In this article we will focus on identifying c2 server IOCs in the network layer, connection to c2 server was demonstrated in the C2 server Anti-Virus evasion techniques.
In any corporate network we can be assumed that one of the two situations exists:
- Hackers /Malware is already connected to computer systems
- It’s only a matter of time compute system will be under attack
Imagine a world without mail distribution by postmen who need to go door to door day after day What then? What will be the solutions for mail distribution? Denying the use of an existing solution is a great way to reach various advanced solutions.
Now imagine a world without antivirus
If an attacker found a way to bypass company antivirus, like we demonstrated at c2 server implementation part, the control systems that were relevant are not anymore.
in our example of c2 server implementation ,we bypassed the AV AMSI feature and run our Powershell Empire agent code directly to the memory without touching disk, we succeeded to infect the system and gain remote control, after gaining control, we established connection to the C2 server and add persistence key by adding a new scheduled task the task run every day at 9:00 AM and allow us to keep stable connection to םור C2 server in any agent Crash or kill by admin .
when attacker takeover of the computer systems there are always indicator and behavior we can detect in the operating system layer and in the network layer , identifying these, will allow us to block the hacker’s connection to the our computer systems.
IOCS in the network layer
A attacker usually takes care of changing most of the default values of the c2 server to avoid detection, but for the most part the details that are difficult to change will remain.
An example of a value that is difficult to change is the TTL value of the server, you can see in the picture below that the TTL in the agent’s requests to the c2 server is equal to 128 and belongs to the Linux system and not to the IIS server which has a value of 64.
C2 beaconing detection
The URLs that the agent accesses every few seconds are identified with a PowerShell Empire server, beaconing detection is an important behavior and IOC for identifying any type of C2 server.
Additional findings that may indicate that there is a connection to server C2.
- User agent
- Web server type
More security controls system
To be able to detect and stop the attack, we need additional control systems, these control systems will provide a solution when the antivirus fails to block the initial connection to any C2 server
Independent control system:
- Access control system require jump server cant be access from client devices
- attacker/malware activities can not avoid being monitored by the control system
- The control system can detect threats and stop them in real time
A dependent control system is a system that operates on top of the operating system, so we assume that it can also be manipulated by attackers or malware.
IPS / IDS Independent System General Infrastructure
Detection and prevention of connection to c2 server by Snort3
The computer network has a lot of information that moves from place to place, the information can include DNS requests, access to sites at http / https, downloading and uploading files, sending data for printing, data sent by e-mail, network packets sent any time to anywhere, locally and externally.
Using Snort allows us to “sit on the network” and monitor all network traffic as IDS and even prevent real-time threats as IPS.
Traffic analysis by Snort
Each network packet we pass through snort , test by a numbers of conditions, check and identify as normal traffic or unwanted traffic by multiple rules.
General chart of network packet analysis by Snort3
Use of buffers in writing terms
Snort3 has the ability to use Buffers that allow us to search more easily within any network packet.
All types of Buffers can be seen on our Github, see example at pictured below.
Example of a condition with http buffers, the condition looks for IOCs such as user agent in network packets,
alert http (
msg: “powershell empire was detected”;
flow: to_server, established;
content: “/ login / process.php”, nocase;
content: “Mozilla / 5.0 (Windows NT 6.1; WOW64; Trident / 7.0; rv: 11.0) like Gecko “, nocase;
content:” session “, nocase;
reference: url, attack.mitre.org / techniques / T1086;
reference: url, powershellempire.com;
classtype: trojan- activity;
sid: 56465; rev: 5;
user agent indicator we found confirm there is a connection to a PowerShell Empire c2 server on the network.
beaconing in the network
Our agent communicates via a secure https connection so identifying c2 server indicators such as user agent as exemplified by snort is not possible without setting up SSL inspection and proxy.
The C2 server in our lab contain address belonging to azure.com to increase the chances this address is not access over proxy and certificate brake by ssl inspection, identification of C2 server indicators will not be visible.
Attempts by Agent C2 to maintain a stable connection to the c2 server can be detected by a monitoring and identfy as beacon.
detecting beacon traffic by Zeek and kibana
Imagine a tool developed by a team of researchers from a prestigious university in the US, a tool that can easily detect multiple protocols, a tool that can detect non-standard network traffic, Zeek is the perfect IDS for identifying beacon in a network.
How does Zeek work?
Zeek checks each network packet using editable scripts, the scripts analyze the network packets and export the relevant data to different log files, example log files: Protocols, IMAP, SSL, HTTP, in addition to identifying and analyzing protocols, thare also options to configure export files from packet if detected, read more about detecting beacon and an anomaly network traffic at C2 Malware Detection and Network Anomaly article
sample files can be downloaded on our GitHub .
IPS / IDS independent control system has more advantage over any dependent system running on the operating system, attacker or malware can not avoid monitoring in the network layer, use of IPS / IDS system should be an integral part of corporate network protection and can prevent complex attack in real time.