Description

Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate command and control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Resolution, Network_Traffic
  • Last Updated: 2018-06-01
  • Author: Rico Valdez, Splunk
  • ID: 943773c6-c4de-4f38-89a8-0b92f98804d8

Narrative

Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.
Because this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.

Detections

| Name | Technique | Type |
|------|-----------|------|
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP |
| DNS Query Length Outliers - MLTK | DNS, Application Layer Protocol | Anomaly |
| DNS Query Length With High Standard Deviation | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly |
| Detect Large Outbound ICMP Packets | Non-Application Layer Protocol | TTP |
| Detect Spike in blocked Outbound Traffic from your AWS | | Anomaly |
| Detect hosts connecting to dynamic domain providers | Drive-by Compromise | TTP |
| Excessive DNS Failures | DNS, Application Layer Protocol | Anomaly |
| Excessive Usage of NSLOOKUP App | Exfiltration Over Alternative Protocol | Anomaly |
| Multiple Archive Files Http Post Traffic | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | TTP |
| Plain HTTP POST Exfiltrated Data | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | TTP |
| Prohibited Network Traffic Allowed | Exfiltration Over Alternative Protocol | TTP |
| Protocol or Port Mismatch | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly |
| TOR Traffic | Application Layer Protocol, Web Protocols | TTP |
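As an added illustration of the per-source DNS query length checks listed above (DNS Query Length Outliers and DNS Query Length With High Standard Deviation), the following Python runs that kind of logic over constructed Network_Resolution-style events; it is not the story's own search logic, and the thresholds, the sample data, and the use of a median/MAD modified z-score for per-query outliers are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample events shaped like Network_Resolution (src, query) fields;
# not real telemetry. The last query from 10.0.0.5 carries an unusually long label.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "query": "www.example.com"},
    {"src": "10.0.0.5", "query": "mail.example.com"},
    {"src": "10.0.0.5", "query": "cdn.example.net"},
    {"src": "10.0.0.5", "query": "login.example.org"},
    {"src": "10.0.0.5", "query": ("x" * 60) + ".example.com"},
    {"src": "10.0.0.9", "query": "www.example.com"},
    {"src": "10.0.0.9", "query": "mail.example.com"},
    {"src": "10.0.0.9", "query": "time.example.net"},
]


def lengths_by_src(events):
    """Group query lengths by source address."""
    lengths = defaultdict(list)
    for e in events:
        lengths[e["src"]].append(len(e["query"]))
    return lengths


def query_length_stats(events):
    """Per-source count, mean and sample standard deviation of query length."""
    return {
        src: {"count": len(v), "mean": statistics.mean(v),
              "stdev": statistics.stdev(v) if len(v) > 1 else 0.0}
        for src, v in lengths_by_src(events).items()
    }


def high_stdev_sources(events, stdev_threshold=10.0, min_count=3):
    """Sources whose DNS query lengths vary far more than a normal client's."""
    return sorted(src for src, s in query_length_stats(events).items()
                  if s["count"] >= min_count and s["stdev"] > stdev_threshold)


def query_length_outliers(events, threshold=3.5):
    """Queries whose length is an outlier for their source, scored with a
    median/MAD modified z-score so one long query cannot hide by inflating
    its own source's mean and standard deviation (assumed approach)."""
    lengths, flagged = lengths_by_src(events), []
    for e in events:
        vals = lengths[e["src"]]
        median = statistics.median(vals)
        mad = statistics.median(abs(v - median) for v in vals)
        if mad == 0:  # lengths nearly identical: no spread to score against
            continue
        if 0.6745 * (len(e["query"]) - median) / mad > threshold:
            flagged.append(e)
    return flagged
```

In a real deployment the baseline would be computed over a much longer window per source so that a single long query cannot dominate the statistics.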

Reference

source | version: 1