to see some of the more common C2 scenarios out there?

  • Application Layer Protocol (T1071): Attackers often use common application layer protocols like HTTP, HTTPS, or DNS to blend their C2 traffic with normal network activity.
    • Example: The Havex malware, used in industrial espionage, uses HTTP POST requests to exfiltrate data and receive commands, making it difficult to distinguish from legitimate web traffic.
  • Data Encoding (T1132): To further obfuscate their communications, attackers may encode or encrypt their C2 traffic. This can range from simple base64 encoding to sophisticated custom encryption schemes.
    • Example: The Ursnif banking trojan uses a custom encryption algorithm over HTTPS to protect its C2 communications, making it challenging for defenders to analyze the traffic.
  • Non-Standard Port (T1571): While using common protocols helps hide C2 traffic, using non-standard ports can help evade port-based filtering and monitoring.
    • Example: The Carbanak malware, infamous for targeting financial institutions, has been observed using port 443 (typically reserved for HTTPS) for its C2 communications, but with a custom binary protocol instead of actual HTTPS.
  • Protocol Tunneling (T1572): Attackers may tunnel their C2 traffic through other protocols, essentially hiding one protocol inside another. This technique can bypass firewalls and other security controls that aren’t inspecting traffic deeply enough.
    • Example: Cyclops Blink has been known to abuse DNS over HTTPS (DoH) in order to evade firewall and other DNS security measures and reach C2 nodes.
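
A check for the Carbanak-style case above, traffic on TCP port 443 that is not actually TLS, as an added example (not code from the original post). The flow tuples and payload bytes are constructed, and only the first client payload of each TCP flow is examined.

```python
import struct

TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
CLIENT_HELLO = 0x01             # handshake message type: ClientHello
MAX_RECORD_LEN = 2**14 + 2048   # largest record length TLS 1.2 permits

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first client bytes parse as a TLS record holding a ClientHello."""
    if len(payload) < 9:        # 5-byte record header + 4-byte handshake header
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return False
    if not 4 <= rec_len <= MAX_RECORD_LEN:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # A ClientHello that fits one record cannot be longer than that record.
    return hs_type == CLIENT_HELLO and hs_len + 4 <= rec_len

def constructed_client_hello(body_len: int = 64) -> bytes:
    """Header-accurate stand-in for a ClientHello (body is zero padding)."""
    hs = bytes([CLIENT_HELLO]) + body_len.to_bytes(3, "big") + bytes(body_len)
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs

# Constructed flows: (src, dst, dst_port, first client payload). Not real traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, constructed_client_hello()),
    ("10.0.0.6", "198.51.100.7", 443, b"\x00\x00\x00\x2a\x01\x9f\x10\x00\x7b\x22"),
    ("10.0.0.7", "192.0.2.44", 443, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.8", "192.0.2.9", 8443, b"\x00\x01\x02"),
]

def non_tls_on_443(flows):
    """Return (src, dst) for TCP/443 flows whose first payload is not a ClientHello."""
    return [(src, dst) for src, dst, port, first in flows
            if port == 443 and not looks_like_tls_client_hello(first)]

if __name__ == "__main__":
    for src, dst in non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS payload on 443: {src} -> {dst}")
```

This covers TCP only; QUIC on UDP 443 needs its own parser.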

How Attackers Establish and Maintain C2

Setting up effective C2 infrastructure is a crucial step for attackers. TinyTurlaNG had great success against some government targets in the Winter of 2024, and did so by leveraging multiple C2 paths to help facilitate their theft of sensitive materials and credentials (from our CLUS2024 session BRKSEC-3026).

Here’s a typical process:

  1. Infrastructure Setup: Attackers often use compromised servers, cloud services, or anonymizing networks like Tor to host their C2 servers. They may employ domain generation algorithms (DGAs) to create a constantly changing list of domain names for their C2 servers.
  2. Initial Compromise: Once a system is compromised, the attacker’s malware establishes an initial connection to the C2 server, often using hardcoded addresses or DGA-generated domains.
  3. Beacon and Registration: The compromised system sends a beacon to the C2 server, providing information about the system and potentially receiving initial instructions.
  4. Ongoing Communication: The malware maintains periodic communication with the C2 server, checking for new commands and potentially exfiltrating collected data.
  5. Adapting and Evading: Sophisticated attackers continuously modify their C2 techniques to avoid detection, using tactics like traffic mimicry, domain fronting, or piggybacking on legitimate services.
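
From the defender’s side, the beacon and periodic check-ins in steps 3 and 4 leave a timing signature. This added example (not from the original post or the Talos research) scores source/destination pairs by how regular their connection intervals are; the log format, addresses and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample: "epoch_seconds src_ip dst_ip:port" (not real traffic).
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10:443
1061 10.0.0.5 203.0.113.10:443
1119 10.0.0.5 203.0.113.10:443
1180 10.0.0.5 203.0.113.10:443
1242 10.0.0.5 203.0.113.10:443
1300 10.0.0.5 203.0.113.10:443
1359 10.0.0.5 203.0.113.10:443
1003 10.0.0.7 198.51.100.20:443
1005 10.0.0.7 198.51.100.20:443
1010 10.0.0.7 198.51.100.20:443
1100 10.0.0.7 198.51.100.20:443
1102 10.0.0.7 198.51.100.20:443
1500 10.0.0.7 198.51.100.20:443
1000 10.0.0.9 192.0.2.8:8080
1600 10.0.0.9 192.0.2.8:8080
"""

def parse_log(text):
    """Group connection start times by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            flows[(src, dst)].append(float(ts))
    return flows

def find_beacons(text, min_events=6, max_cv=0.25):
    """Flag pairs whose gaps between connections are unusually regular."""
    # cv = stdev/mean of the gaps: jittered beacons stay low, bursty human traffic scores high.
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue                     # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            cv = round(statistics.pstdev(gaps) / mean, 3)
            hits.append((src, dst, statistics.median(gaps), cv))
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Legitimate software (update checks, NTP, monitoring agents) also beacons, so hits are leads to baseline and triage rather than verdicts.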

TinyTurlaNG is a great case study. They not only conduct the steps above, but they do it for two disparate C2 mechanisms (TTNG and Chisel) in addition to a whole host of parallel back doors that they are implementing. Below is just one of those (TTNG), which uses a compromised WordPress server to act as the C2 head end and builds in a custom HTTP parser to coordinate actions. Here is a look at some of the logic in that C2, as covered by a wonderful Cisco Talos post:

If you look closely, you can see the sorts of commands Turla is using to conduct their operations via the TTNG C2. (H/T to Cisco Talos)

How can we Mitigate Command and Control?

Defending against C2 activities requires a multi-layered approach, and if it seems they rhyme well with previous tactics we’ve covered, you are spot on! The good news? You get a lot of bang for the buck when you do the ‘simple’ things well. The bad news? Doing the ‘simple’ things can be hard culturally:

  • Network Segmentation: Limit the ability of compromised systems to communicate across the network. This single thing can ensure C2’s tentacles are limited in reach and save your bacon!
  • Firewall Rules and Application Whitelisting: Strictly control what can communicate externally and which applications can run. If you don’t know, enlist a network behavior and/or application dependency mapping tool to help!
  • Traffic Analysis and Anomaly Detection: Use tools to identify unusual patterns in network traffic that could indicate C2 activity. Beacons and long-lived sessions are weird. We need to find the strange and scrutinize it.
  • Regular System Updates and Patch Management: Keep systems updated to prevent exploitation of known vulnerabilities. A lot of C2 takes advantage of flaws, vulns, and misconfiguration.
  • DNS Monitoring: Watch for unusual DNS queries that could indicate use of DGAs or DNS tunneling. Firewalls and Secure Web Gateways are particularly helpful here. Also – enforce strict ACLs for what resolvers are trusted!
  • SSL/TLS Inspection: For environments where it’s feasible, inspect encrypted traffic for signs of C2 communications. It is costly and compute intensive, so maybe use it in higher-risk areas?
  • User Education: Train users to recognize and report suspicious system behavior that could indicate a compromise.
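
The DNS Monitoring bullet as an added example (not from the original post): it flags queries sent to resolvers outside an allowlist, very long labels, and high-entropy labels of the kind DGAs and DNS tunnels produce. The log format, resolver address and thresholds are assumptions.

```python
import math
from collections import Counter

TRUSTED_RESOLVERS = {"10.0.0.53"}  # assumption: the only resolver clients may use
MIN_LEN, MIN_ENTROPY = 12, 3.5     # assumed thresholds; tune against your own baseline
LONG_LABEL = 30                    # labels this long often carry encoded data (max is 63)

# Constructed sample: "client_ip resolver_ip qname" (not real traffic).
SAMPLE_QUERIES = """\
10.0.0.5 10.0.0.53 www.example.com
10.0.0.5 10.0.0.53 mail.example.org
10.0.0.8 10.0.0.53 xkqzjwpfhvbtrmcl.example.net
10.0.0.9 10.0.0.53 mzxw6ytboi2gk3tdn5sgk4tfon2ca43imvzgk.t.example.net
10.0.0.7 8.8.8.8 www.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score higher than words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def inspect_queries(log_text: str):
    """Return (client, qname, reasons) for every query that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, resolver, qname = line.split()
        reasons = []
        if resolver not in TRUSTED_RESOLVERS:
            reasons.append("untrusted-resolver")
        labels = qname.rstrip(".").lower().split(".")[:-1]  # ignore the TLD
        if any(len(lab) >= LONG_LABEL for lab in labels):
            reasons.append("long-label")
        if any(len(lab) >= MIN_LEN and shannon_entropy(lab) >= MIN_ENTROPY
               for lab in labels):
            reasons.append("high-entropy-label")
        if reasons:
            findings.append((client, qname, reasons))
    return findings

if __name__ == "__main__":
    for finding in inspect_queries(SAMPLE_QUERIES):
        print(finding)
```

Queries carried inside DNS over HTTPS never reach a resolver log like this one, which is why the resolver allowlist has to be enforced at the network edge as well.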

Conclusion

Command and Control is a critical tactic for adversaries, serving as the nervous system of their operations. By understanding C2 techniques and implementing robust defenses, organizations can disrupt attackers’ ability to maintain their grip on compromised assets.

Ulysses S. Grant: Soldier. General. President. And C2 revolutionary.

Just as General Grant’s use of the telegraph revolutionized military communications, modern cyber attackers leverage robust C2 infrastructures to coordinate their campaigns. However, unlike Civil War-era telegraph lines, today’s C2 channels are often hidden in plain sight, masquerading as normal network traffic. And rather than diversifying with flags, riders on horseback, and smoke, cyber adversaries just add additional channels using different TTP recipes. Can you tell the difference?

As defenders, our challenge is to spot these disguised communications, sever the attacker’s control, and fortify our systems against future intrusions. By focusing on a good mix of C2 detection and prevention, we significantly increase the cost and complexity for attackers and force them to make mistakes. Which is super helpful to our detection efforts!

I hope this ATT&CK Command and Control entry in the series has been helpful. Whatever you decide to do, think about all the ways you need communications to happen and aim to allow only those to happen. Thank you for reading and feel free to comment below!