Politecnico di Torino

Developing a Proof-of-Concept malware detection engine for Cisco Secure Endpoint

Alessandro Pisani

Developing a Proof-of-Concept malware detection engine for Cisco Secure Endpoint.

Rel. Cataldo Basile. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2022

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.

In recent years, exploits for SMB vulnerabilities such as EternalBlue and EternalRomance have been released and integrated into malware and attack frameworks. Exploits for NTLM vulnerabilities such as Rotten Potato have been integrated into tools like Juicy Potato, Mimikatz and Metasploit. While Cisco has been asking its customers to apply vendor patches to protect themselves from these vulnerabilities, it was not providing any visibility into, detection of, or prevention of them. Even if an enterprise is patched against these attacks, customers expect Cisco to detect an attempt. Therefore, the main challenge is to research how Cisco Secure Endpoint may detect network-based attacks against the endpoint or originating from it, while taking into account context, such as which local application is the source or destination of the network traffic. In a second instance, the thesis investigates whether the solutions could be used to prevent the attacks in addition to detecting them. The need for a way to define rules which provide visibility into specific protocol types or detect specific attack patterns can be fully handled by the Snort IPS/IDS. Currently this solution is not portable across all the Secure Endpoint supported platforms, in particular Windows. For this reason, the goal is to build Snort 3 on Windows and integrate it into Cisco Secure Endpoint in order to detect network-based attacks such as EternalBlue, EternalRomance, Zerologon, DCShadow and DCSync.

Advisor: Cataldo Basile
Academic year: 2021/22
Publication type: Electronic
Number of pages: 81
Degree programme: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Partner companies: Cisco Systems France
URI: http://webthesis.biblio.polito.it/id/eprint/22598