March 2

Webinar takeaway – Malware of the Day


My key takeaways

  • "Malware of the Day" is about simulating one malware sample or exploit that was found "in the wild"
  • Why? To share it with the public so that we can test the detection capabilities we already have in place
    • sharing (safe) PCAPs with identified C2 methods and network traffic patterns
  • Smoke detectors are not built to prevent fires. They are meant to detect fires and alert someone to put the fire out.
  • We have to trust some security controls, like automotive airbags: the test is destructive, so the airbags in my car have never been tested; I trust them anyway
    • Otherwise we have to test the tools
    • reduces the number of "what-ifs"
  • To get the most out of the blog posts, do not read the post first; download and test the PCAP first
  • A long interval between beacons also helps avoid detection
    • a shorter beaconing interval will require some jitter
    • very long (effectively permanent) connections might be used as C2 connections as well
  • If testing with a PCAP, remember that there is not much noise in it
    • will you be able to catch it in a noisier real-life situation too?
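As an added example (not from the webinar or from the tool the comments mention), a small Python beacon-spacing check over a constructed connection log. It models the two cadences in cbrenton-acm's command examples (900 s with 90 s jitter, 300 s with none) plus irregular browsing noise, and flags pairs whose gaps between connections are near-constant. The pair key, the thresholds and the sample log are assumptions made here.

```python
import random
from statistics import median

# Constructed connection log: (epoch_seconds, src, dst, dport, proto).
# Not a capture from the webinar; built here to exercise the detector.
def build_sample_log(seed=7):
    rng = random.Random(seed)
    log = []
    # Beacon A: 900 s interval with +/-90 s jitter over TCP/80 (the
    # cadence of the first beacon-simulator example in the comments).
    t = 1_700_000_000
    for _ in range(20):
        log.append((t, "10.0.0.5", "203.0.113.10", 80, "tcp"))
        t += 900 + rng.uniform(-90, 90)
    # Beacon B: 300 s interval, zero jitter, UDP/514 (the second example).
    t = 1_700_000_000
    for _ in range(60):
        log.append((t, "10.0.0.5", "203.0.113.20", 514, "udp"))
        t += 300
    # Background noise: a user browsing at irregular intervals.
    t = 1_700_000_000
    for _ in range(60):
        log.append((t, "10.0.0.5", "203.0.113.30", 443, "tcp"))
        t += rng.uniform(5, 900)
    return sorted(log)

def interval_profile(log):
    """Per (src, dst, dport, proto) pair: count, median gap, relative spread."""
    by_pair = {}
    for ts, src, dst, dport, proto in log:
        by_pair.setdefault((src, dst, dport, proto), []).append(ts)
    profile = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue
        med = median(gaps)
        # Median absolute deviation scaled by the median: 0.0 for a
        # perfectly regular beacon, rising as jitter (or noise) grows.
        mad = median(abs(g - med) for g in gaps)
        profile[pair] = (len(times), med, mad / med if med else float("inf"))
    return profile

def beacon_candidates(log, min_conns=10, max_spread=0.2):
    """Flag pairs that connected often enough with near-constant spacing."""
    return sorted(pair for pair, (n, _, spread) in interval_profile(log).items()
                  if n >= min_conns and spread <= max_spread)
```

Note that the 900 s beacon needs roughly five hours of data to reach min_conns at all, which is the "long time between signals" problem from the notes; lowering the threshold lets more noise pairs through, so the noise pair above is the one to watch when tuning.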

Env

additional links

User comments

  • cbrenton-acm — today at 20:37 Some command examples from the tool they are talking about:
    Sunburst: beacon-simulator.sh 165.227.91.97 80 900 90 tcp &
    UDP payload jitter: beacon-simulator.sh 167.172.135.27 514 300 0 udp 256 &

  • WWMB — today at 20:42 @1aBonline Popular excuse why network packets are late: "A shark bit my wire, and I had to fix it." #protolol

  • Robin — today at 20:56 You could use dnscat2 for testing DNS beacons too


Tags

anomaly detection, beacon, C2, home network, pcap, threathunting
