{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T20:10:02Z","timestamp":1755893402204,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":53,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,6,19]],"date-time":"2024-06-19T00:00:00Z","timestamp":1718755200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,6,19]]},"DOI":"10.1145\/3714393.3726496","type":"proceedings-article","created":{"date-parts":[[2025,6,4]],"date-time":"2025-06-04T18:38:47Z","timestamp":1749062327000},"page":"359-370","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["CryptMove: Moving Stealthily through Legitimate and Encrypted Communication Channels"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-8463-3449","authenticated-orcid":false,"given":"Md Rabbi","family":"Alam","sequence":"first","affiliation":[{"name":"University of North Carolina at Charlotte, Charlotte, NC, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6982-7386","authenticated-orcid":false,"given":"Jinpeng","family":"Wei","sequence":"additional","affiliation":[{"name":"University of North Carolina at Charlotte, Charlotte, NC, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5729-2898","authenticated-orcid":false,"given":"Qingyang","family":"Wang","sequence":"additional","affiliation":[{"name":"Louisiana State University, Baton Rouge, LA, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,6,4]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"https:\/\/www.kernel.org \/doc\/Documentation\/security\/Yama.txt. Accessed","author":"Yama","year":"2024","unstructured":"Yama linux security module. https:\/\/www.kernel.org \/doc\/Documentation\/security\/Yama.txt. Accessed May 2024."},{"key":"e_1_3_2_1_2_1","volume-title":"https:\/\/github.com\/sindresorhus\/guides\/blob\/master\/npm-global-without-sudo.md","author":"Linux Install","year":"2019","unstructured":"Install npm packages globally without sudo on macOS and Linux. https:\/\/github.com\/sindresorhus\/guides\/blob\/master\/npm-global-without-sudo.md, 2019. Accessed April 2024."},{"key":"e_1_3_2_1_3_1","first-page":"181","volume-title":"RAID","author":"Ah-Fat Patrick","year":"2020","unstructured":"Patrick Ah-Fat, Michael Huth, Rob Mead, Tim Burrell, and Joshua Neil. Effective detection of credential thefts from windows memory: Learning access behaviours to local security authority subsystem service. In RAID, pages 181--194, 2020."},{"volume-title":"https:\/\/angr.io\/. Accessed","year":"2023","key":"e_1_3_2_1_4_1","unstructured":"Angr. Angr. https:\/\/angr.io\/. Accessed May 2023."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/3552326.3587439"},{"key":"e_1_3_2_1_6_1","volume-title":"BlackHat Briefings","author":"Boileau Adam","year":"2005","unstructured":"Adam Boileau. Trust Transience: Post Intrusion SSH Hijacking. In BlackHat Briefings, August 2005."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-24174-6_4"},{"key":"e_1_3_2_1_8_1","volume-title":"February","author":"CISA.","year":"2022","unstructured":"CISA. Iran-Based Threat Actor Exploits VPN Vulnerabilities. https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa20--259a, February 2022."},{"volume-title":"OpenSSH CryptMove Demo. https:\/\/cryptmove.s3.us-east-2.amazonaws.com\/OpensshCryptMove.mp4. Accessed dec","year":"2024","key":"e_1_3_2_1_9_1","unstructured":"CryptMove. OpenSSH CryptMove Demo. https:\/\/cryptmove.s3.us-east-2.amazonaws.com\/OpensshCryptMove.mp4. Accessed dec 2024."},{"volume-title":"PuTTY CryptMove Demo. https:\/\/cryptmove.s3.us-east-2.amazonaws.com\/puttyCryptMove.mp4. Accessed","year":"2024","key":"e_1_3_2_1_10_1","unstructured":"CryptMove. PuTTY CryptMove Demo. https:\/\/cryptmove.s3.us-east-2.amazonaws.com\/puttyCryptMove.mp4. Accessed Dec 2024."