Secret Handshake: A Mutual TLS Based C2 Communication Channel
One of the goals of malware command & control (C2) communication is to blend into background traffic while relaying commands and replies between the malware server and the infected client. The most common C2 channel these days is HTTPS because it is simple to configure and easily hides in the sheer volume of HTTPS traffic. It comes as little surprise that defenders tend to focus on the data portion of the encrypted traffic and not the underlying tunneling envelopes. But what if the C2 communication wasn’t part of the data field in the encrypted network packets? What if, instead, the C2 communication was embedded in the mechanism that enables encrypted communication in the first place?
This presentation demonstrates a malware C2 channel that embeds C2 commands and client responses as payloads inside x509 certificates exchanged during mutual TLS handshakes. It then goes into detail on the detection techniques that can identify this type of C2 channel and on possible approaches to blocking such vectors.
x509 certificates are allowed to pass with impunity through our firewalls, but they are just files and, like any other file, can carry malicious payloads. We trust and ignore them because they are a core component of an encryption process that we have come to take for granted. The primary goal is to raise awareness of a class of indicator that we have come to trust and to highlight methods people can use to detect malicious uses of it.
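As an added illustration of the detection side, not code from the talk, the following minimal DER walker inventories a certificate's extensions and flags any with an unknown OID or an unusually large value, one of the checks a defender can apply to client certificates seen in mutual TLS handshakes. The test certificate it builds is a constructed skeleton, and the private OID in it is a placeholder.

```python
# Added illustration, not the speaker's code: a minimal ASN.1/DER walker that lists a
# certificate's extensions and flags ones that are unknown or unusually large.
def der_tlvs(buf):
    """Split one DER nesting level into (tag, value) pairs (single-byte tags only)."""
    out, i = [], 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        if first < 0x80:                                  # short-form length
            length, start = first, i + 2
        else:                                             # long form: (first & 0x7F) length bytes
            n = first & 0x7F
            length, start = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
        out.append((tag, buf[start:start + length]))
        i = start + length
    return out

# Raw DER OID bytes of extensions expected in an ordinary leaf certificate (2.5.29.x).
KNOWN_EXT = {b"\x55\x1d\x0e", b"\x55\x1d\x0f", b"\x55\x1d\x11",
             b"\x55\x1d\x13", b"\x55\x1d\x23", b"\x55\x1d\x25"}

def suspicious_extensions(cert_der, max_len=256):
    """Return [(oid_hex, value_len)] for extensions with an unknown OID or value > max_len."""
    tbs = der_tlvs(der_tlvs(cert_der)[0][1])[0][1]       # Certificate -> tbsCertificate body
    findings = []
    for tag, value in der_tlvs(tbs):
        if tag != 0xA3:                                   # [3] EXPLICIT Extensions
            continue
        for _, ext in der_tlvs(der_tlvs(value)[0][1]):
            fields = der_tlvs(ext)                        # OID, [BOOLEAN critical], OCTET STRING
            oid, ext_value = fields[0][1], fields[-1][1]
            if oid not in KNOWN_EXT or len(ext_value) > max_len:
                findings.append((oid.hex(), len(ext_value)))
    return findings

def tlv(tag, body):
    """DER-encode one TLV (lengths below 65536)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def build_test_cert(payload):
    """Constructed test input, not a real certificate: a skeleton with a serial number plus
    an ordinary basicConstraints extension and a placeholder private-OID extension holding payload."""
    basic = tlv(0x30, tlv(0x06, b"\x55\x1d\x13") + tlv(0x04, tlv(0x30, b"")))
    carrier = tlv(0x30, tlv(0x06, b"\x2b\x06\x01\x04\x01\x00\x01") + tlv(0x04, payload))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, basic + carrier)))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))   # empty sigAlg and signature

if __name__ == "__main__":
    print(suspicious_extensions(build_test_cert(b"\x00" * 1024)))   # [('2b060104010001', 1024)]
```

The same walker can be pointed at certificates captured from a TLS handshake, where a large or unfamiliar extension in a client certificate is a useful triage signal even before its contents are examined.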
John “turbo” Conwell is a data scientist who is focused on identifying threat actor infrastructure and analyzing network telemetry to identify emerging attack techniques. He has over 12 years of experience in data science, and 6 years ago decided to narrow his focus to information security. He has spent an ungodly number of hours collecting, analyzing, and in general thinking about how x509 certificates could be used by threat actors.