Command and Control (C2) communication is a key component of any structured cyber-attack. As such, security operations teams actively try to detect this type of communication in their networks. This poses a problem for legitimate pentesters who try to remain undetected, since commonly used pentesting tools, such as Metasploit, generate constant traffic patterns that are easily distinguishable from regular web traffic. In this paper we start from these identifiable patterns in Metasploit's C2 traffic and show that a machine learning-based detector is able to detect the presence of such traffic with high accuracy, even when it is encrypted. We then outline and implement a set of modifications to the Metasploit framework in order to decrease the detection rate of such a classifier. To evaluate the performance of these modifications, we use two threat models with increasing awareness of the modifications. We look at the detection evasion performance and at the byte count and runtime overhead of the modifications. Our results show that for the second, increased-awareness threat model the framework-side traffic modifications yield a better detection avoidance rate (90%) than payload-side-only modifications (50%). We also show that although the modifications use up to 3 times more TLS payload bytes than the original, the runtime does not change significantly and the total number of bytes transferred (including the TLS payload) decreases.
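To make concrete why encrypted C2 traffic remains detectable and what "framework-side traffic modifications" have to change, the following is an added illustration, not code from the paper: it uses constructed per-check-in metadata (TLS record size and inter-arrival time, which are visible without decrypting) for a fixed-interval beacon, applies hypothetical random padding and timing jitter as a stand-in for the paper's (unspecified here) modifications, and scores both with a simple threshold rule standing in for the trained classifier. The feature names, thresholds, sample values and helper functions are all assumptions made for this example, not the paper's actual feature set or results.

```python
import random
import statistics

# Constructed sample: (tls_record_size_bytes, seconds_since_previous_check_in)
# for an unmodified fixed-interval beacon. Not captured data.
def beacon_records(n=40, size=192, interval=5.0):
    return [(size, interval) for _ in range(n)]

# Hypothetical framework-side modification: pad each record by a random
# amount and jitter the check-in interval. Deterministic seed for reproducibility.
def padded_jittered_records(records, seed=1, max_pad=384, jitter=0.5):
    rng = random.Random(seed)
    out = []
    for size, interval in records:
        pad = rng.randint(0, max_pad)
        out.append((size + pad, interval * (1 + rng.uniform(-jitter, jitter))))
    return out

# Metadata-only features: these are computable on encrypted traffic because
# they never look at the plaintext, only at record sizes and timing.
def features(records):
    sizes = [s for s, _ in records]
    gaps = [g for _, g in records]

    def cv(xs):  # coefficient of variation: 0 means perfectly regular
        m = statistics.mean(xs)
        return statistics.pstdev(xs) / m if m else 0.0

    most_common = max(set(sizes), key=sizes.count)
    return {
        "size_cv": cv(sizes),
        "gap_cv": cv(gaps),
        "same_size_frac": sizes.count(most_common) / len(sizes),
    }

# Hypothetical threshold rule in place of a trained classifier: a flow whose
# record sizes and intervals barely vary, and mostly repeat one size, is flagged.
def looks_like_beacon(feat, size_cv_max=0.1, gap_cv_max=0.1, same_size_min=0.5):
    return (feat["size_cv"] < size_cv_max
            and feat["gap_cv"] < gap_cv_max
            and feat["same_size_frac"] > same_size_min)

# Ratio of TLS payload bytes after modification to before (the cost side).
def payload_overhead(original, modified):
    return sum(s for s, _ in modified) / sum(s for s, _ in original)

if __name__ == "__main__":
    plain = beacon_records()
    modified = padded_jittered_records(plain)
    print("unmodified:", features(plain), looks_like_beacon(features(plain)))
    print("modified:  ", features(modified), looks_like_beacon(features(modified)))
    print("TLS payload overhead: %.2fx" % payload_overhead(plain, modified))
```

The point of the comparison is that padding and jitter raise the size and timing variance above what the rule tolerates, at the price of roughly doubling the TLS payload bytes in this constructed case; a classifier trained against modified traffic (the paper's second, increased-awareness threat model) would of course need more than a variance threshold to be evaded.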