Detecting and remediating command and control attacks at the network layer
Published Oct 12 2022 08:00 AM 11.5K Views

Overview

 

Update - 11/10/2022 - Network Protection command and control (C2) detection and remediation capabilities are now generally available in Microsoft Defender for Endpoint.

 

We are excited to announce the general availability of Network Protection command and control (C2) detection and remediation capabilities in Microsoft Defender for Endpoint. These enhancements will help improve the time it takes security operations (SecOps) teams to pinpoint and respond to malicious network threats looking to compromise the endpoint.

 

Attackers often compromise existing internet-connected servers to become their command and control servers. In the event these servers become compromised, attackers use them to hide malicious traffic and deploy malicious bots used to infect endpoints. Let’s say - in an attacker's ideal scenario - their malicious bots somehow manage to circumvent an organization's existing defenses. In that breach the malicious bots introduce malware into an organization’s environment through a user’s device. The malware can be introduced in a number of ways: from clicking a fraudulent link, downloading a suspicious file, or opening a seemingly legitimate email attachment. If an endpoint contracts any of these types of C2 malware, the compromised computer can communicate back with the malicious C2 servers, completely unbeknownst to the user (Figure 1). The response communication from the endpoint to the C2 server enables the attacker to gain full control of the endpoint. 

 

This is problematic for security teams as many other unprotected devices that communicate with the previously infected endpoint can become compromised themselves. This can potentially lead to a spread of malware across a network, often referred to as a “botnet” infection.

 

OludeleOgunrinde_1-1665538034013.png

Figure 1: Sample C2 attack flow

 

 

To quickly detect and clean up these botnet infections, SecOps teams need precise alerts that can accurately define areas of compromise and previous connections to known malicious IPs. With the new capabilities in Microsoft Defender for Endpoint, SecOps teams can detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries. 

 

Prerequisites

 

 

See Protect your network for the full list of requirements.

 

 

How does network layer C2 detection and remediation work?

 

Detecting and blocking C2 connections at the network layer

This capability works by inspecting network packets and examining them for any types of C2 malware configuration patterns. The Network Protection (NP) agent in Defender for Endpoint determines the true nature of the connection by mapping the outbound connection’s IP address, port, hostname, and other NP connection values, with the Microsoft Cloud. If our AI and scoring engines powered by the cloud deem the connection malicious, actions are taken to block the connection and malware binaries are rolled back on the endpoint to the previous clean state.

 

Generating incident and alert notifications in the M365D portal

After detection, an alert will surface under “Incidents and alerts” in the M365D portal (Figure 2) where the SecOps team can observe the alert name, the severity-level of the detection, device status, and other details. Customers can see more details on the alert with a full timeline and attack flow relative to their environment (Figure 3).

 

 

Screenshot 2022-10-11 212433.png

Figure 2: Alert page in the M356D portal

 

 

Screenshot 2022-10-11 212214.png

Figure 3: C2 attack flow timeline in the M356D portal

 

 

Testing/Validation: C2 detection and remediation  

 

Once network protection has been enabled, you can test this C2-enhanced protection experience in your environment (using PowerShell) by:

 

a.  Navigate to your PowerShell prompt.

b.  Type: $Response = Invoke-WebRequest -URI https://commandcontrol.smartscreentestratings.com

c.  If the testing URL is successfully blocked, you will get (Figure 4):

 

Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel. 

At line:1 char:13 

+ $Response = Invoke-WebRequest -URI https://commandcontrol.smartscreen ... 

+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc 

   eption 

    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

 

OludeleOgunrinde_4-1665509789648.png

Figure 4: PowerShell output

 

 

d.  Followed by a block notification (Figure 5).

 

OludeleOgunrinde_5-1665509789653.png

Figure 5: Endpoint notification

 

 

e.  On the block notification, click:

  1. “OK” to make the toast notification disappear
  2. “Feedback” to open the network protection feedback page where can submit feedback to the Antimalware and Cybersecurity portal (Figure 6).

 

OludeleOgunrinde_10-1665511473258.png

OludeleOgunrinde_8-1665510730173.png

OludeleOgunrinde_9-1665510852441.png

Figure 6: Web threat detections over time 

 

 

f.  In the unlikely event the testing URL is not successfully blocked, you can get aka.ms/MDEClientAnalyzer and/or F12 network trace, then send the NP team (NP_C2_Support_Team@microsoft.com) your screenshot. 

 

 

Accessing the C2 detection and remediation report in the Microsoft 365 Defender portal  

 

To access the report:   

1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.

2. Navigate to:  

  1. Reports -> Security report -> Devices -> 
    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8)
  2. Reports -> Web Protection ->
    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8) 

 

OludeleOgunrinde_11-1665537534017.png

Figure 7: Web threat detections over time 

 

 

OludeleOgunrinde_12-1665537557197.png

Figure 8: Web threat summary

 

 

Your feedback counts

We are excited to bring you a new enhancement to the Network Protection stack to further protect against command and control attacks. Try out this new capability and let us know what you think. Share your feedback with us at NP_C2_Support_Team@microsoft.com

7 Comments
Co-Authors
Version history
Last update:
‎Nov 12 2022 11:40 PM
Updated by: