
Learn Adversarial Tactics, Techniques & Common Knowledge (ATT @ CK). Enterprise Tactics. Part 11
- Tutorial
Command and Control
Links to all parts:
Part 1. Getting Initial Access
Part 2. Execution
Part 3. Persistence
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Credential Access
Part 7. Discovery.
Part 8. Lateral Movement.
Part 9. Data Collection.
Part 10. Exfiltration.
Part 11. Command and Control. Control)
The “Command and Control” section ( abbreviation - C2, C & C ) is the final stage of the attack chain, presented th inATT & CK Matrix for Enterprise .
Command and control includes techniques by which the adversary communicates with systems connected to and under the control of the attacked network. Depending on the configuration of the systems and the topology of the target network, there are many ways to organize the covert channel C2. The most common techniques are described under cat. General recommendations on the organization of measures to prevent and detect C2 are highlighted in a separate block and placed at the end of the section.
The author is not responsible for the possible consequences of applying the information set forth in the article, and also apologizes for possible inaccuracies made in some formulations and terms. The published information is a free retelling of the contents of MITER ATT & CK .
Common Ports
System: Windows, Linux, macOS
Description: In order to bypass firewalls and mix malicious traffic with normal network activity, an adversary can communicate with the attacked system through standard ports commonly used by regular applications: Examples of ports for organizing network connections inside an enemy enclave, for example, between the proxy server and other nodes) are:
TCP: 80 (HTTP)
TCP: 443 (HTTPS)
TCP: 25 (SMTP)
TCP/UDP: 53 (DNS)
TCP/UDP: 135 (RPC)
TCP/UDP: 22
TCP/UDP: 3389
Communication Through Removable Media
System: Windows, Linux, macOS
Description: An adversary can organize a C2 infrastructure between physically isolated nodes using removable storage media to transfer commands from the system to the system. Both systems must be compromised. A system with an Internet connection is most likely to be compromised by the first, and the second system is compromised during lateral movement by replicating malware through removable media (see Part 8 ). Commands and files will be relayed from an isolated system to a system with an Internet connection, to which the adversary has direct access.
Protection Recommendations:Disable the autorun of removable devices. Prohibit or restrict the use of removable media at the organizational policy level. Organize an audit of the processes that are performed when connecting removable media.
Connection through a proxy (Connection Proxy)
System: Windows, Linux, macOS
Description: A proxy server can be used by an attacker to redirect network traffic between systems or as an intermediary for network communications. Many tools (such as HTRAN, ZXProxy, and ZXPortMap) allow you to redirect traffic or forward ports.
The concept of proxies can also encompass trusts in peer-to-peer (p2p), mesh networks or trusted connections between networks. A network can be within an organization or between organizations with trusts. An adversary can use network trusts to control the C2 channel, reduce the number of simultaneous outgoing network connections, provide fault tolerance, or use trusted connections to avoid suspicion.
Custom Command and Control Protocol
System: Windows, Linux, macOS
Description: An attacker can organize a C2 channel using his own network protocol instead of encapsulating commands / data in an existing standard application layer protocol. The enemy C2 protocol implementation can imitate well-known protocols or user protocols (including raw-sockets) on top of the underlying protocols presented in TCP / IP or another standard network stack.
Custom Cryptographic Protocol
System: Windows, Linux, macOS
Description: In order to hide the traffic transmitted through the C2 channel, the adversary can use his own cryptographic protocol or encryption algorithm. A simple scheme, such as XOR encryption of plain text with a fixed key, will give ciphertext (albeit very weak).
Proprietary encryption schemes can vary in complexity. Analysis and reverse engineering of malware samples can be used to successfully detect the algorithm used and the encryption key. Some attackers may try to implement their own version of a well-known cryptographic algorithm instead of using a well-known library, which can lead to unintended errors in the operation of enemy software.
Protection recommendations: If malware uses its own encryption with symmetric keys, then it is possible to obtain an algorithm and key from software samples in order to use them to decode network traffic and identify malware signatures.
Data Encoding
System: Windows, Linux, macOS
Description: Information transmitted via the C2 channel is encoded using standard data encoding systems. The use of data encoding is to comply with existing protocol specifications and includes the use of ASCII, Unicode, Base64, MIME, UTF-8 or other binary text and character encodings. Some encoding systems, such as gzip, can additionally compress data.
Data Obfuscation
System: Windows, Linux, macOS
Description: Data in the C2 channel can be hidden (but not necessarily using encryption) in order to make it difficult to detect and decrypt the transmitted content, as well as make the communication process less noticeable and hide the transmitted commands. There are many obfuscation methods, such as adding unnecessary data to protocol traffic, using steganography, combining legitimate traffic with C2 traffic, or using a non-standard data encoding system, for example, a modified Base64 in the body of an HTTP request message.
Hiding the end address of a connection (Domain Fronting)
System: Windows, Linux, macOS
Description: The essence of Domain Fronting is the ability to hide the real destination address of the HTTPs packet in CDNs networks (Content Delivery Netwoks).