},{"volume-title":"WinSCP CryptMove Demo. https:\/\/cryptmove.s3.us-east-2.amazonaws.com\/WinSCP.mp4. Accessed","year":"2024","key":"e_1_3_2_1_11_1","unstructured":"CryptMove. WinSCP CryptMove Demo. https:\/\/cryptmove.s3.us-east-2.amazonaws.com\/WinSCP.mp4. Accessed Dec 2024."},{"key":"e_1_3_2_1_12_1","unstructured":"Benjamin Delpy and Vincent Le Toux. Mimikatz. Mimikatz 2014."},{"key":"e_1_3_2_1_13_1","volume-title":"The transport layer security (tls) protocol version 1.2. Technical report","author":"Dierks Tim","year":"2008","unstructured":"Tim Dierks and Eric Rescorla. The transport layer security (tls) protocol version 1.2. Technical report, 2008."},{"key":"e_1_3_2_1_14_1","volume-title":"Blackhat USA 2013 White Papers","author":"Duckwall S.","year":"2013","unstructured":"S. Duckwall and C. Campbell. Hello, my name is Microsoft and I have a credential problem. In Blackhat USA 2013 White Papers, 2013. https:\/\/media.blackhat.com\/us-13\/US-13-Duckwall-Pass-the-Hash-WP.pdf."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/1629575.1629605"},{"key":"e_1_3_2_1_16_1","unstructured":"Steve Friedl. An Illustrated Guide to SSH Agent Forwarding. http:\/\/www.unixwiz.net\/techtips\/ssh-agent-forwarding.html 2006. Accessed December 2023."},{"key":"e_1_3_2_1_17_1","volume-title":"February","author":"Fruhlinger Josh","year":"2020","unstructured":"Josh Fruhlinger. Equifax data breach FAQ: What happened, what was the impact? https:\/\/www.csoonline.com\/article\/3444488\/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html, February 2020."},{"key":"e_1_3_2_1_18_1","volume-title":"GCMAN and Carbanak 2.0 attacks. https:\/\/securelist.com\/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks\/73638\/","author":"COMPUTER INCIDENTS INVESTIGATION DEPARTMENT","year":"2022","unstructured":"COMPUTER INCIDENTS INVESTIGATION DEPARTMENT GREAT. APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks. https:\/\/securelist.com\/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks\/73638\/, February 2022."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_3"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"e_1_3_2_1_21_1","unstructured":"Sarah Hawley Ben Read Cristiana Brafman-Kittner Nalani Fraser Andrew Thompson Yuri Rozhansky and Sanaz Yashar. Apt39: An iranian cyber espionage group focused on personal information. In Technical Report. Mandiant 2019."},{"key":"e_1_3_2_1_22_1","first-page":"3093","volume-title":"USENIX Security Symposium","author":"Ho Grant","year":"2021","unstructured":"Grant Ho, Mayank Dhiman, Devdatta Akhawe, Vern Paxson, Stefan Savage, Geoffrey M Voelker, and David A Wagner. Hopper: Modeling and detecting lateral movement. In USENIX Security Symposium, pages 3093--3110, 2021."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC3686"},{"key":"e_1_3_2_1_24_1","volume-title":"December","author":"Jansen Wouter","year":"2022","unstructured":"Wouter Jansen. Abusing cloud services to fly under the radar. https:\/\/research.nccgroup.com\/2021\/01\/12\/abusing-cloud-services-to-fly-under-the-radar\/, December 2022."},{"key":"e_1_3_2_1_25_1","volume-title":"process_vm_read(2) - Linux man page. https:\/\/man7.org\/linux\/man-pages\/man2\/process_vm_readv.2.html","author":"Kerrisk Michael","year":"2022","unstructured":"Michael Kerrisk. process_vm_read(2) - Linux man page. https:\/\/man7.org\/linux\/man-pages\/man2\/process_vm_readv.2.html, 2022. Accessed May 2024."},{"key":"e_1_3_2_1_26_1","volume-title":"February","author":"VYACHESLAV","year":"2023","unstructured":"VYACHESLAV KOPEYTSEV. Lazarus targets defense industry with ThreatNeedle. https:\/\/securelist.com\/lazarus-threatneedle\/100803\/, February 2023."},{"key":"e_1_3_2_1_27_1","volume-title":"Network and Distributed System Security Symposium","author":"Lee Jonghyup","year":"2011","unstructured":"Jonghyup Lee, Thanassis Avgerinos, and David Brumley. Tie: Principled reverse engineering of types in binary programs. In Network and Distributed System Security Symposium, 2011."