Egress / C2-Test

Preparation for Internal Attacks

When it comes to IT security, many companies are still relying more and more on protecting the perimeter, i.e. the "transition" between the corporate network and the public networks. In practice, however, attacks using the external firewall as an entry point are becoming increasingly rare. Instead, hackers are increasingly using malware (e.g. phishing emails) to get a foot in the door and, if successful, establish a communication channel from inside to outside (command and control, or C2). This approach gives the attacker a significant advantage, as outbound communications are not monitored as closely as inbound communications in many organisations. Command and control connections are often the basis for (usually very long) undetected intrusions and data theft in companies.

Egress c2 test v1

The command and control channels established by the attacker can be used to steal, encrypt or delete data, for example. An Egress / C2 test examines in detail which ports, protocols or channels a malicious attacker can use to connect from the inside to the outside (if they have already gained initial access, e.g. through a phishing email) and exfiltrate data from your organisation undetected.

Egress c2 test bild 2 v1

Would your firewall detect and prevent the establishment of (more complex) command and control channels? How do your endpoint security products such as anti-virus (AV), endpoint protection platform (EPP) and endpoint detection and response (EDR) behave? At the end of the day, we will show you concrete vulnerabilities in the respective systems and products. We will also inform you about possible measures to harden the affected systems, products or configurations.

How I Proceed in the Assumed Breach Scenario
  • 01
  • 02
  • 03
  • Preparation | Scoping

    First, I work with my clients to determine which products/systems will be tested in the customer's network and what approximate results can be expected. The next step is to consider possible scenarios for the egress / C2 test.

    Scope v2
  • Methodology | Implementation

    Did your (Next Gen) firewall detect and prevent the establishment of (more complex) command and control channels? What ports and channels could I use to connect to the outside world undetected? How did the AV/EPP/EDR solution behave at the endpoint? Did the SIEM used meet your expectations? At the end, you will receive a technical report and a short presentation of the results. The results will give you an insight into the real strengths and weaknesses of the products used and allow you to compare your pre-defined expectations with the actual results. Furthermore, the results will form the basis for a targeted development or hardening of your systems, e.g. hardening through configuration changes.

    Umsetzung v2
  • Report | Development

    Did your (Next Gen) firewall detect and prevent the establishment of (more complex) command and control channels? Which ports and channels could be used to establish an undetected connection to the outside world? How did the AV/EPP/EDR solution behave at the endpoint? Did the SIEM you deployed meet your expectations? We will answer these and other questions in a report and presentation that will help you strengthen and evolve the security of your systems.

    Weiterentwicklung v1
Why Egress / C2 Tests at RedOps?

As an offensive security expert, command and control frameworks are an important part of my core competency. I am constantly looking for new ways in which I, as an attacker, can establish unauthorised command and control channels without being detected. The results of the egress / test provide my clients with important insights into possible blind spots in systems such as Antivirus (AV), Endpoint Protection (EPP), Endpoint Detection and Response (EDR), SIEM, Next Gen Firewall, etc.

Responsibility Research Quality
  • Responsibility and Integrity

    Anyone who uses offensive security services and deliberately exposes themselves to an ethical hacking attack should do so with a partner they can absolutely trust. I keep all information strictly confidential and am 100% integer in what I do.

  • Research Orientation

    IT security is not a product, but a constant learning process. That's why I invest a lot of time in further education and research. I have already been able to present my results in the area of endpoint security at several international IT security conferences.

  • Quality Instead of Quantity

    With Offensive Security, I have made my passion my core competence. I don't sell products or licences, but live purely from my expertise in the field of IT security. For me, quality clearly comes before quantity.