Command and Control
Techniques
| ID | Name | Description |
|---|---|---|
| EST000166 | Communication Through Removable Media | A Cyber Embedded Technique in which an adversary performs command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that a target system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed to and/or from the disconnected system to the target system to which the adversary has direct access. |
| EST000167 | C2 Connection Proxy | A Cyber Embedded Technique in which an adversary uses a connection proxy to direct network traffic between systems or to act as an intermediary for network communications to a command and control server, avoiding direct connections to their infrastructure. An adversary may develop a tool that uses an LRU with multiple embedded peripheral interfaces (internal, e.g. PCI/VME, and external, e.g. serial buses such as ARINC 429 and RF interfaces) to pivot through and/or redirect traffic across the other interfaces, establishing multiple access points into the embedded system. Adversaries use these types of proxies to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. |
| EST000168 | Custom Command and Control Protocol | A Cyber Embedded Technique in which an adversary communicates using a custom command and control protocol instead of encapsulating commands and data in an existing protocol. Implementations include mimicking well-known protocols or developing custom protocols and/or data streams (including raw sockets) on top of fundamental protocols provided by the network stack. |
| EST000169 | Custom Cryptographic Protocol | A Cyber Embedded Technique in which an adversary uses a custom cryptographic protocol or algorithm to hide command and control traffic, or applies a standard cryptographic protocol where the serial bus specification does not call for any encryption. A simple scheme, such as XOR-ing the plaintext with a fixed key, produces a very weak ciphertext. Custom encryption schemes vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used. Some adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors. Because of the limited bit-space in serial networks, Format Preserving Encryption (FPE) is likely to be used; this makes the traffic easier for a defender to detect, since FPE is susceptible to chosen-plaintext attacks. |
| EST000170 | Data Encoding | A Cyber Embedded Technique in which an adversary encodes data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip. |
| EST000171 | Data Obfuscation | A Cyber Embedded Technique in which an adversary obfuscates command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. |
| EST000172 | C2 Fallback Channels | A Cyber Embedded Technique in which an adversary uses a fallback or alternate communication channel if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds. |
| EST000173 | Multi-Stage Command and Control Channels | A Cyber Embedded Technique in which an adversary uses multiple available RF channels to create multiple stages for command and control on a system. Use of multiple stages may obfuscate the command and control channel and make detection more difficult. An example of this would be utilizing the civil ACARS network, which has L-band (Inmarsat and Iridium), VHF (VDLM2 and POA), and HF channels that all route through the same Communications Management Unit (CMU) on an aircraft. |
| EST000174 | Multiband Communication | A Cyber Embedded Technique in which an adversary uses multiple available RF channels for command and control on an embedded system. An example of this would be utilizing the civil ACARS network, which has L-band (Inmarsat and Iridium), VHF (VDLM2 and POA), and HF channels that all route through the same Communications Management Unit (CMU) on an aircraft. |
| EST000175 | Serial Port Knocking | A Cyber Embedded Technique in which an adversary applies the concept of TCP/IP port knocking to an embedded serial interface. An adversary sends a command and/or exploit to an existing open "port" (i.e., a label on ARINC 429) in order to open a new communication channel on another port, avoiding detection by serial bus monitors and/or whitelisting applications; the new channel can then be used for persistent command and control. |
| EST000176 | Standard Non-Application Layer Protocol | A Cyber Embedded Technique in which an adversary communicates using a non-application layer protocol for command and control of an implant or other compromised LRU. An example would be an adversary causing an external effect on a subsystem that makes it send an error out on the serial bus. The implant receives the error, which the other LRUs largely ignore, and is activated; it then continues to communicate through error messages as they are triggered. |