Example: There are domain X and domain Y, which are clients of the same CDNs. A packet in which the domain address X is indicated in the TLS header and the domain Y address is in the HTTP header will most likely be delivered to the domain Y address, even if network communication between the source address and the destination address is prohibited.
An HTTPs packet contains two sets of headers: the first, TLS, is in the open part of the packet, the second, HTTP - refers to the encrypted part of the packet. In addition, each header has its own field for specifying the destination IP address. The essence of Domain Fronting is the deliberate use of different domain names in the “SNI” field of the TLS header and the “Host” field of the HTTP header. Thus, the allowed destination address is indicated in the “SNI” field, and the delivery destination address is indicated in the “Host” field. If both addresses belong to the same CDNs, then upon receipt of such a packet the routing node can relay the request to the target address.
There is another variation of this technique called domainless fronting. In this case, the “SNI” field (TLS header) is intentionally left blank, which allows the packet to achieve its goal even if the CDN checks for coincidence of the “SNI” and “HOST” fields (if empty SNI fields are ignored).
Protection Recommendations:If it is possible to inspect HTTPS traffic, then connections similar to Domain Fronting can be captured and analyzed. If SSL inspection is carried out or the traffic is not encrypted, the “HOST” field can be checked for coincidence with the “SNI” field or the presence of the specified address in white or black lists. To implement Domain Fronting, an adversary will probably need to deploy additional tools in a compromised system, the installation of which can be prevented by installing local host protection tools.
Fallback Channels
System: Windows, Linux, macOS
Description: In order to ensure the reliability of the control channel and to avoid exceeding the threshold values of the transmitted data, attackers can use redundant or alternative communication channels if the main channel C2 is compromised or inaccessible.
Multi-Stage Channels
System: Windows, Linux, macOS
Description: Attackers can create multi-stage C2 channels that are used in various conditions or for certain functions. The use of several steps can confuse and obfuscate the C2 channel, thereby making it difficult to detect.
RATs running on the target host initiate a connection to the first-tier server C2. The first step may have automated capabilities for collecting basic information about the host, running update tools, and downloading additional files. Next, a second RAT tool can be launched to redirect the host to the second-tier server C2. The second stage of C2, most likely, will be fully functional and will allow the enemy to interact with the target system through the revers shell and additional RAT functions.
Steps C2, most likely, will be placed separately from each other without crossing their infrastructure. The bootloader may also have redundant first-stage feedback or spare channels in case the original first-stage channel is detected and blocked.
Protection Recommendations:The C2 infrastructure used to organize multi-stage channels can be blocked if it is known in advance. If unique signatures are present in C2 traffic, they can be used to identify and block the channel.
Multiple proxy (Multi-hop Proxy)
System: Windows, Linux, macOS
Description: To disguise the source of malicious traffic, an adversary can use a chain of several proxy servers. As a rule, the defender will be able to determine only the last proxy. The use of multi-proxy makes identifying the source of malicious traffic more difficult, requiring the defending party to monitor for malicious traffic through multiple proxy servers.
Protection recommendations: Traffic to known anonymous networks (such as Tor) and C2 infrastructures can be blocked by organizing black and white lists. However, it is worth noting that this method of blocking can be circumvented using techniques similar to Domain Fronting.
Multiband Communication
System: Windows, Linux, macOS
Description: Some opponents may share a C2 data channel between different protocols. Incoming commands can be transmitted over one protocol, and outgoing data in a different way, which allows you to bypass certain firewall restrictions. Separation may also be accidental in order to avoid warnings about exceeding threshold values for any single message.
Security Recommendations: Analyze the contents of packets to find connections that do not match the expected protocol behavior for the port in use. Matching alerts between multiple communication channels can also help in detecting C2.
Multilayer Encryption
System: Windows, Linux, macOS
Description: An adversary can use several levels of C2 traffic encryption. As a rule (but other options are not excluded), in the framework of HTTPS or SMTPS encryption, additional tunneling is used by its own encryption scheme.
Security Tips: Using encryption protocols can complicate typical C2 discovery based on signature-based traffic analysis. If the malware uses a standard cryptographic protocol, SSL / TLS inspection can be used to detect C2 traffic on some encrypted channels. SSL / TLS verification involves certain risks that must be considered before implementation in order to avoid potential security problems, such as incomplete certificate verification.. After SSL / TLS verification, additional cryptographic analysis may be required for second-level encryption.
Port knocking
System: Linux, macOS
Rights: User
Description: Attackers can use Port Knocking methods to hide open ports that they use to connect to the system.
Security Tips : Using stateful firewalls can prevent some Port Knocking options from being implemented.
