Microsoft Defender for Endpoint Blog

Detecting and remediating command and control attacks at the network layer

OludeleOgunrinde
Oct 12, 2022

Overview

Update - 11/10/2022 - Network Protection command and control (C2) detection and remediation capabilities are now generally available in Microsoft Defender for Endpoint.

We are excited to announce the general availability of Network Protection command and control (C2) detection and remediation capabilities in Microsoft Defender for Endpoint. These enhancements will help reduce the time it takes security operations (SecOps) teams to pinpoint and respond to malicious network threats looking to compromise the endpoint.

 

Attackers often compromise existing internet-connected servers and use them as their command and control servers. Once such a server is under their control, attackers use it to hide malicious traffic and to deploy the malicious bots that infect endpoints. In the attacker's ideal scenario, those bots somehow circumvent the organization's existing defenses and introduce malware into the environment through a user's device. The malware can arrive in a number of ways: the user clicks a fraudulent link, downloads a suspicious file, or opens a seemingly legitimate email attachment. Once an endpoint is infected with this kind of C2 malware, the compromised computer communicates back to the malicious C2 server, completely unbeknownst to the user (Figure 1). That return channel from the endpoint to the C2 server is what gives the attacker full control of the endpoint.

This is problematic for security teams because other unprotected devices that communicate with the infected endpoint can become compromised in turn. The result can be a spread of malware across the network, often referred to as a “botnet” infection.

 

Figure 1: Sample C2 attack flow

 

 

To quickly detect and clean up these botnet infections, SecOps teams need precise alerts that can accurately define areas of compromise and previous connections to known malicious IPs. With the new capabilities in Microsoft Defender for Endpoint, SecOps teams can detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries. 

 

Prerequisites

 

 

See Protect your network for the full list of requirements.

 

 

How does network layer C2 detection and remediation work?

 

Detecting and blocking C2 connections at the network layer

This capability works by inspecting network packets and examining them for C2 malware configuration patterns. The Network Protection (NP) agent in Defender for Endpoint determines the true nature of a connection by checking the outbound connection’s IP address, port, hostname, and other NP connection values against the Microsoft cloud. If the cloud-powered AI and scoring engines deem the connection malicious, the connection is blocked and the endpoint is rolled back to its previous clean state, removing the malware binaries.

 

Generating incident and alert notifications in the Microsoft 365 Defender portal

After detection, an alert will surface under “Incidents and alerts” in the Microsoft 365 Defender portal (Figure 2), where the SecOps team can observe the alert name, the severity level of the detection, the device status, and other details. Customers can see more details on the alert with a full timeline and attack flow relative to their environment (Figure 3).

 

 

Figure 2: Alert page in the Microsoft 365 Defender portal

 

 

Figure 3: C2 attack flow timeline in the Microsoft 365 Defender portal

 

 

Testing/Validation: C2 detection and remediation  

 

Once network protection has been enabled, you can test this C2-enhanced protection experience in your environment (using PowerShell) by:

 

a.  Navigate to your PowerShell prompt.

b.  Type: $Response = Invoke-WebRequest -URI https://commandcontrol.smartscreentestratings.com

c.  If the testing URL is successfully blocked, you will get (Figure 4):

 

Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:13
+ $Response = Invoke-WebRequest -URI https://commandcontrol.smartscreen ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

 

Figure 4: PowerShell output

 

 

d.  Followed by a block notification (Figure 5).

 

Figure 5: Endpoint notification

 

 

e.  On the block notification, click:

  1. “OK” to make the toast notification disappear
  2. “Feedback” to open the network protection feedback page, where you can submit feedback to the Antimalware and Cybersecurity portal (Figure 6).

 

Figure 6: Web threat detections over time 

 

 

f.  In the unlikely event the testing URL is not successfully blocked, collect the MDE Client Analyzer output (aka.ms/MDEClientAnalyzer) and/or an F12 browser network trace, then send them together with your screenshot to the NP team (NP_C2_Support_Team@microsoft.com).
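As an added example (not part of the original post), the following Windows PowerShell script automates steps a through f: it reads the network protection mode with Get-MpPreference, issues the request to the test URL from step b, and classifies the outcome by the TLS error shown in Figure 4. It assumes Windows PowerShell 5.1, where Invoke-WebRequest raises System.Net.WebException as in the figure; the function names are mine, and the string match on the error message is a heuristic, since a proxy or TLS-inspection failure can produce the same text.

```powershell
# Added example, not code from the post: validate Network Protection C2 blocking.
# Assumes Windows PowerShell 5.1 and the Defender cmdlets present on the endpoint.
$TestUrl = 'https://commandcontrol.smartscreentestratings.com'

function Get-NetworkProtectionState {
    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
    $value = (Get-MpPreference).EnableNetworkProtection
    switch ($value) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { "Unknown ($value)" }
    }
}

function Test-C2BlockingUrl {
    param([string]$Uri = $TestUrl)
    try {
        # A successful HTTP response means the connection was allowed through.
        $response = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 30
        [pscustomobject]@{ Uri = $Uri; Blocked = $false; Detail = "HTTP $($response.StatusCode)" }
    }
    catch [System.Net.WebException] {
        # The blocked case in Figure 4 surfaces as a WebException whose message reads
        # "The request was aborted: Could not create SSL/TLS secure channel."
        $msg = $_.Exception.Message
        $blocked = $msg -like '*Could not create SSL/TLS secure channel*'
        [pscustomobject]@{ Uri = $Uri; Blocked = $blocked; Detail = $msg }
    }
    catch {
        # Anything else (DNS failure, timeout) is not evidence of a block.
        [pscustomobject]@{ Uri = $Uri; Blocked = $false; Detail = $_.Exception.Message }
    }
}

$npState = Get-NetworkProtectionState
Write-Host "Network Protection state: $npState"
if ($npState -ne 'Enabled') {
    Write-Warning 'Network protection is not in block mode; the test URL will not be blocked.'
}

$result = Test-C2BlockingUrl
if ($result.Blocked) {
    Write-Host "PASS: $($result.Uri) was blocked ($($result.Detail))"
} else {
    # Step f: gather MDE Client Analyzer output / F12 trace and contact the NP team.
    Write-Warning "NOT BLOCKED: $($result.Uri) - $($result.Detail)"
    Write-Warning 'See step f: run aka.ms/MDEClientAnalyzer and contact NP_C2_Support_Team@microsoft.com'
}
```

Run it in an elevated Windows PowerShell session on the test device; the block toast from Figure 5 should appear alongside the PASS line.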

 

 

Accessing the C2 detection and remediation report in the Microsoft 365 Defender portal  

 

To access the report:   

1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.

2. Navigate to:  

  1. Reports -> Security report -> Devices ->
    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8)
  2. Reports -> Web Protection ->
    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8)

 

Figure 7: Web threat detections over time 

 

 

Figure 8: Web threat summary

 

 

Your feedback counts

We are excited to bring you a new enhancement to the Network Protection stack to further protect against command and control attacks. Try out this new capability and let us know what you think. Share your feedback with us at NP_C2_Support_Team@microsoft.com.

Updated Mar 12, 2023
Version 5.0
  • Dennis_Hermanns (Copper Contributor)

    Having all prereqs enabled, I just tested this. Defender is not blocking it. How can I check if this is actually active in my org?

  • Dennis_Hermanns, thanks for your question. The rollout approach for this new enhancement is gradual. Thus, it will be enabled in your organization as soon as possible. Well, if you want it now, could you send your org id to NP_C2_Support_Team@microsoft.com?

  • P4tr8k (Brass Contributor)

    The same situation as with colleagues above. What is an expected time to run this functionality for all customers?

  • BrechtKUL (Copper Contributor)

    A pointer to how we can verify the setting is available in our tenant would be interesting. Is it listed as a setting under "advanced features"?

  • TakashiVV (Copper Contributor)

    I think that if Emotet writes an IP and fake domain name to the hosts file, it may be difficult to detect C2 connections.

  • gaz111905 (Copper Contributor)

    We have all the listed prerequisites enabled and the test is not working; it's allowed to run with no detections.