Date of Award: Fall 10-2025
Document Type: Dissertation
Degree Name: Doctor of Philosophy in Cyber Operations (PhDCO)
First Advisor: Cody Welu
Second Advisor: Tyler Flaagan
Third Advisor: Blake Anderson
Abstract
Fingerprinting refers to the process of identifying detailed information about a system, a technique employed by both defenders and attackers. Active fingerprinting is crucial for identifying dynamic and short-lived Command and Control (C2) infrastructure. Although passive fingerprinting techniques are widely used in security, active fingerprinting enhances visibility by directly interacting with target systems and servers. Existing detection methods, whether passive monitoring or active probing, identify servers as malicious but rarely attribute them to a specific framework. This study aimed to design and validate an active fingerprinting artifact, C2PROBER, capable of identifying and labeling open-source C2 frameworks through HTTP and TLS probing. The artifact was developed in Python and driven by YAML-based rules that defined the unique requests to probe with, the response signatures to match, and the confidence-scoring logic used to identify and label C2 frameworks. Each probe request elicited a distinctive response behavior produced through customized HTTP methods, protocol versions, URIs, and header manipulation, complemented by TLS fingerprint extraction via JARM and X.509 certificate analysis. This research addressed two research questions: 1) Can active fingerprinting techniques identify and label C2 frameworks? 2) Can the HTTP response of a C2 server be parsed effectively to obtain unique artifacts (such as response headers, error messages, and patterns) that identify the C2 frameworks Sliver, Empire, and Metasploit? The research methodology followed Wieringa's Design Science Research (DSR) and validated the artifact using a Single-Case Mechanism Experiment (SCME). The evaluation metrics, including the confusion matrix, precision, recall, and F1 score, demonstrated high detection accuracy, indicating the artifact's ability to differentiate between C2 infrastructure and benign servers with minimal false positives.
The findings revealed that active probing remains a practical approach for identifying and labeling C2 frameworks. This research contributes a modular, reproducible, and extensible fingerprinting mechanism and advances fingerprinting from detection to actionable attribution, thereby improving threat intelligence and defense.
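The abstract describes rule-driven labeling (probe request, response signatures, confidence scoring) and an evaluation by confusion matrix, precision, recall and F1. The following Python is an added illustration of that mechanism and is not C2PROBER's code: the rule layout, the framework labels ("framework-a", "framework-b"), the signature strings, the thresholds and the HTTP responses are all constructed assumptions, and the rules are plain dicts shaped the way a YAML rule file would load. It runs entirely offline against the embedded sample responses, so it shows the scoring and the metric computation rather than any probing of live hosts.

```python
"""Rule-driven labelling of HTTP probe responses with confidence scoring.

Added example, not the C2PROBER code. Framework names, signatures,
thresholds and responses below are constructed for illustration.
"""
import re

# Constructed rule set for two hypothetical frameworks. Weights are integer
# percentages so that scores add exactly; a response receives a label only
# when the best-scoring rule reaches its own threshold.
RULES = [
    {
        "framework": "framework-a",
        "probe": {"method": "GET", "path": "/", "version": "HTTP/1.1"},
        "threshold": 60,
        "signatures": [
            {"field": "header", "name": "Server", "regex": r"^ExampleHTTPd/1\.", "weight": 50},
            {"field": "status", "regex": r"^404$", "weight": 20},
            {"field": "body", "regex": r"not found", "weight": 30},
        ],
    },
    {
        "framework": "framework-b",
        "probe": {"method": "HEAD", "path": "/index.php", "version": "HTTP/1.0"},
        "threshold": 70,
        "signatures": [
            {"field": "version", "regex": r"^HTTP/1\.0$", "weight": 40},
            {"field": "header", "name": "Set-Cookie", "regex": r"^session=", "weight": 30},
            # The absence of a header is a signal too: no Server banner at all.
            {"field": "header", "name": "Server", "absent": True, "weight": 30},
        ],
    },
]


def parse_response(raw):
    """Split a raw HTTP response into version, status, headers (lower-cased keys) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    version = parts[0]
    status = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": status, "headers": headers, "body": body}


def _field_value(resp, sig):
    if sig["field"] == "header":
        return resp["headers"].get(sig["name"].lower())
    return resp[sig["field"]]


def score_rule(resp, rule):
    """Sum the weights of every signature that matches; unmatched ones add nothing."""
    score = 0
    for sig in rule["signatures"]:
        value = _field_value(resp, sig)
        if sig.get("absent"):
            matched = value is None
        else:
            matched = value is not None and re.search(sig["regex"], value) is not None
        if matched:
            score += sig["weight"]
    return score


def label_response(raw, rules=RULES):
    """Return (framework label or "unknown", best score) for one raw response."""
    resp = parse_response(raw)
    best_rule, best_score = None, -1
    for rule in rules:
        s = score_rule(resp, rule)
        if s > best_score:
            best_rule, best_score = rule, s
    if best_rule is not None and best_score >= best_rule["threshold"]:
        return best_rule["framework"], best_score
    return "unknown", max(best_score, 0)


def evaluate(samples, rules=RULES):
    """Binary C2-vs-benign confusion matrix plus precision, recall, F1 and label accuracy.

    samples: list of (raw_response, expected_label); "unknown" means benign.
    """
    tp = fp = fn = tn = correct = 0
    for raw, expected in samples:
        predicted, _ = label_response(raw, rules)
        correct += predicted == expected
        is_c2, said_c2 = expected != "unknown", predicted != "unknown"
        if said_c2 and is_c2:
            tp += 1
        elif said_c2:
            fp += 1
        elif is_c2:
            fn += 1
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "f1": 2 * tp / (2 * tp + fp + fn) if tp else 0.0,
        "label_accuracy": correct / len(samples) if samples else 0.0,
    }


# Constructed responses standing in for what each probe would elicit.
RESP_A = "HTTP/1.1 404 Not Found\r\nServer: ExampleHTTPd/1.2\r\nContent-Length: 9\r\n\r\nnot found"
RESP_B = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: session=abc123\r\n\r\n<html>ok</html>"
RESP_BENIGN = "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"
# Only the two weaker framework-a signatures fire here, so the score stays under its threshold.
RESP_PARTIAL = "HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\nnot found"

SAMPLES = [(RESP_A, "framework-a"), (RESP_B, "framework-b"),
           (RESP_BENIGN, "unknown"), (RESP_PARTIAL, "framework-a")]

if __name__ == "__main__":
    for raw, expected in SAMPLES:
        print(expected, "->", label_response(raw))
    print(evaluate(SAMPLES))
```

The threshold is what keeps a partial match (a 404 with "not found" in the body, which many ordinary servers produce) from being attributed, and the fourth sample shows the cost of that choice: it becomes a false negative, lowering recall while precision stays at 1.0. Tuning weights and thresholds per framework against a labelled corpus of C2 and benign responses is exactly the trade-off the confusion-matrix metrics in the abstract are meant to expose.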
Recommended Citation
Adhikari, Subash, "C2PROBER: A Framework to Identify and Label C2 Frameworks" (2025). Masters Theses & Doctoral Dissertations. 499.
https://scholar.dsu.edu/theses/499