Command and Control & Data Exfiltration Assessment

The objective of the Command and Control & Data Exfiltration Assessment is to evaluate the customer environment for preconditions that might allow execution of malware and successful establishment of command and control (C2) communication. After evaluating the environmental conditions, C2 establishment using commodity malware, commonly abused tools, covert channels, and custom malware is attempted. In addition, if the organization employs Data Loss Prevention (DLP) controls, various mock sensitive data samples will be transmitted via channels protected by the DLP product (email, web browser, etc.) to determine the degree of protection present. This test is typically scoped in conjunction with an Assumed Compromise (Internal Pivot) Test.

As a side effect of tester activity, alerts generated by the various attacks are collected and included in the ensuing report. The target organization's visibility into this activity may be used to influence the overall rating for the engagement. However, this evidence should be analyzed for whether it would realistically prompt an actionable response. As an example, an alert generated by Microsoft ATA warning of identity theft may be more immediately actionable than the results of a SIEM query executed manually to discover the activity after the fact.

To seed access to the environment, the target organization typically provides Remote Desktop Protocol (RDP) access to a host and Active Directory domain credentials with a provisioned email account to simulate compromise. Normally, the user account used to execute the Assumed Compromise (Internal Pivot) Test is also used for C2 evaluation.

This engagement typically includes the following elements, although this is not an exhaustive list:

Test Host Configuration Analysis

In the context of the C2 assessment, host configuration analysis focuses on preconditions that might prevent or allow successful malware execution and C2 channel establishment. Typically, the following tasks are completed:
 
+ Enumerate installed security products.
+ Enumerate local users and group membership.
+ Evaluate access to basic commonly abused administrative utilities (cmd.exe, powershell.exe, powershell_ise.exe).
+ Determine whether command line and PowerShell logging is enabled. Results should be disclosed to the customer immediately to confirm the observed configuration. The customer should be questioned about log forwarding and aggregation applied to the environment. In some cases, where these features are deemed to be disabled, Endpoint Detection and Response (EDR) software or a SIEM agent may be surreptitiously logging and forwarding these events.
+ Evaluate installed applications to identify custom software and uncommon utilities that might be subject to abuse (python.exe, ruby.exe, go.exe, etc.).
+ Determine whether application control restrictions exist:
  + Can foreign unsigned binaries be executed?
  + Can foreign signed, but commonly abused, binaries be executed (e.g. Sysinternals)?
  + Can various LOLBins (living-off-the-land binaries already present on the host) be executed?
+ Determine whether Office macros can be executed with or without prompt.
+ Determine whether local resource sharing and clipboard can be accessed over RDP.
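The logging checks above, as an added example that is not part of the original methodology: an elevated PowerShell script that reads the policy values controlling command-line and PowerShell logging, the Process Creation audit subcategory, and the security products registered with Windows Security Center, so the observed configuration can be confirmed with the customer. The registry paths are the standard Group Policy locations; the output labels are assumptions.

```powershell
# Added example, not part of the original methodology. Reads the policy values that
# control command-line and PowerShell logging on the test host so the observed
# configuration can be confirmed with the customer. Run elevated (auditpol needs it).

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # An absent key or value means "not configured", which these policies treat as off.
    try { return [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }
}

$checks = @(
    @{ Control = 'Process creation events include command line'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name    = 'ProcessCreationIncludeCmdLine_Enabled' },
    @{ Control = 'PowerShell script block logging'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name    = 'EnableScriptBlockLogging' },
    @{ Control = 'PowerShell module logging'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Name    = 'EnableModuleLogging' },
    @{ Control = 'PowerShell transcription'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
       Name    = 'EnableTranscripting' }
)

$results = foreach ($c in $checks) {
    $v = Get-PolicyDword -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Control = $c.Control
        State   = if ($null -eq $v) { 'Not configured' } elseif ($v -eq 1) { 'Enabled' } else { 'Disabled' }
    }
}

# Command-line capture only matters if the Process Creation audit subcategory (event 4688) is on.
$audit = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
$results += [pscustomobject]@{ Control = 'Audit: Process Creation (4688)'; State = $audit.'Inclusion Setting' }

# Security products registered with Windows Security Center (workstation editions only;
# servers and some EDR agents do not register here, so treat an empty list as "unknown").
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Control = 'Registered security products'
    State   = if ($av) { ($av.displayName -join ', ') } else { 'None registered / not a workstation' }
}

$results | Format-Table -AutoSize
```

A "Disabled" or "Not configured" result is exactly the case the text flags for immediate disclosure, since an EDR or SIEM agent may still be forwarding these events independently of the policy.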

Local Privilege Escalation

The provided test system should be checked for common local privilege escalation opportunities. By escalating privileges on the host, an attacker may be able to disable security software, install tools, or silence alerts generated by endpoint protection by editing the hosts file or the host firewall. When both offerings are executed together, local privilege escalation should be demonstrated under either the C2 Assessment or the Assumed Compromise (Internal Pivot) Test, not both.

Egress Filtering Analysis

The egress controls of the organization are tested to determine whether appropriate filtering is being applied at the network boundary. Outbound scans for ICMP, TCP, and UDP connectivity are executed against a host that replies to all requests it receives for this purpose. The results are used to inform payload generation for testing C2 channel establishment. Results should be disclosed to the customer immediately to confirm the observed configuration, especially when a large number of ports are reported as open. Proxy-based firewalls may produce false positives, because the proxy accepts the connection before deciding whether to forward it, while still providing protection to the organization.

Web Content Filtering Analysis

Often the initial infection vector in an organization’s network involves user interaction. To obtain code execution, an attacker may use one of a number of techniques to compel a user to click a link. As a result, scenarios for content delivery using this technique should be explored, including but not limited to the following:
 + Does the content filter prevent access to:
   + Social media sites
   + Personal email sites
   + File transfer sites
   + Other non-work sites
 + Does the content filter prevent access to content types including:
   + Scripts
   + Binaries (executable and library files)
   + Macro-enabled documents
   + Archives containing the above
   + Encrypted archives containing the above
   + Encrypted Office documents
   + Other common malware file types (ISO files, RDP files, etc.)
 + Can a user browse to or retrieve content from:
   + A raw IP address
   + An uncategorized domain
   + A recently categorized domain 
   + A Content Delivery Network (CDN) relay fronting an attacker site
   + Any of the above running a reverse proxy (for credential capture)
   + Other useful permutations
 + What are the capabilities of the content filtering solution:
   + Is there a client-side component?
   + Is there a cloud-based component?

Email Content Filtering Analysis

Often the initial infection vector in an organization’s network involves user interaction. To obtain code execution, an attacker may send direct attachments or links to a user. As a result, scenarios for content delivery using this technique should be explored, including but not limited to the following:
 + Does the content filter prevent access to content types including:
   + Scripts
   + Binaries (executable and library files)
   + Macro-enabled documents
   + Archives containing the above
   + Encrypted archives containing the above
   + Encrypted Office documents
   + Other common malware file types (ISO files, RDP files, etc.)
 + Does the content filter perform URL rewriting to support inspection and/or detonation of downloaded content in a security sandbox?
 + Can URL rewriting be bypassed by sending links in signed email messages?

VPN Client Configuration Analysis

On occasion, customers will send a laptop on which to perform the Assumed Compromise (Internal Pivot) Test or C2 Assessment. When the client system includes VPN connectivity back to the corporate network, the configuration of the VPN client should be evaluated. The following elements should be considered, at a minimum:
 + Is the VPN client configured to allow split tunneling? Split tunnel VPN configuration may allow an attacker to bypass security infrastructure or access resources that would otherwise be inaccessible on the corporate network.
 + Does the VPN employ host checking, such as client certificates, to prevent non-corporate devices from connecting?
 + Does the VPN require user-supplied Multi-Factor Authentication?
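The split-tunnel question above, as an added example that is not part of the original methodology: a PowerShell function that decides from the IPv4 routing table whether an active VPN is a full or split tunnel. The adapter-name pattern used to find the VPN interface is an assumption and must be adjusted for the client in use.

```powershell
# Added example, not part of the original methodology. Decides whether an active VPN is a
# full or split tunnel from the IPv4 routing table: a full tunnel places the preferred
# default route on the VPN adapter, a split tunnel only specific corporate prefixes.
# The adapter-name pattern is an assumption; change it to match the client in use.

function Get-VpnTunnelMode {
    param([string]$VpnAdapterPattern = 'VPN|Cisco|Pulse|GlobalProtect|Fortinet|WireGuard')
    $vpnIfaces = @(Get-NetAdapter | Where-Object {
        $_.Status -eq 'Up' -and
        ($_.Name -match $VpnAdapterPattern -or $_.InterfaceDescription -match $VpnAdapterPattern)
    })
    if ($vpnIfaces.Count -eq 0) { return 'No active adapter matched the VPN pattern; connect first' }
    $vpnIndexes = $vpnIfaces.ifIndex

    # The default route Windows actually uses is the one with the lowest combined metric.
    $default = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Sort-Object { $_.RouteMetric + $_.InterfaceMetric } | Select-Object -First 1

    # Prefixes routed into the tunnel besides the default route (the split-tunnel scope).
    $tunnelled = Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.ifIndex -in $vpnIndexes -and $_.DestinationPrefix -ne '0.0.0.0/0' } |
        ForEach-Object DestinationPrefix | Sort-Object -Unique

    [pscustomobject]@{
        VpnAdapter        = $vpnIfaces.Name -join ', '
        DefaultRouteVia   = (Get-NetAdapter -InterfaceIndex $default.ifIndex).Name
        Mode              = if ($default.ifIndex -in $vpnIndexes) { 'Full tunnel' } else { 'Split tunnel' }
        TunnelledPrefixes = $tunnelled -join ', '
    }
}

# Built-in Windows VPN profiles also expose the setting directly; third-party clients do not.
Get-VpnConnection -ErrorAction SilentlyContinue | Select-Object Name, SplitTunneling
Get-VpnTunnelMode | Format-List
```

Run it once with the VPN connected; a "Split tunnel" result together with a short TunnelledPrefixes list shows exactly which corporate ranges are reachable while the rest of the traffic bypasses the corporate security stack.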

Commodity Payload Analysis

During this phase, several commodity payloads are automatically generated to determine whether any of them evade detection on disk or during execution. This typically uses payloads from frameworks like Metasploit, PowerShell Empire and others. Various encoding and staging options are used to test whether detection on the provided endpoint can be bypassed with little effort.

Custom Payload Analysis

During this phase, custom payloads are generated to illustrate that establishment of C2 is possible from a protected endpoint. This analysis can use fully custom C# binaries, compiled on disk, or other C2 implant frameworks like VSAgent, Cobalt Strike, and others. Often, successful execution requires use of custom malleable C2 profiles, Content Delivery Network (CDN) relays, payload obfuscation, and other techniques to avoid detection.

Covert Channel Analysis

During this phase, payloads that are capable of using covert channels like ICMP, DNS, and DNS-over-HTTPS are generated to attempt clandestine communication with C2 infrastructure. Protocol choice is typically driven by the results of egress scan activity.
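The DNS covert channel described above, seen from the detection side, as an added example that is not part of the original methodology: a PowerShell function run over constructed resolver log lines that flags domains receiving many unique, long, high-entropy subdomains, the pattern that tunnelled C2 traffic leaves in DNS logs. The log line format and the thresholds are assumptions.

```powershell
# Added example, not part of the original methodology. Detection-side check for DNS tunnelling
# run over constructed query-log lines: it groups queries by registered domain and flags domains
# with many unique, long, high-entropy subdomains, the pattern DNS C2 traffic leaves behind.
# Log format and thresholds are assumptions; tune them against real resolver logs.

function Get-ShannonEntropy {
    param([string]$Text)
    if (-not $Text) { return 0.0 }
    $h = 0.0
    foreach ($g in ($Text.ToCharArray() | Group-Object -CaseSensitive)) {
        $p = $g.Count / $Text.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return $h
}

function Find-DnsTunnelCandidates {
    param([string[]]$Lines, [int]$MinUnique = 20, [int]$MinLength = 30, [double]$MinEntropy = 3.5)
    # Assumed line shape: "<timestamp> <client-ip> <query-name> <record-type>"
    $subsByDomain = @{}
    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 4) { continue }
        $labels = $f[2].TrimEnd('.') -split '\.'
        if ($labels.Count -lt 3) { continue }          # bare second-level names carry no payload
        $domain = $labels[-2..-1] -join '.'
        $sub    = $labels[0..($labels.Count - 3)] -join '.'
        if (-not $subsByDomain.ContainsKey($domain)) {
            $subsByDomain[$domain] = [System.Collections.Generic.HashSet[string]]::new()
        }
        [void]$subsByDomain[$domain].Add($sub)
    }
    foreach ($d in $subsByDomain.Keys) {
        $subs    = @($subsByDomain[$d])
        $longest = ($subs | ForEach-Object Length | Measure-Object -Maximum).Maximum
        $avgH    = ($subs | ForEach-Object { Get-ShannonEntropy $_ } | Measure-Object -Average).Average
        if ($subs.Count -ge $MinUnique -and $longest -ge $MinLength -and $avgH -ge $MinEntropy) {
            [pscustomobject]@{ Domain = $d; UniqueSubdomains = $subs.Count; AvgEntropy = [math]::Round($avgH, 2) }
        }
    }
}

# Constructed sample: two ordinary lookups, then 40 hex-encoded chunks under one domain.
$sample = @('2024-05-01T10:00:00Z 10.1.2.3 www.example.com A', '2024-05-01T10:00:01Z 10.1.2.3 mail.example.com A')
$rng = [System.Random]::new(7)
foreach ($i in 1..40) {
    $chunk = -join (1..48 | ForEach-Object { '{0:x}' -f $rng.Next(16) })
    $sample += "2024-05-01T10:01:$('{0:d2}' -f ($i % 60))Z 10.1.2.3 $chunk.tunnel-example.test TXT"
}
Find-DnsTunnelCandidates -Lines $sample | Format-Table -AutoSize
```

Only tunnel-example.test is reported; the ordinary example.com lookups have a single short subdomain each and fall below every threshold. The same grouping applies to DNS-over-HTTPS once the resolver or proxy logs the decrypted query names.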