C&C servers are used by cybercriminals to send commands to systems compromised by malware and received stolen information from the target network. If C&C callback is detected by product, there's a possibility that the host is infected. This article will guide you on what to do in case of C&C callback detection.
Identify the traffic detected as C&C callback from Suspicious Connection / Network Content Inspection log.
- Go to OfficeScan / Apex One web console and navigate to Logs > Agents > Security Risks. Select the particular machine, group or ‘OfficeScan Server’ hierarchy then click View Logs > Suspicious Connection/Network Content Inspection logs.
- Set the time period to the date when the C&C detection occurred or the span that includes the actual date of the detection.
- Click Display Logs.
- Click Export All to CSV.
Below is an example of Suspicious Connection or NCIE log.
From the Suspicious Connection/NCIE log, the important fields to check are:
- Local IP/User-defined C&C list – This is the local endpoint that has the security agent installed.
- Remote IP – This is the remote endpoint/device that is either the source or destination of the detected traffic.
- Result – This is the action done by the security agent on the traffic. This can be ‘Logged’ or ‘Blocked’.
- List Source – This tells what traffic was detected.
Note that the type of traffic (either request or response) helps determine where the actual malicious traffic comes from.
If a traffic detected is a ‘response’ traffic and the direction is ‘outgoing’, then the actual malicious traffic originated from the remote IP (where the request traffic comes from).
- Traffic Direction – This tells where the traffic comes from and where it is going.
Incoming means that the traffic is from remote IP going to the local / user-defined IP C&C list IP.
Outgoing means that the traffic is from the local / user-defined IP C&C list IP going to the remote IP.
- C&C traffic coming from public IP going to IP that is part of your network:
Below is an example of traffic coming from public IPs.
Follow these steps:
- Check if the IP address that is part of your network should be open to the public.
- If it should be closed to the public, check why there is traffic coming in externally. It is possible that there is misconfiguration in the routing of traffic/packets.
- If it is open and provides services by acting as a Web or DNS server, then that is the reason for the detection.
Note that anyone on the Internet can send traffic (either safe or malicious) to machines that are open to the public. Threat actors do this as part of their reconnaissance, probing the Internet for vulnerable machines that can be targeted. This can be done automatically and randomly.
- Check the ‘List Source’ to find more information about the detected traffic. If the traffic is an exploit, check if the device/machine where the detection occurred is vulnerable to it.
- If the device/machine is vulnerable to the detected exploit traffic, patch it. If it is not vulnerable, then the exploit will not be successful.
- Deploying a Web Application Firewall (WAF) and/or Intrusion Prevention System (IPS) will help scan/filter malicious traffic before they reach machines open to public.
For more information about C&C detection, you may check this article on What to do in case of Command and Control (C&C) callback detection . You may also file a support case for further assistance and provide the Suspicious Connection or NCIE logs.