Description

Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Resolution, Network_Traffic, Web
  • Last Updated: 2018-06-01
  • Author: Rico Valdez, Splunk
  • ID: 943773c6-c4de-4f38-89a8-0b92f98804d8

Narrative

Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.
Because this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.

Detections

Name | Technique | Type
--- | --- | ---
Clients Connecting to Multiple DNS Servers | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP
DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP
DNS Query Length Outliers - MLTK | DNS, Application Layer Protocol | Anomaly
DNS Query Length With High Standard Deviation | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly
DNS Query Requests Resolved by Unauthorized DNS Servers | DNS | TTP
Detect DGA domains using pretrained model in DSDL | Domain Generation Algorithms | Anomaly
Detect Large Outbound ICMP Packets | Non-Application Layer Protocol | TTP
Detect Long DNS TXT Record Response | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
Detect Remote Access Software Usage DNS | Remote Access Software | Anomaly
Detect Remote Access Software Usage File | Remote Access Software | Anomaly
Detect Remote Access Software Usage FileInfo | Remote Access Software | Anomaly
Detect Remote Access Software Usage Process | Remote Access Software | Anomaly
Detect Remote Access Software Usage Traffic | Remote Access Software | Anomaly
Detect Remote Access Software Usage URL | Remote Access Software | Anomaly
Detect Spike in blocked Outbound Traffic from your AWS | | Anomaly
Detect hosts connecting to dynamic domain providers | Drive-by Compromise | TTP
Detection of DNS Tunnels | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
Excessive DNS Failures | DNS, Application Layer Protocol | Anomaly
Excessive Usage of NSLOOKUP App | Exfiltration Over Alternative Protocol | Anomaly
Multiple Archive Files Http Post Traffic | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | TTP
Plain HTTP POST Exfiltrated Data | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | TTP
Prohibited Network Traffic Allowed | Exfiltration Over Alternative Protocol | TTP
Protocol or Port Mismatch | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly
TOR Traffic | Proxy, Multi-hop Proxy | TTP
Windows Remote Access Software Hunt | Remote Access Software | Hunting

Reference

source | version: 1