SlideShare una empresa de Scribd logo

Pursuing evasive custom command & control - GuideM

Mark Secretario
Mark Secretario

This talk is all about dissecting C3 channels and how the attacker leverages this technique in order to exfiltrate data using cloud storage provider - Investigating in-memory attacks leveraging legitimate 3rd party services like Dropbox, OneDrive, and Slack to use as a medium for Command & Control Communication - Detecting usage and exfiltration optimizing custom command & control channels

Tecnología
1 de 78
Descargar para leer sin conexión
1
AGENDA - #whoami - #cat /etc/group - The Problem (Cyber Kill Chain) - How we can improve? - Traditional C2 (OneDrive) & Detection - C2 Framework Common Channel - Introducing Custom Command & Control (C3) - C3 Channel – Dropbox - C3 Channel – Slack - C3 Channel - GDrive - Attack Surface using Custom Command & Control - LIVE DEMO - Detecting Custom Command & Control - Q/A
#WHOAMI MARK CHRISTIAN SECRETARIO | @iansecretario_ |www.iansecretario.com | www.redteam.blog - Founder of GuideM | Course Developer | Instructor - 8 yrs of experience - Sr. Penetration Tester | Security Consultant - Co-Founder of GuideM | Course Developer - OSCE | OSCP | CRTP | CRTE | | CRTO | CCNP | CFR | CCNA CyberOps Interests: Offensive Security | Red Team | Purple Team |Exploit Development | Security Architecture | Adversary Simulation
RENZON CRUZ | @r3nzsec | www.renzoncruz.com - 8 yrs of experience - Sr. Security Consultant DFIR– National Security (GCC) - Co-Founder of GuideM | Course Developer | Instructor - GCFE | GCIH | eCTHP | eCDFP | eJPT | CFR | ITIL | MCP | MCS Speakership: - BSides Vancouver 2019 - BSides London 2019 - BSides Doha 2020 Interests: SOC | Threat Hunting | Digital Forensics | Incident Response | Malware Analysis | Adversary Simulation #WHOAMI
#CAT /ETC/GROUP • GuideM is a top specialized training provider that delivers world approach in both Offensive (Red) and Defensive (Blue) disciplines of cybersecurity in the Philippines • GuideM provides professional training and services wherein we take pride in producing world class quality courses that are comprehensive, highly technical and purely hands-on
LOCAL HOME LAB SETUP #1 https://detectionlab.network/ • Shoutout to Chris Long @Centurion for this detectionlab setup and scripts • Home Lab Setup for detection adversary behaviors • Mostly Splunk capabilities with Bro/Zeek logs for network detection • Sysmon installed mostly host artifacts and DNS queries as well
LAB SETUP #2 (CLOUD) Click to add text Click to add text https://github.com/cyberdefenders/DetectionLabELK • DetectionLab is a fork from Chris Long's DetectionLab with ELK stack instead of Splunk • Perfect for building effective detection capabilities • Designed with defenders in mind
LAB SETUP #3 (CLOUD) Click to add text Click to add text Click to add text Click to add text https://github.com/DefensiveOrigins/APT-Lab-Terraform • Credits to @Rev10D @Krelkci from DefensiveOrigins and BlackhillsInfosec for a quick lab setup Attacker Controlled environment • Covenant C2 • Empire & Starkiller • C3 (Fsecure)
WHY DO WE CARE?
THE PROBLEM 10 10 Detection & Defense Complexity Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Action on Objectives Initial Attack Vector Access level maturity Full Control
• C2, CnC, C&C, Command & Control • Control large pools of computers • Asynchronous • Client to Server COMMAND & CONTROL 101
• Blending with the noise to disguise as common user traffic • Common protocols • HTTP/HTTPS, SMPT/POP, DNS, ICMP • Common Applications • Outlook, Spotify, PowerShell, Twitter, Gmail, Slack, OneDrive • The more benign the better • Low and slow traffic usage C2 HIDING IN PLAIN SIGHT
• Infrastructure to carry out remote communication with the hosts • A number of different transport mechanisms can be utilized • Some tend to be more stealthy than the others • Many network security appliances are trying in various ways to detect these • But... bypasses exist in custom tools to get right by COMMAND & CONTROL 101
1. A user gets compromised. 2. Attacker establishes command & control channel through the user’s compromised machine. 3. Attacker issues commands on demand and compromised machine sends callbacks. TRADITIONAL C2 COMMUNICATION
MITRE ATT&CK – COMMAND & CONTROL
COMMAND & CONTROL CHANNELS
