# TA0011 — Command and Control
## Description
Command and Control (C2) covers the techniques that allow an adversary to **communicate with compromised systems** inside the victim's network. The C2 channel is the lifeline of the operation: through it the adversary sends instructions, receives command output, delivers new payloads and exfiltrates data.
Modern C2 architecture prioritizes **resilience and stealth**: use of legitimate protocols ([[HTTPS, DNS]]) to blend malicious traffic with normal business traffic; encryption of communications ([[t1573-001-symmetric-cryptography|T1573]]); use of legitimate web services as intermediaries ([[t1102-web-service|GitHub, Twitter, Pastebin]]); and domain rotation via Domain Generation Algorithms ([[t1568-002-domain-generation-algorithms|DGAs]]) to evade IoC-based blocking.
C2 frameworks such as Cobalt Strike, Sliver, Brute Ratel and Havoc are widely used by both APT groups and ransomware operators. Cobalt Strike Beacon traffic is one of the most frequently detected IoCs in advanced incidents worldwide, which makes customizing the C2 profile (Malleable C2) an essential skill for adversaries who need to evade detection.
## Position in the Kill Chain
```mermaid
graph TB
R["Reconhecimento"]:::inactive --> RD["Desenvolvimento<br/>de Recursos"]:::inactive
RD --> IA["Acesso Inicial"]:::inactive
IA --> EX["Execução"]:::inactive
EX --> PE["Persistência"]:::inactive
PE --> PR["Esc. Privilégios"]:::inactive
PR --> DE["Evasão de Defesas"]:::inactive
DE --> CA["Acesso a<br/>Credenciais"]:::inactive
CA --> DI["Descoberta"]:::inactive
DI --> LM["Mov. Lateral"]:::inactive
LM --> CO["Coleta"]:::inactive
CO --> C2["📡 Comando e<br/>Controle"]:::active
C2 --> EXF["Exfiltração"]:::inactive
EXF --> IM["Impacto"]:::inactive
classDef active fill:#e74c3c,color:#fff,stroke:#c0392b,stroke-width:3px
classDef inactive fill:#2c3e50,color:#95a5a6,stroke:#1a252f
```
## Techniques of this Tactic in the Vault
%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas"
FROM "ttp/techniques"
WHERE contains(mitre-tactic, "Command and Control")
SORT mitre-id ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas" FROM "ttp/techniques" WHERE contains(mitre-tactic, "Command and Control") SORT mitre-id ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas" FROM "ttp/techniques" WHERE contains(mitre-tactic, "Command and Control") SORT mitre-id ASC -->
| Note | ID | Technique | Platforms |
| ------------------------------------------------------------------------------------------------------------------------------------ | --------- | ----------------------------------------------------- | ------------------------------------------------------------------------------------------ |
| [[t1001-data-obfuscation\|T1001 - Data Obfuscation]] | T1001 | T1001 - Data Obfuscation | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1001-001-junk-data\|T1001.001 - Junk Data]] | T1001.001 | T1001.001 - Junk Data | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1001-002-steganography\|T1001.002 - Steganography]] | T1001.002 | T1001.002 - Steganography | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1001-003-protocol-or-service-impersonation\|T1001.003 - Protocol or Service Impersonation]] | T1001.003 | T1001.003 - Protocol or Service Impersonation | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1008-fallback-channels\|T1008 - Fallback Channels]] | T1008 | T1008 - Fallback Channels | <ul><li>Linux</li><li>Windows</li><li>macOS</li><li>ESXi</li></ul> |
| [[t1071-application-layer-protocol\|T1071 - Application Layer Protocol]] | T1071 | T1071 - Application Layer Protocol | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>Network Devices</li><li>ESXi</li></ul> |
| [[t1071-001-web-protocols\|T1071.001 - Web Protocols]] | T1071.001 | T1071.001 - Web Protocols | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1071-002-file-transfer-protocols\|T1071.002 - File Transfer Protocols]] | T1071.002 | T1071.002 - File Transfer Protocols | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1071-003-mail-protocols\|T1071.003 - Mail Protocols]] | T1071.003 | T1071.003 - Mail Protocols | <ul><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1071-004-dns\|T1071.004 - DNS]] | T1071.004 | T1071.004 - DNS | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>Network Devices</li><li>ESXi</li></ul> |
| [[t1071-005-publishsubscribe-protocols\|T1071.005 - Publish/Subscribe Protocols]] | T1071.005 | T1071.005 - Publish/Subscribe Protocols | <ul><li>macOS</li><li>Linux</li><li>Windows</li><li>Network Devices</li></ul> |
| [[t1090-proxy\|T1090 - Proxy]] | T1090 | T1090 - Proxy | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1090-001-internal-proxy\|T1090.001 - Internal Proxy]] | T1090.001 | T1090.001 - Internal Proxy | <ul><li>Linux</li><li>Network Devices</li><li>Windows</li><li>macOS</li><li>ESXi</li></ul> |
| [[t1090-002-external-proxy\|T1090.002 - External Proxy]] | T1090.002 | T1090.002 - External Proxy | <ul><li>ESXi</li><li>Linux</li><li>Network Devices</li><li>Windows</li><li>macOS</li></ul> |
| [[t1090-003-multi-hop-proxy\|T1090.003 - Multi-hop Proxy]] | T1090.003 | T1090.003 - Multi-hop Proxy | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1090-004-domain-fronting\|T1090.004 - Domain Fronting]] | T1090.004 | T1090.004 - Domain Fronting | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1092-communication-through-removable-media\|T1092 - Communication Through Removable Media]] | T1092 | T1092 - Communication Through Removable Media | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1095-non-application-layer-protocol\|T1095 - Non-Application Layer Protocol]] | T1095 | T1095 - Non-Application Layer Protocol | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1102-web-service\|T1102 - Web Service]] | T1102 | T1102 - Web Service | <ul><li>ESXi</li><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1102-001-dead-drop-resolver\|T1102.001 - Dead Drop Resolver]] | T1102.001 | T1102.001 - Dead Drop Resolver | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1102-002-bidirectional-communication\|T1102.002 - Bidirectional Communication]] | T1102.002 | T1102.002 - Bidirectional Communication | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1102-003-one-way-communication\|T1102.003 - One-Way Communication]] | T1102.003 | T1102.003 - One-Way Communication | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1104-multi-stage-channels\|T1104 - Multi-Stage Channels]] | T1104 | T1104 - Multi-Stage Channels | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1105-ingress-tool-transfer\|T1105 - Ingress Tool Transfer]] | T1105 | T1105 - Ingress Tool Transfer | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1132-data-encoding\|T1132 - Data Encoding]] | T1132 | T1132 - Data Encoding | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1132-001-standard-encoding\|T1132.001 - Standard Encoding]] | T1132.001 | T1132.001 - Standard Encoding | <ul><li>ESXi</li><li>Linux</li><li>Windows</li><li>macOS</li></ul> |
| [[t1132-002-non-standard-encoding\|T1132.002 - Non-Standard Encoding]] | T1132.002 | T1132.002 - Non-Standard Encoding | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1219-remote-access-tools\|T1219 - Remote Access Tools]] | T1219 | T1219 - Remote Access Tools | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1219-001-ide-tunneling\|T1219.001 - IDE Tunneling]] | T1219.001 | T1219.001 - IDE Tunneling | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1219-002-remote-desktop-software\|T1219.002 - Remote Desktop Software]] | T1219.002 | T1219.002 - Remote Desktop Software | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1219-003-remote-access-hardware\|T1219.003 - Remote Access Hardware]] | T1219.003 | T1219.003 - Remote Access Hardware | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1437-application-layer-protocol\|T1437 - Application Layer Protocol]] | T1437 | T1437 - Application Layer Protocol | <ul><li>Android</li><li>iOS</li></ul> |
| [[t1437-001-web-protocols\|T1437.001 - Application Layer Protocol: Web Protocols]] | T1437.001 | T1437.001 - Application Layer Protocol: Web Protocols | <ul><li>Android</li><li>iOS</li></ul> |
| [[t1521-encrypted-channel\|T1521 - Encrypted Channel]] | T1521 | T1521 - Encrypted Channel | <ul><li>Android</li><li>iOS</li></ul> |
| [[t1521-001-web-protocols\|T1521.001 - Encrypted Channel: Web Protocols]] | T1521.001 | T1521.001 - Encrypted Channel: Web Protocols | <ul><li>Android</li><li>iOS</li></ul> |
| [[t1568-dynamic-resolution\|T1568 - Dynamic Resolution]] | T1568 | T1568 - Dynamic Resolution | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1568-001-fast-flux-dns\|T1568.001 - Fast Flux DNS]] | T1568.001 | T1568.001 - Fast Flux DNS | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1568-002-domain-generation-algorithms\|T1568.002 - Domain Generation Algorithms]] | T1568.002 | T1568.002 - Domain Generation Algorithms | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1568-003-dns-calculation\|T1568.003 - DNS Calculation]] | T1568.003 | T1568.003 - DNS Calculation | <ul><li>Linux</li><li>macOS</li><li>Windows</li><li>ESXi</li></ul> |
| [[t1571-non-standard-port\|T1571 - Non-Standard Port]] | T1571 | T1571 - Non-Standard Port | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1572-protocol-tunneling\|T1572 - Protocol Tunneling]] | T1572 | T1572 - Protocol Tunneling | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1573-encrypted-channel\|T1573 - Encrypted Channel]] | T1573 | T1573 - Encrypted Channel | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1573-symmetric-cryptography\|T1573 - Encrypted Channel (Mobile)]] | T1573 | T1573 - Encrypted Channel (Mobile) | <ul><li>Android</li><li>iOS</li></ul> |
| [[t1573-001-symmetric-cryptography\|T1573.001 - Encrypted Channel: Symmetric Cryptography]] | T1573.001 | T1573.001 - Encrypted Channel: Symmetric Cryptography | <ul><li>Android</li><li>iOS</li><li>Windows</li><li>Linux</li><li>macOS</li></ul> |
| [[t1573-002-asymmetric-cryptography\|T1573.002 - Asymmetric Cryptography]] | T1573.002 | T1573.002 - Asymmetric Cryptography | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Windows</li></ul> |
| [[t1665-hide-infrastructure\|T1665 - Hide Infrastructure]] | T1665 | T1665 - Hide Infrastructure | <ul><li>ESXi</li><li>Linux</li><li>Network Devices</li><li>Windows</li><li>macOS</li></ul> |
<!-- SerializedQuery END -->
## Mindmap: C2 Techniques
```mermaid
mindmap
root((TA0011<br/>Command and Control))
Protocolos Web
T1071 Application Layer Protocol
T1071.001 HTTP/HTTPS
T1071.004 DNS
Beaconing periódico
Serviços Legítimos
T1102 Web Service
GitHub Dead Drop
Pastebin C2
Twitter/Discord
Evasão de Detecção
T1568.002 DGA
T1573 Encrypted Channel
T1573.001 Symmetric Crypto
T1001 Data Obfuscation
Proxy e Túnel
T1090 Proxy
T1572 Protocol Tunneling
T1090.002 External Proxy
T1090.003 Multi-hop Proxy
Transferência
T1105 Ingress Tool Transfer
Download Stage 2
Dropper → Loader → RAT
Frameworks C2
Cobalt Strike Beacon
Sliver
Brute Ratel C4
Havoc
Metasploit
```
## Actors that Use this Tactic
| Actor | Characteristic C2 Infrastructure |
|-------|----------------------------------|
| [[Cozy Bear]] | HTTPS over legitimate services, Cobalt Strike with a customized profile |
| [[g0032-lazarus-group\|Lazarus Group]] | Multi-layer C2, compromised domains, proprietary C2 malware |
| [[g1017-volt-typhoon\|Volt Typhoon]] | Compromised SOHO routers used as proxies, LOTL without explicit C2 |
| [[g0096-apt41\|APT41]] | Multiple frameworks, C2 on legitimate cloud providers |
| [[g0034-sandworm\|Sandworm]] | Dedicated infrastructure, C2 on anonymous VPSs, DGAs |
## Detection and Mitigation
### Detection
- **DNS Monitoring:** Newly registered domains, DGA patterns (high entropy, no real words)
- **Proxy Logs / SSL Inspection:** Inspect HTTPS traffic to detect periodic beaconing
- **Threat Intel:** Blocklists of IPs/domains of known C2 infrastructure (Abuse.ch, EmergingThreats)
- **Network Behavioral Analytics:** Detect beaconing: regular connections with low jitter to the same destination
- **SIEM:** Alerts on connections to legitimate web services (Pastebin, GitHub) from unusual processes
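As an added illustration (not part of the original note), the two heuristics above, DGA-style label entropy and low-jitter beaconing, applied to a few constructed proxy log lines. The log format, entropy threshold and coefficient-of-variation threshold are assumptions chosen for the example and would be tuned per environment.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic): "timestamp src dst host".
# Host 10.0.0.5 checks in every ~60 s with little jitter; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.10 cdn-update.example
2024-05-01T10:01:00 10.0.0.5 203.0.113.10 cdn-update.example
2024-05-01T10:02:01 10.0.0.5 203.0.113.10 cdn-update.example
2024-05-01T10:02:59 10.0.0.5 203.0.113.10 cdn-update.example
2024-05-01T10:04:00 10.0.0.5 203.0.113.10 cdn-update.example
2024-05-01T10:00:07 10.0.0.9 198.51.100.20 docs.example
2024-05-01T10:09:40 10.0.0.9 198.51.100.20 docs.example
2024-05-01T10:11:02 10.0.0.9 198.51.100.20 docs.example
2024-05-01T10:40:15 10.0.0.9 198.51.100.20 docs.example
2024-05-01T10:42:00 10.0.0.9 198.51.100.20 docs.example
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_dga(fqdn: str, entropy_threshold: float = 3.5, min_len: int = 12) -> bool:
    """Flag the registrable label (second-level) when it is long and high-entropy.
    Thresholds are assumed values for this example, not vendor defaults."""
    label = fqdn.split(".")[-2] if "." in fqdn else fqdn
    return len(label) >= min_len and shannon_entropy(label) >= entropy_threshold

def find_beacons(log_text: str, min_hits: int = 4, max_cv: float = 0.1) -> dict:
    """Group requests by (src, dst, host); a flow whose inter-arrival gaps have a
    coefficient of variation <= max_cv is reported with its mean interval (s)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, host = line.split()
        flows[(src, dst, host)].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[key] = mean
    return beacons
```

Real deployments would also whitelist known software update endpoints, which beacon legitimately, before raising an alert.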
### Mitigation
- **Web Proxy with SSL Inspection:** Inspect all outbound HTTPS traffic
- **DNS Filtering:** Block known malicious domains and DGAs (Cisco Umbrella, Cloudflare Gateway)
- **Egress Filtering:** Restrict which hosts/processes may make external connections
- **Network Segmentation:** High-value servers get no direct internet access (proxy only)
## LATAM/Brazil Relevance
Brazilian banking malware uses C2 hosted on domestic providers (LocaWeb, HostGator Brasil, Uol Host) to avoid geographic blocking and latency. Dynamic DNS services (No-IP, DynDNS) are widely used for resilient C2, allowing IP rotation without changing the domain.
[[s0531-grandoreiro|Grandoreiro]] and similar families use Brazilian cloud storage services and social network APIs to download configuration and module updates, a "Dead Drop Resolver" technique that is hard to block without impacting legitimate services.
## Related Notes
- [[ta0009-collection|TA0009 - Collection]]: previous phase (data to exfiltrate)
- [[ta0010-exfiltration|TA0010 - Exfiltration]]: next phase (sending the data)
- [[t1071-application-layer-protocol|T1071 - Application Layer Protocol]]: C2 via HTTP/DNS
- [[t1090-proxy|T1090 - Proxy]]: proxying of C2 traffic
- [[t1102-web-service|T1102 - Web Service]]: use of legitimate services as C2
- [[t1572-protocol-tunneling|T1572 - Protocol Tunneling]]: protocol tunneling
- [[t1568-002-domain-generation-algorithms|T1568.002 - Domain Generation Algorithms]]: DGA for resilience
- [[t1573-001-symmetric-cryptography|T1573.001 - Symmetric Cryptography]]: C2 channel encryption
- [[_techniques|Technique Index]]: overview of all documented techniques
## References
- [[ta0011-*|MITRE ATT&CK - TA0011 Command and Control]]
- [Abuse.ch — C2 Tracker](https://abuse.ch/)
- [Cobalt Strike Threat Intelligence](https://www.cobaltstrike.com/blog/)