Obtain C&C Channel

Mohan reddy
Redteam & Blueteam Series
11 min read · May 3, 2020

Command and control (C2) is a key stage for most attackers, and a risky one: if the NIDS rules are configured intelligently and the incident handling team is alert, there is a good chance this tactic gets detected or flagged, and once the C2 channel is identified it will be blocked completely. After establishing persistence on the target system or network, the attacker needs a way to give the compromised system further instructions, to modify attack objectives and methods, or to evade any new security countermeasures the organisation may deploy once attack artifacts are discovered. That communication happens by means of a remote shell or an automated C2 channel (the latter is common in DDoS botnets).

Let's understand how C2 works. After the malware is installed, it calls out to the C2 server and waits for its next command. It usually sends a beacon on a schedule to let the server know it is still alive and to check whether there is anything it should do. When the operator is ready, the server issues a command and the malware executes it on the infected host.

Red Team: Attack vectors and Techniques:

Upon execution, the malicious code sends a beacon out to the C&C servers to look for its next instruction set. Most malware is pre-programmed with an autonomous routine that attempts to set up a communication channel originating from the target machine; the code can contain hundreds of fully qualified domain names and IP addresses that it cycles through as it beacons out to the command-and-control network. If the target's network has liberal outbound (egress) firewall rules, the malware will succeed in establishing a channel with the C&C server.

A working command-and-control channel can be used to compromise an entire network. To make your C2 channel succeed you need to understand the target's network structure and defences, in particular which kind of NIDS/NIPS they are using:

a) Signature-based NIDS/NIPS — detects traffic that matches known signatures of malware communication indicators.

b) Anomaly-based NIDS/NIPS — collects and analyses network traffic to identify activity that deviates from the expected, normal traffic profile of the monitored network. Against either kind, C&C traffic must be resilient and stealthy for the attack to succeed. For example, C&C traffic can be hidden in pages and images on online social networks (OSNs), in covert DNS traffic, or in anonymity networks such as Tor.

Common C2C Communication Mechanisms:

1) Common Types — Bind Shell / Reverse Shell / Web Shell

2) Standard Protocols — HTTP/HTTPS, DNS, SMTP, SSH, ICMP, Telnet, SMB, FTP, IRC, BitTorrent

3) Various Techniques — Encryption, Circumvention [Tor (The Onion Router) & I2P (Invisible Internet Project)], Port Evasion, Fast Flux / Dynamic DNS

“Here I will share my views in a way I hope makes them easy to understand”

a) IRC-based C&C channels use a push-based model: the bot-master pushes new commands to the botnet, which then responds directly to them.

b) Mimicking legitimate domain names — to keep the C2 channel from being caught by NIDS/NIPS or the blue team, make sure the malicious traffic blends in with regular traffic, for example by using domains that look like those of legitimate services.

(Figure: domains spoofed by various APT groups)

c) Hiding the C&C location — dynamic DNS services such as No-IP and DynDNS give attackers a degree of anonymity, as no legitimate contact details are needed to register a hostname.

Additionally, the hostname-to-IP mapping can be changed quickly if the initial IP gets blocked on the target's infrastructure. This works because such hostnames are served with short cache lifetimes (TTL values).

No-IP: the No-IP free dynamic DNS service takes your dynamic IP address and makes it act as though it were static by pointing a fixed hostname at it and checking every 5 minutes for changes to your IP address. We used this method to access our hostel camera during my graduation but never thought it could be used as C2… LoL 🙄

d) P2P — peer-to-peer communication is used to proxy commands or to locate a C&C server. It is a distributed virtual network of participants that connect to each other instead of to a central server, which makes tracking and blocking more difficult. In a peer-to-peer network every node is both "server" and "client", so identifying the actual source of the commands is harder. The real C&C servers appear to be just another peer of the botnet and can spread new commands to the other peers.

Eg: Emotet

e) C&C proxies — APT groups commonly use intermediate servers (proxies) to increase stealth and avoid exposing their real C2 server. If one server is taken down, communication between the malware and the C&C is restored over another chain of proxies. Traffic redirection is needed to achieve this.

(Figure: proxied APT infrastructure)

f) Covert HTTP/HTTPS — to mask communications crossing the target's network perimeter, APT groups often implement covert channels over HTTP/HTTPS. These channels are usually encrypted to hide the content of the communication. While there are many ways to establish a C&C channel, ports 80 and 443 are the usual choice because in a properly secured corporate or governmental environment they are often the only ports allowed for outbound connections.

Depending on the actual C&C and malware implementation, the traffic sent over the HTTP/HTTPS ports may be legitimate HTTP or a custom binary protocol. Additionally, the malware may connect via proxies to mask the real location of the C&C server.

(Figure: covert C&C channels over ports 80 and 443)

g) C&C via DNS — before moving on to how DNS tunnelling works, let's break down the jargon involved:

TXT record — a type of resource record in the Domain Name System (DNS) that associates arbitrary text with a host or other name, such as human-readable information about a server, network or data centre, or other accounting information.

CNAME record — a record that points to another domain name rather than to an IP address. For example, if you have several subdomains such as www.mydomain.com, ftp.mydomain.com and mail.mydomain.com, a CNAME lets each of them point at your main name mydomain.com.

A record — maps a domain name to an IPv4 address.

NS record — tells the parent (e.g. top-level domain) name servers which name server is authoritative for the zone, i.e. which server holds the domain's A, MX and other records.

Authoritative name server — provides the actual answer to a DNS query, such as the IP address of a mail server or web site (the A resource record).

Recursive DNS lookup — a resolver queries several other DNS servers in turn to hunt down the answer and returns it to the client.

Web browsing and most other communication from local computers to the Internet relies on DNS. For that reason, restricting DNS communication disrupts legitimate connectivity, so DNS is almost always allowed outbound through the firewall. Attackers take advantage of this by using DNS tunnelling as a covert C&C channel. For a traditional firewall or IDS it is very hard to differentiate benign from malicious use of the DNS protocol.

Eg: dnscat2 provides great features for C2 over DNS.

A DNS tunnelling program (or malware) encodes the payload data into a DNS query using base64 or a similar scheme (in practice base32 or hex are common, because DNS names are case-insensitive) and transmits it as a query to the server. The encoded payload is prepended to the tunnel domain, forming the hostname of the query. The server responds to the query with its own encoded payload data in the DNS response.
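As an added example (not code from the original post and not dnscat2's own implementation), the following shows both directions of the mechanism described above: a payload split into query names under an attacker-controlled zone, and the reassembly an authoritative server would do on the other side. The zone name "t.example" and the 4-hex-digit sequence label are assumptions of this example; the payload is constructed.

```python
import base64

# Added example (not the post's or dnscat2's own code): how a DNS tunnel carries
# data in query names and gets it back on the authoritative side.
# Assumptions: the attacker controls the zone "t.example" (hypothetical) and each
# query carries a 4-hex-digit sequence number as its first label.

TUNNEL_DOMAIN = "t.example"   # hypothetical attacker-controlled zone
MAX_LABEL = 63                # RFC 1035: a label is at most 63 octets
MAX_NAME = 253                # practical limit for a full name in text form


def encode_for_name(data: bytes) -> str:
    """Client -> server direction. DNS names are case-insensitive and resolvers
    may change the case (0x20 randomisation), so base32 (letters + digits 2-7)
    survives the trip where raw base64 ('+', '/', mixed case) would be mangled.
    The '=' padding is dropped because it is not a valid hostname character."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def decode_from_name(text: str) -> bytes:
    pad = "=" * (-len(text) % 8)              # restore the base32 padding
    return base64.b32decode(text.upper() + pad)


def payload_to_queries(payload: bytes, domain: str = TUNNEL_DOMAIN) -> list:
    """Split a payload into query names of the form <seq>.<data>.<data>...<domain>,
    each within the 63-octet label and 253-character name limits."""
    encoded = encode_for_name(payload)
    room = MAX_NAME - len(domain) - len("0000.") - 1     # what is left for data labels
    n_labels = max(1, room // (MAX_LABEL + 1))          # each label costs 63 + a dot
    per_query = n_labels * MAX_LABEL
    queries = []
    for seq, start in enumerate(range(0, len(encoded), per_query)):
        piece = encoded[start:start + per_query]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        queries.append(f"{seq:04x}." + ".".join(labels) + "." + domain)
    return queries


def queries_to_payload(queries, domain: str = TUNNEL_DOMAIN) -> bytes:
    """Authoritative-side reassembly. Queries may arrive out of order (resolvers
    retry and parallelise), so chunks are keyed by sequence number; names that
    do not belong to the tunnel zone are ignored."""
    suffix = "." + domain
    chunks = {}
    for name in queries:
        name = name.rstrip(".").lower()
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0], 16)] = "".join(labels[1:])
    if sorted(chunks) != list(range(len(chunks))):
        raise ValueError("tunnel stream has missing chunks")
    return decode_from_name("".join(chunks[i] for i in range(len(chunks))))


def payload_to_txt_strings(data: bytes) -> list:
    """Server -> client direction: a TXT answer is one or more character-strings
    of at most 255 bytes each. Record data is case-preserving, so base64 is fine here."""
    encoded = base64.b64encode(data).decode()
    return [encoded[i:i + 255] for i in range(0, len(encoded), 255)]


def txt_strings_to_payload(strings) -> bytes:
    return base64.b64decode("".join(strings))


if __name__ == "__main__":
    # Constructed sample payload: command output an implant is sending home.
    sample = b"uid=0(root) gid=0(root) groups=0(root)\n" * 8
    for q in payload_to_queries(sample):
        print(len(q), q)
    print(queries_to_payload(payload_to_queries(sample)) == sample)
```

Note the asymmetry the code makes explicit: the upstream (query) direction is limited to hostname-safe characters and 63-octet labels, which is why real tunnels use hex or base32 there, while the downstream (TXT) direction can carry base64 in 255-byte strings. The length of the resulting names is also what makes this traffic stand out in DNS logs.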

Understanding the OilRig malware: the attack started with phishing emails carrying an embedded malicious document. That document was a dropper that installed additional components, some of which used scheduled tasks that relied on DNS as the C&C and data exfiltration/infiltration channel. It was quite clever in that it had three different C2 channels:

1. DNS A record

2. DNS TXT

3. Custom UDP on port 53 (manually crafted packets)

Eg: botnets like Zeus and BetaBot had intelligent C&C built in.

Skynet is a moderately sized (~12,000 machines) botnet based on the Zeus family of malware. The interesting thing about Skynet (apart from its use of Tor) is that its operator hosted a Q&A about it on Reddit.

Another development that is beginning to appear in the wild is the use of the Namecoin service. Namecoin is related to Bitcoin and provides a decentralised method to register and control domain names; domains belonging to Namecoin use the ".bit" top-level domain. The advantage for a malicious user is that it provides a means to anonymously obtain a domain outside the control of any international body, and its use is expected to become more widespread.

Let's consider a TTP in an EDR-protected environment. A user regularly changes the code of an application he maintains, and rather than asking the security team for approval every time, he gets an exemption that weakens the security policy on his machine. Suppose a fileless malware attack then lands on that machine and the attacker notices that the user's application makes connections to certain domains/IPs. The attacker adds a malicious payload to the application (via hooking or process injection) in such a way that the user's work is not disturbed while the payload connects to the C2. To keep his IP/domain from being blocked, the attacker then mimics a legitimate domain, communicates through proxies, establishes P2P communication, or hides the traffic in standard protocols. Such attacks are tough and time-consuming for blue teamers to identify, because the content of the traffic is hidden from them by SSL/TLS.

How many of you have seen the Money Heist series, where the Professor uses similar techniques such as proxies and P2P for communication, which was shown to be hard even for the NIA to trace to its source?

Communication channels such as Slackor (Slack as C2), DaaC2 (Discord as C2), gCat (Gmail as C2), Callidus (Office 365 services as C2) or domain fronting techniques are even harder for blue teamers to identify, since the traffic goes to trusted, high-reputation services.

BLUE TEAM: Detective and Preventive Controls

A variety of techniques for the detection and disruption of C&C channels have been proposed. They typically rely on automated monitoring and analysis of network traffic to identify indicators of compromise, malicious traffic, or anomalous communication patterns. The importance of human involvement in this activity cannot be overstated. Because attackers constantly adapt their strategies, it is critical to gain a thorough understanding of the traffic flow patterns, followed by manual tuning of the monitoring, detection and response infrastructure at periodic intervals.

The following is a checklist of measures that help detect and deny C&C in your organisation.

Network Level:

1) Detect known-bad network activity: collect and analyse network traffic to identify activity known to be caused by an active C2 channel.

1a) Monitor DNS traffic — collect DNS traffic information (through a passive DNS collector or the name servers' logs) and match requests against one or more blocklists of malicious domain names.

1b) Monitor IP traffic — identify internal devices that attempt to connect to endpoints known to be involved in C2 activity.

1c) Monitor traffic content — identify content that matches known C2 traffic (e.g. specific request/response signatures). This requires collecting full packet content (for example with a network sniffer) and matching it against traffic signatures.

These measures enable the detection of C2 channels that are set up by known malware families, leverage known infrastructure, or employ known communication techniques.

2) Detect anomalous network activity: Collect and analyse network traffic to identify activity that deviates from the expected, normal traffic profile of the monitored network.

2a) Establish traffic baselines to determine the “normal” profile of the network (normal communication patterns, data exchange volumes, etc.). This measure can be implemented by determining baselines for different time windows (e.g., hour, day), internal devices, and network services.

2b) Evaluate current network activity against the established baselines to identify deviations that may indicate C2 activity. Pay particular attention to anomalies such as periodic beaconing, surges in the amount of exchanged traffic, and other suspicious network behaviour.

For example, C2 activity that relies on fast-flux techniques can be detected by searching DNS data for patterns of fast-changing associations between domain names and IP addresses; DGA-based (Domain Generation Algorithm) C2 activity is revealed in DNS data by use-and-discard patterns of domain names; data exfiltration may be detected in NetFlow data by unusually large volumes of outbound data.

These measures enable the detection of C2 channels that are set up by never-seen-before malware families and that do not re-use any known malicious infrastructure.
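As an added example (not code from the original post), here is how two of the anomaly checks above look when implemented over constructed sample records: a beaconing detector that flags source/destination pairs whose connection intervals are nearly constant, and a DNS-tunnelling detector that flags zones receiving many long, high-entropy, unique subdomains. The thresholds (coefficient of variation 0.25, five unique subdomains, 30 characters, 3.5 bits of entropy) and the "last two labels" notion of a registered domain are assumptions to tune against your own baseline; real tooling would use the public suffix list and far more data.

```python
import base64
import math
import random
import statistics
from collections import defaultdict

# Added example (not from the original post). Two checks from the "anomalous
# network activity" list, run over constructed sample records. All thresholds
# are assumptions to be tuned against the monitored network's own baseline.

# Constructed connection records: (seconds, src, dst).
CONN_LOG = [
    # 10.0.0.5 contacts one host about every 60 s: an implant beacon with small jitter
    *[(t, "10.0.0.5", "203.0.113.7") for t in (0, 60, 122, 181, 242, 302, 365, 423, 483)],
    # 10.0.0.8 is a person browsing: bursty, irregular gaps
    *[(t, "10.0.0.8", "198.51.100.20") for t in (0, 3, 123, 130, 530, 532, 577, 977)],
]

# Constructed tunnel subdomains: base32 of pseudo-random bytes, fixed seed so the
# sample is reproducible. Real tunnels look the same: long, random, never repeated.
_rng = random.Random(20200503)


def _fake_tunnel_label(n_bytes=28):
    raw = bytes(_rng.getrandbits(8) for _ in range(n_bytes))
    return base64.b32encode(raw).decode().rstrip("=").lower()


# Constructed DNS records: (src, queried name).
DNS_LOG = [
    ("10.0.0.8", "www.google.com"),
    ("10.0.0.8", "mail.google.com"),
    ("10.0.0.8", "calendar.google.com"),
    ("10.0.0.8", "www.google.com"),
] + [("10.0.0.5", f"{i:04x}.{_fake_tunnel_label()}.t.example") for i in range(6)]


def beacon_score(timestamps, min_events=6):
    """(median interval, coefficient of variation) for one src->dst pair, or None
    if there are too few events. A low cv means the gaps are nearly constant."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return statistics.median(gaps), cv


def find_beacons(conn_log, max_cv=0.25, min_events=6):
    """Pairs whose inter-connection gaps vary by less than max_cv of the mean.
    Implants add jitter, so max_cv is a knob: raise it to catch sloppier beacons
    at the cost of more human-driven traffic being flagged."""
    pairs = defaultdict(list)
    for ts, src, dst in conn_log:
        pairs[(src, dst)].append(ts)
    hits = {}
    for pair, ts in pairs.items():
        score = beacon_score(ts, min_events)
        if score and score[1] <= max_cv:
            hits[pair] = score
    return hits


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname):
    """Assumption: the registered domain is the last two labels. Real tooling must
    use the public suffix list (co.uk, github.io, ...) to get this right."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def find_dns_tunnels(dns_log, min_unique=5, min_len=30, min_entropy=3.5):
    """Zones that receive many distinct, long, high-entropy subdomains."""
    by_zone = defaultdict(set)
    for _src, qname in dns_log:
        zone, sub = split_zone(qname)
        if sub:
            by_zone[zone].add(sub)
    hits = {}
    for zone, subs in by_zone.items():
        if len(subs) < min_unique:
            continue
        mean_len = statistics.fmean([len(s) for s in subs])
        mean_ent = statistics.fmean([shannon_entropy(s) for s in subs])
        if mean_len >= min_len and mean_ent >= min_entropy:
            hits[zone] = (len(subs), round(mean_len, 1), round(mean_ent, 2))
    return hits


if __name__ == "__main__":
    print("beacons:", find_beacons(CONN_LOG))
    print("tunnels:", find_dns_tunnels(DNS_LOG))
```

Both checks are deliberately simple so the logic is visible: the beacon check only looks at timing, so it will also flag legitimate pollers (NTP, update checks), which is exactly why the baseline in 2a matters; whitelist those pairs rather than raising the threshold. The DNS check keys on the zone rather than the full name, because a tunnel never repeats a query name and so never trips a per-name counter.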

3) Deny C2 activity: Architect and operate the network in such a way that C2 activity is effectively denied or greatly impaired.

3a) Segment the network to separate devices with different trust and risk values (e.g., front-facing, publicly servers vs. internal hosts storing sensitive documents).

3b) Introduce rate-limiting policies to slow down traffic directed at disreputable or untrusted endpoints.

3c) Block unwanted or unused communication mechanisms that may be used to piggyback C2 activity (e.g. anonymisation networks, P2P overlays, social networks).

4) Implement a DNS sinkhole: a DNS sinkhole blocks communication from internal systems to malicious domains. When an internal system tries to resolve a malicious domain, the sinkhole server responds with a fake IP address instead of the real one. The fake IP must be an internal (private) address, so the malware cannot connect back to the C&C server, and the sinkhole's logs then reveal which internal hosts are infected.
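As an added example (not code from the original post, and not any particular sinkhole product), the following is the decision logic a sinkhole applies to each query, with the two details that are easy to get wrong: matching must be per label so that a blocklist entry covers its subdomains but not look-alike names, and the fake answer must be a private address. The blocklist entries, the sinkhole address 10.255.255.254 and the upstream answers are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Added example (not from the original post): the decision a DNS sinkhole makes
# for each query, plus the infected-host list that falls out of its hits.
# The blocklist, sinkhole address and upstream answers below are constructed.

SINKHOLE_IP = "10.255.255.254"   # assumption: an internal address that accepts nothing


class Sinkhole:
    def __init__(self, blocklist, sinkhole_ip=SINKHOLE_IP):
        if not ipaddress.ip_address(sinkhole_ip).is_private:
            # A public sinkhole address would hand the infected host a real
            # Internet destination to talk to, defeating the purpose.
            raise ValueError("sinkhole address must be private")
        # Entries are stored as label tuples so matching is per label:
        # "evil.example" must cover "c2.evil.example" but not "notevil.example".
        self.blocked = {tuple(self._labels(d)) for d in blocklist}
        self.sinkhole_ip = sinkhole_ip
        self.hits = defaultdict(list)   # client -> [(name asked, rule that matched)]

    @staticmethod
    def _labels(name):
        # Lower-case (DNS is case-insensitive) and drop a trailing root dot.
        return name.lower().rstrip(".").split(".")

    def matching_rule(self, qname):
        labels = tuple(self._labels(qname))
        # Walk up the name: a.c2.evil.example -> c2.evil.example -> evil.example -> example
        for i in range(len(labels)):
            if labels[i:] in self.blocked:
                return ".".join(labels[i:])
        return None

    def resolve(self, client, qname, upstream):
        """Answer for one query: the sinkhole address for blocked names, otherwise
        whatever the upstream resolver (a callable taking the name) returns."""
        rule = self.matching_rule(qname)
        if rule is not None:
            self.hits[client].append((qname, rule))
            return self.sinkhole_ip
        return upstream(qname)

    def infected_hosts(self):
        """Hosts that asked for a blocked name: the IR team's starting list."""
        return sorted(self.hits)


# Constructed answers standing in for a real recursive resolver (documentation IPs).
UPSTREAM_ANSWERS = {"www.google.com": "198.51.100.1", "notevil.example": "203.0.113.9"}


def fake_upstream(qname):
    return UPSTREAM_ANSWERS.get(qname.lower().rstrip("."), "NXDOMAIN")


if __name__ == "__main__":
    sh = Sinkhole(["evil.example", "update.badcdn.example"])
    for client, name in [("10.0.0.5", "c2.evil.example."), ("10.0.0.8", "www.google.com"),
                         ("10.0.0.9", "NOTEVIL.example"), ("10.0.0.5", "x.update.badcdn.example")]:
        print(client, name, "->", sh.resolve(client, name, fake_upstream))
    print("infected:", sh.infected_hosts())
```

The hits dictionary is the real value of a sinkhole: blocking the resolution stops the callback, but the list of clients that tried is what tells the incident handlers where to go next.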

5) Web filtering (e.g. GitHub)

Endpoint Level:

1. Deploy threat detection and prevention tools — installing AV/EDR tools reduces the chance of a machine being compromised, and if it happens anyway, at least it will be detected so that remediation can be carried out.

2. Implement secure group policies, for example: a) disallow removable media, b) restrict software installations, c) follow the principle of least privilege, d) control access to CMD, e) disable the Guest account, f) enforce password length, g) enforce password age limits, h) disable anonymous SID enumeration in AD, i) restrict access to the Control Panel. These are just a few; there are many more policies an organisation can implement.

3. Install security patches (Microsoft releases security patches once a month, and out-of-band patches for actively exploited 0-days as soon as possible).

4. Configure AppLocker, allow-listing and block-listing applications according to the organisation's needs.

5. Implement a SIEM, integrate it with other threat detection sources, and monitor the alerts (if possible, forward Sysmon logs to the SIEM).

Process level:

1. Preparation is the key to effective identification and response. Training end users at regular intervals and raising awareness of cyberattacks helps protect the organisation.

2. Train staff on the latest security threats and security tools.

3. Use separate accounts for domain users and server administrators.
