Chapter 5: Endpoint Attacks, Evasion Techniques, and Cryptography
Learning Objectives
Describe endpoint attack methods including buffer overflows, command-and-control (C2) channels, malware taxonomy, and ransomware
Explain evasion and obfuscation techniques: protocol tunneling, encryption abuse, proxy chains, and polymorphic malware
Describe the cryptographic foundations underlying modern security: symmetric and asymmetric encryption, hashing, and key exchange
Identify PKI architecture components, X.509 certificate fields, cipher suite structure, and the role of PKCS standards
Section 1: Endpoint Attack Vectors
Endpoints are rich attack targets — they hold credentials, process sensitive data, and typically trust the user sitting in front of them. Attackers exploit this trust through memory corruption, command infrastructure abuse, and malicious software designed to persist, exfiltrate, or extort.
1.1 Buffer Overflow Attacks
A buffer overflow occurs when a program writes more data to a fixed-size memory region than it can hold. The overflow spills into adjacent memory, allowing an attacker to overwrite the return address and redirect program execution.
The classic exploitation sequence:
Attacker identifies a vulnerable input (e.g., a call to gets() or strcpy() with no bounds check)
Crafted input fills the buffer, overflows into the saved RBP and return address (RIP/EIP)
Return address is overwritten with attacker shellcode, a ROP gadget, or a libc function
When the vulnerable function returns, execution jumps to attacker-controlled code
Modern Mitigations and Bypass Techniques:
Mitigation
Mechanism
Bypass Method
Stack Canary
Random value between buffer and return address; checked before return
Info-leak / format-string to read canary value
ASLR
Randomizes base addresses of stack, heap, libraries
Memory-disclosure to learn offsets; brute-force on 32-bit
Separate safe stacks; CFI enforces valid call targets
Advanced JIT-spraying or corrupted vtable exploitation
Key Points — Buffer Overflows
Buffer overflows overwrite the return address on the stack, redirecting execution to attacker-controlled code.
Modern defenses (ASLR, DEP, stack canary) must be chained to bypass — attackers typically need an info-leak first, then a ROP chain.
ROP chains execute arbitrary behavior using existing code gadgets ending in RET, bypassing DEP without injecting shellcode.
60–70% of modern exploits still target memory corruption vulnerabilities despite decades of mitigations.
Unsafe C functions (gets(), strcpy(), sprintf()) are primary sources of buffer overflow vulnerabilities.
1.2 Command-and-Control (C2) Frameworks
Once an attacker has initial access, they need persistent, bidirectional communication between compromised hosts (implants/beacons) and an operator's server. C2 frameworks provide this infrastructure.
Framework
Notes
Cobalt Strike
Commercial; widely abused by ransomware operators; uses "Beacon" implant
Metasploit Meterpreter
Open-source; flexible staging; encrypted channels
Sliver
Open-source Go-based; designed to replace Cobalt Strike for red teams
Brute Ratel C4
Evades EDR via direct syscalls; emerged 2022
C2 channels include HTTP/HTTPS beaconing (port 80/443 blending with web traffic), DNS-based C2 (commands encoded in DNS queries), and social media/cloud storage (APTs embedding instructions in tweets or GitHub commits).
1.3 Malware Taxonomy
Malware Type
Primary Objective
Persistence
Example
Virus
Self-replication; payload execution
Infects executables
Conficker
Worm
Self-propagation across networks
Exploits network services
WannaCry
Trojan
Backdoor / credential theft
Masquerades as legitimate software
Emotet
Rootkit
Persistent stealthy access
Hooks OS kernel or bootloader
Necurs
Fileless Malware
Evasion; lives in memory only
PowerShell, WMI, registry
PowerSploit
RAT
Full remote control
Service installation
DarkComet
Botnet Agent
DDoS, spam, fraud at scale
C2 beacon with re-install dropper
Mirai
Fileless malware injects into legitimate process memory (svchost.exe), uses PowerShell/WMI as execution engines, and stores configuration in the Windows registry. Detection requires memory forensics and behavioral EDR with AMSI integration.
