We’re excited to announce that the Command and Control (C2) Collection is now available with today’s launch of version 21 of the Corelight software. One of the most important ways that defenders can quickly identify and contain a security incident is to have data and detections for the attacker’s communication. The C2 Collection builds on Corelight’s already extensive capabilities for analyzing network traffic, including encrypted and hidden communication, by identifying C2 tools and techniques that indicate the presence of malicious communication. We focus on unique protocol data and high value detections to speed the detection and response workflow. In this post, I’ll discuss some components of the collection and how they work as well as give you a snapshot of two updates to our Encrypted Traffic Collection, including our new RDP inferences package.
The C2 Collection
At its core, C2 is the mechanism an attacker uses to communicate with their malware or compromised machines inside a defender’s network. C2 takes many forms and can travel over many different protocols, so it’s important to use as many techniques as possible to detect and defend against malicious communications. The Corelight C2 Collection contains numerous packages developed by the Corelight Labs research team, focused on identification and detection of network C2 components. These packages deliver high-fidelity detections for known malware tools as well as highlighting unknown C2 behaviors, allowing Corelight customers to uncover both conventional and targeted malware communication.
Our approach to detection alerts (aka notices in Zeek terminology) is simple. We take every opportunity to reduce noisy alerts through filtering approaches such as block and allow lists, removal of known false positives (FPs) and structural improvements, so that our customers can focus on the most critical alerts. For v21, this includes a few new approaches:
We added a severity score to the notice log. It is a 0-7 scale modeled on syslog severity levels (0 is the most severe, 7 the least) that maps the relative severity of each notice, so you can filter and prioritize notices in your SIEM or analytics stack.
For many of the C2 packages, we split our detections into two logical components – known tools and unknown C2 (behavioral) techniques, each with slightly different alerts and configurations.
Now let’s take a look at the components that make up the C2 Collection:
HTTP C2:
Modern malware plays all kinds of tricks to avoid detection. One of them is to keep using unencrypted HTTP for transport (while often encrypting the C2 payload inside it). Fortunately, that makes it easier for Corelight to perform analysis and detection, which is exactly what this package does. It is a new framework for identifying malware running over HTTP, and the included detections are built on durable characteristics taken from the headers and other properties of the connection. That lets the detections target many of the most prevalent HTTP malware families (including Metasploit, Cobalt Strike, PowerShell Empire and more) while remaining easy to extend as tools change over time. The package generates notices with details about the specific malware seen.
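To make the idea of durable characteristics concrete, here is an added example (not code from Corelight’s http-c2 package) that runs two kinds of signature over constructed Zeek http.log records: the hard-coded defaults of PowerShell Empire’s stock listener profile (three URIs and a User-Agent), and the URI byte-checksum property of Metasploit’s reverse_http stagers, which lets a random-looking URI still be recognized. The family constants come from those frameworks’ open-source code; the severity values, the extra single-segment tightening on the checksum rule and the log records are assumptions made for the example.

```python
"""Header- and URI-based matching of known HTTP C2 families over Zeek http.log.

Added example, not Corelight's http-c2 package. It encodes two kinds of
durable characteristics:
  * literal defaults shipped with a framework (PowerShell Empire's stock
    listener profile: three fixed URIs and a fixed User-Agent);
  * a computed property of the request (Metasploit reverse_http(s) stagers
    request URIs whose 8-bit byte checksum equals a handler-specific
    constant, so the URI is random-looking yet recognisable).
The http.log records below are constructed for this example.
"""
import json
import re

# Checksum constants from Metasploit's Rex::Payloads::Meterpreter::UriChecksum.
MSF_URI_CHECKSUMS = {
    92: "initial connect (Windows/native)",
    80: "initial connect (Python)",
    88: "initial connect (Java)",
    98: "existing session",
}

# Empire's hard-coded default listener profile.
EMPIRE_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
EMPIRE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"


def msf_uri_checksum(uri):
    """Return the Metasploit URI-checksum mode for a request URI, or None.

    Metasploit's handler drops every non-base64url character and sums the
    remaining bytes mod 256. A 1-in-256 coincidence rate on arbitrary short
    paths is far too noisy on its own, so this version also insists on a
    single path segment with no query string (an extra tightening that the
    framework's own handler does not apply) and on at least 4 characters.
    """
    path = uri.lstrip("/")
    if not path or "/" in path or "?" in path:
        return None
    segment = re.sub(r"[^A-Za-z0-9_-]", "", path)
    if len(segment) < 4:
        return None
    return MSF_URI_CHECKSUMS.get(sum(segment.encode()) % 256)


def classify(rec):
    """Return (family, detail, severity) for one http.log record, or None.

    severity follows the syslog 0-7 scale (0 most severe): an exact match
    on a framework's default profile outranks a checksum-only hit.
    """
    uri = rec.get("uri", "")
    if uri in EMPIRE_URIS and rec.get("user_agent") == EMPIRE_UA:
        return "PowerShell Empire", "default profile URI and User-Agent", 2
    mode = msf_uri_checksum(uri)
    if mode is not None:
        return "Metasploit reverse_http", "URI checksum: " + mode, 4
    return None


def scan_http_log(lines):
    """Run classify() over JSON http.log lines; return notice-like dicts."""
    notices = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = json.loads(line)
        hit = classify(rec)
        if hit is None:
            continue
        family, detail, severity = hit
        notices.append({
            "ts": rec["ts"], "orig_h": rec["id.orig_h"], "resp_h": rec["id.resp_h"],
            "family": family, "detail": detail, "severity": severity,
        })
    return notices


# Constructed sample records (not real traffic).
SAMPLE_HTTP_LOG = [
    json.dumps({"ts": 1622505600.1, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10",
                "method": "GET", "host": "203.0.113.10", "uri": "/admin/get.php",
                "user_agent": EMPIRE_UA, "status_code": 200}),
    json.dumps({"ts": 1622505601.4, "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.9",
                "method": "GET", "host": "198.51.100.9", "uri": "/abCV",
                "user_agent": "Mozilla/5.0 (compatible)", "status_code": 200}),
    json.dumps({"ts": 1622505602.0, "id.orig_h": "10.0.0.9", "id.resp_h": "192.0.2.20",
                "method": "GET", "host": "www.example.com", "uri": "/index.html",
                "user_agent": "Mozilla/5.0", "status_code": 200}),
    json.dumps({"ts": 1622505603.2, "id.orig_h": "10.0.0.9", "id.resp_h": "192.0.2.20",
                "method": "GET", "host": "www.example.com", "uri": "/static/abCV/logo.png",
                "user_agent": "Mozilla/5.0", "status_code": 200}),
]

if __name__ == "__main__":
    for n in scan_http_log(SAMPLE_HTTP_LOG):
        print(n)
```

The fourth record shows why a computed property needs corroboration: "abCV" checksums to the Metasploit initial-connect value, but buried inside a normal static path it is just a coincidence, which is the kind of structural filtering the post refers to when it talks about reducing noisy alerts.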
Meterpreter detection:
While the http-c2 package detects some Metasploit HTTP communication, this Meterpreter Detection package uses a novel algorithm that specifically targets the flexible Meterpreter payload and its follow-on communication. Using a variety of properties of the connection (including length and timing), the detection works on both the TCP and UDP variants of Meterpreter and generates logs that include specific details about the session (such as its GUID).
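As an added illustration of where a session GUID can come from (this is not Corelight’s algorithm, which the post does not publish), the following parses a Meterpreter packet header and walks its TLVs, following the packet layout in Metasploit’s open-source Meterpreter. The packet-type table and TLV type values are taken as assumptions, and the sample packet is constructed here with a helper that builds the same layout.

```python
"""Recover the session GUID from a Meterpreter packet.

Added example, not Corelight's detector. It follows the packet layout in
Metasploit's open-source Meterpreter (Metasploit 5 and later): a 4-byte XOR
key, then, XORed with that key repeated, a 16-byte session GUID, a 4-byte
encryption-flags word, a 4-byte big-endian length (counting the length and
type words plus the TLV body) and a 4-byte packet type, followed by TLVs
that each start with their own 4-byte length (including the 8-byte TLV
header) and 4-byte type. The TLV type values and the sample packet below
are constructed for the example; a real detector would first reassemble
the TCP stream, since one packet can span several segments.
"""
import struct

HEADER_LEN = 32  # xor key 4 + guid 16 + enc flags 4 + length 4 + type 4
PACKET_TYPES = {0: "request", 1: "response", 10: "plain_request", 11: "plain_response"}


def xor_bytes(key, data):
    """XOR data with a repeating key (the obfuscation Meterpreter applies)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_meterpreter(buf):
    """Parse one complete packet; return a dict, or None if it is not one.

    Every structural check here (non-zero key bytes, length word equal to
    the bytes that follow, known packet type, TLV lengths that tile the body
    exactly) is also a cheap feature for telling Meterpreter from random
    binary data.
    """
    if len(buf) < HEADER_LEN:
        return None
    key = buf[:4]
    if b"\x00" in key:  # Metasploit draws each key byte from 1..254
        return None
    body = xor_bytes(key, buf[4:])
    guid = body[:16]
    enc_flags, length, ptype = struct.unpack("!III", body[16:28])
    if length < 8 or length != len(body) - 20 or ptype not in PACKET_TYPES:
        return None
    tlvs, off = [], 28
    while off + 8 <= len(body):
        tlv_len, tlv_type = struct.unpack("!II", body[off:off + 8])
        if tlv_len < 8 or off + tlv_len > len(body):
            return None
        tlvs.append((tlv_type, body[off + 8:off + tlv_len]))
        off += tlv_len
    if off != len(body):
        return None
    return {"session_guid": guid.hex(), "encrypted": enc_flags != 0,
            "type": PACKET_TYPES[ptype], "tlvs": tlvs}


def build_packet(key, guid, ptype, tlvs):
    """Build a packet in the same layout (used only to construct the sample)."""
    body = b"".join(struct.pack("!II", len(v) + 8, t) + v for t, v in tlvs)
    raw = guid + struct.pack("!III", 0, len(body) + 8, ptype) + body
    return key + xor_bytes(key, raw)


# Constructed sample: a "request" carrying two string TLVs (type values chosen
# to mirror Metasploit's METHOD and REQUEST_ID string TLVs; assumption).
SAMPLE_GUID = bytes(range(0x10, 0x20))
SAMPLE_PACKET = build_packet(b"\x12\x34\x56\x78", SAMPLE_GUID, 0,
                             [(0x10001, b"core_channel_open\x00"), (0x10002, b"1234\x00")])

if __name__ == "__main__":
    print(parse_meterpreter(SAMPLE_PACKET))
```

The XOR key changes on every packet, so byte-level pattern matching on the wire sees only noise; that is why the GUID has to be recovered by parsing, and why the post’s detection leans on connection properties such as length and timing rather than on content signatures.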
DNS and ICMP tunneling:
Two of the most common protocols used to tunnel C2 communication are DNS and ICMP. Because they are ubiquitous and fundamental to network operations, the security visibility and enforcement of these protocols is too often minimized or ignored. The line can also blur a bit between C2 detection and exfiltration, since a covert channel can be used for either. These two packages help track down C2 which is tunneling over DNS or ICMP.
A number of tunneling tools for C2 communication (and exfiltration) are seen in the wild, so we prioritized detection of those known tools: a set of detections for six known tools each for DNS and ICMP is included. In addition, a generic behavioral approach to DNS tunneling, using an algorithm originally published by Zeek creator and Corelight co-founder Vern Paxson (Paxson et al., “Practical Comprehensive Bounds on Surreptitious Communication over DNS”, USENIX Security 2013), uses byte counts as the primary component of detection. A similar anomaly-based approach to ICMP tunneling is also included. Each detection provides alerts as well as new log data.
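The following added example (not Corelight’s package) shows what a byte-count-centric DNS tunneling score looks like over constructed Zeek dns.log records. The cited Paxson et al. work bounds the information a domain can have received by compressing the unique names queried under it; this version takes the crude upper bound instead, counting the bytes of every distinct subdomain string once, and pairs it with the fraction of queries that carried a never-seen name. The thresholds, the naive two-label registered-domain split and the log records are assumptions for the example.

```python
"""Byte-count scoring of DNS names per registered domain, as a behavioural
DNS-tunnel indicator over Zeek dns.log.

Added example, not Corelight's package. The cited Paxson et al. work bounds
the information a domain can have received by compressing the unique names
queried under it; this version takes the crude upper bound instead (bytes of
every distinct subdomain string, counted once) and combines it with the
share of queries that carried a never-seen-before name, which is what makes
a tunnel look different from a busy but repetitive domain. Thresholds, the
two-label registered-domain split (use a public suffix list in production)
and the dns.log records are all constructed assumptions.
"""
import hashlib
import json
from collections import Counter, defaultdict


def registered_domain(name):
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_part(name, reg):
    n = name.lower().rstrip(".")
    return n[:-len(reg)].rstrip(".") if n.endswith(reg) else ""


def dns_domain_stats(lines):
    """Aggregate dns.log JSON lines per registered domain."""
    stats = defaultdict(lambda: {"queries": 0, "unique_names": set(), "clients": set(),
                                 "upload_bytes": 0, "qtypes": Counter()})
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = json.loads(line)
        query = rec.get("query")
        if not query:
            continue
        reg = registered_domain(query)
        sub = subdomain_part(query, reg)
        d = stats[reg]
        d["queries"] += 1
        d["clients"].add(rec["id.orig_h"])
        d["qtypes"][rec.get("qtype_name", "?")] += 1
        if sub and sub not in d["unique_names"]:  # a repeated name carries no new data
            d["unique_names"].add(sub)
            d["upload_bytes"] += len(sub.replace(".", ""))  # dots are structure, not payload
    return stats


def flag_dns_tunnels(stats, byte_threshold=512, unique_ratio=0.9):
    """Return domains whose unique-name byte volume and novelty exceed the thresholds."""
    flagged = []
    for reg, d in stats.items():
        ratio = len(d["unique_names"]) / d["queries"]
        if d["upload_bytes"] >= byte_threshold and ratio >= unique_ratio:
            flagged.append({"domain": reg, "upload_bytes": d["upload_bytes"],
                            "unique_names": len(d["unique_names"]),
                            "clients": sorted(d["clients"]),
                            "top_qtype": d["qtypes"].most_common(1)[0][0]})
    return sorted(flagged, key=lambda f: -f["upload_bytes"])


def _rec(ts, orig, query, qtype):
    return json.dumps({"ts": ts, "id.orig_h": orig, "id.resp_h": "10.0.0.53",
                       "query": query, "qtype_name": qtype})


# Constructed sample: one host pushing 12 hex-encoded chunks (48 bytes each)
# under tun.example.net via TXT, plus ordinary repetitive traffic.
SAMPLE_DNS_LOG = [_rec(1622505600 + i, "10.0.0.5",
                       hashlib.sha256(b"chunk%d" % i).hexdigest()[:48] + ".tun.example.net", "TXT")
                  for i in range(12)]
SAMPLE_DNS_LOG += [_rec(1622505700 + i, "10.0.0.%d" % (6 + i % 3), "www.example.com", "A")
                   for i in range(20)]
SAMPLE_DNS_LOG += [_rec(1622505800 + i, "10.0.0.9", "img%d.cdn.example.org" % i, "A")
                   for i in range(6)]

if __name__ == "__main__":
    for f in flag_dns_tunnels(dns_domain_stats(SAMPLE_DNS_LOG)):
        print(f)
```

The CDN-style names in the sample are every bit as novel per query as the tunnel’s, but they carry a few bytes each, so the byte bound is what separates them; conversely a high-volume but repetitive domain never accumulates bytes because repeated names are counted once. Both properties are needed, and the line between C2 and exfiltration stays blurred, as the post notes.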
Domain Generation Algorithms (DGAs):
DGAs are still popular with modern malware, and they are still hard to track down. Anyone who has tried to build a statistical or lexical approach to DGA detection knows how frustrating it can be: lots of noise and not a lot of signal. Our detection takes a different approach. A DGA uses a generator to decide which domains are valid for a particular date and time, and a number of these generators have been published in open-source collections. We use them to compute the domains that over 44 malware families (and their variants) will generate each day, then match DNS queries against that list. It is a simple approach and one that is supremely effective for known malware. While it will not catch unknown malware using DGAs, we believe that finding known infections is the best place to start, especially to minimize the time spent chasing FPs. This detector generates alerts as well as a log with additional details.
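An added example of the precompute-then-match workflow (not Corelight’s package): a toy generator stands in for a published family generator, and the code around it does the part that matters in practice, computing each family’s domains for today and the neighbouring days so that a bot whose clock is a day off is still caught, indexing them, and matching dns.log queries exactly so a hit names the family and the date it was generated for. Family names, seeds, the generator and the log records are constructed for the example.

```python
"""Precompute-then-match DGA detection over Zeek dns.log.

Added example, not Corelight's package. The generator here is a toy
stand-in for a published family generator (real ones are family-specific
and live in open-source collections); the workflow around it is the point:
compute each family's domains for today and the neighbouring days (clock
skew and time zones mean a bot may be a day ahead or behind the sensor),
index them, and match queries exactly, so a hit names the family and the
date it was generated for. Family names, seeds and the dns.log records are
constructed.
"""
import hashlib
import json
from datetime import date, timedelta

TOY_TLDS = ["com", "net", "org", "info"]
FAMILIES = {"toy_family_a": "seed-a", "toy_family_b": "seed-b"}  # hypothetical


def toy_dga(seed, day, count=10):
    """Deterministic toy generator: domains depend only on (seed, date)."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        length = 8 + h[8] % 8
        name = "".join(chr(ord("a") + b % 26) for b in h[:length])
        domains.append(f"{name}.{TOY_TLDS[h[9] % len(TOY_TLDS)]}")
    return domains


def build_index(day, families=FAMILIES, skew_days=1):
    """Map domain -> (family, generation date) for day-skew .. day+skew."""
    index = {}
    for offset in range(-skew_days, skew_days + 1):
        d = day + timedelta(days=offset)
        for family, seed in families.items():
            for domain in toy_dga(seed, d):
                index.setdefault(domain, (family, d.isoformat()))
    return index


def match_dns_log(lines, index):
    """Exact-match queries against the index; return enriched hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = json.loads(line)
        query = rec.get("query", "").lower().rstrip(".")
        if query in index:
            family, generated_for = index[query]
            hits.append({"ts": rec["ts"], "orig_h": rec["id.orig_h"], "query": query,
                         "family": family, "generated_for": generated_for,
                         "rcode": rec.get("rcode_name")})  # NXDOMAIN vs resolved: is the C2 live?
    return hits


TODAY = date(2021, 6, 1)  # fixed so the sample is reproducible


def _rec(ts, orig, query, rcode):
    return json.dumps({"ts": ts, "id.orig_h": orig, "id.resp_h": "10.0.0.53",
                       "query": query, "qtype_name": "A", "rcode_name": rcode})


# Constructed sample: one query from today's family A list, one from
# yesterday's family B list (a bot whose clock is behind), and benign names.
SAMPLE_DNS_LOG = [
    _rec(1622505600.0, "10.0.0.5", toy_dga("seed-a", TODAY)[3], "NXDOMAIN"),
    _rec(1622505601.0, "10.0.0.5", "www.example.com", "NOERROR"),
    _rec(1622505602.0, "10.0.0.8", toy_dga("seed-b", TODAY - timedelta(days=1))[0], "NOERROR"),
    _rec(1622505603.0, "10.0.0.8", "mail.example.org", "NOERROR"),
]

if __name__ == "__main__":
    for hit in match_dns_log(SAMPLE_DNS_LOG, build_index(TODAY)):
        print(hit)
```

Because matching is an exact lookup, the false-positive rate is governed by the generators, not by how “random” a name looks, which is the trade-off the post describes: no lexical scoring noise, at the cost of seeing only families whose generators are known. Carrying the response code through is a cheap triage aid: a resolved DGA domain means the attacker (or a sinkhole) has registered it, while a run of NXDOMAINs is a bot still searching.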
That’s a quick roundup of what to expect from the new C2 Collection and like all of our content collections, expect it to expand over time.
But wait, there’s more! We didn’t want our very popular Encrypted Traffic Collection (ETC) to go without some attention too, so there are two things to tell you about – a new package and an update:
RDP inferences – RDP continues to be one of the primary vectors for initial access into private networks. In fact, according to the FBI, 70-80 percent of ransomware breaches start with an RDP compromise. With v21 we have added a comprehensive set of data and detections for RDP. For encrypted RDP, the data includes inferences about the authentication mechanisms, the behavior of the connections, and client details. It also includes our own implementation of the rdfp fingerprinting tool for unencrypted RDP connections. The detections watch for RDP brute-force attack tools and anomalous behavior and generate high-priority alerts. You won’t find another solution that gives you the detail into the RDP protocol that Corelight does. Whether you use it to track a specific RDP connection or to threat hunt with the inference data, this package will help you find RDP attacks early, before they turn into full-blown incidents. Keep an eye on this blog for an in-depth post on the RDP inferences package next.
Encrypted DNS detection – We introduced our detection for DNS over HTTPS (DoH) in our v19 release (and discussed the security ramifications here). DoH continues to be a challenge for security visibility, so we made additional improvements to the package. For v21, we revamped the detection logic and moved the output from a field in the connection log to a dedicated DoH log.
MITRE ATT&CK coverage
While there are a number of frameworks for describing technique and content coverage, most of our customers focus on MITRE ATT&CK. The v21 release covers a wide range of relevant MITRE ATT&CK C2 techniques, including:
T1041 – Exfiltration over C2 Channel
T1095 – Non-Application Layer Protocol
T1071 – Application Layer Protocol
T1110 – Brute Force
T1568 – Dynamic Resolution
T1572 – Protocol Tunneling
T1573 – Encrypted Channel
We hope you enjoyed the introduction to our new C2 Collection. Stay tuned for much more content from the Corelight Labs team and send us your thoughts on what we should be looking at next.