A primary goal of penetration testing engagements is for the tester to gain a foothold on target systems. However, the tester remains outside the network and needs a way to communicate with their malware and other tools inside.

Command-and-control channels provide these remote management capabilities over the network. The MITRE ATT&CK framework's Command and Control tactic has 16 techniques for building and concealing this channel, as shown in Figure 11.1.

If a defender can read command-and-control data, it is much easier to detect and remove an attacker's foothold in a target environment. Two ways to protect against this are rendering command-and-control data unreadable and making it difficult to find. This chapter explores both of these approaches via MITRE ATT&CK's Encrypted Channel and Protocol Tunneling techniques.

The code sample archive for this chapter can be found at https://www.wiley.com/go/pythonforcybersecurity and contains the following sample code files:

• EncryptedChannelClient.py
• EncryptedChannelServer.py
• DetectEncryptedTraffic.py
• ProtocolTunnelingClient.py
• ProtocolTunnelingServer.py
• ProtocolDecoder.py

Encrypted Channel

Encryption is the most effective way to protect sensitive data from eavesdropping. Data encrypted with a strong encryption algorithm is unreadable ...