Gh0st in the Dshell: Decoding Undocumented Protocols

While many types of malware use well-documented protocols, such as HTTP, HTTPS, or IRC for command and control, any network traffic analyst will eventually encounter malware that uses an undocumented, custom protocol. This traffic is sometimes encrypted but often relies on simple obfuscation...

By

David Martin

June 3, 2016

All papers are copyrighted. No re-posting of papers is permitted

Related Content

ransomware 25 340x340.png

Digital Forensics, Incident Response & Threat Hunting, Cyber Defense, Offensive Operations, Pen Testing, and Red Teaming

Visual Summary of SANS Ransomware Summit 2025

Check out these graphic recordings created in real-time throughout the event for SANS Ransomware Summit 2025

emerging threats summit 340x340.png

Digital Forensics, Incident Response & Threat Hunting, Offensive Operations, Pen Testing, and Red Teaming, Cyber Defense, Industrial Control Systems Security, Cybersecurity Leadership

Visual Summary of SANS Emerging Threats Summit 2025

Check out these graphic recordings created in real-time throughout the event for SANS Emerging Threats Summit 2025

CD - Blog - Making Linux Security Accessible Blog Series - Part 5 -340 x 340.jpg

Network Security Basics: Connecting Safely – Part 5 of 5 of the Terminal Techniques for You (TTY): Making Linux Security Accessible Blog Series

Secure your Linux system by managing open ports, configuring firewalls, and using SSH best practices to minimize exposure to cyber threats.

Charles Goldner