analysis of cobalt strike network traffic obfuscation in
play

Analysis of Cobalt Strike network traffic obfuscation in C2 - PowerPoint PPT Presentation

Sep 11, 2023 •187 likes •438 views

Analysis of Cobalt Strike network traffic obfuscation in C2 communication Vincent van der Eijk & Coen Schuijt University of Amsterdam vincent.vandereijk@os3.nl, coen.schuijt@os3.nl July 3, 2020 Vincent van der Eijk & Coen Schuijt (OS3)

  1. Analysis of Cobalt Strike network traffic obfuscation in C2 communication Vincent van der Eijk & Coen Schuijt University of Amsterdam vincent.vandereijk@os3.nl, coen.schuijt@os3.nl July 3, 2020 Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 1 / 25

  2. Introduction Red and Blue Teaming RAT → Botnet Cobalt Strike APTs Figure 1: Cobalt strike logo [https://cobaltstrike.com/] Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 2 / 25

  3. Research questions Main research question ”How can we distinguish obfuscated Cobalt Strike beacons from genuine traffic based on identifying features?” Sub questions Which features can we extract from network traffic generated by 1 malleable C2 profiles? Can we detect a Cobalt Strike beacon using a malleable profile with 2 one or more of those features? Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 3 / 25

  4. State of the art (I/II) 1 2 3 4 Target CDN Redirector C2 Figure 2: Common C2 network setup Beacon Domain redirection Redirector/proxy C2 Server Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 4 / 25

  5. State of the art (II/II) Malleable Profile Defines beaconing behaviour HTTP parameters Encoding Highly customizable 1 set sleeptime "5000"; 2 set jitter "0"; 3 set useragent "Mozilla /5.0 (Windows NT 6.1; WOW64; Trident /7.0; rv :11.0) like Gecko "; 4 5 http -get { 6 set uri "/s/ref=nb_sb_noss_1 /167 -3294888 -0262949/ field - 7 keywords=books "; Listing 1: Snippet from the amazon.profile Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 5 / 25

  6. Related work Little scientific research on Cobalt Strike No research specific to malleable profiles Botnet traffic detection researched thoroughly Sources L. van Duijn (2014) Beacon detection in PCAP files J. Dreijer (2015) StealthWare - Social Engineering Malware Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 6 / 25

  7. Methodology 1 2 3 4 5 Network Topology Data capturing Dataset generation Feature engineering Testing Configure ncapd Benign: browse Test feature on Setup Target Machine Parse dataset listener amazon dataset Malicious: capture Configure domain Configure softflow HTTP(S) beacon Group dataset Plot results redirection deamon traffic Install packet capture Mixed: HTTP(S) Setup redirector Filter dataset software beacon & tcpreplay Mixed: HTTP(S) Create identifying Configure C2 Server beacon & office use feature simulation Mixed: HTTP(S) beacon & office use simulation Figure 3: Project approach Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 7 / 25

  8. Infrastructure setup (I/II) 1 2 3 4 Target CDN Redirector C2 Figure 4: Infrastructure setup 1 Target Windows 10 (1909) NAT interface 2 CDN Amazon CloudFront Domain redirection (Host Header, Redirector IP) Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 8 / 25

  9. Infrastructure setup (II/II) 1 2 3 4 Target CDN Redirector C2 Figure 4: Infrastructure setup 3 Redirector socat proxy 443, 80 4 C2 Server Cobalt Strike 4.0 amazon.profile Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 9 / 25

  10. Data gathering (I/V) Benign PCAPS for HTTP Malicious NetFlow for HTTPS Mixed Active beacon Simulate user browsing updating mailing ... Reproduceable dataset External CTU-13 (Botnet-43) 1 6M flows, university network Stratosphere Research Laboratory (CZ) 1 https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-43/ Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 10 / 25

  11. Detection algorithm (I/II) 1 1 Start Read NetFlow data Reached EOF Yes 1 Read NetFlow data No 2 Creating host objects 3 Yes Host Attach flow to host known 3 Append flow to host (src IP) No 2 Create new host object Figure 5: Detection algorithm pt.1 Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 11 / 25