1.4 Ransomware
Ransomware encrypts victim files and demands payment for the decryption key. Modern "Big Game Hunting" combines data exfiltration with encryption (double extortion). Ransomware-as-a-Service (RaaS) allows affiliates to perform intrusions for a 70–80% revenue share.
flowchart LR
A["Initial Access\n(Phishing / Exploit)"] --> B["Establish C2\n(Beacon)"]
B --> C["Lateral Movement\n(Credential Dump,\nPass-the-Hash)"]
C --> D["Data Exfiltration\n(Double Extortion)"]
D --> E["Deploy Ransomware\nPayload"]
E --> F["Encrypt Files +\nDrop Ransom Note"]
F --> G["Extortion\n(Pay or Data Published)"]
style A fill:#4a0000,color:#f5b7b1,stroke:#c0392b
style B fill:#1a3a5c,color:#cdd9e5,stroke:#2980b9
style C fill:#4a0000,color:#f5b7b1,stroke:#c0392b
style D fill:#2d1b00,color:#f9e4b7,stroke:#f39c12
style E fill:#4a0000,color:#f5b7b1,stroke:#c0392b
style F fill:#4a0000,color:#f5b7b1,stroke:#c0392b
style G fill:#7b0000,color:#f5b7b1,stroke:#922b21
Key Points — Malware & Ransomware
Fileless malware evades traditional AV by executing entirely in memory using PowerShell, WMI, or process injection.
Double extortion ransomware exfiltrates data before encrypting — victims face both operational disruption and data exposure.
RaaS platforms lower the barrier to entry for ransomware attacks; affiliates get 70–80% of ransom payments.
Ransomware defenses: offline immutable backups, network segmentation, least privilege, behavioral EDR, and aggressive patch management.
LockBit and ALPHV (BlackCat) are prominent RaaS groups that pioneered double extortion at scale.
Pre-Check Quiz — Endpoint Attack Vectors
1. What exactly does a buffer overflow attack overwrite to redirect program execution?
2. Which technique allows attackers to bypass DEP/NX without injecting new shellcode?
3. What distinguishes "double extortion" ransomware from traditional ransomware?
4. What makes fileless malware difficult to detect with traditional antivirus?
Section 2: Evasion and Obfuscation Techniques
Maintaining access without triggering detection requires evading firewalls, IDS/IPS, EDR, DLP, and SIEM. Modern evasion targets the visibility gaps in these controls rather than defeating them head-on.
2.1 Protocol Tunneling
Protocol tunneling encapsulates one protocol's traffic inside another — specifically one that security controls allow through without inspection.
DNS Tunneling: DNS is almost universally permitted outbound. Attackers encode arbitrary data inside DNS query names and response records, creating a bidirectional covert channel over port 53.
DNS Tunneling Detection Signals:
Indicator
Normal DNS
Tunneling DNS
Query name length
Short (<50 chars)
Long (100+ chars), high entropy
Query volume per domain
Low
Unusually high burst to single domain
Record types queried
A, AAAA, MX, CNAME
Heavy TXT, NULL, or unusual types
Subdomain entropy
Low (readable words)
High (base64/hex strings)
Response size
Small
Large (TXT records packed with data)
2.2 Encrypted C2 Channels
Attackers abuse encryption to make malicious traffic indistinguishable from legitimate communications. HTTPS C2 over port 443 uses valid TLS certificates (free from Let's Encrypt); DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt DNS queries inside HTTPS, bypassing traditional DNS monitoring.
Behavioral analytics: Beacon periodicity (connections every N seconds with low variance) is detectable even when encrypted
Threat intelligence: IOC feeds for known C2 domains/IPs
TLS inspection: Decrypt traffic at a proxy — legally complex, requires trust store management
2.3 Domain Generation Algorithms (DGAs) and DNS Fast Flux
DGAs are algorithms embedded in malware that generate hundreds of pseudo-random domain names using a seed (often the current date). Blocklisting one domain is useless — hundreds of alternatives are generated daily. DNS Fast Flux rapidly rotates A records (low TTL, ~60 seconds) using a botnet as proxy tier, defeating IP-based blocking.
2.4 Proxy Chains
Proxy chains route malicious traffic through a series of intermediate hosts, obfuscating the true origin. Each proxy knows only the previous and next hop. Common techniques include TOR (multi-hop onion routing), bulletproof hosting, legitimate cloud infrastructure (AWS/Azure/GCP relay nodes), and residential proxy networks.
2.5 Polymorphic and Metamorphic Malware
Type
Mutation Method
AV Evasion
Polymorphic
Encrypts payload with different key each infection; only the decryption stub changes
Each copy has unique binary hash; signature only matches stub
Metamorphic
Rewrites own code logic (substitutes instructions, reorders blocks, inserts junk)
No static signature survives — each instance is structurally different
Packers/Crypters
Compress/encrypt binary; decompress/decrypt at runtime
File-level scan sees only wrapper; behavior detection or sandbox required
Key Points — Evasion Techniques
DNS tunneling exploits the near-universal firewall permission for port 53 to create a covert bidirectional channel.
