
Add Ability to Capture Beaconing/C2 Domains and Infrastructure #101

Open
ikiril01 opened this issue Mar 12, 2015 · 3 comments

Comments

@ikiril01
Member

We should add the ability to capture the beaconing/callout/C2 Domains used by a malware instance, either as part of a Capability or a separate structure.

@ikiril01
Member Author

I'm wondering if this should also include other useful snippets of network traffic, such as HTTP user agents?

@ikiril01
Member Author

An important aspect of this is capturing information about network infrastructure associated with operationalizing and delivering the malware instance. This would likely involve:

  • Hostnames used
  • Associated ASNs
  • Associated IPs (especially with regards to DNS resolution)

Update: it would also be useful to capture the nature or type of server being used, e.g.,

  • C2 Server
  • Distribution Server
  • Exfiltration Server

@ikiril01 ikiril01 self-assigned this Apr 10, 2015
@ikiril01
Member Author

For C2 and Exfiltration entities, it may make the most sense to define this as a structured Capability property that references existing Objects (such as those originating from Actions).

For example,

<Object id="object-1">
    <Properties xsi:type="AddressObj:AddressObjectType">
        <Address_Value>10.0.0.0</Address_Value>
    </Properties>
</Object>

<Object id="object-2">
    <Properties xsi:type="DomainNameObj:DomainNameObjectType">
        <Value>asdffsdgh.info</Value>
    </Properties>
</Object>

<Capability name="command and control" id="capability-1">
    <Property>
        <Name xsi:type="C2PropertiesVocab">C2 server</Name>
        <Object_Reference object_id="object-1"/>
    </Property>
</Capability>

<Capability name="data exfiltration" id="capability-2">
    <Property>
        <Name xsi:type="C2PropertiesVocab">exfiltration server</Name>
        <Object_Reference object_id="object-2"/>
    </Property>
</Capability>

As far as other entities related to malware distribution/origination network infrastructure, I'm wondering if this is more aligned with malware field data (which we already capture to some extent, though it will be refactored per #95), and thus should be captured there? E.g.,

<Object id="object-3">
    <Properties xsi:type="AddressObj:AddressObjectType">
        <Address_Value>10.1.2.3</Address_Value>
    </Properties>
</Object>

<Malware_Subject id="malware-subject-1">
    <Field_Data>
        <Distribution_Site object_id="object-3"/>
    </Field_Data>
</Malware_Subject>
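To make the reference-based design above concrete, here is an added consumer-side example (not MAEC project code, and not a released schema) that parses the proposed fragments and resolves every Object_Reference and Distribution_Site back to the Object it points at. The wrapping Package root element and its xmlns:xsi declaration are assumptions so the fragments parse as a single document; the third Capability with object-9 is a constructed dangling reference, included because a consumer of this structure has to report unresolved references rather than silently drop them.

```python
"""Resolve infrastructure references in the proposed MAEC-style XML.

Added example; not MAEC project code. Element names follow the proposal in
the comment above. The <Package> root and its xmlns:xsi declaration are
assumptions so the fragments parse as one document. The Capability that
points at object-9 is a constructed dangling reference.
"""
import ipaddress
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample document assembled from the proposal's fragments.
SAMPLE_XML = """<Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Object id="object-1">
    <Properties xsi:type="AddressObj:AddressObjectType">
      <Address_Value>10.0.0.0</Address_Value>
    </Properties>
  </Object>
  <Object id="object-2">
    <Properties xsi:type="DomainNameObj:DomainNameObjectType">
      <Value>asdffsdgh.info</Value>
    </Properties>
  </Object>
  <Object id="object-3">
    <Properties xsi:type="AddressObj:AddressObjectType">
      <Address_Value>10.1.2.3</Address_Value>
    </Properties>
  </Object>
  <Capability name="command and control" id="capability-1">
    <Property>
      <Name xsi:type="C2PropertiesVocab">C2 server</Name>
      <Object_Reference object_id="object-1"/>
    </Property>
  </Capability>
  <Capability name="data exfiltration" id="capability-2">
    <Property>
      <Name xsi:type="C2PropertiesVocab">exfiltration server</Name>
      <Object_Reference object_id="object-2"/>
    </Property>
  </Capability>
  <Capability name="command and control" id="capability-3">
    <Property>
      <Name xsi:type="C2PropertiesVocab">C2 server</Name>
      <Object_Reference object_id="object-9"/>
    </Property>
  </Capability>
  <Malware_Subject id="malware-subject-1">
    <Field_Data>
      <Distribution_Site object_id="object-3"/>
    </Field_Data>
  </Malware_Subject>
</Package>
"""


def index_objects(root):
    """Map each Object id to a record describing the observable it carries."""
    objects = {}
    for obj in root.iter("Object"):
        props = obj.find("Properties")
        if props is None:
            continue
        xsi_type = props.get(XSI_TYPE, "")
        if xsi_type.startswith("AddressObj:"):
            value = (props.findtext("Address_Value") or "").strip()
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # unusable as an indicator; skip rather than guess
            objects[obj.get("id")] = {"type": "address", "value": value,
                                      "private": addr.is_private}
        elif xsi_type.startswith("DomainNameObj:"):
            value = (props.findtext("Value") or "").strip().lower()
            objects[obj.get("id")] = {"type": "domain", "value": value,
                                      "private": None}
    return objects


def extract_infrastructure(xml_text):
    """Return (records, dangling): resolved references and broken ones."""
    root = ET.fromstring(xml_text)
    objects = index_objects(root)
    records, dangling = [], []

    def resolve(owner_id, role, oid):
        if oid in objects:
            records.append({"owner": owner_id, "role": role, **objects[oid]})
        else:
            dangling.append((owner_id, oid))

    # Capability properties carry the C2 / exfiltration server references.
    for cap in root.iter("Capability"):
        for prop in cap.findall("Property"):
            role = (prop.findtext("Name") or "").strip()
            for ref in prop.findall("Object_Reference"):
                resolve(cap.get("id"), role, ref.get("object_id"))

    # Malware_Subject field data carries the distribution site references.
    for subj in root.iter("Malware_Subject"):
        for site in subj.iter("Distribution_Site"):
            resolve(subj.get("id"), "distribution server", site.get("object_id"))

    return records, dangling


if __name__ == "__main__":
    found, missing = extract_infrastructure(SAMPLE_XML)
    for rec in found:
        print(f"{rec['owner']}: {rec['role']} -> {rec['type']} {rec['value']}")
    for owner, oid in missing:
        print(f"{owner}: unresolved reference to {oid}")
```

Two design points worth noting for a real consumer: the Object index is keyed by id, so the same address or domain can be referenced from both a C2 Capability and a Malware_Subject Field_Data without duplicating the observable, and the address records carry an is_private flag so that RFC 1918 placeholders like those in the proposal are not mistaken for live infrastructure.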