  12. Detection algorithm (II/II) 4 Filter Flows config.cfg 5 Apply Features 4 Filter flows 5 Apply feature (Host) 6 Yes 6 Alert Exceeds Alert Threshold No Figure 6: Detection algorithm pt.2 Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 12 / 25

  13. Results Amazon.profile traffic analysis (Cobalt Strike) HTTP Beacon Benign Amazon network traffic HTTPS Beacon Beacon detection algorithm Detection accuracy Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 13 / 25

  14. Amazon profile traffic analysis: HTTP Beacon (I/V) Figure 7: Packet capture for HTTP beacon Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 14 / 25

  15. Amazon profile traffic analysis: Benign (II/V) Figure 8: Packet capture for benign Amazon traffic Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 15 / 25

  16. Amazon traffic analysis: HTTPS Beacon (III/V) Figure 9: Packet capture for Amazon HTTPS beacon Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 16 / 25

  17. Amazon traffic analysis: HTTPS Beacon (IV/V) Figure 10: NetFlow data for HTTPS beacon Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 17 / 25

  18. Amazon traffic analysis: Summary (V/V) We identified the following features: Periodicity Consistent byte size of flows Short flow duration TCP Flags Lack of DNS requests Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 18 / 25

  19. Beacon detection Figure 11: Linear regression for regular Figure 12: Linear regression for C2 server HTTPS network traffic shows a weak network traffic shows a high correlation correlation (r=0.854) (r=0.999) Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 19 / 25

  20. Results: Accuracy Table 1: Overview of NetFlow streams that the detection algorithm was able to classify correctly as either benign (good) or malicious (bad) Actual Good Bad Good 128910 2 Predicted Bad 5 15 TP + TN 13 + 128267 ACC = TP + TN + FP + FN = 13 + 128267 + 5 + 2 = 99 , 996% Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 20 / 25

  21. Discussion Difficult to obtain a large dataset with benign network traffic Only tested on our own malware samples and infrastructure Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 21 / 25

  22. Conclusions I/II Q1: Which features can we extract from network traffic generated by malleable C2 profiles? Time interval Byte size of flow Flow duration TCP flags DNS requests Q2: Can we detect a Cobalt Strike beacon using a malleable profile with one or more of those features? All features except the correlation to DNS requests and the TCP RST flag are useable Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 22 / 25

  23. Conclusions II/II How can we distinguish obfuscated Cobalt Strike beacons from genuine traffic based on identifying features? Filter rules based on identified features Detection algorithm using linear regression Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 23 / 25

  24. Future Work Further research the TCP RST flag behaviour Expand the detection algorithm to fingerprint threat actors Modify the detection algorithm to support real-time detection Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 24 / 25

  25. Key findings C2 communication of Cobalt Strike shows periodicity We are able to detect other profiles than the Amazon profile Avoid detection by changing the beaconing interval regularly Vincent van der Eijk & Coen Schuijt (OS3) C2 network analysis July 3, 2020 25 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Provisioning On-line Games: A Traffic Goal Analysis of a Busy Counter-Strike Understand the

Provisioning On-line Games: A Traffic Goal Analysis of a Busy Counter-Strike Understand the

Provisioning On-line Games: A Traffic Goal Analysis of a Busy Counter-Strike Understand the resource requirements of a popular Server on-line FPS (first-person shooter) game Wu-chang Feng, Francis

533 views • 28 slides
Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13

Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13

Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13 September 2017 Agenda 1. Goals 2. Definitions 3. Motivating problem 4. Approach 5. How Cobalt Strike works 6. Traffic analysis 7.