HTTPS C2 with valid certificates makes malicious traffic opaque to perimeter security without TLS inspection.
JA3/JA3S fingerprinting identifies malware TLS sessions without decryption by hashing ClientHello parameters.
Polymorphic malware changes its encryption wrapper each infection; metamorphic malware rewrites its entire code — both defeat signature-based AV.
DGAs generate hundreds of domains daily from a shared seed; defenders must detect algorithmically-generated domain patterns, not block individual domains.
Post-Check Quiz — Evasion & Obfuscation
5. Why is DNS an attractive protocol for covert C2 channels?
6. What does JA3 fingerprinting analyze to detect malware TLS sessions?
7. What distinguishes metamorphic malware from polymorphic malware?
Section 3: Cryptographic Foundations
Cryptography underpins every security control in this course. The four foundational primitives — symmetric encryption, asymmetric encryption, hashing, and key exchange — are composed together in real-world protocols like TLS.
3.1 Symmetric Encryption
Symmetric encryption uses a single shared secret key for both encryption and decryption. It is fast and suitable for bulk data, but has a key distribution problem: N parties require N×(N−1)/2 unique keys.
Algorithm
Key Size
Type
Notes
AES-128/256
128 or 256 bits
Block (128-bit)
NIST standard; used in TLS, disk encryption, WPA3
ChaCha20
256 bits
Stream
Fast in software; used in TLS 1.3 where AES-NI is unavailable
3DES
168-bit effective
Block (64-bit)
Legacy; deprecated in TLS 1.3
RC4
Variable
Stream
Broken; prohibited in TLS (RFC 7465)
AES Block Modes: CBC (sequential, legacy TLS) → GCM (authenticated encryption AEAD, TLS 1.3/IPsec) → CTR (parallelizable, disk encryption). GCM provides both encryption and integrity in one pass.
3.2 Asymmetric Encryption
Asymmetric encryption uses a mathematically linked key pair. Data encrypted with the public key can only be decrypted by the private key. It solves the key distribution problem but is orders of magnitude slower than symmetric encryption — used only for handshake/authentication, not bulk data.
Algorithm
Based On
Key Size
Common Use
RSA
Integer factorization
2048–4096 bits
Key encipherment, digital signatures
ECDSA
Elliptic curve discrete log
256–384 bits
TLS certificates, code signing
ECDHE
Elliptic curve Diffie-Hellman
256–384 bits
Key exchange in TLS (mandatory in 1.3)
EdDSA (Ed25519)
Edwards-curve
256 bits
SSH keys, JWT signing
3.3 Cryptographic Hashing
A cryptographic hash maps arbitrary input to a fixed-length digest with three key properties: pre-image resistance (can't reverse H(x) to find x), collision resistance (can't find x≠y where H(x)=H(y)), and avalanche effect (one-bit change → completely different digest).
DH solves the problem of establishing a shared secret over an untrusted channel without transmitting the secret. Both parties compute the same value using public and private components; an eavesdropper sees only the public values and cannot compute the shared secret without solving the discrete logarithm problem.
sequenceDiagram
participant A as Alice
participant N as Untrusted Network (Eavesdropper)
participant B as Bob
Note over A,B: Agree publicly on prime p and generator g
A->>N: Publish: p, g
N->>B: Forward: p, g
Note over A: Choose private: a; Compute A = g^a mod p
A->>N: Send public value: A
N->>B: Forward: A
Note over B: Choose private: b; Compute B = g^b mod p
B->>N: Send public value: B
N->>A: Forward: B
Note over A: Compute B^a mod p = g^(ab) mod p
Note over B: Compute A^b mod p = g^(ab) mod p
Note over A,B: Shared secret established ✓
Note over N: Sees p,g,A,B — cannot compute g^(ab) mod p
Ephemeral DH (DHE/ECDHE) generates a new key pair for each TLS session and discards it after use — providing Perfect Forward Secrecy (PFS): past sessions remain secure even if the server's long-term private key is later compromised.
Key Exchange
PFS
Performance
Use
RSA key encipherment
No
Moderate
Legacy TLS 1.2
DHE
Yes
Slower (CPU)
TLS 1.2
ECDHE
Yes
Fast (ECC efficiency)
TLS 1.2 & 1.3 (mandatory)
Key Points — Cryptographic Foundations
Symmetric encryption (AES-GCM) is fast for bulk data; asymmetric (RSA/ECDSA) solves authentication but is too slow for bulk use — TLS combines both.
