Command and Control (C2) explained
What is Command and Control (C2)? What are C2 servers? Why are they so notorious, and why are blue teams worldwide trying their best to detect C2 servers? It’s time to answer these questions and much more.
C2 — what is it?
Command and control originated as a military term: an individual having authority and power over a set of resources and over how those resources are used. Picture military personnel controlling multiple drones from a submarine: the process is command and control, and the sub is the command and control center. It is usually abbreviated as C2; we'll use both terms interchangeably in this article.
C2 in security
Why does C2 matter in security?
Here's why: replace the drones with bots and malware, and the military with ransomware gangs, DDoS groups, APTs and numerous other cybercriminals, and you get one of the most significant contributors to today's threat landscape.
After a system is breached, attackers typically drop a piece of software on the compromised host that talks back to them. Repeated across every successfully breached target, this creates a farm of infected victims, centrally controlled by one set of servers known as C2 servers. When many remote devices are hacked and used as bots ("robots" performing scripted activity such as scraping or DDoS), the collection of bots is called a botnet. But it's not just bots and botnets that communicate with C2 servers.
- malware delivered through supply chain attacks
- malware stealing sensitive data
- crypto miners
have all been spotted talking back to C2 servers. That makes one statement worth taking seriously: if one of your systems is talking to a possible C2 server, you might be compromised.
Hence, detecting possible command and control communication is a constant job for security teams, because successfully disrupting that traffic can limit further damage. It all comes down to understanding C2 servers, which we dig into in the next section.
The C2 Servers
C2 servers are where cybercriminals control the infected systems from and run operations on them. The communication between an infected host and the C2 server is called "beaconing", and each message a "beacon". It is two-way traffic: the implant periodically checks in with the server, the server answers with instructions, and the implant executes them, reports back, and waits for more. These beacons are what blue teams try to detect; the sooner, the better.
C2 Servers in the Wild
Each C2 framework behaves in a certain way, and some are very popular among attackers. One such framework is CobaltStrike, a commercial adversary-simulation tool built for and licensed to red teams. It is popular among cybercriminals too, because of its powerful functionality, such as keylogging, privilege escalation, code execution, and much more. CobaltStrike quickly became the C2 of choice in attacker circles because of how stable and customizable it is.
In the infamous SUNBURST supply chain campaign of 2020, attributed to the APT UNC2452, a custom-built C2 protocol was used: encoded DNS and HTTPS-based communications in which the C2 subdomain was computed uniquely and dynamically for each victim from data extracted from the host. Because of this dynamic, encoded nature, the malware was hard to detect.
Sometimes legitimate services are used as C2 channels in out-of-the-box ways. In one instance, attackers used VirusTotal comments to pass messages between the control server and the infected host. Since requests to VirusTotal are expected in some environments, such C2 communications can go undetected.
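Per-victim, encoded subdomains of the kind described above leave a trace that does not depend on knowing the domain in advance: the generated label is long and uses its character set almost uniformly, so its Shannon entropy is far higher than that of human-chosen names like "www" or "mail". The script below is an added example, not code from the original article and not how SUNBURST itself was detected; it scores the leftmost label of each DNS query by length and entropy. The query names, the thresholds and the `example.test` domain are all constructed for illustration and are not real indicators.

```python
"""Flag DNS queries whose leftmost label looks machine-generated (added example).

Encoded or algorithmically generated subdomains tend to be long and to spread
their characters almost uniformly, so their Shannon entropy is high compared
with human-chosen labels. All query names below are constructed; none is a
real indicator of compromise.
"""
import math
from collections import Counter

# Constructed DNS query log: mostly ordinary names, two encoded-looking labels,
# and one long but human-readable label that should NOT be flagged.
SAMPLE_DNS_QUERIES = [
    "www.example.test",
    "mail.example.test",
    "cdn-static-02.example.test",
    "k3vx9qm2rz7pl0cw4hn8dy6t.example.test",   # constructed, looks encoded
    "autodiscover-outlook.example.test",       # long but readable
    "n4d8pq2wk7zx1vm5tb9h.example.test",       # constructed, looks encoded
]


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for a one-symbol string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def first_label(fqdn):
    """Leftmost DNS label, which is where encoded victim data usually ends up."""
    return fqdn.split(".")[0]


def score_query(fqdn, min_len=16, min_entropy=3.8):
    """Score one query name; both length and entropy must exceed the thresholds.

    Requiring both cuts false positives: short labels can have high entropy by
    chance, and long readable labels (e.g. "autodiscover-outlook") rarely reach
    the entropy of an encoded blob. Thresholds are assumptions to tune per
    environment, ideally against a baseline of your own resolver logs.
    """
    label = first_label(fqdn)
    ent = shannon_entropy(label)
    return {
        "label": label,
        "length": len(label),
        "entropy": ent,
        "suspicious": len(label) >= min_len and ent >= min_entropy,
    }


def find_suspicious_queries(queries):
    """Return the query names whose leftmost label trips both thresholds."""
    return [q for q in queries if score_query(q)["suspicious"]]


if __name__ == "__main__":
    for q in SAMPLE_DNS_QUERIES:
        s = score_query(q)
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{flag:10} len={s['length']:2} H={s['entropy']:.2f}  {q}")
```

The heuristic is deliberately coarse: it will miss short encoded labels and can still be fooled by legitimate services that embed hashes or tokens in hostnames (CDNs, telemetry endpoints), so in practice it is a triage signal to combine with domain age, query volume and NXDOMAIN rates rather than a verdict on its own.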
Detecting C2 Communications
Knowing what C2 is and how it communicates and behaves is not enough.
The next step is establishing that one of your systems is in fact talking to a C2 server, and doing so as early as possible, because the longer the malware stays hidden, the greater the potential impact.
So how does detection take place? We discussed "beacons" before, which are nothing but incoming and outgoing traffic. Larger organizations log and monitor all connections to and from their systems; finding anomalous patterns in those logs that stand out from usual traffic can indicate that something is wrong.
For example, Kodiac, a known malware with a Python-based C2 server, was reported to send beacons back to its C2 server every ten minutes. Timer-driven regularity like this stands out against the irregular rhythm of human-driven traffic, so it can be used to pick out outliers.
Life would be easier if every piece of malware worked in such systematic ways, but it doesn't. To aid detection, many security teams use threat intelligence: a collection of IOCs seen in previous attacks. If you are wondering what an IOC is, let us explain.
Indicators of compromise, or IOCs, are technical artefacts such as IP addresses, domain names and file hashes that appear in logs and may indicate that something suspicious has occurred.
For example, if a domain is known to be a malicious C2 server from analysis of past attacks by the threat intelligence community, security organizations and others, and that domain has received traffic from one of your machines, there is a high chance that you have been breached.
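The two detection approaches just described, spotting timer-driven beacons and matching destinations against a threat-intelligence list, can both be run over the same connection log. The script below is an added example and not code from the original article; it parses a constructed proxy log (the `<timestamp> <source IP> <destination host> <port>` format, the `10.0.0.x` hosts, the `example.test` domains and the `KNOWN_C2_DOMAINS` feed are all assumptions made up for illustration), reports any IOC hit, and flags source/destination pairs whose inter-connection gaps are nearly constant, the way a ten-minute check-in looks.

```python
"""Two C2 detection checks over constructed proxy log lines (added example).

1. IOC matching: does any host talk to a destination on a threat-intel list?
2. Beacon detection: does a (source, destination) pair connect at suspiciously
   regular intervals, the way a timer-driven check-in does?
Hosts, domains and the IOC feed below are constructed; none is a real indicator.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

# Constructed proxy log: "<timestamp> <source IP> <destination host> <port>".
# 10.0.0.5 checks in with cdn-metrics.example.test roughly every 600 seconds,
# mixed with ordinary browsing; 10.0.0.9 makes one request to a listed C2 domain.
SAMPLE_LOGS = """\
2023-03-01T10:00:00Z 10.0.0.5 cdn-metrics.example.test 443
2023-03-01T10:00:09Z 10.0.0.5 www.example.test 443
2023-03-01T10:03:41Z 10.0.0.5 news.example.test 443
2023-03-01T10:10:01Z 10.0.0.5 cdn-metrics.example.test 443
2023-03-01T10:12:30Z 10.0.0.5 www.example.test 443
2023-03-01T10:19:59Z 10.0.0.5 cdn-metrics.example.test 443
2023-03-01T10:25:14Z 10.0.0.5 www.example.test 443
2023-03-01T10:30:02Z 10.0.0.5 cdn-metrics.example.test 443
2023-03-01T10:31:11Z 10.0.0.9 bad-c2.example.test 443
2023-03-01T10:33:00Z 10.0.0.9 www.example.test 443
2023-03-01T10:40:00Z 10.0.0.5 cdn-metrics.example.test 443
2023-03-01T10:49:58Z 10.0.0.5 cdn-metrics.example.test 443
"""

# Constructed threat-intel feed: domains seen as C2 in past incidents (hypothetical).
KNOWN_C2_DOMAINS = {"bad-c2.example.test", "dropper.example.test"}


def parse_logs(text):
    """Parse log lines into (timestamp, src, dst) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2]))
    return sorted(events)


def find_ioc_hits(events, iocs):
    """Return unique (src, dst) pairs whose destination is on the IOC list."""
    return sorted({(src, dst) for _, src, dst in events if dst in iocs})


def find_periodic_beacons(events, min_events=5, max_cv=0.10):
    """Flag (src, dst) pairs whose gaps between connections are nearly constant.

    For each pair seen at least `min_events` times, compute the gaps between
    consecutive connections. A coefficient of variation (stdev / mean) at or
    below `max_cv` means the gaps barely vary: a timer, not a human. Real
    implants often add jitter, so `max_cv` is a tuning knob, not a constant.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < max(min_events, 3):
            continue  # need at least two gaps for a stdev
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = stdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return beacons


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for src, dst in find_ioc_hits(evts, KNOWN_C2_DOMAINS):
        print(f"IOC hit: {src} -> {dst}")
    for (src, dst), info in find_periodic_beacons(evts).items():
        print(f"Possible beacon: {src} -> {dst} every ~{info['mean_interval']:.0f}s "
              f"({info['count']} connections, cv={info['cv']:.3f})")
```

On the sample data the IOC check fires on `10.0.0.9`, and the periodicity check fires on `10.0.0.5` talking to a domain that is on no feed at all, which is the point of running both: the feed catches what the community has already seen, the statistics catch what it has not. Software updaters and monitoring agents also check in on timers, so periodic pairs need an allow-list or a destination-reputation step before anyone gets paged.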
Once the hard part of detection is done, it's time for containment and mitigation:
- isolating breached systems
- performing forensic analysis
- removal of malicious artifacts (DLLs, files, etc.)
Once detection is done and the initial incident response has been executed, deeper analysis is often handed over to internal or external forensic specialists, while the affected organization focuses on damage control. It is essential to answer questions like
- What has been accessed?
- What can be leaked?
- Is there a pattern that can be attributed to a known attacker?
Whether you are a red or a blue teamer, it is crucial to know what C2 and C2 servers are and how they work. It was reported that the number of C2 servers on the internet rose by 30% in 2022. That is huge, and it points to a large increase in successful cyberattacks.
Many C2 frameworks are out there in the wild, dominated by the most popular one, CobaltStrike, alongside other frameworks such as Empire and various cracked or modified flavors of CobaltStrike.
The Brute Ratel framework gained notoriety recently when a cracked version was shared among hacker communities. Botnets like IcedID, QakBot and KmsdBot aren't far behind either, with their own custom C2 networks deployed.
In other words, your network could be their next target. So now is the time to look at your existing security infrastructure and improve it from a logging and monitoring perspective, so that the next time there is a flood of outgoing connections, unknown processes talking to the internet, or anything else out of the ordinary, you have enough data to comb through and spot those C2 agents and beacons.
Lastly, a threat intelligence solution should never be overlooked. Threat intelligence is largely a reactive countermeasure, but remember that security is not about stopping every attack and breach; it is about minimizing the impact when a compromise does occur.
In case you are already familiar with C2, we still have good news for you — Hexway has a self-hosted solution for penetration testing specialists with additional PTaaS benefits and a customer result presentation portal. Hexway solutions perfectly blend with existing pentest processes and allow teams to be more productive by optimizing the workflow.