- Tactics
- Command and Control
- Platforms
- ESXi, Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1001.001
Description
Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Command and Control tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1001 — Data Obfuscation
- T1008 — Fallback Channels
- T1071 — Application Layer Protocol
- T1090 — Proxy
- T1092 — Communication Through Removable Media
- T1095 — Non-Application Layer Protocol
- T1102 — Web Service
- T1104 — Multi-Stage Channels
- T1105 — Ingress Tool Transfer
- T1132 — Data Encoding
- T1205 — Traffic Signaling
- T1219 — Remote Access Tools