Remote Access Tools
System: Windows, Linux, macOS
Description: To establish an interactive command and control mode, an attacker can use legitimate software designed for those. workstation support and software for remote access, for example, TeamViewer, Go2Assist, LogMain, AmmyAdmin, etc., which are usually used by technical support services and can be whitelisted. Remote access tools, such as VNC, Ammy, and Teamview, are most commonly used by technical support engineers and are commonly used by attackers.
Remote access tools can be installed after the system has been compromised for use as an alternative C2 channel. They can also be used as a component of malware to establish a reverse connection with a server or system controlled by an adversary.
Administration tools, such as TeamViewer, were used by several groups targeted at government agencies in countries of interest to Russian state and criminal companies.
Protection recommendations: Remote access tools can be used in conjunction with Domain Fronting techniques, so it is advisable to prevent the adversary from installing RAT tools using host security tools.
Remote File Copy
System: Windows, Linux, macOS
Description: Files can be copied from one system to another to deploy enemy tools or other files. Files can be copied from an external system controlled by an attacker, via the C&C channel or using other tools using alternative protocols, such as FTP. Files can also be copied to Mac and Linux using built-in tools such as scp, rsync, sftp.
Opponents can also copy files laterally between internal victim systems to support network movement and remote command execution. This can be done using file sharing protocols by connecting network resources via SMB or using authenticated connections to Windows Admin Shares or RDP.
Protection recommendations: As a means of detection, it is recommended to monitor the creation and transfer of files over the network via the SMB protocol. Unusual processes with external network connections that create files within the system should also be suspicious. The atypical use of utilities like FTP can also be suspicious.
Standard Application Layer Protocol
System: Windows, Linux, macOS
Description: To avoid detecting and mixing C2 traffic with existing network traffic, attackers can use standard application-level protocols such as HTTP, HTTPS, SMTP or DNS. For connections within the C2 channel (enclave), for example, between a proxy server and a master node and other nodes, the RPC, SSH, or RDP protocols are usually used.
Standard Cryptographic Protocol
System: Windows, Linux, macOS
Description: To hide the C2 traffic, opponents can use well-known encryption algorithms. Despite using a robust algorithm, if secret keys are encrypted and generated by malware and / or stored in configuration files, then C2 traffic can be disclosed using reverse engineering.
Standard Non-Application Layer Protocol
System: Windows, Linux, macOS
Description: Non-application level protocols of the OSI model can be used for communication between the infected host and server or for the interaction of infected hosts on the network. In well-known implementations, the network layer protocol — ICMP, the transport layer — UDP, the session layer — SOCKS, and protocols such as redirected / tunneled, such as Serial over LAN (SOL), were used.
ICMP is often used by cybercriminals to hide communication between hosts. Since ICMP is part of the Internet Protocol Suite and must be implemented by all IP-compatible devices, it is not as often monitored as other protocols, such as TCP or UDP.
Fancy Ports (Uncommonly Used Port)
System: Windows, Linux, macOS
Description: Adversaries can communicate via C2 through a non-standard port to bypass proxy servers and firewalls that were not configured correctly.
Web Service
System: Windows
Rights: User
Description: Attackers can use a running, legitimate external Web service as a means of sending commands to control an infected system. Management servers are called Command and control (C&C or C2). Popular websites and social networks can act as a mechanism for C2, and various public services such as Google or Twitter can also be used. All this helps to hide malicious activity in the general traffic flow. Web services typically use SSL / TLS, so adversaries get an extra layer of protection.
Security recommendations: Firewalls and web proxies can be used to implement policies to restrict external network communications.
General recommendations on the organization of measures for the prevention and detection of C2
• IDS / DLP systems that use signature-based traffic analysis can be used to detect and block known specific C2 tools and malware, so the adversary will most likely change the tools used over time or configure the data transfer protocol so as to avoid detection by means known to him protection;
• Use anti-virus endpoint protection tools to block known specific C2 tools and malware;
• Ensure that hosts on the internal network are accessible only through authorized interfaces;
• Limit outgoing traffic by allowing only necessary ports on the firewalls and proxies through the corresponding network gateways;
• Block domains and IP addresses of known C2 infrastructures. However, it should be noted that this is not an effective and long-term solution, as opponents can often change the infrastructure of C2;
• Use application whitelisting tools to make it difficult to install and run third-party software;
• Using firewalling, application firewalls and proxies, limit outgoing traffic to sites and services used by well-known remote access tools (TeamViewer, Go2Assist, LogMain, AmmyAdmin, etc.);
• If malware uses its own encryption with symmetric keys, then using reverse engineering of software samples it is possible to obtain an algorithm and a key in order to decode network traffic and identify malware signatures;
• Monitor calls to API functions related to the inclusion or use of alternative communication channels;
• Analyze network traffic for ICMP messages or other protocols that contain abnormal data or that are usually not visible on the network or out of it;
• Analyze network flows to identify abnormal flows, for example, when a client sends significantly more data than it receives from a server or when a process that usually does not use a network opens network connections;
• Analyze network flows to identify packets that do not comply with the protocol standard for the port used.