March 2

Webinar takeaway – Malware of the Day

0  comments

My key takeaways

  • "Malware of the Day" is about simulating one malware or exploit that was found "in the wild"
  • why? to share with the public so that we can test our security detection abilities in place
    • sharing (safe) PCAPs with identified C2 methods and network traffic patterns
  • smoke detectors are not build to prevent fires. They are meant to detect fires and alert someone to mitigate the fire.
  • We have to trust some security controls like automotive airbags; tests are destructive, so had not been testet on my car; I trust it anyway
    • Otherwise we have to test the tools
    • reduces the number of "what if’s"
  • to get most out of the blog posts, do not initially read the post, but donwload and test the PCAP first
  • a long time between signals will also avoid detection
    • shorter beaconing time will require some jitter
    • also very long (aka permanent) connections might be used as C2 connection as well
  • if testing with PCAP, remember that there is no much noise in it
    • will you be able to catch it also in a noisier RL situation?

Env

additional links

User comments

  • cbrenton-acm — heute um 20:37 Uhr
    Some command examples from the tool they are talking about:
    Sunburst
    beacon-simulator.sh 165.227.91.97 80 900 90 tcp &
    UDP payload jitter
    beacon-simulator.sh 167.172.135.27 514 300 0 udp 256 &

  • WWMB — heute um 20:42 Uhr
    @1aBonline Popular excuse why networks packets are late: "A shark bit my wire, and I had to fix it." #protolol

  • Robin — heute um 20:56 Uhr
    you could use dnscat2 for testing dns beacons too


Tags

anomaly detection, beacon, C2, home network, pcap, threathunting


You may also like

Webinar takeaway – Applying The Threat Hunter’s Runbook

Webinar takeaway – Applying The Threat Hunter’s Runbook

Webinar takeaway – The Ins and Outs of RITA

Webinar takeaway – The Ins and Outs of RITA
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}