The Mitre Att&ck Matrix has 16 techniques in the Command and Control Category.
Application Layer Protocol is when a command and control system utilizes an application layer protocol such as DNS or HTTP to attempt to avoid detection.
Communication Through Removeable Media is when a threat actor loads malware including a command and control system on a removable media stick configured to automatically launch the malware onto a system to which it’s connected, thus establishing another system into a command and control network.
Data Encoding is when a command and control system encodes its commands to avoid detection or analyze what it’s doing.
Data Obfuscation is when a command and control system obfuscates commands to avoid detection. This technique is employed to make it harder to be analyzed.
Dynamic Resolution is when a command and control system gets configured to randomly reconnect to different ports or IPs in a mutually agreed order between server and client. This technique helps the command and control system avoid detection. Also, this technique is helpful in evading defensive measures such as blocking ports or IPs.
Encrypted Channel is when a command and control system encrypts the data transferring between server and client. This technique helps to evade systems that can’t scan encrypted traffic and to avoid contents from being analyzed.
Fallback Channels are when a command and control system sets a fallback port number and-or IP address to reestablish a connection if the originating connection terminates for whatever reason.
Ingress Tool Transfer is when a threat actor instructs a command and control system to upload malware or other tools onto a client. This technique is executed through a command and control system or from utilities installed on the target system like PowerShell or wget
Multi-Stage channels are when a command and control system executes a stager component which then contacts the command and control server to download the primary executables of the command and control server, which is, finally, run on the newly compromised client.
Non-Application Layer Protocol is when a command and Control System is, configured to use a non-application protocol to issue commands. Some common examples of this would be ICMP, TCP, or UDP.
Non-Standard Ports are when a command and control system is, configured to use a port not used for similar services. One example of this would be using port 8088 instead of 80. This technique gets used as an attempt to bypass filtering that filters based on port number and not scanning everything.
Protocol Tunneling is when a command and control system tunnels connections through a separate service. DNS tunneling and SSH tunneling are two common examples. This technique is employed to avoid detection and network filtering.
Proxy is when a command and control server has a separate proxy server to act as an intermediary between the client and server as part of an attempt to prevent the discovery of the source of the malicious traffic. This technique can also get performed as an attempt to make something look not as suspicious.
Remote Access Software is when a threat actor uses legitimate remote access software such as Team Viewer, AnyDesk, ETC, to establish an initial connection to a command and control system, thus compromising the affected system.
Traffic Signaling is when a command and control client sends a specially crafted packet to a specific port or multiple ports in a particular order to open up the port used to connect to a command and control server.
Web Service is when a command and control system utilizes legitimate external web services to be a proxy to help prevent detection and have the traffic appear legitimate. This technique will also make it harder to discover where the origin of the command and control server is actually from.