AES-GCM is an AEAD mode providing both encryption and integrity in a single pass — the standard for TLS 1.3.
SHA-256 is the current standard hash; MD5 and SHA-1 are broken for security purposes and must not be used in new systems.
Diffie-Hellman key exchange establishes a shared secret without transmitting it — security relies on the discrete logarithm problem.
ECDHE provides Perfect Forward Secrecy: each session uses a fresh key pair, so compromising the server's long-term key cannot decrypt past sessions.
Pre-Check Quiz — Cryptographic Foundations
8. Why does TLS use asymmetric cryptography only during the handshake, then switch to symmetric?
9. What property of Perfect Forward Secrecy (PFS) protects past TLS sessions?
10. Which hash algorithm is considered broken due to demonstrated collision attacks and must NOT be used for new security applications?
Section 4: PKI and Certificate Management
A Public Key Infrastructure (PKI) is the system of policies, processes, hardware, software, and people that manages digital certificates and public-key encryption — turning raw asymmetric cryptography into a scalable, trusted identity system.
4.1 PKI Architecture
The core problem PKI solves: how does Alice know a public key actually belongs to Bob and not an attacker performing MitM? A trusted third party — a Certificate Authority (CA) — signs a certificate binding a public key to an identity.
Component
Role
Root CA
Self-signed trust anchor; kept offline in HSM vaults; signs Intermediate CA certificates
Intermediate CA
Signs end-entity certificates; online; limits exposure of Root CA private key
End-Entity Certificate
Issued to servers, users, or devices; contains public key + identity + validity + extensions
Registration Authority (RA)
Verifies identity before certificate issuance
OCSP Responder
Real-time revocation status: returns "good", "revoked", or "unknown"
TLS 1.3 removes key exchange and authentication from the suite name (negotiated separately). Only AEAD cipher + hash remain: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256.
Weak/Prohibited Cipher Suites to Block:
TLS_RSA_* — No PFS; key exchange via RSA encipherment
*_RC4_* — RC4 is cryptographically broken
*_3DES_* — Sweet32 birthday attack; deprecated
*_NULL_* — No encryption; plaintext
*_EXPORT_* — 40/56-bit keys; intentionally weak (Cold War era)
CSR format sent to CA when requesting a certificate
.csr, .req
PKCS#11
Cryptoki
API for hardware tokens (HSMs, smart cards)
API standard
PKCS#12
Personal Information Exchange
Bundles private key + certificate + chain into encrypted archive
.pfx, .p12
Certificate Revocation:
Method
Mechanism
Pros
Cons
CRL
Download list of revoked serial numbers
Simple; no real-time dependency
Stale; large files
OCSP
Real-time query per certificate
Timely; small response
Privacy (CA learns what you check); responder availability
OCSP Stapling
Server includes OCSP response in TLS handshake
Privacy-preserving; no client-to-CA connection
Server must refresh regularly
CRLite / OneCRL
Browser-bundled compressed revocation sets
No real-time dependency; privacy
Browser-specific; update cycle
Key Points — PKI and Certificate Management
PKI uses a hierarchy of CAs to solve the trust problem: Root CAs are kept offline (HSM vaults); intermediates sign end-entity certificates online.
X.509v3 SAN (Subject Alternative Name) extension is the authoritative field for hostname binding in modern TLS — the legacy CN field is deprecated for this purpose.
TLS certificate chain validation requires signature verification from leaf → intermediate → root, plus validity period, revocation, hostname, and EKU checks.
OCSP Stapling solves OCSP privacy concerns by having the server pre-fetch and present the revocation response — eliminating the client-to-CA connection.
PKCS#12 (.pfx/.p12) bundles private key + certificate + chain into a single encrypted archive — the standard format for deploying certificates to web servers.
Post-Check Quiz — PKI and Certificate Management
11. Why do PKI hierarchies use Intermediate CAs rather than having the Root CA sign all end-entity certificates directly?
12. Which X.509v3 extension is the authoritative field for hostname binding in modern TLS (replacing the legacy CN field)?
13. What does PKCS#12 (.pfx / .p12) bundle together?
14. In TLS 1.3, which of the following is no longer included in the cipher suite name?
15. What problem does OCSP Stapling solve compared to standard OCSP?