Catégorie: Conférence avec actes
Auteurs: Clément Parssegny, Johan Mazel, Olivier Levillain et Pierre Chifflier
Date: août 2025

Off-the-shelf software for Command and Control is often used by attackers and legitimate pentesters looking for discretion. Among other functionalities, these tools facilitate the customization of their network traffic so it can mimic popular websites, thereby increasing their secrecy. Cobalt Strike is one of the most famous solutions in this category, used by known advanced attacker groups such as "Mustang Panda" or "Nobelium".

In response to these threats, Security Operation Centers and other defense actors struggle to detect Com- mand and Control traffic, which often use encryption protocols such as TLS. Network traffic metadata- based machine learning approaches have been proposed to detect encrypted malware communications or fingerprint websites over Tor network.

This paper presents a machine learning-based method to detect Cobalt Strike Command and Control activity based only on widely used network traffic metadata. The proposed method is, to the best of our knowledge, the first of its kind that is able to adapt the model it uses to the observed traffic to optimize its performance. This specificity permits our method to performs equally or better than the state of the art while using standard features. Our method is thus easier to use in a production environment and more explainable.

Publié dans les actes Proceedings of the 20th International Conference on Availability, Reliability and Security (pages 163 à 185)

Présenté lors de la conférence ARES à Ghent, Belgium en août 2025

BibTeX Document Version longue de l'article