821 views • 59 slides
Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction Youve just invented the greatest protocol does everything including tying your shoelaces. What now? Need to know how it performs. Is it

510 views • 13 slides
using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

Website Fingerprinting using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis Wiki says What is Traffic Analysis Wiki says Process of intercepting and examining messages in order to deduce

1.15k views • 41 slides
Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets

Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets

Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets Network Traffic Measurement and Analysis Conference (TMA 2018) June 28, 2018 Milan Cermak et al. Institute of Computer Science, Masaryk University, Brno

575 views • 25 slides
Structural Analysis of Network Traffic Flows Eric Kolaczyk Anukool Lakhina, Dina Papagiannaki,

Structural Analysis of Network Traffic Flows Eric Kolaczyk Anukool Lakhina, Dina Papagiannaki,

Structural Analysis of Network Traffic Flows Eric Kolaczyk Anukool Lakhina, Dina Papagiannaki, Mark Crovella, Christophe Diot, and Nina Taft Traditional Network What ISPs Care Traffic Analysis About Focus on Focus on Long,

1.09k views • 46 slides
Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools Background and Goals: Apache Spot was started recently DNS, Netflow, PCAP data is analyzed The goal is to identify: suspicous

644 views • 19 slides
Trace-Share: Towards Provable Network Traffic Measurement and Analysis Special Session on Network

Trace-Share: Towards Provable Network Traffic Measurement and Analysis Special Session on Network

Trace-Share: Towards Provable Network Traffic Measurement and Analysis Special Session on Network Security at Prague Embedded Systems Workshop (PESW 2019) June 28, 2019 Milan Cermak Institute of Computer Science, Masaryk University, Brno 2 3

440 views • 20 slides
Transaction clustering using network traffic blockchains analysis for Bitcoin and derived

Transaction clustering using network traffic blockchains analysis for Bitcoin and derived

Transaction clustering using network traffic analysis for Bitcoin and derived Transaction clustering using network traffic blockchains analysis for Bitcoin and derived blockchains Biryukov, Tikhomirov Introduction Network privacy Alex

491 views • 30 slides
ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF

641 views • 46 slides
High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges & Approaches Security: Challenges & Approaches C-DAC Asia-Pacific Advanced Network 32 nd Meeting, India Habitat Centre, New Delhi APAN 32nd Meeting,

647 views • 28 slides
ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC

ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC

IN INTRODUCTION TO TRAFFIC ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC ANALYSIS 1. Except for user terminals, the telephone network is composed of a variety of common 45 Trunks equipment

385 views • 17 slides
Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1 Presentation By Henk van Doorn & Marko Spithoff Relevance Security Audits Company Detects (Attempted) Breach Accountability Of Actions 2

337 views • 22 slides
Obfuscation and Misdirection at TPC Group Inc.: Analysis of the Process and Alternatives for TPCG

Obfuscation and Misdirection at TPC Group Inc.: Analysis of the Process and Alternatives for TPCG

Obfuscation and Misdirection at TPC Group Inc.: Analysis of the Process and Alternatives for TPCG by Sandell Asset Management Corp. October 2012 SAMC Analysis of TPC Group Inc. DISCLAIMER THIS PRESENTATION WITH RESPECT TO TPC GROUP INC (

555 views • 9 slides
THE COBALT CONFERENCE 2019, HONG KONG, 15-16 MAY ABSTRACTS PRESENTATION COBALT INSTITUTE -

THE COBALT CONFERENCE 2019, HONG KONG, 15-16 MAY ABSTRACTS PRESENTATION COBALT INSTITUTE -

THE COBALT CONFERENCE 2019, HONG KONG, 15-16 MAY ABSTRACTS PRESENTATION COBALT INSTITUTE - ADDING VALUE, GETTING RESULTS Mr David Weight President CI & Director Cobalt REACH Consortium Ltd The Cobalt Institute (CI) is a global

465 views • 17 slides
Obfuscation Lecture 26 Different Flavours VBB Obfuscation Note: Considers only corrupt

Obfuscation Lecture 26 Different Flavours VBB Obfuscation Note: Considers only corrupt

Obfuscation Lecture 26 Different Flavours VBB Obfuscation Note: Considers only corrupt receiver x 1 Virtual f O(f) F B f(x 1) Black-Box x 2 (VBB) f(x 2) Obfuscation : A Secure (and f Family f Family b b single

466 views • 18 slides
!"##$%&'()*' +,-./0'.10'2+3-./0*'4.105+!6'' 1660!' ' !"#$%&'"%()

