Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim's network structure and defenses.
Tactic Overview
Tactic ID: TA0011 — Matrix: Enterprise — Techniques: 18
The Command and Control tactic represents a phase in the adversary lifecycle where the adversary is trying to communicate with compromised systems to control them. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 18 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (18)
The following techniques are categorized under the Command and Control tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T1071 | Application Layer Protocol (5 sub-techniques) | Adversaries communicate over standard application layer protocols (HTTP/S, DNS, SMTP, FTP, MQTT) to blend C2 traffic with legitimate communications and evade network filtering. | T1071 |
T1092 | Communication Through Removable Media | Adversaries use removable media to establish C2 channels with air-gapped or disconnected systems. | T1092 |
T1659 | Content Injection | Adversaries inject malicious content into legitimate web traffic or communications to gain initial access to victim systems. | T1659 |
T1132 | Data Encoding (2 sub-techniques) | Adversaries encode C2 traffic data using standard (Base64) or non-standard encoding to make it harder to detect. | T1132 |
T1001 | Data Obfuscation (3 sub-techniques) | Adversaries obfuscate C2 communications using junk data, steganography, or protocol impersonation to evade detection. | T1001 |
T1568 | Dynamic Resolution (3 sub-techniques) | Adversaries use dynamic domain resolution (DGA, DNS calculation, fast flux) to vary their C2 infrastructure. | T1568 |
T1573 | Encrypted Channel (2 sub-techniques) | Adversaries encrypt C2 communications using symmetric or asymmetric cryptography to prevent content inspection. | T1573 |
T1008 | Fallback Channels | Adversaries configure multiple C2 channels to maintain communication if primary channels are blocked or discovered. | T1008 |
T1665 | Hide Infrastructure | Adversaries use techniques to hide their C2 infrastructure including CDN fronting, proxy services, and anonymization networks. | T1665 |
T1105 | Ingress Tool Transfer | Adversaries transfer tools and payloads from external systems into compromised environments using certutil, PowerShell, curl, wget, and other utilities. Widely used across APTs and ransomware operations. | T1105 |
T1104 | Multi-Stage Channels | Adversaries establish multiple stages of C2 channels to separate initial callbacks from operational C2 traffic. | T1104 |
T1095 | Non-Application Layer Protocol | Adversaries use non-application layer protocols (ICMP, UDP raw sockets) for C2 to evade application-layer filtering. | T1095 |
T1571 | Non-Standard Port | Adversaries communicate over non-standard ports to bypass firewall rules and network filtering based on expected port usage. | T1571 |
T1572 | Protocol Tunneling | Adversaries tunnel C2 traffic within other protocols (DNS tunneling, SSH tunneling, ICMP tunneling) to evade network monitoring. | T1572 |
T1090 | Proxy (4 sub-techniques) | Adversaries use proxy connections (SOCKS, internal proxies, multi-hop proxies, domain fronting) to route C2 traffic and disguise its origin. | T1090 |
T1219 | Remote Access Tools | Adversaries install legitimate remote access tools (TeamViewer, AnyDesk, ScreenConnect) as C2 mechanisms that blend with normal activity. | T1219 |
T1205 | Traffic Signaling (2 sub-techniques) | Adversaries use specially crafted network packets to trigger hidden functionality on compromised systems (port knocking, wake-on-LAN abuse). | T1205 |
T1102 | Web Service (3 sub-techniques) | Adversaries use legitimate web services (social media, cloud storage, paste sites) for C2 to blend traffic with normal web usage. | T1102 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Network intrusion detection
- SSL/TLS inspection
- DNS monitoring and sinkholing
- Block known C2 infrastructure
- Restrict outbound traffic
Detection Strategies
Effective detection of Command and Control techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Command and Control tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Command and Control Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026