Tweaking Metasploit to Evade Encrypted C2 Traffic Detection
Gonçalo Xavier, Carlos Novo, Ricardo Morla

TL;DR
This paper demonstrates how modifications to Metasploit can significantly reduce detection rates of encrypted C2 traffic by machine learning classifiers, with minimal runtime impact and increased payload overhead.
Contribution
The paper introduces a set of modifications to Metasploit that evade machine learning-based detection of encrypted C2 traffic, improving stealth for pentesters.
Findings
The detection-evasion rate reaches 90% with the modifications in place under the increased-awareness threat model.
The modifications increase TLS payload bytes by up to 3x but do not significantly affect runtime.
The total byte count, TLS payload included, is reduced despite the larger individual payloads.
Abstract
Command and Control (C2) communication is a key component of any structured cyber-attack. As such, security operations actively try to detect this type of communication in their networks. This poses a problem for legitimate pentesters who try to remain undetected, since commonly used pentesting tools, such as Metasploit, generate constant traffic patterns that are easily distinguishable from regular web traffic. In this paper we start with these identifiable patterns in Metasploit's C2 traffic and show that a machine learning-based detector is able to detect the presence of such traffic with high accuracy, even when encrypted. We then outline and implement a set of modifications to the Metasploit framework in order to decrease the detection rates of such a classifier. To evaluate the performance of these modifications, we use two threat models with increasing awareness of these…
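The abstract's core claim is that a classifier needs no decryption to spot Metasploit C2: record sizes and inter-arrival times alone give it away, and jitter plus padding is what pushes those features back toward ordinary web traffic. The following is an added example, not code from the paper or from Metasploit: a toy nearest-centroid classifier over three metadata features (coefficient of variation of inter-arrival gaps, of record sizes, and the fraction of distinct record sizes), trained on synthetic flows constructed in-code. The beacon interval, the two record sizes, the jitter range and the padding factor are assumed illustrative values, not measurements from the paper; the padding factor of 2 is chosen only so that padded records are at most 3x their base size, matching the scale of the reported overhead.

```python
"""
Added example (not from the paper or Metasploit): flow-metadata detection of
beacon-like encrypted C2, and the effect of jitter and padding on it.
All flows are synthetic and generated here; no real traffic is used.
"""
import random
from statistics import mean, pstdev

FEATURE_NAMES = ("gap_cv", "size_cv", "distinct_size_ratio")


def flow_features(records):
    """records: list of (timestamp_seconds, tls_record_len) for one flow.
    Returns (cv of inter-arrival gaps, cv of record sizes, fraction of
    records whose size is unique). cv = population stdev / mean."""
    times = [t for t, _ in records]
    sizes = [s for _, s in records]
    gaps = [b - a for a, b in zip(times, times[1:])]

    def cv(xs):
        m = mean(xs)
        return pstdev(xs) / m if m > 0 else 0.0

    return (cv(gaps), cv(sizes), len(set(sizes)) / len(sizes))


def beacon_flow(rng, n=30, interval=1.0, jitter=0.0, pad_factor=0):
    """Assumed model of a polling C2 channel: a fixed interval and two fixed
    record sizes (poll, reply). jitter = max extra sleep added per interval;
    pad_factor = max random padding as a multiple of the base size, so
    pad_factor=2 means a record is at most 3x its base size."""
    t, records = 0.0, []
    for i in range(n):
        t += interval + rng.uniform(0, jitter)
        base = 90 if i % 2 == 0 else 60          # assumed poll/reply sizes
        records.append((t, base + rng.randint(0, pad_factor * base)))
    return records


def web_flow(rng, n=30):
    """Assumed model of ordinary browsing: bursty gaps and varied sizes."""
    t, records = 0.0, []
    for _ in range(n):
        t += rng.expovariate(2.0)                # mean gap 0.5 s, bursty
        records.append((t, rng.randint(40, 1400)))
    return records


class NearestCentroid:
    """Minimal classifier: standardise features, then pick the nearer class
    centroid. Stands in for the paper's (unspecified here) ML detector."""

    def fit(self, X, y):
        cols = list(zip(*X))
        self.mu = [mean(c) for c in cols]
        self.sd = [pstdev(c) or 1.0 for c in cols]
        z = [self._scale(x) for x in X]
        self.centroids = {}
        for label in set(y):
            members = [v for v, lab in zip(z, y) if lab == label]
            self.centroids[label] = [mean(c) for c in zip(*members)]
        return self

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x):
        z = self._scale(x)
        return min(self.centroids,
                   key=lambda lab: sum((a - b) ** 2
                                       for a, b in zip(z, self.centroids[lab])))


def run_experiment(seed=1, n_train=100, n_test=50):
    """Train on unmodified beacons vs web flows, then measure the detection
    rate on unmodified beacons, on web flows (false positives) and on
    beacons with jitter and padding applied."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n_train):
        X.append(flow_features(beacon_flow(rng))); y.append("c2")
        X.append(flow_features(web_flow(rng))); y.append("web")
    clf = NearestCentroid().fit(X, y)

    def detection_rate(make):
        flows = [make(rng) for _ in range(n_test)]
        return sum(clf.predict(flow_features(f)) == "c2" for f in flows) / n_test

    return {
        "baseline_c2": detection_rate(lambda r: beacon_flow(r)),
        "web_false_positive": detection_rate(web_flow),
        "modified_c2": detection_rate(
            lambda r: beacon_flow(r, jitter=3.0, pad_factor=2)),
    }


if __name__ == "__main__":
    for name, rate in run_experiment().items():
        print(f"{name:20s} {rate:.2f}")
```

The point to take from running it is which feature does the work: jitter alone moves `gap_cv` only part of the way toward the web centroid, while padding destroys the "two fixed sizes" signature (`distinct_size_ratio` jumps from about 0.07 to near 1), which is why size-based modifications cost bandwidth but buy the most evasion. Any real detector would use many more features (TLS record direction, burst structure, session duration), so the rates here are illustrative, not the paper's.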
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
