Command and Control (18 techniques)
Communicating with compromised systems to control them.
The Command and Control tactic groups the MITRE ATT&CK techniques adversaries use to communicate with compromised systems and control them. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1001 — Data Obfuscation (ESXi, Linux, macOS, Windows)
- T1008 — Fallback Channels (ESXi, Linux, macOS, Windows)
- T1071 — Application Layer Protocol (Linux, macOS, Windows, Network Devices, ESXi)
- T1090 — Proxy (ESXi, Linux, macOS, Network Devices, Windows)
- T1092 — Communication Through Removable Media (Linux, macOS, Windows)
- T1095 — Non-Application Layer Protocol (ESXi, Linux, macOS, Network Devices, Windows)
- T1102 — Web Service (ESXi, Linux, macOS, Windows)
- T1104 — Multi-Stage Channels (Linux, macOS, Windows, ESXi)
- T1105 — Ingress Tool Transfer (ESXi, Linux, macOS, Network Devices, Windows)
- T1132 — Data Encoding (ESXi, Linux, macOS, Windows)
- T1205 — Traffic Signaling (Linux, macOS, Network Devices, Windows)
- T1219 — Remote Access Tools (Linux, macOS, Windows)
- T1568 — Dynamic Resolution (ESXi, Linux, macOS, Windows)
- T1571 — Non-Standard Port (ESXi, Linux, macOS, Windows)
- T1572 — Protocol Tunneling (ESXi, Linux, macOS, Windows)
- T1573 — Encrypted Channel (ESXi, Linux, macOS, Network Devices, Windows)
- T1659 — Content Injection (Linux, macOS, Windows)
- T1665 — Hide Infrastructure (ESXi, Linux, macOS, Network Devices, Windows)