My key takeaways
- "Malware of the Day" is about simulating one malware or exploit that was found "in the wild"
- why? to share with the public so that we can test our security detection abilities in place
- sharing (safe) PCAPs with identified C2 methods and network traffic patterns
- smoke detectors are not built to prevent fires. They are meant to detect fires and alert someone to mitigate the fire.
- We have to trust some security controls, like automotive airbags; tests are destructive, so they have not been tested on my car; I trust it anyway
- Otherwise we have to test the tools
- reduces the number of "what if’s"
- to get the most out of the blog posts, do not initially read the post, but download and test the PCAP first
- a long time between signals will also avoid detection
- shorter beaconing time will require some jitter
- also very long (aka permanent) connections might be used as C2 connection as well
- if testing with a PCAP, remember that there is not much noise in it
- will you be able to catch it also in a noisier RL situation?
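Added example (mine, not from the webinar, these notes, or Active Countermeasures' tools): a small beacon-timing check of the kind the notes on interval length and jitter imply, run over constructed connection timestamps. The `SAMPLE` series and the RFC 5737 addresses are made up; the thresholds are assumptions, not values from the talk.

```python
# Score per-(src, dst) connection timing for beacon-like regularity.
# Regular intervals with small jitter score high; bursty browsing scores low;
# very long intervals yield too few samples in a short capture and are skipped,
# which is exactly how a slow beacon evades this kind of check.
from statistics import median


def beacon_score(timestamps, min_conns=6):
    """Return (median_interval, relative_jitter, score) for a list of connection
    start times in seconds, or None when there are too few connections."""
    ts = sorted(timestamps)
    if len(ts) < min_conns:
        return None
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    med = median(intervals)
    if med <= 0:
        return None
    # median absolute deviation of the intervals, relative to the median interval
    mad = median(abs(i - med) for i in intervals)
    rel_jitter = mad / med
    score = max(0.0, 1.0 - rel_jitter)   # 1.0 = perfectly regular timing
    return med, rel_jitter, score


def find_beacons(connections, threshold=0.8, min_conns=6):
    """connections: {(src, dst): [timestamps]} -> [(pair, median, jitter, score)]
    for every pair whose regularity score reaches the threshold, best first."""
    hits = []
    for pair, ts in connections.items():
        result = beacon_score(ts, min_conns)
        if result is not None and result[2] >= threshold:
            hits.append((pair,) + result)
    return sorted(hits, key=lambda h: h[3], reverse=True)


def _cumulative(start, intervals):
    ts = [start]
    for gap in intervals:
        ts.append(ts[-1] + gap)
    return ts


# Constructed sample data (not from a real capture).
SAMPLE = {
    # simulated 900 s beacon with up to +/-90 s of jitter
    ("10.0.0.5", "203.0.113.7"): _cumulative(
        1_700_000_000, [923, 859, 967, 888, 988, 825, 905, 934, 840, 911]),
    # bursty, browsing-like traffic to a web host
    ("10.0.0.5", "198.51.100.20"): _cumulative(
        1_700_000_000, [2, 1, 300, 4, 1, 1800, 3, 2, 7200, 1]),
    # 6-hour beacon: only 4 connections in a day-long capture, so it is skipped
    ("10.0.0.9", "203.0.113.7"): _cumulative(1_700_000_000, [21600] * 3),
}
```

On a real capture, feed it connection start times per source/destination pair (for example from Zeek conn logs) and expect more noise than in a simulated PCAP: short-interval bursts from normal clients are the usual false positives, and the `min_conns` floor is what lets a slow beacon through.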
Provided by Active Countermeasures
- Keith Chew
- Bill Sterns
cbrenton-acm — today at 20:37
Some command examples from the tool they are talking about:
beacon-simulator.sh 184.108.40.206 80 900 90 tcp &
UDP payload jitter
beacon-simulator.sh 220.127.116.11 514 300 0 udp 256 &
WWMB — today at 20:42
@1aBonline Popular excuse why network packets are late: "A shark bit my wire, and I had to fix it." #protolol
Robin — today at 20:56
you could use dnscat2 for testing dns beacons too