Command and control (C2) frameworks
Move over Cobalt Strike: Adversaries and testers have more options for command and control (C2) and post-exploitation frameworks than ever.
While Cobalt Strike and Metasploit remain the most popular command and control (C2) frameworks, in 2022 we saw some adversaries keeping things under control via alternatives such as Brute Ratel, Sliver, and Mythic.
Commercial and open source C2 and post-exploitation frameworks save red teamers time on custom development and allow them to quickly change TTPs in their engagements. Not surprisingly, adversaries also find them attractive due to their ease of use and flexibility. Since there’s no universally agreed upon definition that differentiates C2 from post-exploitation frameworks, we chose to analyze both collectively in this section.
Adversaries have long used open source and leaked versions of commercial frameworks, most notably Metasploit and Cobalt Strike. While Cobalt Strike has received a lot of attention and remains Red Canary’s most-observed framework, both red teamers and adversaries have begun to leverage alternative frameworks.
Cobalt Strike and Metasploit continue to be the most popular C2 and post-exploitation frameworks seen in our customers’ environments. Cobalt Strike was the highest-ranking framework, coming in at #8, followed by Metasploit ranking 14th. While they didn’t break into our top 50 for 2022, Brute Ratel, Sliver, and Mythic may continue to gain popularity as adversaries look for alternative frameworks, so they’re worth keeping an eye on.
Brute Ratel is a commercial post-exploitation framework with implants that can take many forms, including executables, service binaries, DLLs, and PowerShell scripts. It is capable of moving laterally via Server Message Block (SMB), escalating privileges, and creating processes to inject itself into for defense evasion. Qbot was observed delivering Brute Ratel in 2022.
Sliver is an open source post-exploitation framework written in Go. It executes commands through PowerShell or the Windows Command Shell. It supports several protocols for C2 including HTTP, WireGuard, and DNS. TA551 reportedly used Sliver in 2021, and in 2022 Team Cymru observed at least two distinct campaigns using it. In 2022, adversaries also took advantage of Sliver’s support for macOS.
Post-exploitation and C2 frameworks share objectives even if their implementations differ. At a minimum they automate popular methods of achieving execution and communication. These tools attempt to emulate common adversary behaviors so that detections put in place for post-exploitation frameworks can also flag other malicious behavior. Post-exploitation frameworks are often deployed in the later stages of an attack after an initial loader or dropper, so quickly remediating these stages can prevent the deployment of a post-exploitation framework.
Many post-exploitation frameworks spawn common Windows processes such as rundll32.exe and inject into them. Looking for processes with incorrect or no command-line arguments or unexpected network connections can uncover malicious activity.
process == 'rundll32.exe' && command == (“”)* && has_network_connection
*Note: Empty quotations (“”) denote an empty command line
Additionally, many frameworks allow for the execution of PowerShell. Unexpected PowerShell processes or PowerShell DLL loads can also be a sign of a post-exploitation framework.
process == ('regsvr32.exe' || 'rundll32.exe' || 'wscript.exe' || 'mshta.exe' || 'cscript.exe' || 'msxsl.exe') && modload_property_includes ('system.management.automation.dll' || 'system.management.automation.ni.dll')
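The two analytics above, expressed as runnable detection logic over constructed process telemetry. This is an added example, not Red Canary's detection code: the ProcessEvent schema, the sample events, and the rule names are assumptions made for illustration. It treats a command line that consists of nothing but the image path as "empty", since sensors record the executable itself as the first token, and it matches the PowerShell engine DLL by basename so that either the IL or the native image (.ni.dll) variant is caught.

```python
"""Detection logic for two post-exploitation framework analytics:
1. rundll32.exe with an empty command line that opens a network connection
2. a LOLBin (regsvr32, rundll32, wscript, mshta, cscript, msxsl) that loads
   the PowerShell engine DLL (System.Management.Automation[.ni].dll)
Added example with a constructed event schema; not vendor detection code.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Hypothetical flat event schema; real EDR telemetry will differ.
@dataclass
class ProcessEvent:
    pid: int
    image: str                      # image name, e.g. "rundll32.exe"
    command_line: str               # full command line as recorded
    has_network_connection: bool = False
    loaded_modules: list[str] = field(default_factory=list)

POWERSHELL_HOST_CANDIDATES = {
    "regsvr32.exe", "rundll32.exe", "wscript.exe",
    "mshta.exe", "cscript.exe", "msxsl.exe",
}
POWERSHELL_DLLS = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",
}

def arguments_of(command_line: str) -> list[str]:
    """Tokens after the image itself. posix=False keeps Windows
    backslashes literal and keeps a quoted path as one token."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:              # unbalanced quote: fall back to whitespace split
        tokens = command_line.split()
    return tokens[1:]

def empty_rundll32_with_network(ev: ProcessEvent) -> bool:
    """Analytic 1: rundll32.exe with no arguments plus a network connection."""
    return (ev.image.lower() == "rundll32.exe"
            and not arguments_of(ev.command_line)
            and ev.has_network_connection)

def unexpected_powershell_host(ev: ProcessEvent) -> bool:
    """Analytic 2: a LOLBin that loaded the PowerShell engine DLL."""
    if ev.image.lower() not in POWERSHELL_HOST_CANDIDATES:
        return False
    basenames = {m.replace("\\", "/").rsplit("/", 1)[-1].lower()
                 for m in ev.loaded_modules}
    return bool(basenames & POWERSHELL_DLLS)

def run_detections(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule) pairs for every event that trips an analytic."""
    hits = []
    for ev in events:
        if empty_rundll32_with_network(ev):
            hits.append((ev.pid, "rundll32_empty_cmdline_network"))
        if unexpected_powershell_host(ev):
            hits.append((ev.pid, "powershell_dll_in_lolbin"))
    return hits

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # injected sacrificial process: bare rundll32 that talks to the network
    ProcessEvent(1001, "rundll32.exe", r"C:\Windows\System32\rundll32.exe",
                 has_network_connection=True),
    # benign rundll32 invocation with an explicit export
    ProcessEvent(1002, "rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    # bare rundll32 but no network activity: not enough on its own
    ProcessEvent(1003, "rundll32.exe", r'"C:\Windows\System32\rundll32.exe"'),
    # regsvr32 that pulled in the native-image PowerShell engine
    ProcessEvent(1004, "regsvr32.exe", r"regsvr32.exe /s C:\Users\Public\x.dll",
                 loaded_modules=[r"C:\Windows\assembly\NativeImages_v4.0.30319_64"
                                 r"\System.Manaa57fc8cc#\System.Management.Automation.ni.dll"]),
    # powershell.exe legitimately hosts the engine; not in the candidate set
    ProcessEvent(1005, "powershell.exe", r"powershell.exe -NoProfile",
                 loaded_modules=[r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL"
                                 r"\System.Management.Automation\System.Management.Automation.dll"]),
    # mshta with ordinary modules only
    ProcessEvent(1006, "mshta.exe", r"mshta.exe C:\temp\page.hta",
                 loaded_modules=[r"C:\Windows\System32\mshtml.dll"]),
]

if __name__ == "__main__":
    for pid, rule in run_detections(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Only events 1001 and 1004 fire. Event 1003 shows why the first analytic requires both conditions: a bare rundll32.exe command line alone is noisy, and the network connection is what separates a sacrificial injection target from an idle process. Treat both rules as starting points to tune against your own baseline rather than as finished detectors.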
Like many of the trends in this report, it’s difficult to offer holistic testing guidance about something as broad as post-exploitation tools. However, T1059.001: PowerShell, T1047: Windows Management Instrumentation, T1003.001: LSASS Memory, and T1055: Process Injection are good starting points for testing against post-exploitation and other malicious tools.