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2714576.2714639"},{"key":"e_1_3_2_1_29_1","volume-title":"Network and Distributed System Security Symposium","author":"Lin Zhiqiang","year":"2011","unstructured":"Zhiqiang Lin, Junghwan John Rhee, X. Zhang, Dongyan Xu, and Xuxian Jiang. Siggraph: Brute force scanning of kernel data structure instances using graph-based signatures. In Network and Distributed System Security Symposium, 2011."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363224"},{"key":"e_1_3_2_1_31_1","unstructured":"Chris M. Lonvick and Tatu Ylonen. The Secure Shell (SSH) Connection Protocol. RFC 4254."},{"key":"e_1_3_2_1_32_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Meijer Carlo","year":"2021","unstructured":"Carlo Meijer, Veelasha Moonsamy, and Jos Wetzels. Where's crypto?: Automated identification and classification of proprietary cryptographic primitives in binary code. In 30th USENIX Security Symposium (USENIX Security 21), 2021."},{"key":"e_1_3_2_1_33_1","volume-title":"Unofficial guide to mimikatz & command reference. https:\/\/adsecurity.org\/?page_id=1821","author":"Metcalf S.","year":"2018","unstructured":"S. Metcalf. Unofficial guide to mimikatz & command reference. https:\/\/adsecurity.org\/?page_id=1821, 2018. Accessed February 2019."},{"volume-title":"Event Tracing for Windows (ETW). https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/devtest\/event-tracing-for-windows--etw-. Accessed","year":"2023","key":"e_1_3_2_1_34_1","unstructured":"Microsoft. Event Tracing for Windows (ETW). https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/devtest\/event-tracing-for-windows--etw-. Accessed May 2023."},{"volume-title":"ReadProcessMemory function. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/memoryapi\/nf-memoryapi-readprocessmemory. Accessed","year":"2024","key":"e_1_3_2_1_35_1","unstructured":"Microsoft. ReadProcessMemory function. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/memoryapi\/nf-memoryapi-readprocessmemory. Accessed January 2024."},{"volume-title":"Security Support Provider Interface (SSPI). https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/rpc\/security-support-provider-interface-sspi-. Accessed","year":"2024","key":"e_1_3_2_1_36_1","unstructured":"Microsoft. Security Support Provider Interface (SSPI). https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/rpc\/security-support-provider-interface-sspi-. Accessed January 2024."},{"key":"e_1_3_2_1_37_1","volume-title":"Automated adversary emulation: A case for planning and acting with unknowns","author":"Miller Doug","year":"2018","unstructured":"Doug Miller, Ron Alford, Andy Applebaum, Henry Foster, Caleb Little, and Blake Strom. Automated adversary emulation: A case for planning and acting with unknowns. 2018."},{"key":"e_1_3_2_1_38_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Niakanlahiji Amirreza","year":"2020","unstructured":"Amirreza Niakanlahiji, Jinpeng Wei, Md Rabbi Alam, Qingyang Wang, and Bei-Tseng Chu. Shadowmove: A stealthy lateral movement strategy. In 29th USENIX Security Symposium (USENIX Security 20), 2020."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC8439"},{"key":"e_1_3_2_1_40_1","first-page":"197","author":"Vincent Rijmen Joan Daemen","year":"2001","unstructured":"Joan Daemen Vincent Rijmen. Specification for the advanced encryption standard (aes). Federal Information Processing Standards Publication, 197, 2001.","journal-title":"Federal Information Processing Standards Publication"},{"volume-title":"2017 32nd IEEE\/ACM International Conference on Automated Software Engineering.","author":"Rupprecht Thomas","key":"e_1_3_2_1_41_1","unstructured":"Thomas Rupprecht, Xi Chen, David H. White, Jan H. Boockmann, Gerald L\u00fcttgen, and Herbert Bos. Dsibin: Identifying dynamic data structures in c\/c binaries. 