# Command and Control

```mermaid
graph TB
    A["🖥️ Sistema Comprometido"] --> B["🌐 Protocolos de Aplicacao<br/>T1071 - HTTP / DNS / Mail"]
    A --> C["🔒 Canal Criptografado<br/>T1573 - TLS / Assimetrico"]
    A --> D["🔄 Proxy e Tunelamento<br/>T1090 / T1572"]
    B --> E["📡 Infraestrutura C2<br/>Servidor do Atacante"]
    C --> E
    D --> E
    E --> F["🎯 Exfiltração<br/>TA0010"]
    E --> G["💻 Execução Remota<br/>TA0002"]
```

> [!info] Overview
> The Command and Control tactic (TA0011) covers the techniques attackers use to maintain communication with compromised systems. The C2 channel is the critical link that lets the attacker send instructions, receive collected data and keep persistent access to the victim's environment.
> **Techniques:** 41 techniques covering application-layer protocols, tunneling, chained proxies and dynamic domain resolution.
> **LATAM highlight:** C2 infrastructure hosted on legitimate cloud providers (AWS, Azure, Cloudflare) makes detection harder for network security solutions in Brazil.

> [!warning] Brazil/LATAM context
> Banking RAT campaigns targeting Brazil, such as those of the **Blind Eagle** group, use **T1071 (HTTP)** and **T1219 (Remote Access Tools)** to keep control over the systems of internet banking users. **Domain fronting (T1090.004)** has also been identified in espionage operations against Brazilian government entities. Groups such as **Lazarus** and **APT41** abuse legitimate services like Discord and Telegram as covert C2 channels.

