We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Mapping To Command and Control

When an adversary engages in a specific behavior, they risk exposing an unintended weakness. By looking at each ATT&CK activity, we can examine the weaknesses revealed and identify one or more engagement activities to exploit them. The following table outlines the Adversary Vulnerabilities and Engagement Activities that are available to the defender when the adversary engages in Command and Control behaviors.

Details
ATT&CK ID: TA0011

| ATT&CK® Technique | Adversary Vulnerability | Engagement Activity | Engagement Activity Description |
| --- | --- | --- | --- |
| Data Obfuscation | When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. | Software Manipulation | Make changes to a system's software properties and functions to achieve a desired effect. |
| Data Obfuscation | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. | Information Manipulation | Conceal and reveal both facts and fictions to support a deception story. |
| Data Obfuscation | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. | Network Analysis | Analyze network traffic to gain intelligence on communications between systems. |
| Fallback Channels | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Fallback Channels | When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. | Security Controls | Alter security controls to make the system more or less vulnerable to attack. |
| Fallback Channels | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Fallback Channels | When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Fallback Channels | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Application Layer Protocol | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Application Layer Protocol | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Proxy | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Proxy | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Communication Through Removable Media | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. | Peripheral Management | Manage peripheral devices used on systems within the network for engagement purposes. |
| Communication Through Removable Media | When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment. | Detonate Malware | Execute malware under controlled conditions to analyze its functionality. |
| Communication Through Removable Media | When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. | Peripheral Management | Manage peripheral devices used on systems within the network for engagement purposes. |
| Communication Through Removable Media | When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. | Migrate Attack Vector | Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use. |
| Communication Through Removable Media | When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. | Isolation | Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits. |
| Communication Through Removable Media | When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. | Security Controls | Alter security controls to make the system more or less vulnerable to attack. |
| Communication Through Removable Media | When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. | System Activity Monitoring | Collect system activity logs that can reveal adversary activity. |
| Communication Through Removable Media | When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user. | Personas | Create fictitious human user(s) through a combination of planted data and revealed behavior patterns. |
| Non-Application Layer Protocol | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Non-Application Layer Protocol | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Web Service | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Web Service | When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Web Service | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Web Service | When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when using or moving the artifacts elsewhere in the engagement environment. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Web Service | When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to wasting resources to accomplish the task. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Web Service | When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to wasting resources to accomplish the task. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Multi-Stage Channels | When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. | Migrate Attack Vector | Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use. |
| Multi-Stage Channels | When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Multi-Stage Channels | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Ingress Tool Transfer | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Ingress Tool Transfer | When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. | Isolation | Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits. |
| Ingress Tool Transfer | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Data Encoding | When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. | API Monitoring | Monitor local APIs that might be used by adversary tools and activity. |
| Data Encoding | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. | Information Manipulation | Conceal and reveal both facts and fictions to support a deception story. |
| Data Encoding | When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Data Encoding | When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Data Encoding | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. | Network Analysis | Analyze network traffic to gain intelligence on communications between systems. |
| Data Encoding | When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to wasting resources to accomplish the task. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Traffic Signaling | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Traffic Signaling | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Traffic Signaling | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Remote Access Software | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Remote Access Software | When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. | Pocket Litter | Place data on a system to reinforce the legitimacy of the system or user. |
| Remote Access Software | When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. | Decoy Artifacts and Systems | Introduce impersonations to expand the scope of a deceptive story. |
| Remote Access Software | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. | Application Diversity | Present the adversary with a variety of installed applications and services. |
| Remote Access Software | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. | Personas | Create fictitious human user(s) through a combination of planted data and revealed behavior patterns. |
| Remote Access Software | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. | Detonate Malware | Execute malware under controlled conditions to analyze its functionality. |
| Remote Access Software | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Dynamic Resolution | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Dynamic Resolution | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Non-Standard Port | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Non-Standard Port | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Protocol Tunneling | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| Protocol Tunneling | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Encrypted Channel | When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. | Software Manipulation | Make changes to a system's software properties and functions to achieve a desired effect. |
| Encrypted Channel | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| Encrypted Channel | When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities. | Network Analysis | Analyze network traffic to gain intelligence on communications between systems. |

Stay tuned for more mappings with this tactic.