forked from splunk/security_content
command_and_control.yml
name: Command and Control
id: 943773c6-c4de-4f38-89a8-0b92f98804d8
version: 1
date: '2018-06-01'
author: Rico Valdez, Splunk
description: Detect and investigate tactics, techniques, and procedures leveraged
  by attackers to establish and operate command and control channels. Implants installed
  by attackers on compromised endpoints use these channels to receive instructions
  and send data back to the malicious operators.
narrative: 'Threat actors typically architect and implement an infrastructure to use
  in various ways during the course of their attack campaigns. In some cases, they
  leverage this infrastructure for scanning and performing reconnaissance activities.
  In others, they may use this infrastructure to launch actual attacks. One of the
  most important functions of this infrastructure is to establish servers that will
  communicate with implants on compromised endpoints. These servers establish a command
  and control channel that is used to proxy data between the compromised endpoint
  and the attacker. These channels relay commands from the attacker to the compromised
  endpoint and the output of those commands back to the attacker.\

  Because this communication is so critical to adversaries, they often use techniques
  designed to hide the true nature of the communications. There are many different
  techniques used to establish and communicate over these channels. This Analytic
  Story provides searches that look for a variety of the techniques used for these
  channels, as well as indications that these channels are active, by examining logs
  associated with border control devices and network-access control lists.'
references:
- https://attack.mitre.org/wiki/Command_and_Control
- https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware
tags:
  analytic_story: Command and Control
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Security Monitoring