This site has been deprecated in favor of and will remain in place until 11/1/22.

Command and Control

From attackics
Jump to navigation Jump to search


The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment.

Command and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victim’s network structure and defenses.

Techniques in this Tactics Category

Below is a list of all the Command and Control techniques in ATT&CK for ICS:

NameTacticsTechnical Description
Commonly Used PortCommand and ControlAdversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below.
  • TCP:80 (HTTP)
  • TCP:443 (HTTPS)
  • TCP/UDP:53 (DNS)
  • TCP:1024-4999 (OPC on XP/Win2k3)
  • TCP:49152-65535 (OPC on Vista and later)
  • TCP:23 (TELNET)
  • UDP:161 (SNMP)
  • TCP:502 (MODBUS)
  • TCP:102 (S7comm/ISO-TSAP)
  • TCP:20000 (DNP3)
  • TCP:44818 (Ethernet/IP)
Connection ProxyCommand and ControlAdversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.

The definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.

The network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.1
Standard Application Layer ProtocolCommand and ControlAdversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.