Looking out for C2 Traffic

Types of C2 Communication


When a host gets infected with a malware, sometimes it will attempt to call back to it’s Command and Control (C2) to get, or send information. There are 4 types of C2 communication traffic

  1. Beacon
    • After a host has been compromised, the malware will send a message heartbeat to the C2 to inform them of it’s status. This traffic is just to tell the C2 that it’s alive.
  2. Command
    • The command is sent from the C2 to the malware residing on the compromised host. It can either be real-time, or non-real-time. Non-real-time commands means that the command is stored and queued somewhere which the malware can retrieve to execute.
  3. Exfiltration
    • This command is sent from the compromised host to the C2. Exfiltration means sending a payload, and this payload can either be a reply from the malware, or stolen data from the host or network. Exfiltration can be done either immediately on request, or at regular (or deliberately irregular) intervals
  4. Connectivity Check
    • This check is done by the malware to check if it has internet connectivity out. This connection may not talk directly to the C2, but may try to connect to something as benign as Google. If it doesn’t have any internet connection, it can either defer talking to the C2, or remove itself entirely from the system.

Capturing C2 traffic


There are some strategies to capture C2 traffic, such as leveraging on CTI to learn about IOCs, patterns and log entries that may indicate a compromise.

Because C2 traffic is a networking phenomenon, most approaches towards network analysis, such as:

  • Netflow Analysis for inflow and outflow
  • IRC and P2P traffic
  • DNS query logs (to look out for DNS tunneling or DGA)
  • Unusual port numbers and services
  • Unusual timing of connections
  • Requests to Social Media at unusual hours
  • Packet size

Below shows an image of the packet sizes versus time, and we can see the start difference between a normal Google search and a Malware

Machine Learning to capture C2 traffic


Machine learning techniques can be employed to detect C2 traffic. In an extremely noisy environment like network traffic, ML perform anomaly detection by sieving out traffic that stands out.

I did a small sample project which can be seen here: https://github.com/jinhaochan/BotnetDetection

The model trained took features only from network behavior, and had quite a good performance. Although I must say that more advanced malwares these days come up with creative techniques, and in this case, machine learning might fail to detect them due to the lack to training data. Furthermore, the malware can cleverly disguise themselves to look like normal traffic, and the model we train miss those entries

Analyzing C2 traffic


Assuming that you know a malware has infected a host and is talking to a C2 server, you can either setup a honeypot, or try to reverse engineer the malware sample on the host.

Setting up the honeypot is essentially performing an MITM between the malware and the C2 server. We allow the malware to connect to the C2 and internet, while isolating it from other machines on the network to prevent it from spreading. This way, we can capture all the traffic that’s flowing to and from the C2, and we can find out what the motive of the malware is.

The second method is getting the sample of the malware on the infected host, and perform reverse engineering to find out what functions and capabilities it has.

MITRE ATT&CK TTP for C2


There is a branch Tactics in the MITRE ATT&CK Framework dedicated to C2, and there is a collection of Techniques they use to identify C2 communication.

If you are coming up with a system or model to detect C2 traffic, the matrix can be highly beneficial. But take caution to not fit a round peg into a square hole, the list is not comprehensive. Attackers are aware of MITRE and their TTPs, and will actively build ways around them.

Software to use for detection C2


Bro (now renamed to Zeek) https://www.zeek.org/

There are many write ups out there on how to use Zeek to capture and analyze traffic. Zeek is not specific to capturing just C2, but a wide array of network activities

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s