Home  >  APT29  >  Results  >  Elastic  >  Command and Control

Tactic Results: Command and Control (TA0011) Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Technique
Procedures Criteria Step
Detection Type Detection Notes
Commonly Used Port
(T1043)
Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Established network channel over port 443
3.B.3
Tactic (Alert, Correlated)
A Tactic alert detection (medium severity) called "Detected Command and Control" was generated due to PowerShell connecting to 192.168.0.5 on TCP 443. The event was correlated to a parent General detection for malicious file execution. [1]
General (Correlated, Alert)
A General alert detection (medium severity) was generated for the first network connection for a known process. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe connecting to 192.168.0.5 on TCP 443. The event was correlated to a parent General detection for malicious file execution. [1]
Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Established network channel over port 443
11.A.13
Tactic (Alert)
A Tactic alert detection (medium detection) for "Command and Control" with the rule name "PowerShell Network Activity" was generated for powershell.exe opening a network connection. [1]
Telemetry
Telemetry showed powershell.exe making a network connection to the C2 (192.168.0.4) over TCP port 443. [1]
Standard Application Layer Protocol
(T1071)
Used HTTPS to transport C2 (192.168.0.5) traffic
Evidence that the network data sent over the C2 channel is HTTPS
3.B.4
None
No detection capability demonstrated for this procedure. Although telemetry showed a network connection over port 443 no protocol was identified for this traffic, so a detection does not apply.
Used HTTPS to transport C2 (192.168.0.4) traffic
Established network channel over the HTTPS protocol
11.A.14
None
No detection capability demonstrated for this procedure.
Standard Cryptographic Protocol
(T1032)
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Evidence that the network data sent over the C2 channel is encrypted
1.A.4
None
No detection capability demonstrated for this procedure, though data showed rcs.3aka3.doc loading cryptographic libraries. [1]
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Evidence that the network data sent over the C2 channel is encrypted
3.B.5
None
No detection capability demonstrated for this procedure.
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Evidence that the network data sent over the C2 channel is encrypted
11.A.15
None
No detection capability demonstrated for this procedure.
Uncommonly Used Port
(T1065)
Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Established network channel over port 1234
1.A.3
Telemetry
Telemetry showed the rcs.3aka.doc connected to 192.168.0.5 on TCP port 1234. [1]