MITRE Technique [T1001.003] Data Obfuscation: Protocol or Service Impersonation

[T1001.003] Data Obfuscation: Protocol or Service Impersonation – Adversaries disguise C2 and other malicious traffic by impersonating legitimate protocols or web services, so that harmful activity blends with normal network flows and evades detection. #DataObfuscation #ProtocolImpersonation

Keypoints

  • Adversaries mimic legitimate protocols like HTTP, SSL/TLS, and cloud services to hide command-and-control traffic.
  • Fake SSL/TLS handshakes are used to trick inspection tools and make traffic appear encrypted.
  • Manipulated HTTP headers, URIs, and certificates aid in blending malicious traffic with trusted services.
  • Unusual client-to-server data ratios and network connections from processes that do not normally use the network are useful indicators.
  • Detection requires content analysis, protocol validation, and monitoring of process network behavior across platforms.

Description:

  • Like a spy wearing a convincing uniform, attackers dress their communications to look like trusted services so they can move and speak unnoticed in a crowded network.
  • Attackers manipulate protocol handshakes, HTTP headers, URIs, and certificates so that C2 traffic resembles normal web or service traffic (e.g., Gmail, cloud storage); some implants complete a fake SSL/TLS handshake so that the rest of the session looks encrypted to inspection tools. This enables persistent covert communication and evasion of monitoring, complicating analysis and response.

Detection:

  • Monitor network traffic content and metadata for mismatches between expected protocol behavior and observed packets. Use deep packet inspection (DPI) or protocol parsers to validate protocol conformance.
  • Alert on abnormal client-to-server data ratios, such as clients sending far more data than they receive. Set thresholds per application and tune them against a baseline, since backup, sync and upload-heavy applications legitimately skew the same way.
  • Log and profile processes that initiate network connections. Flag processes that normally do not use the network or that have not been seen before on the host.
  • Inspect SSL/TLS handshakes and certificate attributes for anomalies: self-signed or short-lived certificates, unusual issuer fields, or certificates whose subject or SAN does not match the SNI or DNS name. Use TLS fingerprinting (JA3/JA3S) to detect atypical clients or servers.
  • Correlate HTTP header patterns and URI semantics with known legitimate service behaviors. Detect suspicious header manipulations, uncommon user-agent strings, or hidden data in query strings and POST bodies. Use web proxy logs, WAF logs, and URL categorization.
  • Where traffic cannot be decrypted inline, detonate suspicious samples in a network sandbox and extract the payloads they send. Compare extracted payloads against threat intelligence and YARA rules to identify C2 protocols hidden inside legitimate-looking flows.
  • Reduce false positives by maintaining up-to-date baselines, allowlisting known services, and applying contextual signals (user, process, asset criticality). Combine network indicators with endpoint telemetry (process, parent/child relationships) for higher-fidelity detection and quicker triage.
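The following is an added example, not part of the MITRE page or any referenced report, showing how three of the detection ideas above (protocol conformance of the first client bytes, client-to-server byte ratio, and processes not in a baseline of known network users) can be applied to flow records. The flow records, the process baseline, and the byte samples are constructed for the example; the record layout loosely follows a Zeek conn.log entry with the first client payload bytes attached, and the thresholds are illustrative assumptions.

```python
import re
from dataclasses import dataclass

# Constructed flow record: one per connection, with endpoint telemetry
# (owning process) and the first payload bytes the client sent.
@dataclass
class Flow:
    uid: str
    proc: str                  # process that opened the socket
    dst_port: int
    orig_bytes: int            # client -> server bytes
    resp_bytes: int            # server -> client bytes
    first_client_bytes: bytes  # first client payload bytes (may be truncated)


# A genuine HTTP request starts with a request line; anything else on port 80
# is protocol-nonconformant traffic hiding behind the port.
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Validate that the first client bytes are a TLS record carrying a ClientHello.

    TLS record header: content type 0x16 (handshake), version 0x03 0x0[0-3], length (2 bytes).
    Handshake header:  type 0x01 (ClientHello), length (3 bytes) == record length - 4.
    Only the headers are checked, so a truncated capture of the first bytes is enough.
    """
    if len(data) < 11:
        return False
    if data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x03:
        return False
    rec_len = int.from_bytes(data[3:5], "big")
    if data[5] != 0x01:
        return False
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len != rec_len - 4:
        return False
    # ClientHello body opens with client_version, again 0x03 0x0x.
    return data[9] == 0x03 and data[10] <= 0x03


def analyze(flows, baseline_procs, ratio_threshold=5.0, min_upload=10_000):
    """Return {uid: [findings]} for flows that trip any of the three checks."""
    findings = {}
    for f in flows:
        hits = []
        if f.dst_port == 443 and not looks_like_tls_client_hello(f.first_client_bytes):
            hits.append("tls_nonconformant")
        if f.dst_port == 80 and not HTTP_REQ.match(f.first_client_bytes):
            hits.append("http_nonconformant")
        # Ratio check only for flows that uploaded a meaningful amount, to avoid
        # flagging every tiny keep-alive; tune both numbers per application.
        if f.orig_bytes >= min_upload and f.orig_bytes / max(f.resp_bytes, 1) > ratio_threshold:
            hits.append("high_upload_ratio")
        if f.proc not in baseline_procs:
            hits.append("unexpected_process")
        if hits:
            findings[f.uid] = hits
    return findings


def _client_hello() -> bytes:
    """Build a minimal, well-formed TLS 1.2 ClientHello record (constructed sample)."""
    body = (b"\x03\x03" + b"\x00" * 32   # client_version + random
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00")               # one compression method (null)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


SAMPLE_CLIENT_HELLO = _client_hello()

# Constructed baseline of processes seen using the network on this host.
BASELINE_PROCS = {"chrome.exe", "firefox.exe", "outlook.exe"}

# Constructed flows: one normal browser session, one fake-TLS implant that sends an
# application-data record without a handshake, one HTTP-looking upload from a process
# that never talks to the network, and one binary beacon hiding on port 80.
SAMPLE_FLOWS = [
    Flow("C1", "chrome.exe", 443, 12_000, 480_000, SAMPLE_CLIENT_HELLO),
    Flow("C2", "updater.exe", 443, 4_200, 9_800, b"\x17\x03\x03\x00\x40" + b"\x41" * 16),
    Flow("C3", "notepad.exe", 80, 900_000, 1_200,
         b"GET /mail/u/0/?ui=2 HTTP/1.1\r\nHost: mail.google.com\r\n"),
    Flow("C4", "chrome.exe", 80, 800, 700, b"\x00\x00\x00\x2aBEACON"),
]

if __name__ == "__main__":
    for uid, hits in analyze(SAMPLE_FLOWS, BASELINE_PROCS).items():
        print(uid, ", ".join(hits))
```

Each check alone is noisy (legitimate clients speak non-TLS on 443, backup agents upload heavily), which is why the findings are kept per flow so that a flow tripping two or three checks, such as a non-baseline process emitting a malformed handshake, can be ranked above one tripping a single check.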

Tactics:
Command and Control

Platforms:
ESXi, Linux, Windows, macOS

Data Sources:
Network Traffic: Network Traffic Content

Relationship Citations:
(Citation: McAfee-GhostSecret-fixurl), (Citation: Cobalt Strike Manual 4.3 November 2020), (Citation: ESET Okrum July 2019), (Citation: ESET InvisiMole June 2020), (Citation: Kaspersky ToddyCat June 2022), (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023), (Citation: MAR10135536-F), (Citation: Malware Analysis Report 10135536-G), (Citation: Novetta Blockbuster), (Citation: MAR10135536-B), (Citation: FireEye SUNBURST Backdoor December 2020), (Citation: Zscaler Higaisa 2020), (Citation: Novetta Blockbuster Destructive Malware), (Citation: ESET InvisiMole June 2018), (Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020), (Citation: US-CERT FALLCHILL Nov 2017), (Citation: Mandiant APT41), (Citation: Mandiant Cutting Edge Part 2 January 2024), (Citation: Scarlet Mimic Jan 2016), (Citation: PWC KeyBoys Feb 2017), (Citation: McAfee Lazarus Resurfaces Feb 2018)

Read More: https://attack.mitre.org/techniques/T1001/003