Analytics Story: Command And Control

Date: 2018-06-01 ID: 943773c6-c4de-4f38-89a8-0b92f98804d8 Author: Rico Valdez, Splunk Product: Splunk Enterprise Security

Description

Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.

Why it matters

Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker. Because this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Spike in blocked Outbound Traffic from your AWS None Anomaly
Clients Connecting to Multiple DNS Servers Exfiltration Over Unencrypted Non-C2 Protocol TTP
Detect Long DNS TXT Record Response Exfiltration Over Unencrypted Non-C2 Protocol TTP
Detection of DNS Tunnels Exfiltration Over Unencrypted Non-C2 Protocol TTP
DNS Query Requests Resolved by Unauthorized DNS Servers DNS TTP
Detect Remote Access Software Usage File Remote Access Software Anomaly
Detect Remote Access Software Usage FileInfo Remote Access Software Anomaly
Detect Remote Access Software Usage Process Remote Access Software Anomaly
DNS Exfiltration Using Nslookup App Exfiltration Over Alternative Protocol TTP
Excessive Usage of NSLOOKUP App Exfiltration Over Alternative Protocol Anomaly
Windows Remote Access Software Hunt Remote Access Software Hunting
Detect DGA domains using pretrained model in DSDL Domain Generation Algorithms Anomaly
Detect DNS Data Exfiltration using pretrained model in DSDL Exfiltration Over Unencrypted Non-C2 Protocol Anomaly
Detect hosts connecting to dynamic domain providers Drive-by Compromise TTP
Detect Large Outbound ICMP Packets Non-Application Layer Protocol TTP
Detect Remote Access Software Usage DNS Remote Access Software Anomaly
Detect Remote Access Software Usage Traffic Remote Access Software Anomaly
Detect suspicious DNS TXT records using pretrained model in DSDL Domain Generation Algorithms Anomaly
DNS Query Length Outliers - MLTK DNS, Application Layer Protocol Anomaly
DNS Query Length With High Standard Deviation Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Anomaly
Excessive DNS Failures DNS, Application Layer Protocol Anomaly
Multiple Archive Files Http Post Traffic Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol TTP
Plain HTTP POST Exfiltrated Data Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol TTP
Prohibited Network Traffic Allowed Exfiltration Over Alternative Protocol TTP
Protocol or Port Mismatch Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Anomaly
TOR Traffic Proxy, Multi-hop Proxy TTP
Detect Remote Access Software Usage URL Remote Access Software Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Palo Alto Network Threat Network icon Network pan:threat pan:threat
Palo Alto Network Traffic Network icon Network pan:traffic screenconnect_palo_traffic
Splunk Stream HTTP Splunk icon Splunk stream:http stream:http
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1