!"##$%&'()*' +,-./0'.10'2+3-./0*'4.105+!6'' 1660!' ' !"#$%&'"%()

!"##$%&'()*' +,-./0'.10'2+3-./0*'4.105+!6'' 1660!' ' !"#$%&'"%() *+,,)*,&+-.)/+0$)1%$-+#$2'.)3&2#)4$5$,"67$2'.)!&0,&8)92'$%6%+-$-) ) 1&2$,()

362 views • 9 slides
UTD HLTRI at TAC 2019: DDI Track Ramon Maldonado , Maxwell Weinzierl, & Sanda M. Harabagiu

UTD HLTRI at TAC 2019: DDI Track Ramon Maldonado , Maxwell Weinzierl, & Sanda M. Harabagiu

UTD HLTRI at TAC 2019: DDI Track Ramon Maldonado , Maxwell Weinzierl, & Sanda M. Harabagiu The University of Texas at Dallas Human Language Technology Research Institute http://www.hlt.utdallas.edu/~{ramon, max, sanda} Outline 1.

464 views • 24 slides
kohn kohn architecture 466 AMSTERDAM AVE. STOREFRONT PROPOSAL P-01 EXISTING PHOTOS 4 4 6 6 6

kohn kohn architecture 466 AMSTERDAM AVE. STOREFRONT PROPOSAL P-01 EXISTING PHOTOS 4 4 6 6 6

BROWNSTONE BELTCOURSE TAX PHOTO OF 466 AMSTERDAM AVE. EXISTING BUILDING (GROUND LEVEL) EXISTING STOREFRONT 1 2 3 SCALE : NTS SCALE : NTS SCALE : NTS CORNICE BRACKETS FIRE- BELT-COURSE ESCAPE 9 SCALE : NTS DESIGNATION PHOTO CAST

366 views • 5 slides
OPTIONS AND CHALLENGES FOR COMMISSIONING DOMICILIARY CARE Professor John Bolton What crisis?

OPTIONS AND CHALLENGES FOR COMMISSIONING DOMICILIARY CARE Professor John Bolton What crisis?

OPTIONS AND CHALLENGES FOR COMMISSIONING DOMICILIARY CARE Professor John Bolton What crisis? Domiciliary Care has been grossly underfunded by local authorities and Domiciliary Care providers have been prepared (in the past) to take on

183 views • 7 slides
Terrameter LS Imaging System Automatic System for Resistivity and IP Imaging Terrameter LS is a

Terrameter LS Imaging System Automatic System for Resistivity and IP Imaging Terrameter LS is a

Terrameter LS Imaging System Automatic System for Resistivity and IP Imaging Terrameter LS is a world leading resistivity instrument that offers high quality data. The instrument can be used for several applications and is developed to be useful

473 views • 4 slides
Pathways to Graduation & Life Stanwood - Camano School District GRADUATION REQUIREMENTS

Pathways to Graduation & Life Stanwood - Camano School District GRADUATION REQUIREMENTS

Pathways to Graduation & Life Stanwood - Camano School District GRADUATION REQUIREMENTS Class of 2021 and Beyond Complete 24 Career & College Ready High School Credits Complete a Graduation Pathway Complete a High School

484 views • 11 slides
Complete Design to Manufacturing Solutions We Aim to be leading CAE service providers. We Aim to

Complete Design to Manufacturing Solutions We Aim to be leading CAE service providers. We Aim to

INTEGRATED CADCAM SOLUTIONS Complete Design to Manufacturing Solutions We Aim to be leading CAE service providers. We Aim to be leading CAE service providers. At ICS we believe that we succeed only when our customer succeeds . Our total

571 views • 40 slides
a world of materials many products each with its own reality material data compressive stress

a world of materials many products each with its own reality material data compressive stress

a world of materials many products each with its own reality material data compressive stress relaxation tensile viscosity fatigue conductivity expansion properties that describe reality www.matereality.com material databases for all

602 views • 26 slides

More recommend