Протокол прикладного уровня
Sub-techniques (5)
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Примеры процедур |
|
Название | Описание |
---|---|
Cobalt Strike |
Cobalt Strike conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.(Citation: cobaltstrike manual) |
Hildegard |
Hildegard has used an IRC channel for C2 communications.(Citation: Unit 42 Hildegard Malware) |
Magic Hound |
Magic Hound malware has used IRC for C2.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021) |
NETEAGLE |
Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519. |
During FrostyGoop Incident, the adversary initiated Layer Two Tunnelling Protocol (L2TP) connections to Moscow-based IP addresses.(Citation: Dragos FROSTYGOOP 2024) |
|
Rocke |
Rocke issued wget requests from infected systems to the C2.(Citation: Talos Rocke August 2018) |
INC Ransom |
INC Ransom has used valid accounts over RDP to connect to targeted systems.(Citation: Huntress INC Ransom Group August 2023) |
Siloscape |
Siloscape connects to an IRC server for C2.(Citation: Unit 42 Siloscape Jun 2021) |
Dragonfly 2.0 |
Dragonfly 2.0 used SMB for C2.(Citation: US-CERT TA18-074A) |
QUIETEXIT |
QUIETEXIT can use an inverse negotiated SSH connection as part of its C2.(Citation: Mandiant APT29 Eye Spy Email Nov 22) |
Duqu |
Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.(Citation: Symantec W32.Duqu) |
Clambling |
Clambling has the ability to use Telnet for communication.(Citation: Trend Micro DRBControl February 2020) |
Sliver |
Sliver can utilize the Wireguard VPN protocol for command and control.(Citation: Cybereason Sliver Undated) |
Lucifer |
Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.(Citation: Unit 42 Lucifer June 2020) |
Velvet Ant |
Velvet Ant has used reverse SSH tunnels to communicate to victim devices.(Citation: Sygnia VelvetAnt 2024A) |
TeamTNT |
TeamTNT has used an IRC bot for C2 communications.(Citation: Trend Micro TeamTNT) |
Raspberry Robin |
Raspberry Robin is capable of contacting the TOR network for delivering second-stage payloads.(Citation: RedCanary RaspberryRobin 2022)(Citation: TrendMicro RaspberryRobin 2022)(Citation: HP RaspberryRobin 2024) |
Nightdoor |
Nightdoor uses TCP and UDP communication for command and control traffic.(Citation: ESET EvasivePanda 2024)(Citation: Symantec Daggerfly 2024) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Network Intrusion Prevention |
Use intrusion detection signatures to block traffic at network boundaries. |
Filter Network Traffic |
Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures: Ingress Traffic Filtering: - Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers. - Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges. Egress Traffic Filtering: - Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications. - Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected. Protocol-Based Filtering: - Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs. - Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue. Network Segmentation: - Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized. - Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems. Application Layer Filtering: - Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic. - Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques. |
Обнаружение
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)
Ссылки
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.
- Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
- Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
- Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
- Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.
- Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
- Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
- Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
- Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
- Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
- Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
- Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
- Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.