> **41 techniques** · Communication with attacker infrastructure: C2 protocols, tunneling, DNS.
%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nome"
FROM "ttp/techniques/command-and-control"
WHERE type = "technique"
SORT title ASC
```
%%

<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nota", title AS "Nome" FROM "ttp/techniques/command-and-control" WHERE type = "technique" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nota", title AS "Nome" FROM "ttp/techniques/command-and-control" WHERE type = "technique" SORT title ASC -->
| Note | Name |
| ---- | ---- |
| [[t1001-data-obfuscation\|T1001 - Data Obfuscation]] | T1001 - Data Obfuscation |
| [[t1001-001-junk-data\|T1001.001 - Junk Data]] | T1001.001 - Junk Data |
| [[t1001-002-steganography\|T1001.002 - Steganography]] | T1001.002 - Steganography |
| [[t1001-003-protocol-or-service-impersonation\|T1001.003 - Protocol or Service Impersonation]] | T1001.003 - Protocol or Service Impersonation |
| [[t1008-fallback-channels\|T1008 - Fallback Channels]] | T1008 - Fallback Channels |
| [[t1071-application-layer-protocol\|T1071 - Application Layer Protocol]] | T1071 - Application Layer Protocol |
| [[t1071-001-web-protocols\|T1071.001 - Web Protocols]] | T1071.001 - Web Protocols |
| [[t1071-002-file-transfer-protocols\|T1071.002 - File Transfer Protocols]] | T1071.002 - File Transfer Protocols |
| [[t1071-003-mail-protocols\|T1071.003 - Mail Protocols]] | T1071.003 - Mail Protocols |
| [[t1071-004-dns\|T1071.004 - DNS]] | T1071.004 - DNS |
| [[t1071-005-publishsubscribe-protocols\|T1071.005 - Publish/Subscribe Protocols]] | T1071.005 - Publish/Subscribe Protocols |
| [[t1090-proxy\|T1090 - Proxy]] | T1090 - Proxy |
| [[t1090-001-internal-proxy\|T1090.001 - Internal Proxy]] | T1090.001 - Internal Proxy |
| [[t1090-002-external-proxy\|T1090.002 - External Proxy]] | T1090.002 - External Proxy |
| [[t1090-003-multi-hop-proxy\|T1090.003 - Multi-hop Proxy]] | T1090.003 - Multi-hop Proxy |
| [[t1090-004-domain-fronting\|T1090.004 - Domain Fronting]] | T1090.004 - Domain Fronting |
| [[t1092-communication-through-removable-media\|T1092 - Communication Through Removable Media]] | T1092 - Communication Through Removable Media |
| [[t1095-non-application-layer-protocol\|T1095 - Non-Application Layer Protocol]] | T1095 - Non-Application Layer Protocol |
| [[t1102-web-service\|T1102 - Web Service]] | T1102 - Web Service |
| [[t1102-001-dead-drop-resolver\|T1102.001 - Dead Drop Resolver]] | T1102.001 - Dead Drop Resolver |
| [[t1102-002-bidirectional-communication\|T1102.002 - Bidirectional Communication]] | T1102.002 - Bidirectional Communication |
| [[t1102-003-one-way-communication\|T1102.003 - One-Way Communication]] | T1102.003 - One-Way Communication |
| [[t1104-multi-stage-channels\|T1104 - Multi-Stage Channels]] | T1104 - Multi-Stage Channels |
| [[t1105-ingress-tool-transfer\|T1105 - Ingress Tool Transfer]] | T1105 - Ingress Tool Transfer |
| [[t1132-data-encoding\|T1132 - Data Encoding]] | T1132 - Data Encoding |
| [[t1132-001-standard-encoding\|T1132.001 - Standard Encoding]] | T1132.001 - Standard Encoding |
| [[t1132-002-non-standard-encoding\|T1132.002 - Non-Standard Encoding]] | T1132.002 - Non-Standard Encoding |
| [[t1219-remote-access-tools\|T1219 - Remote Access Tools]] | T1219 - Remote Access Tools |
| [[t1219-001-ide-tunneling\|T1219.001 - IDE Tunneling]] | T1219.001 - IDE Tunneling |
| [[t1219-002-remote-desktop-software\|T1219.002 - Remote Desktop Software]] | T1219.002 - Remote Desktop Software |
| [[t1219-003-remote-access-hardware\|T1219.003 - Remote Access Hardware]] | T1219.003 - Remote Access Hardware |
| [[t1437-application-layer-protocol\|T1437 - Application Layer Protocol]] | T1437 - Application Layer Protocol |
| [[t1437-001-web-protocols\|T1437.001 - Application Layer Protocol: Web Protocols]] | T1437.001 - Application Layer Protocol: Web Protocols |
| [[t1521-encrypted-channel\|T1521 - Encrypted Channel]] | T1521 - Encrypted Channel |
| [[t1521-001-web-protocols\|T1521.001 - Encrypted Channel: Web Protocols]] | T1521.001 - Encrypted Channel: Web Protocols |
| [[t1568-dynamic-resolution\|T1568 - Dynamic Resolution]] | T1568 - Dynamic Resolution |
| [[t1568-001-fast-flux-dns\|T1568.001 - Fast Flux DNS]] | T1568.001 - Fast Flux DNS |
| [[t1568-002-domain-generation-algorithms\|T1568.002 - Domain Generation Algorithms]] | T1568.002 - Domain Generation Algorithms |
| [[t1568-003-dns-calculation\|T1568.003 - DNS Calculation]] | T1568.003 - DNS Calculation |
| [[t1571-non-standard-port\|T1571 - Non-Standard Port]] | T1571 - Non-Standard Port |
| [[t1572-protocol-tunneling\|T1572 - Protocol Tunneling]] | T1572 - Protocol Tunneling |
| [[t1573-encrypted-channel\|T1573 - Encrypted Channel]] | T1573 - Encrypted Channel |
| [[t1573-symmetric-cryptography\|T1573 - Encrypted Channel (Mobile)]] | T1573 - Encrypted Channel (Mobile) |
| [[t1573-001-symmetric-cryptography\|T1573.001 - Encrypted Channel: Symmetric Cryptography]] | T1573.001 - Encrypted Channel: Symmetric Cryptography |
| [[t1573-002-asymmetric-cryptography\|T1573.002 - Asymmetric Cryptography]] | T1573.002 - Asymmetric Cryptography |
| [[t1665-hide-infrastructure\|T1665 - Hide Infrastructure]] | T1665 - Hide Infrastructure |
<!-- SerializedQuery END -->

---

**Navigation:** [[_techniques|Techniques]] · [[_tactics|Tactics]] · [[_procedures|Procedures]]