GitHub Repo

Analytics Story: Command And Control

Updated Date: 2026-05-13 ID: 943773c6-c4de-4f38-89a8-0b92f98804d8 Author: Rico Valdez, Splunk Product: Splunk Enterprise Security

Description

Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.

Why it matters

Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker. Because this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Remote Access Software Usage Registry Remote Access Tools Anomaly
Excessive DNS Failures DNS Anomaly
Windows PuTTY Suite Utility Execution SSH Anomaly
DNS Query Length With High Standard Deviation Exfiltration Over Unencrypted Non-C2 Protocol Anomaly
TOR Traffic Multi-hop Proxy TTP
Detect Remote Access Software Usage DNS Remote Access Tools Anomaly
Detect Remote Access Software Usage File Remote Access Tools Anomaly
Detect Remote Access Software Usage URL Remote Access Tools Anomaly
Plain HTTP POST Exfiltrated Data Exfiltration Over Unencrypted Non-C2 Protocol TTP
Detect Spike in blocked Outbound Traffic from your AWS None Anomaly
Cisco Secure Firewall - Remote Access Software Usage Traffic Remote Access Tools Anomaly
Protocol or Port Mismatch Exfiltration Over Unencrypted Non-C2 Protocol Anomaly
Excessive Usage of NSLOOKUP App Exfiltration Over Alternative Protocol Anomaly
Multiple Archive Files Http Post Traffic Exfiltration Over Unencrypted Non-C2 Protocol TTP
Windows TOR Client Execution Multi-hop Proxy Anomaly
Detect Large ICMP Traffic Non-Application Layer Protocol TTP
Detect Remote Access Software Usage Process Remote Access Tools Anomaly
Detect hosts connecting to dynamic domain providers Drive-by Compromise TTP
Windows RMM Named Pipe SMB/Windows Admin Shares, Process Injection, Inter-Process Communication Anomaly
DNS Exfiltration Using Nslookup App Exfiltration Over Alternative Protocol TTP
Prohibited Network Traffic Allowed Exfiltration Over Alternative Protocol TTP
Detect Remote Access Software Usage FileInfo Remote Access Tools Anomaly
Detect Remote Access Software Usage Traffic Remote Access Tools Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 22 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Palo Alto Network Traffic Network icon Network pan:traffic not_applicable
Cisco Secure Firewall Threat Defense Connection Event Other cisco:sfw:estreamer not_applicable
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Palo Alto Network Threat Network icon Network pan:threat not_applicable
Splunk Stream HTTP Splunk icon Splunk stream:http stream:http
Cisco Secure Access Firewall Other cisco:cloud_security:firewall cisco_secure_access:firewall
Sysmon EventID 18 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

References

Source: GitHub | Version: 2