Abstract:
This paper introduces and develops Temperance, an adversary emulation framework with which red team operators can quickly reproduce a C2 (Command and Control) infrastructure for simulating a cyber operation. The agent implanted into the target communicates with the C2 server, through which the operator has full remote control of the host. With a standard C2 approach, the network traffic this agent generates can be distinguished from normal user-generated traffic because of its beaconing behavior. The solution introduced and developed in this paper uses a cluster of hops whose size changes dynamically. A hop mediates communication between the agents and the server in a decentralized message-passing style, instead of simply forwarding traffic like an ordinary proxy. Work is delegated from the server to the hops, so the server has to manage fewer active connections. This makes the infrastructure more fault-tolerant, since replacing a hop is faster, simpler, and automatic. Operators can scale the operation because less human intervention is needed to maintain the infrastructure. Some defensive techniques, such as IP banning, become ineffective, since the agents can fall back to the remaining available hops in the cluster. To evaluate the solution, the network traffic of a simulated normal user, of a baseline C2 server, and of Temperance was captured and analyzed. Two machine learning algorithms, trained on the collected data to detect beaconing behavior, were used to compare how well Temperance evades this detection.
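The following Python model is added here as an illustration of the two mechanisms the abstract relies on (beacon regularity as the detection signal, and hop failover when a defender bans an address); it is not Temperance's code or the paper's evaluation pipeline. The hop addresses 10.0.0.x, the "checkin" message, and the coefficient-of-variation threshold standing in for the paper's ML detectors are this example's assumptions. Spreading a fixed-cadence beacon across randomly chosen hops, so that no single destination sees the regular cadence, is likewise this example's own assumption about why relayed traffic looks less regular; the abstract does not state the mechanism.

```python
"""Toy model of a relay-hop C2 cluster plus a beacon-regularity check.

Added illustration, not Temperance's code: hop addresses, the message
format and the CV-threshold detector are this example's assumptions.
"""
import random
import statistics
from dataclasses import dataclass, field


def interarrival_stats(timestamps):
    """(mean, stdev, coefficient of variation) of the gaps between
    consecutive timestamps. A fixed-interval beacon has CV 0; jitter, or
    spreading beacons over several destinations, pushes it up."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        raise ValueError("need at least three timestamps")
    mean = statistics.fmean(gaps)
    stdev = statistics.pstdev(gaps)
    return mean, stdev, (stdev / mean if mean else 0.0)


def looks_like_beacon(timestamps, cv_threshold=0.1):
    """Crude stand-in for the paper's ML detectors: flag a flow whose
    inter-arrival times are too regular (threshold is an assumption)."""
    return interarrival_stats(timestamps)[2] < cv_threshold


@dataclass
class Hop:
    ip: str                                   # hypothetical address
    seen: list = field(default_factory=list)  # beacon times this hop observed


class HopCluster:
    """Hops relay agent messages to the operator server; the server never
    accepts agent connections directly, so it only tracks the hops."""

    def __init__(self, ips):
        self.hops = {ip: Hop(ip) for ip in ips}
        self.banned = set()      # addresses a defender has blocked
        self.server_log = []     # (hop_ip, agent_id, msg) as seen by the server

    def available(self):
        return [h for ip, h in self.hops.items() if ip not in self.banned]

    def ban(self, ip):
        self.banned.add(ip)

    def replace(self, old_ip, new_ip):
        """Automatic hop replacement: retire a banned hop, enrol a fresh one."""
        self.hops.pop(old_ip, None)
        self.hops[new_ip] = Hop(new_ip)

    def relay(self, hop, t, agent_id, msg):
        hop.seen.append(t)
        self.server_log.append((hop.ip, agent_id, msg))


class Agent:
    """Implant that beacons on a fixed cadence but picks a live hop each time."""

    def __init__(self, agent_id, cluster, seed=0):
        self.agent_id = agent_id
        self.cluster = cluster
        self.rng = random.Random(seed)
        self.sent_at = []

    def beacon(self, t, msg="checkin"):
        hops = self.cluster.available()
        if not hops:
            return None              # whole cluster banned: nothing reachable
        hop = self.rng.choice(hops)  # failover is implicit: banned hops are excluded
        self.cluster.relay(hop, t, self.agent_id, msg)
        self.sent_at.append(t)
        return hop.ip


def run(n=60, interval=60.0, ips=("10.0.0.1", "10.0.0.2", "10.0.0.3"), ban_at=20):
    """Simulate n beacons. After `ban_at` beacons the defender bans the first
    hop and the operator side enrols a replacement. Returns (cluster, agent)."""
    cluster = HopCluster(ips)
    agent = Agent("agent-1", cluster, seed=7)
    for k in range(n):
        if k == ban_at:
            cluster.ban(ips[0])
            cluster.replace(ips[0], "10.0.0.99")
        agent.beacon(k * interval)
    return cluster, agent


if __name__ == "__main__":
    cluster, agent = run()
    # The agent's own cadence is perfectly regular (CV 0) ...
    print("agent cadence CV:", round(interarrival_stats(agent.sent_at)[2], 3))
    # ... but each hop, and hence each destination IP a sensor sees, is not.
    for ip, hop in cluster.hops.items():
        if len(hop.seen) >= 3:
            print(ip, "CV:", round(interarrival_stats(hop.seen)[2], 3))
```

Running it shows no beacon is lost across the ban and replacement, and that the per-destination timelines are irregular even though the implant itself never jitters; a detector keyed on a single destination address would need to correlate across the whole cluster to recover the cadence.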