By Josh Liburdi, Sqrrl Security Technologist, and George Aquila
The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. In our previous post, we examined the practical ways that one can hunt for Internal Reconnaissance. In this post, we will take a look at how to hunt for Command and Control (C2) activity. Command and control is the process through which an attacker establishes a connection with a compromised asset that they have taken control of in a target network. C2 is a critical step in the process of carrying out an attack on a network. It is a category broad enough that it has its own kill chain step (KC6, “Command and Control”). Although it is a broad tactic, this post will survey the different ways that it might generally be carried out by an adversary.
Understanding Command and Control
C2 enables remote access for attackers into target networks. Architecturally, C2 is fairly predictable. It will follow generally one of two models for implementation: a Client-Server model or a Peer-to-Peer model. Attackers have multiple options of building their C2 channel, each of which are outlined below.