Detection in this phase of the kill chain is not extremely complex; from a business perspective, however, it is critical for the organization to find this activity. An attacker who has progressed to the C&C phase may be a dangerous and impactful threat to the business. Whether or not your organization is part of a botnet is not the real issue; the real issue is that the organization is breached, and you need to ascertain the impact on your organization. The earlier you spot the attacker in the kill chain, the less impact there is for your organization; unfortunately, at this point it is certainly worrying if you find any C&C activity.
In the command and control phase your network is compromised and your endpoints are running malware. This malware is designed to communicate with an external control server owned by the attacker; this server will typically download new malicious software to your network, exfiltrate information and control your network.
The communication between the compromised network and the command and control server uses common communication protocols such as HTTP, SSL, IRC, FTP or DNS.
The subject of DNS and its current role as part of an APT is very extensive. I am going to try to keep it simple and show you some indicators that need to be checked in order to detect and stop an attacker in the command & control phase of the cyber kill chain.
The indicators we are going to look for are easily observable on the endpoint; however, we are going to look for this activity at the network level, and I will dedicate another post to hunting on the endpoint. I also presume you already know DNS and its role in normal communication.
The following is a list of anomalies you can look for in the DNS communication in your network:
1. Unusual DNS query failures
Once the malware is installed in your network it will start beaconing out to find its master server and receive instructions. The typical way to achieve this is for the malware to use a domain name to connect to that external machine.
The challenge here for the attacker is to maintain persistence in your network. Using a domain name lets them reach out of your organization, but it does not maintain persistence once the defender has found the malicious domain: blocking the domain eliminates that communication. That is why attackers use DGAs (Domain Generation Algorithms) to evade detection, maintain persistence and make it really difficult for defenders to block the C2 channel.
A DGA is an interesting algorithm which, for the purpose of this post, I will not discuss in detail. The important thing here is to understand that DGA-based malware generates many domain names and tries to connect to them. Most of these domain names are not registered; they do not exist, and they will generate a high volume of logs with the NXDOMAIN error. Only a few of the domains generated by the DGA will be up and running, because the attacker controls the algorithm embedded in the malware and can therefore predict which domains it will generate and register only those.
2. Unusual Domain name requests
All these domains should raise an alarm, and they should be found and analysed using techniques such as Rinse and Repeat over a log file of DNS queries. I already explained this technique in a previous post.
3. Watch for beaconing behaviour
Look at periodic traffic generated in your DNS communication: malware checking in with its control server tends to query at regular intervals.
4. Look for shady TLD (Top level domains)
Requests to domains that are not part of your organization's baseline, or that belong to countries you do not do business with, such as .tk, .ru or .country.
5. Look for DNS communication during odd hours. For example, at night most employees do not need DNS communication since they are not in the office.
6. Abnormal volume of DNS queries. Looking at the volume of DNS traffic per IP or per domain can signal connections to command and control threat infrastructure.
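The following is an added example, not code from the original post, that runs the indicators above (NXDOMAIN bursts, shady TLDs, beaconing, odd hours and query volume) over a few constructed DNS query log lines. The log format, the thresholds and the working hours are assumptions to be adapted to your own resolver and baseline.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
# Constructed sample lines in a simplified query-log shape (not a real resolver format; adapt LINE_RE).
SAMPLE_LOG = """\
2024-03-01 02:00:00 client 10.0.0.5 query: xk3jq9zp.tk IN A NXDOMAIN
2024-03-01 02:01:00 client 10.0.0.5 query: p0qwe8rn.ru IN A NXDOMAIN
2024-03-01 02:02:00 client 10.0.0.5 query: m2ncv7la.tk IN A NXDOMAIN
2024-03-01 02:03:00 client 10.0.0.5 query: a8sdfg1k.tk IN A NOERROR
2024-03-01 09:15:00 client 10.0.0.7 query: www.example.com IN A NOERROR
2024-03-01 09:16:30 client 10.0.0.7 query: mail.example.com IN A NOERROR
"""
LINE_RE = re.compile(r"^(\S+ \S+) client (\S+) query: (\S+) IN \S+ (\S+)$")
SHADY_TLDS = {"tk", "ru", "country"}  # TLDs outside the organization's baseline (the post's examples)
NXDOMAIN_THRESHOLD = 3      # NXDOMAIN answers per client before calling it a DGA-style burst
VOLUME_THRESHOLD = 100      # total queries per client in the window that warrant a look
BEACON_JITTER_SECONDS = 5   # max std-dev of inter-query gaps to call the traffic periodic
WORK_HOURS = (8, 18)        # queries outside this hour range count as off-hours activity

def parse(log):
    # Yield (timestamp, client_ip, domain, rcode) for each well-formed line; skip the rest.
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, name, rcode = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, name.rstrip(".").lower(), rcode

def hunt(log):
    # Return {client_ip: [indicator, ...]} for clients that match any indicator from the post.
    nx, shady, odd, stamps = defaultdict(int), defaultdict(set), defaultdict(int), defaultdict(list)
    for ts, ip, name, rcode in parse(log):
        stamps[ip].append(ts)
        nx[ip] += rcode == "NXDOMAIN"          # indicator 1: query failures
        if name.rsplit(".", 1)[-1] in SHADY_TLDS:
            shady[ip].add(name)                # indicator 4: shady TLDs
        odd[ip] += not WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]  # indicator 5: odd hours
    findings = {}
    for ip, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        checks = (
            (nx[ip] >= NXDOMAIN_THRESHOLD, "nxdomain_burst"),
            (bool(shady[ip]), "shady_tld"),
            (odd[ip] > 0, "off_hours"),
            (len(times) >= VOLUME_THRESHOLD, "high_volume"),   # indicator 6: volume
            (len(gaps) >= 2 and pstdev(gaps) <= BEACON_JITTER_SECONDS, "beaconing"),  # indicator 3
        )
        flags = [tag for hit, tag in checks if hit]
        if flags:
            findings[ip] = flags
    return findings
```

Client 10.0.0.5 trips four indicators at once on this sample; a real hunt would start from the hits and pivot into the queried names with Rinse and Repeat.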
DGA and DNS
DNS protocol and log format