2017 32nd IEEE\/ACM International Conference on Automated Software Engineering."},{"key":"e_1_3_2_1_42_1","volume-title":"Cobalt strike 3.0. Technical report","author":"Seazzu Luca","year":"2016","unstructured":"Luca Seazzu. Cobalt strike 3.0. Technical report, Sandia National Lab.(SNL-NM), Albuquerque, NM (United States), 2016."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134003"},{"key":"e_1_3_2_1_45_1","volume-title":"Network and Distributed System Security Symposium","author":"Slowinska Asia","year":"2011","unstructured":"Asia Slowinska, Traian Stancescu, and Herbert Bos. Howard: A dynamic excavator for reverse engineering data structures. In Network and Distributed System Security Symposium, 2011."},{"key":"e_1_3_2_1_46_1","volume-title":"USENIX Security","volume":"2001","author":"Song Dawn Xiaodong","year":"2001","unstructured":"Dawn Xiaodong Song, Wagner, et al. Timing analysis of keystrokes and timing attacks on ssh. In USENIX Security, volume 2001, 2001."},{"key":"e_1_3_2_1_47_1","volume-title":"February","author":"COUNTER THREAT UNIT RESEARCH","year":"2023","unstructured":"COUNTER THREAT UNIT RESEARCH TEAM. BRONZE UNION Cyberespionage Persists Despite Disclosures. https:\/\/www.secureworks.com\/research\/bronze-union, February 2023."},{"key":"e_1_3_2_1_48_1","volume-title":"April","author":"Project The","year":"2003","unstructured":"The OpenSSL Project. OpenSSL: The open source toolkit for SSL\/TLS. www.openssl.org, April 2003."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11212-1_14"},{"volume-title":"StackScraper - Capturing data using real-time stack scanning against a remote process. https:\/\/www.x86matthew.com\/view_post?id=stack_scraper","year":"2023","key":"e_1_3_2_1_50_1","unstructured":"x86matthew. StackScraper - Capturing data using real-time stack scanning against a remote process. https:\/\/www.x86matthew.com\/view_post?id=stack_scraper. Nov 2023."},{"volume-title":"2024 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society.","author":"Xu Jiacen","key":"e_1_3_2_1_51_1","unstructured":"Jiacen Xu, Xiaokui Shu, and Zhou Li. Understanding and bridging the gap between unsupervised network representation learning and security analytics. In 2024 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society."},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00051"},{"key":"e_1_3_2_1_53_1","volume-title":"SPAM: stateless permutation of application memory. CoRR, abs\/2007.13808","author":"Ibn Ziad Mohamed Tarek","year":"2020","unstructured":"Mohamed Tarek Ibn Ziad, Miguel A. Arroyo, and Simha Sethumadhavan. SPAM: stateless permutation of application memory. CoRR, abs\/2007.13808, 2020. graphy"}],"event":{"name":"CODASPY '25: Fifteenth ACM Conference on Data and Application Security and Privacy","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Pittsburgh PA USA","acronym":"CODASPY '25"},"container-title":["Proceedings of the Fifteenth ACM Conference on Data and Application Security and Privacy"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3714393.3726496","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3714393.3726496","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T19:56:17Z","timestamp":1755892577000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3714393.3726496"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,6,19]]},"references-count":53,"alternative-id":["10.1145\/3714393.3726496","10.1145\/3714393"],"URL":"https:\/\/doi.org\/10.1145\/3714393.3726496","relation":{},"subject":[],"published":{"date-parts":[[2024,6,19]]},"assertion":[{"value":"2025-06-04","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}