
Studying Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Enterprise Tactics. Part 11

Command and Control


Links to all parts:
Part 1. Initial Access
Part 2. Execution
Part 3. Persistence
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Credential Access
Part 7. Discovery
Part 8. Lateral Movement
Part 9. Collection
Part 10. Exfiltration
Part 11. Command and Control

The Command and Control tactic (abbreviated C2 or C&C) is the final stage of the attack chain presented in the ATT&CK Matrix for Enterprise.

Command and Control covers the techniques by which an adversary communicates with the systems it controls inside the target network. Depending on the configuration of those systems and the topology of the target network, there are many ways to build a covert C2 channel; the most common techniques are described below. General recommendations on preventing and detecting C2 are collected in a separate block at the end of the section.

The author is not responsible for any consequences of applying the information contained in the article, and apologizes for possible inaccuracies in some formulations and terms. The published information is a free retelling of MITRE ATT&CK content.

Commonly Used Port


System: Windows, Linux, macOS
Description: To bypass firewalls and blend malicious traffic with normal network activity, an adversary can communicate with the compromised system over standard ports commonly used by ordinary applications:
TCP: 80 (HTTP)
TCP: 443 (HTTPS)
TCP: 25 (SMTP)
TCP/UDP: 53 (DNS)


Examples of ports used for connections inside an adversary-controlled enclave (for example, between a proxy node and other nodes) are:
TCP/UDP: 135 (RPC)
TCP: 22 (SSH)
TCP/UDP: 3389 (RDP)


Communication Through Removable Media


System: Windows, Linux, macOS
Description: An adversary can build C2 between physically isolated hosts by using removable media to relay commands from one system to another. Both systems must be compromised: the Internet-connected system is likely to be compromised first, and the isolated system is compromised during lateral movement by replicating malware through removable media (see Part 8). Commands and files are then relayed from the isolated system back to the Internet-connected system, to which the adversary has direct access.

Security Tips: Disable autorun for removable devices. Prohibit or restrict the use of removable media at the organization's policy level. Audit the processes that execute when removable media is connected.

Connection Proxy


System: Windows, Linux, macOS
Description: An adversary can use a proxy to redirect network traffic between systems or to act as an intermediary for network communications. Many tools (for example, HTRAN, ZXProxy and ZXPortMap) can redirect traffic or forward ports.

The concept of a proxy also covers trust relationships in peer-to-peer (P2P) and mesh networks, and trusted connections between networks. Such a network can be within one organization or span organizations that have trust relationships. An adversary can use these trust relationships to manage C2 communications, reduce the number of simultaneous outbound connections, provide resilience against connection loss, or ride over existing trusted paths to avoid suspicion.

Custom Command and Control Protocol


System: Windows, Linux, macOS
Description: An adversary can build a C2 channel over a custom network protocol instead of encapsulating commands and data in an existing standard application-layer protocol. Such an implementation may mimic well-known protocols or use a purpose-built protocol (including raw sockets) on top of the fundamental protocols of TCP/IP or another standard network stack.

Custom Cryptographic Protocol


System: Windows, Linux, macOS
Description: To hide the contents of C2 traffic, an adversary can use its own cryptographic protocol or encryption algorithm. Even a simple scheme, such as XORing the plaintext with a fixed key, produces ciphertext, albeit very weak ciphertext.

Attacker-written encryption schemes vary in complexity. Analysis and reverse engineering of malware samples can recover the algorithm and the encryption key in use. Some adversaries implement their own version of a well-known algorithm instead of using a vetted library, which can introduce unintended flaws into the adversary's software.

Protection recommendations: If the malware uses a custom scheme with symmetric keys, the algorithm and key can be extracted from samples and used to decode network traffic and to build detection signatures.
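
The following is an added example (not code from the original article or from MITRE ATT&CK) showing why fixed-key XOR is "very weak": a known-plaintext attack recovers the key from a single captured message. The implant, its JSON check-in format and the key `k3y!` are all constructed for the example; the only thing the analyst is assumed to know is the string the message starts with, which in practice comes from the sample itself.

```python
import json


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the fixed-key scheme the text calls 'very weak'.
    The same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _looks_like_text(blob: bytes) -> bool:
    """Cheap plausibility check for a decryption attempt: printable ASCII plus whitespace."""
    return all(0x20 <= b < 0x7F or b in b"\t\r\n" for b in blob)


def recover_xor_key(ciphertext: bytes, known_prefix: bytes, max_keylen: int = 16):
    """Known-plaintext attack on repeating-key XOR.

    Given a ciphertext and the plaintext it starts with (a JSON opener, a magic
    string, a fixed header seen in the sample), try key lengths from 1 up to the
    length of the known prefix. Each candidate key is ciphertext XOR known_prefix
    over the first keylen bytes; a candidate is accepted only if it reproduces the
    whole known prefix and turns the entire message into text-like output.
    Returns (key, plaintext) or (None, None). A prefix shorter than the key can
    only recover that many key bytes, so no full key is returned in that case."""
    for keylen in range(1, min(max_keylen, len(known_prefix)) + 1):
        key = xor_bytes(ciphertext[:keylen], known_prefix[:keylen])
        plain = xor_bytes(ciphertext, key)
        if plain[: len(known_prefix)] != known_prefix:
            continue
        if _looks_like_text(plain):
            return key, plain
    return None, None


# Constructed sample, not real malware traffic: a hypothetical implant that sends
# JSON check-ins XOR-encrypted with a fixed 4-byte key.
BEACON = b'{"id":"a1b2c3","host":"WS-042","cmd":"whoami"}'
IMPLANT_KEY = b"k3y!"
CAPTURED = xor_bytes(BEACON, IMPLANT_KEY)


def decode_capture():
    """Analyst side: the JSON opener is the guessed known plaintext."""
    key, plain = recover_xor_key(CAPTURED, b'{"id":"')
    return key, (json.loads(plain) if plain else None)


if __name__ == "__main__":
    key, msg = decode_capture()
    print("recovered key:", key, "message:", msg)
```

Once the key is known, the same `xor_bytes` call decodes every later message from that sample, and the recovered key bytes are a usable network signature. If no plaintext is known at all, the classic approach is to guess the key length from the Hamming distance between ciphertext blocks and then solve each key byte by frequency analysis; that is the case where a longer key buys the adversary only a little more work.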

Data Encoding


System: Windows, Linux, macOS
Description: Information transmitted over the C2 channel is encoded using standard data encoding systems. Encoding is used to conform to existing protocol specifications and includes ASCII, Unicode, Base64, MIME, UTF-8 or other binary-to-text encodings and character sets. Some encodings, such as gzip, also compress the data.

Data Obfuscation


System: Windows, Linux, macOS
Description: Data on the C2 channel can be hidden (not necessarily with encryption) to make the transmitted content harder to detect and decode, to make the communication less conspicuous, and to conceal the commands being sent. There are many obfuscation methods, such as adding junk data to protocol traffic, using steganography, mixing legitimate traffic with C2 traffic, or using a non-standard encoding, for example a modified Base64 in the body of an HTTP request.
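
The following added example (not code from the original article or from MITRE ATT&CK) covers both Data Encoding and Data Obfuscation above: the "modified Base64 in an HTTP body" case. The implant's alphabet (the standard table rotated by 17 positions) is a constructed assumption, and `encode_custom` stands in for the sample's own encoder as an analyst would drive it in a sandbox. It shows how to triage an HTTP body, why a custom alphabet is indistinguishable from an encrypted blob at that stage, and how a chosen-plaintext run of the sample's encoder recovers the whole substitution table.

```python
import base64
import binascii
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Constructed, hypothetical implant alphabet: the standard table rotated by 17 positions.
CUSTOM_ALPHABET = STD_ALPHABET[17:] + STD_ALPHABET[:17]


def encode_custom(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Stand-in for the implant's encoder: standard Base64, then symbol substitution."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_custom(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Decoder for when the alphabet is already known from reverse engineering."""
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)), validate=True)


def classify_body(body: str) -> str:
    """Triage an HTTP body: 'not-base64', 'base64-text' (standard Base64 of readable text)
    or 'base64-opaque' (Base64-shaped, but the standard decode is binary: compressed,
    encrypted, or a custom alphabet; the three cannot be told apart at this stage)."""
    s = body.strip()
    if len(s) < 16 or len(s) % 4 or any(c not in STD_ALPHABET + "=" for c in s):
        return "not-base64"
    try:
        decoded = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if all(0x20 <= b < 0x7F or b in b"\t\r\n" for b in decoded):
        return "base64-text"
    return "base64-opaque"


def learn_alphabet(chosen_plaintext: bytes, observed: str) -> dict:
    """Recover the substitution table from a chosen-plaintext pair, e.g. by running the
    sample's encoder on bytes(range(256)), whose Base64 uses all 64 symbols.
    Returns a mapping observed symbol -> standard symbol."""
    standard = base64.b64encode(chosen_plaintext).decode("ascii")
    if len(standard) != len(observed):
        raise ValueError("length mismatch: not a symbol-for-symbol substitution")
    mapping = {}
    for s, o in zip(standard, observed):
        if s == "=":
            continue
        if mapping.setdefault(o, s) != s:
            raise ValueError("inconsistent mapping: not a simple substitution")
    return mapping


def decode_with_mapping(text: str, mapping: dict):
    """Decode a captured body with a learned table. Returns (bytes, set()) on success or
    (None, unknown_symbols) when the table is still incomplete."""
    unknown = {c for c in text if c != "=" and c not in mapping}
    if unknown:
        return None, unknown
    return base64.b64decode("".join(mapping.get(c, c) for c in text), validate=True), set()


if __name__ == "__main__":
    body = encode_custom(b'{"cmd":"whoami"}')          # constructed captured request body
    print(classify_body(body))                          # base64-opaque
    table = learn_alphabet(bytes(range(256)), encode_custom(bytes(range(256))))
    print(decode_with_mapping(body, table)[0])          # b'{"cmd":"whoami"}'
```

The triage step is what a proxy or IDS rule can do on its own; the table-learning step needs the sample, which is the point the section makes about reverse engineering. A learned table from ordinary captured traffic is usually partial, which is why `decode_with_mapping` reports the symbols it has not seen instead of guessing.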

Hiding the real destination of the connection (Domain Fronting)


System: Windows, Linux, macOS
Description: The essence of Domain Fronting is hiding the real destination of an HTTPS request behind a content delivery network (CDN).

Example: Domains X and Y are both customers of the same CDN. A request that names domain X in the TLS header and domain Y in the HTTP header will most likely be delivered to domain Y, even if network communication between the source and domain Y is prohibited.

An HTTPS request carries the destination name in two places: in the Server Name Indication (SNI) field of the TLS ClientHello, which is sent in the clear, and in the Host header of the HTTP request, which sits inside the encrypted layer. Domain Fronting deliberately puts different names in the two fields: the permitted name goes into SNI and the real target into Host. If both names belong to the same CDN, the CDN edge node that terminates TLS reads the Host header and may forward the request to the target.

A variant of this technique is called domainless fronting. Here the SNI field is intentionally left empty, which lets the request reach the target even if the CDN compares the SNI and Host fields, provided an empty SNI is ignored.

Security Tips: If HTTPS traffic can be inspected, connections resembling Domain Fronting can be captured and analyzed. Where TLS inspection is in place or the traffic is not encrypted, the Host header can be compared with the SNI value, and both can be checked against allow and deny lists. To use Domain Fronting the adversary may need to deploy additional tooling on the compromised host, and host-based protection can prevent that tooling from being installed.

Fallback Channels


System: Windows, Linux, macOS
Description: To keep the control channel reliable and to avoid exceeding data-transfer thresholds, adversaries can use backup or alternate communication channels if the primary C2 channel is compromised or unavailable.

Multi-Stage Channels


System: Windows, Linux, macOS
Description: Adversaries can build multi-stage C2 channels that are used in different environments or for specific functions. Using several stages obfuscates the C2 channel and makes it harder to detect.

A remote access tool (RAT) running on the target host initiates a connection to the first-stage C2 server. The first stage may automate basic host information collection, run update tools and download additional files. A second RAT can then be launched to redirect the host to a second-stage C2 server. The second-stage C2 is likely to be fully functional and lets the adversary interact with the target system through a reverse shell and additional RAT functions.

The C2 stages are likely to be hosted separately, without overlapping infrastructure. The loader may also have backup first-stage callbacks or fallback channels in case the original first-stage channel is discovered and blocked.

Protection recommendations: C2 infrastructure used for multi-stage channels can be blocked if it is known in advance. If C2 traffic contains unique signatures, they can be used to identify and block the channel.

Multi-hop Proxy


System: Windows, Linux, macOS
Description: To disguise the source of malicious traffic, an adversary can chain several proxy servers. As a rule, the defender can identify only the last proxy in the chain. Multiple hops make identifying the true source harder, because the defender must trace the traffic back through each proxy in turn.

Security Tips: Traffic to known anonymity networks (such as Tor) and to known C2 infrastructure can be blocked with deny and allow lists. Note, however, that such blocking can be circumvented with techniques like Domain Fronting.

Multiband Communication


System: Windows, Linux, macOS
Description: Some adversaries split the C2 channel across different protocols. Incoming commands can be transmitted over one protocol and outgoing data over another, which bypasses some firewall restrictions. The split may also be randomized to avoid triggering thresholds on any single message.

Security Tips: Analyze packet contents to detect connections that do not match the expected protocol behaviour for the port in use. Correlating alerts across several communication channels can also help detect C2.

Multilayer Encryption


System: Windows, Linux, macOS
Description: An adversary can apply several layers of encryption to C2 traffic. Typically (though other arrangements are possible) an additional tunnel with its own encryption scheme is carried inside HTTPS or SMTPS.

Security Tips: Encrypted protocols complicate typical signature-based C2 detection. If the malware uses a standard cryptographic protocol, SSL/TLS inspection can reveal C2 traffic on some encrypted channels. SSL/TLS inspection carries risks that should be weighed before deployment, such as incomplete certificate validation by the inspecting device. After SSL/TLS inspection, additional cryptographic analysis may still be needed for the second encryption layer.

Port knocking


System: Linux, macOS
Rights: User
Description: Adversaries can use port knocking to hide the open ports they use to connect to the system: the port is opened only after the host receives a predefined sequence of connection attempts to closed ports.

Security Tips: Stateful firewalls can prevent some port knocking implementations.
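
The following is an added example (not code from the original article or from MITRE ATT&CK) of detecting a knock sequence from firewall logs, which is the defender-side view the section does not spell out: a knocking client first produces several dropped SYNs to distinct closed ports on one host and is then accepted on a port it never knocked on. The log format and the addresses are constructed; real deployments would read iptables/nftables or netflow records with logging of dropped packets enabled.

```python
import re
from collections import defaultdict

# Constructed firewall log (not a real capture), one connection attempt per line:
# "<epoch> <DROP|ACCEPT> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port>"
SAMPLE_FW_LOG = """\
1700000001 DROP SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=7000
1700000002 DROP SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=8000
1700000003 DROP SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=9000
1700000005 ACCEPT SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=2222
1700000007 DROP SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP DPT=23
1700000030 ACCEPT SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP DPT=443
1700000040 ACCEPT SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP DPT=443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP DPT=(?P<dport>\d+)$"
)


def parse_events(lines):
    """Parse log lines into (ts, action, src, dst, dport) tuples, oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["action"], m["src"], m["dst"], int(m["dport"])))
    return sorted(events)


def find_knock_sequences(lines, min_knocks=3, max_knocks=8, window=10):
    """Flag a source that hit several distinct closed ports on one host within `window`
    seconds and was then accepted on a port it had not knocked on. `max_knocks` separates
    a knock sequence from a port scan, which produces far more drops in the same window."""
    by_pair = defaultdict(list)
    for ev in parse_events(lines):
        by_pair[(ev[2], ev[3])].append(ev)
    findings = []
    for (src, dst), evs in by_pair.items():
        for i, (ts, action, _, _, dport) in enumerate(evs):
            if action != "ACCEPT":
                continue
            knocked = []                                   # distinct dropped ports, in order
            for e_ts, e_action, _, _, e_port in evs[:i]:   # evs is sorted, so all e_ts <= ts
                if e_action == "DROP" and ts - window <= e_ts and e_port not in knocked:
                    knocked.append(e_port)
            if min_knocks <= len(knocked) <= max_knocks and dport not in knocked:
                findings.append({"src": src, "dst": dst, "knock_ports": knocked,
                                 "opened_port": dport, "ts": ts})
    return findings


if __name__ == "__main__":
    for f in find_knock_sequences(SAMPLE_FW_LOG.splitlines()):
        print(f)
```

The rule needs the firewall to log drops, which is the usual gap; without drop logging the knocks are invisible and only the final accepted connection to an unexpected port remains as a signal. Ordered knock sequences (the common knockd configuration) could additionally be matched against a known sequence, but the heuristic above deliberately does not assume the sequence is known.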

Remote Access Tools


System: Windows, Linux, macOS
Description: To establish interactive command and control, an adversary can use legitimate desktop-support and remote-access software such as TeamViewer, GoToAssist, LogMeIn and Ammyy Admin. These tools are commonly used by technical support staff, may be allow-listed in the organization, and are just as commonly used by intruders; VNC is another frequent choice.

Remote access tools can be installed after the system is compromised for use as an alternative C2 channel. They can also be used as a malware component to establish a reverse connection to a server or system controlled by the adversary.

Administration tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and by criminal campaigns.

Security Tips: Remote access tools may be used together with Domain Fronting, so it is advisable to prevent the adversary from installing them by using host-based protection and application allow-listing.

Remote File Copy


System: Windows, Linux, macOS
Description: Files can be copied from one system to another to stage adversary tools or other files. Files can be copied from an external adversary-controlled system through the C2 channel or with other tools over alternative protocols such as FTP. On macOS and Linux, files can also be copied with built-in tools such as scp, rsync and sftp.

Adversaries can also copy files laterally between internal victim systems to support lateral movement and remote command execution. This can be done with file-sharing protocols, by mounting network shares over SMB, or through authenticated connections to Windows admin shares or RDP.

Security Tips: For detection, monitor file creation and file transfers over the network via SMB. Unusual processes with external network connections that create files on the system should also be treated as suspicious, as should unusual use of utilities such as FTP.

Standard Application Layer Protocol


System: Windows, Linux, macOS
Description: To avoid detection by blending C2 traffic with existing network traffic, adversaries can use standard application-layer protocols such as HTTP, HTTPS, SMTP or DNS. For connections inside the adversary-controlled enclave, for example between a proxy node and other nodes, RPC, SSH or RDP are commonly used.
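
The following is an added example (not code from the original article or from MITRE ATT&CK) for the DNS case mentioned here and under Commonly Used Port: when commands and results are smuggled in query names, the resolver log shows many unique, long, high-entropy subdomains under one registrable domain. The log format, the client address and the domains are constructed; `badcdn.example` stands in for a tunnelling implant's domain.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not a real capture): "<epoch> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com A
1700000003 10.0.0.5 api-v2.example.com A
1700000004 10.0.0.5 4a7f19c2e0b8d3f6a1c5e9b2d7f0a3c8.t.badcdn.example TXT
1700000005 10.0.0.5 9e2b7d1f4c6a0e8b3d5f7a9c1e2b4d6f.t.badcdn.example TXT
1700000006 10.0.0.5 0c3e5a7b9d1f2e4c6a8b0d2f4e6a8c1b.t.badcdn.example TXT
1700000007 10.0.0.5 f1d3b5a7c9e0f2d4b6a8c0e1f3d5b7a9.t.badcdn.example TXT
1700000008 10.0.0.5 7b9d1f3a5c7e9b0d2f4a6c8e0b1d3f5a.t.badcdn.example TXT
1700000009 10.0.0.5 2e4a6c8b0d1f3e5a7c9b1d3f5e7a9c0b.t.badcdn.example TXT
"""


def shannon_entropy(s):
    """Bits per character; encoded payload labels score far above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Naive 'last two labels' grouping. Production code should use the Public Suffix
    List, otherwise every co.uk site collapses into one bucket."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def flag_dns_tunnels(lines, min_unique=5, min_sub_len=20, min_entropy=2.5):
    """Group queries by registrable domain and flag domains that receive many unique,
    long, high-entropy subdomains. Returns {domain: metrics} for flagged domains."""
    per_domain = defaultdict(lambda: {"names": set(), "sub_len": [], "entropy": [], "bulk": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _, _, qname, qtype = parts
        qname = qname.rstrip(".").lower()
        dom = registrable_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        d = per_domain[dom]
        d["names"].add(qname)
        d["sub_len"].append(len(sub))
        d["entropy"].append(shannon_entropy(sub))
        # record types with room for bulk data, the usual choice of tunnelling tools
        d["bulk"] += qtype.upper() in ("TXT", "NULL", "CNAME", "MX")
    flagged = {}
    for dom, d in per_domain.items():
        n = len(d["sub_len"])
        metrics = {"unique_names": len(d["names"]), "queries": n,
                   "avg_sub_len": sum(d["sub_len"]) / n,
                   "avg_entropy": sum(d["entropy"]) / n,
                   "bulk_qtypes": d["bulk"]}
        if (metrics["unique_names"] >= min_unique and metrics["avg_sub_len"] >= min_sub_len
                and metrics["avg_entropy"] >= min_entropy):
            flagged[dom] = metrics
    return flagged


if __name__ == "__main__":
    for dom, m in flag_dns_tunnels(SAMPLE_DNS_LOG.splitlines()).items():
        print(dom, m)
```

The three thresholds are deliberately combined: entropy alone flags short names like `api-v2`, and length alone flags long but repetitive CDN hostnames. Some legitimate services (reputation lookups, certain CDNs and telemetry endpoints) also generate many unique long names, so the output needs an allow list; the `bulk_qtypes` count and the query volume per client are the next signals to look at when triaging a hit.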

Standard Cryptographic Protocol


System: Windows, Linux, macOS
Description: To hide C2 traffic, adversaries can use well-known encryption algorithms. Even with a strong algorithm, if the secret keys are encoded in the malware, generated by it, or stored in its configuration files, the C2 traffic can be decrypted after reverse engineering of the samples.

Standard Non-Application Layer Protocol


System: Windows, Linux, macOS
Description: For communication between an infected host and a server, or between infected hosts on a network, protocols from OSI layers other than the application layer can be used. Known implementations have used the network-layer protocol ICMP, the transport-layer protocol UDP, the session-layer protocol SOCKS, and redirected or tunnelled protocols such as Serial over LAN (SOL).

ICMP is often used by adversaries to hide communication between hosts. Because ICMP is part of the Internet Protocol Suite and must be implemented by every IP-capable device, it is not monitored as closely as TCP or UDP.

Uncommonly Used Port


System: Windows, Linux, macOS
Description: Adversaries can conduct C2 over a non-standard port to bypass misconfigured proxies and firewalls.

Web Service


System: Windows
Rights: User
Description: Adversaries can use an existing, legitimate external web service as a means of sending commands to an infected system. The servers that issue those commands are called Command and Control servers (C&C or C2). Popular websites and social networks can serve as a C2 mechanism, as can public services such as Google or Twitter. All of this helps hide malicious activity in the general traffic flow. Web services typically use SSL/TLS, which gives the adversary an additional layer of protection.

Security recommendations: Firewalls and web proxies can be used to enforce policies that restrict external network communication.

General recommendations on the organization of measures for the prevention and detection of C2



• IDS/DLP systems with signature-based traffic analysis can detect and block specific known C2 tools and malware; the adversary is therefore likely to change tools over time or adjust the transfer protocol to evade known defenses;

• Use antivirus and endpoint protection tools to block known C2 tools and malware;

• Ensure that internal network hosts are reachable only through authorized interfaces;

• Limit outbound traffic by allowing only the necessary ports on firewalls and proxy servers at the appropriate network gateways;

• Block the domains and IP addresses of known C2 infrastructure. Note, however, that this is not an effective long-term solution on its own, because adversaries can change their C2 infrastructure frequently;

• Use application allow-listing tools to make installing and running third-party software harder;

• Using firewalls, application firewalls and proxy servers, restrict outbound traffic to the sites and services used by known remote access tools (TeamViewer, GoToAssist, LogMeIn, Ammyy Admin, etc.);

• If the malware uses a custom scheme with symmetric keys, reverse engineering of samples can recover the algorithm and the key, allowing network traffic to be decoded and malware signatures to be built;

• Monitor API calls related to enabling or using alternative communication channels;

• Analyze network traffic for ICMP messages or other protocols that carry abnormal data or that are not normally seen entering or leaving the network;

• Analyze network flows for anomalies, for example a client sending significantly more data than it receives from a server, or a process that does not normally use the network opening connections;

• Analyze network flows to identify packets that do not conform to the protocol standard for the port in use.

Source: https://habr.com/ru/post/449654/

