Authors: Kevin Lamshöft, Tom Neubert, Jonas Hielscher, Claus Vielhauer, Jana Dittmann



In this paper we perform a threat analysis for a covert Command and Control (C2) channel using port scans as cover and syslog as carrier for data infiltration. We describe a theoretical threat scenario in which an adversary makes use of known covert channels in TCP and DNS, and propose a novel method for hiding information in TCP ports scans and the resulting (sys)logs as a carrier for hidden messages. For forensic purposes, we provide details on Indicators-of-Compromise (IoC) as well as mitigating measures aiming at preventing the covert channel apriori. Moreover, we propose a novel detection scheme in order to identify and prevent such threats hidden in port scans and evaluate its effectiveness using datasets generated by a proof of concept implementation of the proposed covert channel based threat scenario.