Detecting Command and Control over Non-HTTP Protocols
In the modern security operations center (SOC), visibility is often synonymous with TLS inspection. As organizations invest heavily in SSL/TLS decryption proxies and Web Application Firewalls (WAFs) to scrutinize HTTP/S traffic, a strategic blind spot emerges. Sophisticated threat actors, aware of the intense scrutiny applied to port 80 and 443, are increasingly pivoting to non-HTTP protocols to establish Command and Control (C2) and facilitate data exfiltration.
By leveraging protocols that are often overlooked or implicitly trusted, such as DNS, ICMP, SMB, or NTP, adversaries can bypass perimeter defenses, evade signature-based detection, and maintain a persistent presence within the network. Detecting these "low and slow" communication channels requires moving beyond simple pattern matching and embracing deep protocol analysis and statistical anomaly detection.
The Architecture of Evasion
The primary objective of using non-HTTP C2 is to blend into the background noise of legitimate network operations. Unlike HTTP, which has a structured request-response pattern that is easily profiled, protocols like DNS and ICMP are fundamental to network health. Blocking them entirely is rarely an option, providing attackers with a reliable, "always-on" medium for heartbeat signals and instruction delivery.
1. DNS Tunneling and Signal Embedding
DNS is perhaps the most prolific vector for non-HTTP C2. Because DNS is a foundational requirement for almost all network activity, recursive lookups are rarely blocked at the egress point. Attackers utilize DNS tunneling to encapsulate non-DNS data within standard DNS queries and responses.
The Mechanism:
Attackers typically use `A`, `AAAA`, `TXT`, or `CNAME` records. An infected host sends a query for a subdomain under an attacker-controlled domain:
`v1-encoded-payload.attacker-c2.com`
The authoritative name server for `attacker-c2.com` (controlled by the adversary) intercepts this query, decodes the subdomain string, and responds with a `TXT` record containing the next set of instructions.
Detection Strategies:
- Entropy Analysis: Legitimate subdomains (e.g. `www`, `mail`, `api`) typically follow predictable linguistic or structural patterns. C2 subdomains often exhibit high Shannon entropy due to the encoding (Base64, Base32) of encrypted payloads.
- Query Length and Volume: Monitor for unusually long subdomains (approaching the 253-character limit) and a sudden spike in the volume of queries to a specific, low-reputation domain or TLD.
- Record Type Anomalies: An unusual prevalence of `TXT` or `NULL` records in an environment where they are rarely used for standard business operations is a significant red flag.
- TTL Monitoring: Attackers often use very low Time-to-Live (TTL) values to ensure that every "heartbeat" reaches their authoritative server rather than being cached by intermediary resolvers.
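The four DNS indicators above combined into one scoring pass, as an added example that is not part of the original article. It runs over constructed records shaped like Zeek `dns.log` fields (query, record type, TTL); `attacker-c2.example` is a placeholder domain, the long subdomains imitate encoded payloads, and the thresholds are illustrative starting points, not tuned values.

```python
import math
from collections import Counter, defaultdict

# Constructed records in the shape of Zeek dns.log fields: (query, qtype_name, TTL).
# "attacker-c2.example" is a placeholder; the long subdomains imitate encoded payloads.
SAMPLE_DNS = [
    ("www.example.com", "A", 3600),
    ("mail.example.com", "A", 3600),
    ("api.example.com", "AAAA", 300),
    ("v1-n5jgs3lhmu4qa3bb1vd9xk7p2f8wqr0ztc6yeo4mib7.attacker-c2.example", "TXT", 1),
    ("v1-q9zr2k7x1vp0mh8dn3ue6bw5cf4ty2as7lo1gj9.attacker-c2.example", "TXT", 1),
    ("v1-hx3bt8lk0vmq2y7pj5en1rc9wf6az4ds3uo8gi2.attacker-c2.example", "TXT", 1),
]

def shannon_entropy(s):
    """Bits per character; 0.0 for empty or single-character strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_query(qname):
    """Return (subdomain, registered_domain). Simplification: the last two labels are
    treated as the registered domain; production code should use a public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_query(qname, qtype, ttl, entropy_threshold=3.5, length_threshold=40):
    """Apply the four indicators from the text and return (domain, list of reasons)."""
    sub, domain = split_query(qname)
    reasons = []
    if shannon_entropy(sub) >= entropy_threshold:
        reasons.append("high-entropy subdomain")
    if len(sub) >= length_threshold:
        reasons.append("long subdomain")
    if qtype in ("TXT", "NULL"):
        reasons.append("uncommon record type " + qtype)
    if ttl is not None and ttl <= 5:
        reasons.append("very low TTL")
    return domain, reasons

def detect_dns_tunneling(records, min_reasons=2):
    """Aggregate per registered domain; a query counts as a hit when it trips at
    least min_reasons indicators. Returns {domain: (hit_count, sorted reasons)}."""
    hits = defaultdict(lambda: [0, set()])
    for qname, qtype, ttl in records:
        domain, reasons = score_query(qname, qtype, ttl)
        if len(reasons) >= min_reasons:
            hits[domain][0] += 1
            hits[domain][1].update(reasons)
    return {d: (n, sorted(r)) for d, (n, r) in hits.items()}
```

Requiring two indicators per query keeps a single long-but-legitimate CDN hostname from alerting on its own; in practice the per-domain counts would be compared against a baseline of query volume for that domain.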
2. ICMP Exfiltration: The Stealthy Echo
ICMP (Internet Control Message Protocol) is designed for diagnostics and error reporting. However, the `Echo Request` (Type 8) and `Echo Reply` (Type 0) packets contain a "data" field that is often ignored by basic firewalls.
The Mechanism:
An attacker can inject arbitrary payload data into the padding section of an ICMP packet. By sequencing these packets, an adversary can reconstruct a file or a command stream on the receiving end. Because ICMP is often permitted to facilitate `ping` and `traceroute`, it provides a stealthy, unidirectional or bidirectional channel.
Detection Strategies:
- Payload Size Variance: Standard `ping` utilities use a fixed, predictable payload size (e.g., 32 or 64 bytes). Detect ICMP packets that deviate significantly from this baseline.
- Frequency and Periodicity: C2 channels often exhibit "beaconing" behavior: regular, rhythmic intervals of ICMP traffic that do not align with standard network troubleshooting patterns.
- Payload Inspection: Use Deep Packet Inspection (DPI) to look for non-random, non-standard characters or recognizable headers within the ICMP data field.
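The payload-size and periodicity checks from the list above, implemented as an added example that is not from the original article. It works on constructed ICMP Echo Request observations (timestamp, source, destination, payload length) grouped per source/destination pair; the `STANDARD_PAYLOADS` set and the thresholds are assumptions that an analyst would tune to their own environment.

```python
import statistics
from collections import defaultdict

# Constructed ICMP Echo Request observations: (epoch_seconds, src, dst, payload_bytes).
# Flow A imitates an interactive `ping` (56-byte payload, slightly irregular timing);
# flow B imitates a beacon: oversized, varying payloads every ~30 s with small jitter.
SAMPLE_ICMP = [
    (99.8, "10.0.0.5", "10.0.0.1", 56), (101.3, "10.0.0.5", "10.0.0.1", 56),
    (101.8, "10.0.0.5", "10.0.0.1", 56), (103.3, "10.0.0.5", "10.0.0.1", 56),
    (200.0, "10.0.0.9", "203.0.113.7", 412), (230.4, "10.0.0.9", "203.0.113.7", 388),
    (259.7, "10.0.0.9", "203.0.113.7", 401), (290.2, "10.0.0.9", "203.0.113.7", 397),
    (319.9, "10.0.0.9", "203.0.113.7", 420), (350.3, "10.0.0.9", "203.0.113.7", 390),
]

# Payload sizes produced by stock ping utilities (Windows 32; Linux/BSD 56 or 64).
STANDARD_PAYLOADS = {32, 56, 64}

def flow_features(packets):
    """Per-flow statistics: packet count, share of non-standard payload sizes, and the
    coefficient of variation (stdev/mean) of inter-arrival intervals; low CV = rhythmic."""
    times = sorted(p[0] for p in packets)
    sizes = [p[3] for p in packets]
    intervals = [b - a for a, b in zip(times, times[1:])]
    cv = None  # undefined for flows with fewer than three packets
    if len(intervals) >= 2 and statistics.mean(intervals) > 0:
        cv = statistics.pstdev(intervals) / statistics.mean(intervals)
    return {
        "count": len(packets),
        "offsize_ratio": sum(s not in STANDARD_PAYLOADS for s in sizes) / len(sizes),
        "interval_cv": cv,
    }

def detect_icmp_beacons(records, min_packets=5, max_cv=0.1, min_offsize=0.5):
    """Group by (src, dst) and flag flows whose payload sizes deviate from the
    ping baseline or whose timing is periodic enough to look like a heartbeat."""
    flows = defaultdict(list)
    for rec in records:
        flows[(rec[1], rec[2])].append(rec)
    alerts = {}
    for key, pkts in flows.items():
        f = flow_features(pkts)
        reasons = []
        if f["offsize_ratio"] >= min_offsize:
            reasons.append("non-standard payload sizes")
        if f["count"] >= min_packets and f["interval_cv"] is not None and f["interval_cv"] <= max_cv:
            reasons.append("periodic beaconing")
        if reasons:
            alerts[key] = reasons
    return alerts
```

Monitoring agents that ping on a fixed schedule will also score as periodic, so the periodicity indicator is best gated on the payload-size deviation or on an allow-list of known pollers.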
3. SMB and Lateral C2
While DNS and ICMP are primary for North-South (egress) traffic, the Server Message Block (SMB) protocol is the king of East-West (lateral) movement. Once an initial foothold is established, attackers use SMB to move between workstations and servers.
The Mechanism:
Advanced frameworks like Cobalt Strike utilize "SMB Beacons." These rely on named pipes to pass commands between an infected host and a compromised internal relay. This allows the attacker to communicate with the outside world through a single "egress-capable" host, effectively hiding the true origin of the C2 traffic.
Detection Strategies:
- Named Pipe Monitoring: Monitor for the creation of unusual or randomized named pipes. Attackers often use randomized strings to avoid signature-based detection.
- Anomalous SMB Traffic Patterns: Watch for SMB connections between workstations that have no functional reason to communicate (e.g., a workstation in HR communicating with a workstation in Engineering via SMB).
- Process-to-Network Correlation: Correlate SMB traffic with the initiating process. A `cmd.exe` or `powershell.exe` process initiating SMB connections to multiple internal targets is a high-fidelity indicator of compromise.
Operationalizing Detection
Detecting these protocols requires a robust telemetry pipeline. Relying on endpoint logs alone is insufficient; network-level visibility is mandatory.
The Detection Pipeline
- Data Collection: Utilize tools like Zeek (formerly Bro) or Suricata. Zeek is particularly
Conclusion
As shown across "The Architecture of Evasion" and "Operationalizing Detection", a secure implementation for detecting command and control over non-HTTP protocols depends on execution discipline as much as design.
The practical hardening path is to enforce certificate lifecycle governance with strict chain/revocation checks, protocol-aware normalization, rate controls, and malformed-traffic handling, and behavior-chain detection across process, memory, identity, and network telemetry. This combination reduces both exploitability and attacker dwell time by forcing failures across multiple independent control layers.
Operational confidence should be measured, not assumed: track detection precision under peak traffic and adversarial packet patterns, policy-gate coverage, and vulnerable-artifact escape rate, then use those results to tune preventive policy, detection fidelity, and response runbooks on a fixed review cadence.