Strategies for Discovering C2 Servers During the Incident Response Log Collection and Analysis Stage
Background: During malware analysis on our assets, one of the best approaches is not only to identify the exact malware at hand but also to look for signs of other malware, based on the external connections associated with those assets.
Tactics to identify C2 servers:
1. JARM algorithm
2. Banner of the server
3. ICO hash value
4. SSL certificate
JARM algorithm
The name JARM comes from the first letters of its developers' names. Before discussing JARM, it is important to understand the differences between TCP and UDP, as well as the TCP three-way handshake.
JARM initiates TLS connections to the server. How the server responds to the TLS negotiation depends on its operating system (OS), TLS libraries, and other unique factors. JARM then derives a fingerprint from the response data it receives, so servers built the same way produce the same fingerprint.
In this example (figure not included), we have checked the fingerprints of two domains. By comparing these fingerprints with those stored in our database, we can identify similarities and potentially detect common Command and Control (C2) points.
Banner of the server
Banner grabbing is another method to determine whether a well-known C2 server is visible within our connections. A "banner" refers to the information obtained by scanning the open ports and other components of the assets that our hosts have connected to. However, since this process involves active scanning, the scanning rule must be properly tuned and optimized to avoid generating unnecessary noise.
From an attacker's perspective, this activity can create anomalies that signal someone is actively using a technique to identify C2 assets. I will discuss this technique further in other articles.
ICO hash value
Sometimes, in the case of covert C2 infrastructure, attackers use a unique icon for their dashboards. By hashing the page icon (favicon) referenced from the HTML page, we can search the internet using well-known tools or query our internal database for the same hash value.
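As an added example (not part of the original article), the following Python locates the favicon declared in a captured login page, hashes the icon bytes with SHA-256, and looks the hash up in an internal database. The page URL, HTML, icon bytes and database entry are all constructed for illustration; public search tools use their own hashing scheme (Shodan, for instance, uses MurmurHash3 over the base64-encoded icon), so an internal database must be populated with the same scheme used at lookup time.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin


class _IconLinkParser(HTMLParser):
    """Collects href values of <link rel="icon"> / <link rel="shortcut icon"> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attributes = dict(attrs)
        rel = (attributes.get("rel") or "").lower().split()
        if "icon" in rel and attributes.get("href"):
            self.hrefs.append(attributes["href"])


def favicon_urls(page_url, html):
    """Return absolute favicon URLs declared in the page, or the /favicon.ico default."""
    parser = _IconLinkParser()
    parser.feed(html)
    if parser.hrefs:
        return [urljoin(page_url, href) for href in parser.hrefs]
    return [urljoin(page_url, "/favicon.ico")]


def favicon_sha256(icon_bytes):
    """Hash the raw icon bytes; the database must be populated with the same scheme."""
    return hashlib.sha256(icon_bytes).hexdigest()


# Constructed sample icon (ICO header bytes) and a constructed database entry;
# neither is a real indicator.
SAMPLE_ICON = bytes.fromhex("00000100010010100000010020006804000016000000")
KNOWN_ICON_HASHES = {
    favicon_sha256(SAMPLE_ICON): "constructed-dashboard-family-A",
}
SAMPLE_HTML = '<html><head><link rel="shortcut icon" href="/static/dash.ico"></head></html>'


def match_favicon(icon_bytes, database=KNOWN_ICON_HASHES):
    """Return the database label for a collected icon, or None if it is unknown."""
    return database.get(favicon_sha256(icon_bytes))


if __name__ == "__main__":
    for url in favicon_urls("https://203.0.113.10:8443/login", SAMPLE_HTML):
        print("icon to fetch:", url)
    print("match:", match_favicon(SAMPLE_ICON))
```

In practice the icon bytes come from the proxy or PCAP capture of the connection, so the lookup runs without touching the suspected server.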
SSL certificate
SSL certificates are a well-known way to uncover C2 servers, because many threat actors reuse the same wildcard certificate across their infrastructure. Multi-domain SSL certificates are also commonly used, which helps narrow down the search during the log collection phase of the incident response process.
Conclusion: The methods described help us, as Incident Response specialists, decide the next steps for addressing a potentially persistent infection. Of course, there are other ways to identify C2 connections, such as analyzing payload signatures and other more exotic techniques. In this article, however, I have focused on sharing my knowledge of the network layer only.
Happy Hunting! J0k3R

