T1665: Hide Infrastructure

Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished in various ways including by identifying and filtering traffic from defensive tools, masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers, and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.

C2 networks may include the use of Proxy or VPN services to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address so that it aligns more closely with a victim's IP address ranges. This may also bypass security measures that rely on geolocation of the source IP address.

Adversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents. Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., Virtualization/Sandbox Evasion).

Hiding C2 infrastructure may also be supported by Resource Development activities such as Acquire Infrastructure and Compromise Infrastructure. For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.

Positive Technologies products that cover the technique

Detection

PT NAD provides rules, activity stream modules, and filters to detect tools designed to hide malicious activity. These tools may include proxies, VPN servers, and post-exploitation frameworks, which allow adversaries to evade detection by network security appliances or software and make malicious traffic appear legitimate or benign.

Examples of PT NAD detection rules

  • TOOLS [PTsecurity] LocaltoNet Active Tunnel (sid 10011988)
  • TOOLS [PTsecurity] gsocket client activity (sid 10009304)
  • TOOLS [PTsecurity] Possible traffic proxying through webshell. TLS over HTTP (sid 10007667)
  • SUSPICIOUS [PTsecurity] VPN SoftEther connection (sid 10011974)

Examples of PT NAD detection modules

  • Use of Cobalt Strike
  • Use of Brute Ratel
  • Internal SOCKS5 proxy server

Examples of PT NAD filters

  • app_service =="Openvp"

Detection

ID: DS0035
Data source and component: Internet Scan: Response Metadata
Description:

Internet scanners may be used to look for artifacts associated with malicious C2 infrastructure. Correlate data and patterns from Internet-facing resources gathered from scans with network traffic to gain further insight into potential adversary C2 networks.

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content
Description:

Network detection systems may be able to identify traffic for specific adversary command and control infrastructure. Correlate network traffic with data and patterns from Internet-facing resources gathered from scans to gain further insight into potential adversary C2 networks.
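The two data sources above both come down to the same join: scan-derived metadata about Internet-facing hosts on one side, observed connections on the other. The following Python is an added example (not part of the ATT&CK text or of any PT NAD component) that performs that correlation on constructed data; the record layouts are assumptions, with a scan record holding the IP, port and SHA-256 fingerprint of the TLS certificate a host presented, and a traffic record being a Zeek-style ssl.log row reduced to the fields used here. A certificate reused across several scanned hosts is treated as one infrastructure cluster, so an internal host reaching any member of the cluster, or reaching an endpoint the scanner has not catalogued yet but that presents the same certificate, is surfaced together with its related endpoints.

```python
"""Correlate Internet-scan response metadata with observed network traffic.

Added example, not part of the ATT&CK text or of PT NAD. The record
layouts are constructed assumptions: a scan record holds the IP, port and
SHA-256 fingerprint of the TLS certificate a host presented; a traffic
record is a Zeek-style ssl.log row reduced to the fields used here.
"""
from collections import defaultdict

# Constructed scan results: what an Internet-wide scan saw on each host.
SCAN_RESULTS = [
    {"ip": "203.0.113.10", "port": 443, "cert_sha256": "aaaa1111", "server": "nginx"},
    {"ip": "203.0.113.11", "port": 8443, "cert_sha256": "aaaa1111", "server": "nginx"},
    {"ip": "198.51.100.7", "port": 443, "cert_sha256": "bbbb2222", "server": "Apache"},
]

# Constructed traffic records: internal client, external server, port and the
# certificate fingerprint seen on the wire.
TRAFFIC = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "cert_sha256": "aaaa1111"},
    {"src": "10.0.0.9", "dst": "198.51.100.7", "dport": 443, "cert_sha256": "bbbb2222"},
    {"src": "10.0.0.12", "dst": "203.0.113.12", "dport": 443, "cert_sha256": "aaaa1111"},
    {"src": "10.0.0.5", "dst": "192.0.2.40", "dport": 443, "cert_sha256": "cccc3333"},
]

# Certificate fingerprints an analyst has already tied to suspected C2 (constructed).
WATCHLIST_CERTS = {"aaaa1111"}


def index_scan_by_cert(scan_results):
    """Group scanned endpoints by certificate fingerprint, so a certificate
    reused across several hosts exposes the whole infrastructure cluster."""
    by_cert = defaultdict(set)
    for rec in scan_results:
        by_cert[rec["cert_sha256"]].add((rec["ip"], rec["port"]))
    return by_cert


def correlate(traffic, scan_results, watchlist):
    """Return one hit per flow whose certificate is watchlisted or is shared by
    more than one scanned endpoint, with the reasons and the related endpoints."""
    by_cert = index_scan_by_cert(scan_results)
    hits = []
    for flow in traffic:
        cert = flow["cert_sha256"]
        cluster = by_cert.get(cert, set())
        watchlisted = cert in watchlist
        reused = len(cluster) > 1
        if not (watchlisted or reused):
            continue
        reasons = []
        if watchlisted:
            reasons.append("watchlisted certificate")
        if reused:
            reasons.append(f"certificate shared by {len(cluster)} scanned endpoints")
        if (flow["dst"], flow["dport"]) not in cluster:
            # Same certificate on an endpoint the scan has not catalogued yet:
            # a candidate for newly provisioned infrastructure.
            reasons.append("endpoint not yet seen by scanner")
        hits.append({
            "src": flow["src"],
            "endpoint": f'{flow["dst"]}:{flow["dport"]}',
            "cert_sha256": cert,
            "related_endpoints": sorted(f"{ip}:{port}" for ip, port in cluster),
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for hit in correlate(TRAFFIC, SCAN_RESULTS, WATCHLIST_CERTS):
        print(hit["src"], "->", hit["endpoint"], "|", "; ".join(hit["reasons"]))
```

On the constructed data this yields two hits: the flow to 203.0.113.10:443 (watchlisted certificate, shared by two scanned hosts) and the flow to 203.0.113.12:443, which presents the same certificate on a host the scan has not yet seen. Keying the join on the certificate fingerprint rather than on the IP is what lets the second case surface; any other stable response attribute from the scan (server banner, HTTP title, TLS fingerprint) can be used the same way.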

ID: DS0038
Data source and component: Domain Name: Domain Registration
Description:

Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information, and in monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain.
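As an added example of the monitoring described above (not code from the page), the following Python compares two WHOIS snapshots of one domain and reports the changes that are unusual for a legitimately held domain, plus an age alert for recently registered domains. The snapshot layout, field names and the 30-day "newly registered" threshold are constructed assumptions; a real deployment would fill the snapshots from a WHOIS or RDAP client and keep the previous snapshot in a store.

```python
"""Flag anomalous changes between two WHOIS snapshots of one domain.

Added example, not from the page. The snapshot layout, field names and the
30-day "newly registered" threshold are constructed assumptions; a real
deployment would fill the snapshots from a WHOIS or RDAP client.
"""
from datetime import date

# Fields that rarely change for a legitimately held domain; a change can
# indicate a hijacked registrar account or a domain that has changed hands.
SENSITIVE_FIELDS = ("registrar", "registrant_org", "registrant_email", "name_servers")

# Reference date for the age check (constructed).
AS_OF = date(2024, 6, 1)

# Constructed snapshots of the same domain taken a week apart.
PREVIOUS = {
    "domain": "acme-updates.example",
    "creation_date": "2015-03-02",
    "registrar": "Registrar A",
    "registrant_org": "Acme Corp",
    "registrant_email": "dns-admin@acme.example",
    "name_servers": ["ns1.acme.example", "ns2.acme.example"],
}
CURRENT = {
    **PREVIOUS,
    "registrant_email": "throwaway123@mail.example",
    "name_servers": ["ns1.unrelated-host.example", "ns2.unrelated-host.example"],
}
# Constructed snapshot of a look-alike domain registered days ago.
NEW_DOMAIN = {
    "domain": "acme-updates-portal.example",
    "creation_date": "2024-05-20",
    "registrar": "Registrar B",
    "registrant_org": "REDACTED FOR PRIVACY",
    "registrant_email": "REDACTED FOR PRIVACY",
    "name_servers": ["ns1.unrelated-host.example"],
}


def domain_age_days(snapshot, today):
    """Days since the registration date recorded in the snapshot."""
    return (today - date.fromisoformat(snapshot["creation_date"])).days


def whois_alerts(previous, current, today, new_domain_days=30):
    """Return human-readable alerts for the changes between two snapshots of the
    same domain, plus an age alert when the domain was registered recently."""
    alerts = []
    if previous["creation_date"] != current["creation_date"]:
        alerts.append("creation_date changed: domain dropped and re-registered, or record replaced")
    for field in SENSITIVE_FIELDS:
        old, new = previous.get(field), current.get(field)
        if field == "name_servers":
            # Order is irrelevant for name servers; compare as sorted sets.
            old, new = sorted(set(old or ())), sorted(set(new or ()))
        if old != new:
            alerts.append(f"{field} changed: {old!r} -> {new!r}")
    age = domain_age_days(current, today)
    if age < new_domain_days:
        alerts.append(f"domain is only {age} days old")
    return alerts


if __name__ == "__main__":
    for alert in whois_alerts(PREVIOUS, CURRENT, AS_OF):
        print(PREVIOUS["domain"], "|", alert)
    for alert in whois_alerts(NEW_DOMAIN, NEW_DOMAIN, AS_OF):
        print(NEW_DOMAIN["domain"], "|", alert)
```

Running it on the constructed snapshots reports the changed registrant e-mail and name servers for the established domain, and only the age alert for the look-alike domain. Passing the same snapshot twice, as done for the new domain, is how a first-seen domain can be scored before any history exists.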

ID: DS0035
Data source and component: Internet Scan: Response Content
Description:

Once adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. If requests are filtered or blocked, the specifics of this action, such as the response sent, can be used to gain further insight into the resource's nature or creation.
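The filtering described in the technique text (blocking or redirecting requests by user agent, source IP or geolocation) and the analysis suggested in the paragraph above come together in one check: fetch the same resource under several conditions and compare what comes back. The Python below is an added example, not part of the ATT&CK text; it makes no live requests and instead works on constructed probe results for one suspected URL (a browser-like client, a residential vantage point, a client announcing a security-scanner User-Agent, and a cloud-hosted vantage point). The probe layout, labels and sample values are assumptions.

```python
"""Characterise response filtering on a suspected C2 endpoint.

Added example, not part of the ATT&CK text. No live requests are made: the
block works on constructed probe results, the same URL as fetched under
several labelled conditions. The probe layout and sample values are assumptions.
"""
import hashlib

# Constructed probe results for one suspected URL.
PROBES = [
    {"label": "browser", "status": 200,
     "headers": {"Server": "nginx", "Content-Type": "text/html"},
     "body": "<html><body>Download your invoice</body></html>"},
    {"label": "residential_vantage", "status": 200,
     "headers": {"Server": "nginx", "Content-Type": "text/html"},
     "body": "<html><body>Download your invoice</body></html>"},
    {"label": "scanner_ua", "status": 403,
     "headers": {"Server": "nginx"},
     "body": "Forbidden"},
    {"label": "cloud_vantage", "status": 302,
     "headers": {"Server": "nginx", "Location": "https://www.example.com/"},
     "body": ""},
]


def body_digest(body):
    """Short hash of the body, so bodies are compared without storing them."""
    return hashlib.sha256(body.encode()).hexdigest()[:12]


def summarize(probe):
    """Reduce one probe to the features that reveal differential treatment."""
    headers = {k.lower(): v for k, v in probe["headers"].items()}
    return {
        "status": probe["status"],
        "location": headers.get("location"),
        "server": headers.get("server"),
        "body": body_digest(probe["body"]),
    }


def filtering_report(probes, baseline_label="browser"):
    """Compare every probe with the baseline client. Returns a list of
    (label, feature, baseline_value, observed_value) tuples, one per difference."""
    by_label = {p["label"]: summarize(p) for p in probes}
    base = by_label[baseline_label]
    return [
        (label, feature, base[feature], value)
        for label, summary in by_label.items()
        if label != baseline_label
        for feature, value in summary.items()
        if value != base[feature]
    ]


def is_filtered(probes, baseline_label="browser"):
    """True when at least one condition receives a different status, redirect
    target or body than the baseline client."""
    return any(feature in ("status", "location", "body")
               for _, feature, _, _ in filtering_report(probes, baseline_label))


if __name__ == "__main__":
    for label, feature, base, seen in filtering_report(PROBES):
        print(f"{label:20s} {feature:9s} baseline={base!r} observed={seen!r}")
    print("filtering detected:", is_filtered(PROBES))
```

On the constructed probes the report lists five differences: the scanner User-Agent receives a 403 with a different body, and the cloud vantage point is redirected to a benign site, while the residential vantage point sees exactly what the browser sees. The report itself, not just the boolean, is what goes into the case notes: which conditions are filtered and how (block versus redirect, and to where) is the "specifics of this action" the data source description refers to.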