Wargames, April 2025 – Command and Control (C2), Conclusions
29 April
Introduction
Perhaps 3+ years ago threat actors had a long ‘dwell time’, waiting perhaps even as long as 6 months before accomplishing their objectives. Based on our findings over the past few days it’s clear that these dwell times are now measured in minutes or even seconds. It’s trivial for a threat actor who has gained sufficient access to go from data exfiltration to ransomware within minutes – perhaps limited only by the speed at which they can exfiltrate data down your own Internet connection!
Key findings
- Even casual threat actors now have access to effective Command and Control services; alongside the examples we’ve provided from GitHub, other services which include effective EDR bypass techniques can be found on the ‘dark web’.
  - Some of these services are very much ‘click, click, click, done’.
- Having previously seen Windows Defender (enabled by default even on Windows Server operating systems) be first to respond to the delivery of malware on a system, we again saw it almost ‘usurping’ other EDR agents – in the most extreme situations the alternative agent didn’t even report a finding.
  - Defenders should ensure that they either centrally report from Windows Defender or consider disabling Defender in favour of their alternative EDR agent, so that they receive alerts in the event of malicious activity.
- Don’t overlook endpoint hardening – configuring software allowlists is effective against the large majority of C2 agents that don’t load directly into memory.
  - Where allowlists are configured, don’t forget to generate alerts from any block actions – otherwise you may be blind to a threat actor’s failed attempts to gain a foothold, which after further Resource Development may later succeed.
- Even basic URL filtering practices such as blocking access to ‘shareware and freeware’ are effective.
  - As with software allowlisting, consider generating a daily report on all failed attempts to access websites in these categories for incident responders to follow up on.
- If not monitored closely, it’s entirely possible for the beacons within network traffic to go unnoticed by defenders – quite often beacons are only alerted on when the initial connection is made.
  - Depending on how ‘chatty’ the Command and Control channel is, no further detections may be made.
Final thoughts
The combination of using cloud services to host the Command and Control servers alongside seeing the use of vendor sandboxing was a first for us and has really helped to build our own confidence in the utility of such services – this really exemplifies the limited utility of static signature matching. Cloud service providers handing out public IPs which can be quickly used (and dropped if detected as malicious) really help the threat actor evade such simplistic defences – even more so if they are using stolen credit card details, which themselves may be considered ‘burnt’ after initial use.
Truly protecting against such late-stage attacks requires a multi-layered approach; it’s no surprise really, but the combination of effective network and endpoint security with timely human (or perhaps automated!) intervention based on actionable alerts will be effective at detecting and expunging even the most determined threat actors from your network.
Contact your ANSecurity account manager to learn more from findings and speak with the experts who can help you become a truly effective defender.