Webinar takeaway - Malware of the Day - Jean-Christoph von Oertzen

My key takeaways

"Malware of the Day" is about simulating one malware or exploit that was found "in the wild"
why? to share with the public so that we can test our security detection abilities in place
- sharing (safe) PCAPs with identified C2 methods and network traffic patterns
smoke detectors are not build to prevent fires. They are meant to detect fires and alert someone to mitigate the fire.
We have to trust some security controls like automotive airbags; tests are destructive, so had not been testet on my car; I trust it anyway
- Otherwise we have to test the tools
- reduces the number of "what if’s"
to get most out of the blog posts, do not initially read the post, but donwload and test the PCAP first
a long time between signals will also avoid detection
- shorter beaconing time will require some jitter
- also very long (aka permanent) connections might be used as C2 connection as well
if testing with PCAP, remember that there is no much noise in it
- will you be able to catch it also in a noisier RL situation?

cbrenton-acm — heute um 20:37 Uhr
Some command examples from the tool they are talking about:
Sunburst
beacon-simulator.sh 165.227.91.97 80 900 90 tcp &
UDP payload jitter
beacon-simulator.sh 167.172.135.27 514 300 0 udp 256 &
WWMB — heute um 20:42 Uhr
@1aBonline Popular excuse why networks packets are late: "A shark bit my wire, and I had to fix it." #protolol
Robin — heute um 20:56 Uhr
you could use dnscat2 for testing dns beacons too