Just a quick post to list out some of my favourite Command and Control (C2) exfiltration methods.
- Standard TCP connect using ‘Invoke-PowerShellTcp’ from the Nishang framework. This is a super easy setup, comprising a netcat listener on the server side and PowerShell on the client side, which makes it a very accessible exfil method; read about it here. How do we prevent this: block TCP access on the boundary firewall. No excuses for this one. In addition there is a whole host of client side mitigation, such as PowerShell logging and denying PowerShell execution, etc.
- DNS tunnelling using dnscat. Well, what can you say about this: if all else fails, this will probably get you off the network in most places. Read about this here. How do we prevent this: This is more challenging. First, verify whether DNS is actually required; for example, if this is a server subnet, or Azure or AWS, do your servers really need to resolve addresses that can’t already be taken care of by an internal DNS server that does not resolve names to the outside, or could you use a static hosts file? Secondly, various IDS and firewalls can be tuned to detect this type of DNS traffic: for example, does that DNS request really need to be that big/long? Wow, that is a lot of DNS traffic from that box. No, probably not – it’s DNS tunnelling.
- ICMP tunnelling, again using the Nishang framework. Mittal has written a nice client side PowerShell method for connecting; read about this here and the backend server here. How do we prevent this: block ICMP access on the boundary firewall. It’s unlikely that you will need ICMP off the network.
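Added example, not code from the post or from dnscat or Nishang: a small Python detector for the signals the DNS item above describes (oversized query names, many never-repeating names under one zone, and sheer volume from one host), run over constructed log lines in a made-up `<time> <client_ip> <qname> <qtype>` format. Thresholds and the hex-looking subdomains are assumptions for illustration.

```python
"""Flag DNS query logs that look like tunnelling. Added example; the log format
below is constructed, not any resolver's or dnscat's own."""
from collections import defaultdict

# Constructed sample log: "<time> <client_ip> <qname> <qtype>", one query per line.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com MX
10:00:03 10.0.0.9 a9f3c2e7b1d04f6e8c2a1b3d5e7f9a0c.4f2e1d.tunnel.example.net TXT
10:00:03 10.0.0.9 b7e2d1c0a9f8e7d6c5b4a3f2e1d0c9b8.4f2e1e.tunnel.example.net TXT
10:00:04 10.0.0.9 c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1.4f2e1f.tunnel.example.net TXT
10:00:04 10.0.0.9 d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0.4f2e20.tunnel.example.net TXT
10:00:05 10.0.0.5 cdn.example.com A
"""

def parse(log):
    """Yield (client_ip, qname) from the constructed format; skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].lower().rstrip(".")

def registered_domain(qname):
    """Crude last-two-labels zone; a real tool would use the public suffix list."""
    return ".".join(qname.split(".")[-2:])

def find_suspects(log, max_len=52, max_unique_subs=3, max_queries=5):
    """Return {client_ip: [reasons]} for clients whose DNS pattern looks like a tunnel."""
    stats = defaultdict(lambda: {"count": 0, "long": 0, "names": defaultdict(set)})
    for client, qname in parse(log):
        st = stats[client]
        st["count"] += 1
        if len(qname) > max_len:              # encoded payload inflates the name
            st["long"] += 1
        st["names"][registered_domain(qname)].add(qname)
    suspects = {}
    for client, st in stats.items():
        reasons = []
        if st["long"]:
            reasons.append(f"{st['long']} queries longer than {max_len} chars")
        for zone, names in st["names"].items():
            if len(names) > max_unique_subs:  # tunnelled data never repeats a name
                reasons.append(f"{len(names)} unique names under {zone}")
        if st["count"] > max_queries:          # raw volume from one host
            reasons.append(f"{st['count']} queries (volume)")
        if reasons:
            suspects[client] = reasons
    return suspects
```

Running `find_suspects(SAMPLE_LOG)` flags only 10.0.0.9, for both the long names and the four distinct names under example.net; tune the thresholds against a baseline of your own resolver logs before alerting on them.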