C2 beaconing attacks hunting (original Greek title: Εντοπισμός επιθέσεων τύπου C2 beaconing, "Detection of C2 beaconing attacks")
Master Thesis
Author
Σαρλής, Στέφανος
Sarlis, Stefanos
Date
2022-02
Keywords
C2 ; Command and Control ; C&C ; APT ; Beaconing ; Red Teaming ; Covenant ; PowerShell Empire ; Cobalt Strike ; Pupy ; Merlin ; PoshC2 ; AMSI ; Evasion ; Bypass ; RITA ; YARA ; ELK ; Suricata ; Sysmon ; Wazuh ; MITRE ATT&CK ; Attack & Defense Lab ; Dnscat2 ; Oletools ; Capa ; Beacon ; Implant ; Grunt ; Cyber Kill Chain ; Unified Kill Chain ; Callbacks ; Domain Fronting ; Redirectors ; Relays
Abstract
As cyber attacks constantly evolve in both number and complexity, the use of advanced security mechanisms becomes imperative. However, while modern security solutions offer, in some cases, satisfactory detection rates, cyber threats are growing exponentially and the attacker retains the advantage. In addition, traditional methods for detecting malicious activity can be easily bypassed, since attackers constantly find new and sophisticated ways to evade defensive solutions, aiming to infect networks and systems with different types of malware. Furthermore, unlike the majority of cyber attacks, Advanced Persistent Threats (APTs) are sophisticated attacks in which adversaries try to stay under the radar, taking advantage of various methods and using different attack vectors. One of the most important stages of an APT attack is Command and Control (C2) beaconing. In this work, a holistic approach to beaconing attack detection is presented. More specifically, the subject of this dissertation is beaconing detection through the design and execution of various attack scenarios that simulate C2 beaconing attacks. The outcome of the work confirms that the detection of malicious beaconing behaviour requires the combination of different detection mechanisms while addressing a variety of challenges at the same time. In particular, since beaconing is not a distinct event but a sequence of time-related events, its detection is extremely challenging. Therefore, in this work the effectiveness of various security methods and solutions regarding the detection and mitigation of these attacks is evaluated through the execution of three attack scenarios of escalating complexity. The results show that there is significant room for improvement, since the majority of security mechanisms largely fail to detect and address these threats. However, through the combined approach presented, the detection of beaconing attacks becomes more feasible.
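The abstract's central point is that a beacon is not a single event but a regular sequence of connections, so detection has to look at the timing and size distribution of many connections between the same endpoints. The following is an added example, not code from the thesis or from any of the tools it names (RITA, Zeek, ELK): it scores each (source, destination, port) flow by how tightly its inter-connection intervals and request sizes cluster, using the median absolute deviation relative to the median so that a few outliers do not mask an otherwise regular pattern. The log format is a constructed, simplified conn-log TSV (timestamp, source host, destination host, destination port, bytes sent), the two hosts and the 8-connection minimum are assumptions, and the threshold of 0.8 is an illustrative choice rather than a tuned value.

```python
"""Score connection regularity per (src, dst, dport) to surface C2 beaconing.

Added example, not the thesis's own code.  Input is a constructed TSV with the
columns: ts  id.orig_h  id.resp_h  id.resp_p  orig_bytes (simplified conn log).
"""
from collections import defaultdict
from statistics import median


def parse_conn_log(lines):
    """Parse TSV records into dicts, skipping comment and blank lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def dispersion_score(values):
    """1.0 when all values are identical, falling towards 0 as spread grows.

    Uses the median absolute deviation (MAD) relative to the median, so a
    handful of outliers (one long sleep, one large download) does not hide a
    regular pattern the way a plain standard deviation would.
    """
    if len(values) < 2:
        return 0.0
    med = median(values)
    if med == 0:
        return 0.0
    mad = median([abs(v - med) for v in values])
    return max(0.0, 1.0 - mad / med)


def score_flows(records, min_connections=8):
    """Group connections by (src, dst, dport) and score each group.

    Timing regularity and request-size regularity are scored separately and
    averaged; a beacon typically shows both (fixed sleep, near-constant check-in
    size), whereas interactive traffic is irregular in at least one of them.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["dport"])].append(r)
    results = {}
    for key, rs in groups.items():
        if len(rs) < min_connections:   # too few events to call anything periodic
            continue
        rs.sort(key=lambda r: r["ts"])
        intervals = [b["ts"] - a["ts"] for a, b in zip(rs, rs[1:])]
        sizes = [r["bytes"] for r in rs]
        t_score = dispersion_score(intervals)
        s_score = dispersion_score(sizes)
        results[key] = {
            "connections": len(rs),
            "median_interval": median(intervals),
            "timing_score": t_score,
            "size_score": s_score,
            "beacon_score": (t_score + s_score) / 2,
        }
    return results


def find_beacons(records, threshold=0.8, min_connections=8):
    """Return only the flows whose combined score reaches the threshold."""
    return {k: v for k, v in score_flows(records, min_connections).items()
            if v["beacon_score"] >= threshold}


def build_log(src, dst, dport, start_ts, intervals, sizes):
    """Constructed log lines: one connection at start_ts, then one per interval."""
    assert len(sizes) == len(intervals) + 1
    lines, ts = [], start_ts
    for i, size in enumerate(sizes):
        if i > 0:
            ts += intervals[i - 1]
        lines.append(f"{ts:.3f}\t{src}\t{dst}\t{dport}\t{size}")
    return lines


# Constructed sample: an implant checking in every ~60 s (small jitter) with a
# near-constant payload, and a workstation browsing the same port irregularly.
BEACON_INTERVALS = [60, 57, 63, 60, 58, 62, 60, 61, 59, 60]
BEACON_SIZES = [512, 512, 520, 512, 512, 528, 512, 512, 512, 516, 512]
NORMAL_INTERVALS = [5, 300, 12, 900, 45, 2, 600, 30, 150, 8]
NORMAL_SIZES = [1500, 48000, 900, 250000, 3200, 120, 88000, 4400, 20000, 600, 7300]

SAMPLE_LOG = (
    ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\torig_bytes"]
    + build_log("10.0.0.5", "203.0.113.10", 443, 1700000000.0, BEACON_INTERVALS, BEACON_SIZES)
    + build_log("10.0.0.7", "198.51.100.20", 443, 1700000000.0, NORMAL_INTERVALS, NORMAL_SIZES)
)

if __name__ == "__main__":
    for key, info in score_flows(parse_conn_log(SAMPLE_LOG)).items():
        print(key, {k: round(v, 3) for k, v in info.items()})
    print("flagged:", list(find_beacons(parse_conn_log(SAMPLE_LOG))))
```

Two caveats a practitioner would add before relying on this: operators deliberately add jitter to the sleep interval (a documented option in frameworks such as Cobalt Strike), which lowers the timing score gradually rather than defeating it, so the threshold must be set against a baseline of the environment's own traffic; and any single score like this is one signal among several, which is exactly the thesis's conclusion that beaconing detection needs timing analysis combined with host telemetry (Sysmon), network signatures (Suricata) and file analysis (YARA) rather than any one of them alone.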