Raphael Mudge, developer of the Cobalt Strike red team software, outlines from the hacker's perspective 4 key processes that need to happen in sequential order for a successful hack:
Artifact on Target
Code Execution
Positive C&C
Post Exploitation
Positive C&C is positive Command & Control, also known as C2, between the hacker/red team operator and the target/victim.
The primary goal of C&C is to manage remote implants on hacked systems. C&C is most advantageous to adversaries when it is asynchronous, supports varying communication channels, is flexible, and encrypts its messages.
Birth of C&C tools
Red teamers, perfecting their craft, began developing specialized software to help manage their engagements. Some of the features of this specialized software include:
The creation and deployment of malware agents.
The management of C&C communications and listeners.
The facilitation of collaboration among multiple individuals working with the compromised infrastructure via a centralized 'Team server.'
There is a project called the C2 Matrix (https://howto.thec2matrix.com/) that lists various C&C frameworks and the features and capabilities they support.
The example diagram below lists the C2 tool in the far-left column and the C&C protocols each tool supports for communication between the malware agent and the redirector/team server listener.
There are many C&C frameworks. Some of the most popular C2 frameworks are:
Sliver - https://bishopfox.com/tools/sliver
Bruteratel - https://bruteratel.com/
The Recorded Future 2022 Adversary Infrastructure Report lists the most common C&C frameworks found year over year. As shown in the graph, Cobalt Strike is a very popular C&C framework.
Connecting back to the SOC Triad shows how NSM/NDR instrumentation and telemetry are a crucial component of detecting C&C traffic.
Malware agents most commonly use protocols that are allowed out of the network. Some of the most common protocols allowed out of the network are DNS and web traffic (HTTP, and its encrypted form, HTTPS).
Firewalls and proxies can be useful security controls, but they have known detection limitations: they primarily stop devices from connecting to known-bad infrastructure and match traffic against known Intrusion Prevention System (IPS) signatures.
Attackers go to great lengths to keep their infrastructure from being detected through Cyber Threat Intelligence (CTI), and they also try to make sure their beacon traffic blends in with normal traffic and does not match IPS signatures.
The focus for detecting this malware C&C traffic on your network therefore becomes detecting the beaconing behavior of the malware agent. The malware agent has to check in with its C&C server for instructions. That check-in connection (i.e., the beacon) is created programmatically, so it is likely to show some consistency in timing, protocol, source/destination, size, and duration. Common traffic patterns analyzed for beacons include:
Connection consistency
Data Size of connections
Malware authors developed techniques to hide the timing of beacons by jittering them. Additional analyses of beacons include:
Dispersion of connections
Skew of connections
Dispersion quantifies how data spreads out from the central point (the average variation of latencies), while skewness measures the degree of asymmetry in a statistical distribution.
For effective analysis of traffic, capturing the traffic and parsing it into a structured format such as Zeek logs allows statistical analysis to identify beacon-like behavior. Zeek logs capture key fields such as protocol, size, and connection timestamps, enabling this analysis.
A popular tool for conducting this type of statistical analysis on Zeek logs is AC-Hunter: https://www.activecountermeasures.com/ac-hunter/
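As an added example (not code from the original article or from any of the tools it names), the script below runs the beacon analysis described above over a small constructed Zeek conn.log excerpt: it groups connections by source, destination and port, derives the check-in intervals from the timestamps, and scores each pair on interval consistency (dispersion), interval skew, and request-size consistency. The hosts, addresses and thresholds are made up for the demonstration; the 0.2 dispersion cutoff is an assumed starting point, not a published value.

```python
import statistics
from collections import defaultdict

def _rows(src, dst, conns):
    return [f"{1700000000 + t}.0\t{src}\t{50000 + i}\t{dst}\t443\ttcp\t{b}" for i, (t, b) in enumerate(conns)]

# Constructed sample: 10.0.0.5 checks in to 203.0.113.10:443 every ~60 s with jitter and a
# fixed request size; 10.0.0.7 browses 198.51.100.20:443 with irregular timing and sizes.
SAMPLE_CONN_LOG = "\n".join(
    ["#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes"]
    + _rows("10.0.0.5", "203.0.113.10", [(0, 512), (60, 512), (118, 512), (180, 512), (240, 512), (299, 512), (360, 512)])
    + _rows("10.0.0.7", "198.51.100.20", [(5, 1200), (8, 340), (53, 9800), (453, 51), (460, 2300)]))

def parse_conn_log(text):
    """Yield one dict per record, taking column names from the #fields header line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def dispersion(values):
    """Relative spread, robust to outliers: median absolute deviation divided by the median."""
    med = statistics.median(values)
    return statistics.median(abs(v - med) for v in values) / med if med else 0.0

def skewness(values):
    """Fisher-Pearson moment coefficient; 0 when values sit symmetrically around the mean."""
    n, mean = len(values), sum(values) / len(values)
    m2, m3 = (sum((v - mean) ** k for v in values) / n for k in (2, 3))
    return m3 / m2 ** 1.5 if m2 else 0.0

def find_beacons(text, min_conns=5, max_dispersion=0.2):
    """Flag (src, dst, port) pairs whose intervals and sizes both cluster tightly; jitter widens but does not break this."""
    groups = defaultdict(list)
    for rec in parse_conn_log(text):
        key = (rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])
        groups[key].append((float(rec["ts"]), int(rec["orig_bytes"])))
    hits = []
    for key, conns in groups.items():
        if len(conns) < min_conns:
            continue
        ts = sorted(t for t, _ in conns)
        gaps = [b - a for a, b in zip(ts, ts[1:])]  # seconds between successive check-ins
        score = {"key": key, "conns": len(conns), "interval_median": statistics.median(gaps), "interval_skew": skewness(gaps),
                 "interval_dispersion": dispersion(gaps), "size_dispersion": dispersion([s for _, s in conns])}
        if max(score["interval_dispersion"], score["size_dispersion"]) <= max_dispersion:
            hits.append(score)
    return hits
```

On the sample, only the 10.0.0.5 to 203.0.113.10:443 pair is flagged: its jittered intervals stay within a few percent of the 60 s median and its sizes never vary, while the browsing host's intervals and sizes spread widely.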