Unraveling command and control, part 1: Tactics and techniques

Have you ever wondered at exactly what stage cyberattackers consider their attack to be successful? Is it when they gain privileged access, or is it when they evade the security defenses of the organization?

The real success of a cyberattack is when the attacker can remain undetected within the target environment and continue to establish communication with the compromised systems in the network to corrupt it in multiple malicious ways. In order to maintain this impregnable communication channel, cybercriminals use command and control (known as C&C or C2).

In this two-part blog series, we'll shed light on various facets of the command and control attack, from its definition to detection.

Let's begin by learning what C&C tactics are.

What is command and control?

C&C is a technique used by cyberattackers to establish and maintain discrete communication with compromised devices in the target network.

The attacker employs a malicious C&C server to communicate with infected machines over the target network. This C&C server is also used for receiving the desired data or payload back from the infected systems.

The attacker usually tries to impersonate the normal, expected traffic to avoid any detection within the network. The C&C servers can be further used by the adversaries to create a network of infected machines called botnets to perform malicious activities such as data exfiltration, a distributed-denial-of service (DDoS) attack, cryptocurrency mining, or network shutdown.

Techniques used to establish command and control

There are multiple ways in which an attacker can establish command and control over the target network covertly. Here are six ways this dominance can be established:

1. Manipulating application layer protocols

Adversaries may discretely communicate using application layer protocols with a compromised computer to control them remotely. They can insert malicious commands and the results of those commands within the existing protocol traffic between the client and server. This helps them to avoid any suspicion or detection, making it easier for them to blend in and pivot through the target network.

Application layer protocols like web protocols, mail protocols, DNS, and FTPs may be exploited by adversaries.

2. Data encoding

Adversaries may opt for encoding data using a standard data encoding system. This makes it difficult to detect the traffic in the network. Data encoding can be achieved using ASCII, MIME, Unicode, or other binary-to-text and character encoding systems.

3. Manipulating non-application layer protocols

Adversaries may communicate using non-application layer protocols between the infected device and the C&C server within a network. Since the non-application layer protocols are not generally monitored, it makes it easier for attackers to establish covert communication.

Non-application layer protocols like Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), Serial over LAN (SOL), and Socket Secure (SOCKS) may be exploited by adversaries.

4. Obfuscating data

Adversaries may attempt to obfuscate infected devices and C&C traffic to make it harder to be detected. They may use tools like FlawedAmmyy to muddle the initial parts of the C&C channel, making the content almost imperceptible and difficult to identify or decipher. Other methods to avoid detection include using steganography techniques, impersonating legitimate protocols, or adding junk data to protocol traffic.

5. Misusing remote access software

Adversaries may use legitimate remote access and desktop support tools such as Ammyy Admin, TeamViewer, AnyDesk, LogMeIn, GoToAssist, VNC, and others to establish interactive command over target devices in the network.

6. Gaining control through removable media

Adversaries may establish command and control channels on air-gapped host systems by using removable media such as USB drives to transfer commands from system to system. Here, the internet connected system is compromised first and the second system is compromised through lateral movement by relaying commands by using replication through removable media.

How does command and control work?

To establish a C&C communication, the attacker first needs to gain entry into the organization's network. This can be achieved using some of the following tactics:

1. Phishing emails
2. Malvertising
3. Direct execution of malware programs
4. Exploiting vulnerabilities in browser plugins

Once initial access is achieved, the attacker establishes the command and control communication in the following steps:

1. Once the host machine is compromised, the communication with the C&C server is established and the infected machine sends a signal to the attacker's C&C server to let it know that it is ready to receive the next set of instructions or commands. The C&C communication is carried out through legitimate traffic such as DNS or HTTP/HTTPS.
2. With the C&C communication channel being established, the infected host machine receives and executes further commands received from the malicious C&C server.
3. The attacker by this time will have complete charge of the infected machine and can execute malicious codes on it.
4. Through the established C&C channel, the attacker can send commands to install further, more malicious software, exfiltrate information, encrypt data, look for more vulnerabilities in the network, shut down machines, stealthily monitor system activities, and cause other such serious damage to the network.

The malicious code used to establish the C&C communication will advance further to other systems in the network and create a network of compromised systems called botnets. Through this, the attacker can easily have a lateral movement inside the network.

Now you should have a sound understanding of what C&C is and how adversaries use it to infiltrate a network and execute an attack.

Interested to learn more? Watch out for our second and final part of this blog series to learn about Indicator of Compromise and other detection and attack prevention techniques using a SIEM solution. Stay tuned!