Command and Control: Detecting the Hidden Threat Before It’s Too Late

Cybersecurity is like an endless game of cat and mouse. Over time, the mouse becomes increasingly creative in his attempts to curate a smorgasbord of cheese and crumbs while continuing to evade detection by his feline predator. In parallel, the cat becomes craftier in his pursuit. It’s not so different when it comes to threat actors attempting to compromise your network. Just like the mouse, your adversaries continually evolve their tactics.

One such maneuver, “Command and Control” (C2), is particularly insidious. It involves establishing a channel for communication between the compromised network and a server controlled by a threat actor. Using one of a number of communications protocols, it sends out a periodic beacon that keeps the session (and therefore control of the server) alive.

Internet Control Message Protocol (ICMP) is often used to implement C2. Because it is part of the Internet Protocol Suite, it is ubiquitous among IP-compatible hosts. However—unlike other Internet protocols, such as TCP or UDP—it is not commonly monitored. While firewalls can block TCP traffic, ICMP traffic is often permitted. As a result, it is an attractive choice for cybercriminals wishing to establish communications with their servers without detection.

One of the Analytic Stories in this week’s release of the Splunk Enterprise Security Content Update (ESCU) provides a detection search that can be used to monitor for large ICMP packets leaving your network. Such activity may be an indication that an adversary is attempting to gain control of your servers via C2.  

Let us know how these searches work for you by clicking on the “Feedback Center” link in the green bar at the top of the page in the ESCU app.

Keep An Eye on Your Window Registry Files

Another new Analytic Story in this week’s ESCU release is focused on detecting changes to Windows registry files that are initiated locally or from remote locations. This type of activity may indicate that an attacker has infiltrated your system.

The registry is a key component of the Windows operating system. It is composed of a hierarchical database containing settings, options, and values for executables, making it a prime target for threat actors intent upon upgrading their account privileges, maintaining persistence, or moving laterally within the environment. Among a number of other techniques, the attacker may modify registry files to launch malicious software upon reboot or to disguise itself as a legitimate process. (This is an effective technique, because most legitimate software also modifies registry keys.)  

Considering the frequency of this attack technique, it makes sense to keep continuous watch over your critical registry files. The searches in this Analytic Story are designed to help you detect behaviors associated with manipulation of the Windows registry. Once you filter out false positives, you can investigate further and ferret out any malicious activities.

Install the Latest Version of ESCU

The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities, so download Splunk ES Content Update v1.0.17 now.

The Security Research Team is devoted to delivering actionable intelligence to Splunk's customers, in an unceasing effort to safeguard them against modern enterprise risks. Composed of elite researchers, engineers, and consultants who have served in both public and private sector organizations, this innovative team of digital defenders monitors emerging cybercrime trends and techniques, then translates them into practical analytics that Splunk users can operationalize within their environments. Download Splunk Enterprise Security Content Update in Splunkbase to learn more.

Join the Discussion