Command and Control (C2) - secuguru/security-terms GitHub Wiki

In the command and control (C2) phase, attackers establish and maintain communication with compromised systems to issue commands, retrieve data, and manage ongoing operations. C2 channels vary widely in sophistication, from simple web-based communications to advanced steganography and encrypted messaging. Here are common C2 techniques, including web service-based C2, removable media, and steganography/encoded commands.

1. Web Service-Based C2

  • Definition: Attackers use web-based services or legitimate applications as C2 channels to issue commands and retrieve data from compromised systems.
  • Methods:
    • Dead Drop Resolvers: Attackers post commands or data to web pages, forums, or social media sites, where infected systems periodically check for instructions. This is a form of one-way communication where the system retrieves commands without directly connecting to the attacker.
    • One-Way/Bi-Directional Traffic:
      • One-Way Traffic: In one-way C2, the compromised system only receives commands, reducing the chance of detection by limiting outbound traffic patterns.
      • Bi-Directional Traffic: With two-way C2 communication, the system can both receive commands and send data back, providing the attacker with interactive control.
    • Encrypted Channels: Attackers often use HTTPS, TLS, or other encryption protocols to conceal C2 traffic, blending in with legitimate encrypted web traffic to evade detection.
  • Security Implications: Web services provide a flexible C2 channel that can easily bypass firewalls and other security measures. Encrypted channels make it challenging for defenders to inspect the content of C2 traffic, especially if it’s mixed with legitimate web activity.

2. Removable Media

  • Definition: Attackers may use removable media (like USB drives) as a physical C2 method, especially in environments with restricted network access or air-gapped systems (systems isolated from external networks).
  • How It Works:
    • Attackers may plant malware on USB drives that execute commands once plugged into a target system. The infected system could then record data or execute tasks, saving the results back to the USB for the attacker to retrieve.
    • USBs can carry updated command files or scripts to be executed automatically when inserted into the compromised system.
  • Security Implications: Removable media-based C2 avoids network detection entirely, making it ideal for air-gapped networks or environments with strict network controls. However, physical access is often required, which can limit its practicality for large-scale attacks.

3. Steganography and Encoded Commands

  • Steganography:
    • Definition: Attackers use steganography to hide commands or data within seemingly innocent files, such as images, videos, or audio files, allowing them to avoid detection.
    • How It Works: The attacker embeds commands within the pixel values of an image or the metadata of a media file. The compromised system decodes these hidden commands to understand and execute them.
  • Encoded Commands:
    • Definition: Attackers encode commands in formats that aren’t immediately readable, such as Base64, hexadecimal, or custom encoding schemes, making it harder for security tools to recognize malicious instructions.
    • How It Works: The compromised system decodes the commands after receiving them, executing the instructions as needed.
  • Security Implications: Steganography and encoding can evade detection by traditional security tools, which might not analyze image or audio files for hidden commands. These techniques allow attackers to mask malicious commands within benign-looking files, bypassing content inspection mechanisms.

Summary

  • Web Service-Based C2 (Dead Drop Resolvers, One-Way/Bi-Directional Traffic, and Encrypted Channels) provide a highly flexible and often covert way for attackers to communicate with compromised systems, using legitimate web services and encryption to evade detection.
  • Removable Media C2 offers a non-network method of command and control, suitable for air-gapped environments, though it requires physical access or insider cooperation.
  • Steganography and Encoded Commands hide commands within innocuous-looking files or encode them, allowing attackers to evade content inspection and security monitoring.

By understanding these C2 techniques, defenders can implement security controls such as network monitoring for unusual traffic patterns, limiting removable media access, and analyzing file contents for potential steganographic data. Additionally, detecting suspicious use of encryption and encoded data on C2 channels can help identify covert command-and-control activities.