My key takeaways
- "Malware of the Day" is about simulating one malware or exploit that was found "in the wild"
- why? to share with the public so that we can test our security detection abilities in place
- sharing (safe) PCAPs with identified C2 methods and network traffic patterns
- smoke detectors are not built to prevent fires. They are meant to detect fires and alert someone to mitigate the fire.
- We have to trust some security controls like automotive airbags; tests are destructive, so they have not been tested on my car; I trust it anyway
- Otherwise we have to test the tools
- reduces the number of "what ifs"
- to get the most out of the blog posts, do not initially read the post, but download and test the PCAP first
- a long time between signals will also avoid detection
- shorter beaconing time will require some jitter
- also very long (aka permanent) connections might be used as C2 connection as well
- if testing with a PCAP, remember that there is not much noise in it
- will you be able to catch it also in a noisier real-life situation?
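Added example (not from the webcast or its tools) of the beacon check those notes describe: connection timestamps from a constructed Zeek-style conn.log are grouped per source/destination pair and the spread of the gaps between connections is measured, so a fixed-interval beacon, a jittered beacon and irregular browsing can be compared; all hosts, times and thresholds are made up.

```python
import statistics
from collections import defaultdict

# Constructed Zeek-style conn.log rows: ts, id.orig_h, id.resp_h, id.resp_p, proto
# (tab-separated, ts in seconds). Hosts and timings are invented for this example.
SAMPLE_CONN_LOG = "\n".join(
    # fixed 900 s beacon, no jitter
    [f"{1700000000 + 900 * i}\t10.0.0.5\t203.0.113.10\t80\ttcp" for i in range(12)]
    # 300 s beacon with roughly +/-60 s jitter (offsets chosen by hand)
    + [f"{1700000000 + t}\t10.0.0.7\t198.51.100.20\t514\tudp"
       for t in [0, 340, 580, 920, 1190, 1530, 1790, 2100, 2450, 2700, 3040, 3300]]
    # interactive browsing: bursts separated by irregular idle periods
    + [f"{1700000000 + t}\t10.0.0.9\t192.0.2.30\t443\ttcp"
       for t in [0, 3, 5, 60, 61, 900, 905, 2000, 2001, 2002, 7000, 7100]]
)

def parse_conn_log(text):
    """Group connection timestamps by (orig_h, resp_h, resp_p, proto)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, proto = line.split("\t")
        groups[(orig, resp, int(port), proto)].append(float(ts))
    return groups

def interval_stats(timestamps):
    """Median gap between consecutive connections and its relative spread (MAD / median).
    A spread near 0 means a metronome-like beacon; jitter and human activity raise it."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = statistics.median(gaps)
    mad = statistics.median(abs(g - med) for g in gaps)
    return med, (mad / med if med else float("inf"))

def find_beacons(groups, min_conns=10, max_spread=0.5):
    """Return pairs whose gaps are regular enough to look like a beacon: {key: (median_gap, spread)}."""
    hits = {}
    for key, ts in groups.items():
        if len(ts) < min_conns:
            continue
        med, spread = interval_stats(ts)
        if spread <= max_spread:
            hits[key] = (med, round(spread, 3))
    return hits
```

Tightening max_spread to 0.1 keeps only the un-jittered beacon, which is the trade-off the notes point at: a threshold strict enough to silence noisy traffic is also what jitter exploits.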
Env
- Provided by Active Countermeasures
Speaker
- Keith Chew
- Bill Stearns
additional links
- https://www.activecountermeasures.com/category/malware-of-the-day/
- https://www.activecountermeasures.com/free-tools/beaker/
- https://en.wikipedia.org/wiki/K-means_clustering
- https://github.com/activecm/rita
- https://github.com/zeek/zeek
- https://github.com/activecm/threat-tools
- https://www.activecountermeasures.com/free-tools/threat-simulator/
- https://www.activecountermeasures.com/simulating-a-beacon/
- https://www.activecountermeasures.com/free-tools/espy/
User comments
cbrenton-acm — today at 20:37
Some command examples from the tool they are talking about:
Sunburst
beacon-simulator.sh 165.227.91.97 80 900 90 tcp &
UDP payload jitter
beacon-simulator.sh 167.172.135.27 514 300 0 udp 256 &
WWMB — today at 20:42
@1aBonline Popular excuse why network packets are late: "A shark bit my wire, and I had to fix it." #protolol
Robin — today at 20:56
you could use dnscat2 for testing dns beacons too