Beyond Vulnerability Scans: Mitigating and Monitoring for Malware Leveraging C2 Systems

Many modern forms of malware are now file-less and rely on Command & Control (C2) infrastructure to assist outsiders with gaining unauthorized access to networks. This malware “phones home” to remote attackers, who then leverage the internal foothold to infiltrate networks and execute attacks. These attacks can be difficult to detect when security monitoring is limited to periodic vulnerability and compliance scans.

Oftentimes these attacks execute against Windows OS based hosts using CMD and Powershell. These modern forms of malware do not rely on files present on a local disk where antivirus software can detect it. Once the malware is initiated, it persists in system memory and starts trying to create outbound connections to malicious domains. Domain generation algorithms (DGA) are used by the malware to generate domain names for use as potential rendezvous points on the public internet.

From the outside of the network, an attacker aware of the pattern used by the DGA generates matching domains oftentimes purchased with stolen credit cards. Once a match is found between the malware and the outside attacker, an encrypted reverse TCP or SSH shell connection is made with the attacker.

The Challenges of Detecting Malware Leveraging C2 Infrastructure

Attacks leveraging Command and Control (C2) architecture with Domain Generation Algorithms (DGA) are effective for many reasons.

• Firewalls do a great job of limiting uninitiated outside traffic. Few are configured to block connections from the inside going out.
• The ability to set up secure TCP and SSH connections is inherent in modern operating systems. The tools needed to perform the remote connection are easy to access once on the system.
• TLS Certificates are free and easy to get through services like Let’s Encrypt. This makes it possible to set up reverse HTTPS connections with ease.
• Law enforcement and authorities cannot keep up with the rapid pace that malicious domains can be established.

Ideas for Detecting Attacks Leveraging C2 Infrastructure

Monitor and Alert on Excessive Failed DNS Look-ups

DNS is important for spotting command and control activity.  As mentioned above, Domain Generation Algorithms (DGA) work to create random domain names on a cycle. The attacker knows what auto-generated domains will be generated and quickly register matching domains on the fly. This rapid registration process results in a whack-a-mole that law enforcement cannot keep up with.

Attacks leveraging DGA will result in explosions of failed resolutions as malware tries them all. This makes tracking failed DNS lookups is a great way for Security Ops to identify malware.

Enabled and Implement Event Logging for CMD and Powershell

Security Operations teams should be monitoring CMD and Powershell activity. Unfortunately, event logging for both CMD and Powershell activity are not enabled in Windows by default. Microsoft first made full Powershell event logging is available in version 5.1 which was bundled with Window 10 anniversary edition.

If your shop is still a few versions behind, be warned that Windows 7 ships with Powershell version 2 out of the box. Be sure your organization is running an up to date version of Powershell and enable security event logging for both it and CMD.

You can implement event logging for both CMD and Powershell via Group Policy Objects (GPO). Check out a few references below for more information.

• https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
• https://sid-500.com/2017/08/16/monitoring-windows-powershell-enable-module-logging/
• https://blogs.technet.microsoft.com/nathangau/2017/05/24/security-monitoring-mp-powershell-exploit-toolkit-rules/

An Important Note about Windows Events

It is also important to understand Windows event log IDs and what they mean. A handy compilation can be found here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

One of the most important event log IDs to be aware of is 4688: Process Command Line. This event type is not logged by default and perhaps one of the most important. It documents each program that is executed, who the program ran as and the process that started the process. You can correlate this event to other events by the Process ID to determine what the program did while it ran and when it exited (which is documented by Event 4689).

Ideas for Preventing Attacks Leveraging C2 Infrastructure

Enable Application and Process Whitelisting

Enabling application whitelisting utilities on endpoints is an effective mitigation. There are no shortage of solutions, but if you are running a modern Active Directory domain, you already have one. Microsoft’s Applocker can prevent Powershell from running and is included with current versions of Windows Server.

Deploy an End Point Security Utility with Advanced Functionality

Basic (and free) antivirus utilities are all but useless. Install an endpoint security utility that includes host-based firewall and intrusion detection capabilities. An effective utility will detect malicious activity and protocols and stop them automatically.  

Hopefully this post will have you on your way to enhancing your security operations monitoring. Please share comments, corrections and other ideas in the comments.