Beaconing Intrusion IoCs


Command and Control (C&C)

Command and control (C&C or C2) refers to an infrastructure of hosts with which attackers direct, distribute, and control malware.

  • done through coordinated botnets
  • a compromised host is called a zombie
  • attacker adds zombie hosts to a pool of resources to which they issue commands
    • command can be a simple ping or heartbeat to verify connection to the bot
      • called beaconing
    • or can be a more malicious command
  • bot can beacon a C&C server by sending simple transmissions at regular intervals to unrecognized or malicious domains
  • irregular peer-to-peer traffic could indicate that a bot is communicating with a C&C server
  • zombie hosts frequently change DNS names and IP addresses
    • using techniques such as domain generation algorithms (DGA) and fast flux DNS

Beaconing is a means for a network node to advertise its presence and establish a link with other nodes, such as the beacon management frame sent by an AP.

  • can be done by legitimate software or malicious software
  • detected by capturing metadata about all the sessions established or attempted and analyzing for patterns that are suspicious
    • but many legitimate apps use beaconing (NTP servers, automatic updates, cluster services, etc.)
  • indicators of malicious beaconing include:
    • endpoints
      • e.g., a known-bad IP address that appears on a reputation list
    • rate and timing of attempts
    • size of response packets
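As an added example (not part of the original notes), the following Python scores session metadata against the three indicators above: destination reputation, regularity of timing, and uniformity of response size. The session records, the reputation list and the allowlist of known legitimate beaconers (such as an NTP server) are constructed placeholders using RFC 5737 addresses, and the thresholds are assumptions a practitioner would tune.

```python
import statistics
from collections import defaultdict

# Constructed reputation list and allowlist (placeholder RFC 5737 addresses, not real IoCs).
BAD_REPUTATION = {"203.0.113.7"}
KNOWN_BEACONERS = {"192.0.2.123"}  # e.g. the organization's own NTP server

def make_sessions():
    """Constructed session metadata: (timestamp_s, src_ip, dst_ip, response_bytes)."""
    s = []
    # Suspected bot: every 60 s to a listed address, identical 512-byte replies.
    s += [(t, "10.0.0.5", "203.0.113.7", 512) for t in range(0, 480, 60)]
    # Legitimate clock sync: just as regular, but to the allowlisted NTP server.
    s += [(t, "10.0.0.5", "192.0.2.123", 48) for t in range(0, 480, 64)]
    # Ordinary browsing: irregular timing and widely varying response sizes.
    s += [(5, "10.0.0.8", "192.0.2.30", 1400), (9, "10.0.0.8", "192.0.2.30", 23000),
          (70, "10.0.0.8", "192.0.2.30", 800), (71, "10.0.0.8", "192.0.2.30", 5100),
          (300, "10.0.0.8", "192.0.2.30", 96000), (412, "10.0.0.8", "192.0.2.30", 310)]
    return s

def beacon_findings(sessions, min_sessions=5, max_cv=0.1):
    """Group sessions by (src, dst) and report which beaconing indicators each pair shows."""
    groups = defaultdict(list)
    for ts, src, dst, size in sessions:
        if dst not in KNOWN_BEACONERS:  # skip destinations known to beacon legitimately
            groups[(src, dst)].append((ts, size))
    findings = {}
    for (src, dst), recs in groups.items():
        if len(recs) < min_sessions:
            continue
        recs.sort()
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        # Coefficient of variation of inter-session gaps: near 0 means machine-regular timing.
        cv = statistics.pstdev(intervals) / statistics.mean(intervals)
        sizes = [size for _, size in recs]
        reasons = []
        if cv <= max_cv:
            reasons.append("regular interval (cv=%.2f)" % cv)
        if max(sizes) - min(sizes) <= 0.05 * max(sizes):
            reasons.append("uniform response size")
        if dst in BAD_REPUTATION:
            reasons.append("destination on reputation list")
        if reasons:
            findings[(src, dst)] = reasons
    return findings

if __name__ == "__main__":
    for pair, why in beacon_findings(make_sessions()).items():
        print(pair, "->", "; ".join(why))
```

Only the suspected bot pair is reported; the NTP traffic is excluded by the allowlist even though its timing is just as regular, which is the false-positive case the note above warns about.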

Internet Relay Chat (IRC)

Internet relay chat (IRC) is a group communications protocol that enables users to chat, send private messages, and share files.

  • IRC networks use discrete channels
    • representing individual forums used by clients to chat
  • easy for an attacker to set up an IRC server and begin sending interactive control directives to bots connected to it
  • use of IRC for C&C is less common today
  • IRC traffic is easy to detect
    • should be blocked

HTTP and HTTPS

  • frequently used for C&C communications
    • difficult to separate malicious traffic from legitimate traffic on HTTPS
  • mitigate by
    • using proxies configured to decrypt and inspect encrypted traffic
    • using IP address and domain reputation checking
    • DNS blackholes
    • certificate inspection
      • encrypted bot traffic often uses self-signed certificates

DNS

  • DNS traffic is often not inspected or filtered
    • attackers use this to evade detection
  • DNS can operate as C&C channel
    • is highly effective because the bot does not need direct Internet access
    • bot uses a local DNS server that forwards lookups outside the organization
    • bot receives a response with a control message
  • attackers send commands as request or response queries
    • which makes them longer and more complicated than typical DNS traffic
      • can be used as an indicator of compromise
  • attackers may break control messages into several query fragments to avoid detection
  • when same query is repeated several times
    • is an indicator that a bot may be checking the control server for commands
  • tools exist that facilitate DNS tunneling

Social Media Websites

  • social media sites can be vectors for C&C
  • allow attackers to issue commands through the platform's messaging capability
    • e.g., organizations often allow unrestricted LinkedIn traffic
      • allows an attacker to issue commands to bots through an active account profile using fields like employment status, employment history, status updates, etc.
  • can leverage hashtags to encode command strings
  • has become less prevalent
    • sites have incorporated controls to limit abuse

Media and Document Files

  • media file formats like JPEG, MP3, and MPEG use metadata to describe images, audio, and video
  • attacker can embed control messages inside this metadata
  • then sends the media file to bots over any channel supporting media sharing
  • monitoring systems don’t typically inspect media metadata
    • allows attacker to evade detection