17 C2 CHANNEL - TWITTER • C&C channels can take the form of IRC chatter, peer to peer protocols, generic HTTP traffic and so on • Adversaries and several malware samples that appeared recently have also used social media for C&C • Twitter can be used for DGA too (Domain Name Generation)
18 C2 CHANNEL - TWITTER Twitter as C2 used by APT
GADOLINIUM ● Nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries ● Rracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods. https://www.microsoft.com/security/blog/2020/09/24/ gadolinium-detecting-empires-cloud/ 19 C2 CHANNEL - ONEDRIVE
● We are going to make the cloud-based file sharing service a middle-man to set-up the communication playground between the target server and the Empire C2 ● Assuming that the Empire C2 is properly installed and configured, we will be using MS OneDrive for the cloud base file sharing C2 20 C2 CHANNEL - ONEDRIVE
1. Create an application and register 2. Setup Microsoft account permissions 3. Obtain the AuthCode 4. Run the listener 21 Click to add text CREATING C2 CHANNEL - ONEDRIVE https://www.bc-security.org/post/using-the-onedrive- listener-in-empire-3-1-3/
● Attacker leverages OneDrive as medium to store results from the C2 channel ● Once Agent has been created delivering the payload through email would be trivial. https://www.bc-security.org/post/using-the-onedrive-listener-in-empire-3-1-3/ 22 CREATING C2 CHANNEL - ONEDRIVE
● Payload executed on user machine ● Compromised machine connects through OneDrive C2channel ● Attacker sends command through C2 channel using OneDrive https://www.bc-security.org/post/using-the-onedrive-listener-in-empire-3-1-3/ 23 Click to add text Click to add text C2 CHANNEL – ONE DRIVE OPERATIONS
24 Click to add text Click to add text C2 ONEDRIVE – DETECTION (MITRE ATT&CK T1059.001) https://attack.mitre.org/techniques/T1059/001/
25 Click to add text Click to add text C2 ONEDRIVE – DETECTION (POWERSHELL | SPLUNK) EventCode=3 Network Connection Click to add text Command & Scripting Interpreter: Powershell • PowerShell execution with network connection towards to 13.107.43.12 (Kali instance in Azure)
26 Click to add text Click to add text C2 ONEDRIVE – DETECTION (SYSMON| SPLUNK) https://github.com/EmpireProject/Empire/blob/master/lib/listeners/onedrive.py EventCode=22 DNSEvent (DNS query)
27 Click to add text Click to add text C2 ONEDRIVE – DETECTION (SYSMON| SPLUNK) https://github.com/EmpireProject/Empire/blob/ master/lib/listeners/onedrive.py EventCode=1 Process Creation
28 Click to add text Click to add text C2 ONEDRIVE – DETECTION (POWERSHELL | SPLUNK) Empire Multi/Launcher Stager • Adversary was able to deploy this payload to the victim's computer • The script well then execute and connect to the empire control server • The attacker will then be able to issue arbitrary commands and run Empire modules on the compromised system PowerShell Event Logs EventID: 4103 CommandLine: "-noP –sta –w 1 –enc"
29 Click to add text Click to add text C2 ONEDRIVE – BEACONING DETECTION (BRO / SPLUNK) • Did you see some beaconing traffic here? • Hard to detect due to its nature • Defender's dilemma
30 Click to add text Click to add text C2 ONEDRIVE – BEACONING DETECTION (BRO / SPLUNK) BRO/ZEEK logs utilizing DNS Beaconing traffic with check-in interval for almost every 2hrs. See the pattern there?
31 Click to add text C2 ONEDRIVE – SSL FINGERPRINT DETECTION (BRO SSL | SPLUNK) JA3 value: - 235a856727c14dba889ddee0a38dd2f2 - Identified as PowerShell User-Agent - Empire heavily used PowerShell https://ja3er.com/form
Latin word for “Sneaky” is “Callidus”. It was developed using .net core framework in C#. Allows operators to leverage O365 services for establishing command & control communication channel. It uses the Microsoft Graph APIs for communicating with the O365 services. Microsoft Graph is a gateway to the data and intelligence in Microsoft 365. It provides a unified programmable model that you can use to access the tremendous amount of data in Office 365, Windows 10, and Enterprise Mobility + Security. Thanks to! Chirag Salva – author of Callidus for helping us! 32 CALLIDUS C2 https://3xpl01tc0d3r.blogspot.com/2020/03/introduction-to-callidus.html
Register for an azure application and set access to Microsoft graph API. Permissions Required for the application to be used as C2 channel Grant access to the compromised account for the registered application c3-0365 we created. 33 CALLIDUS 0365 C2
Callidus also has modules for Outlook,One note and Microsoft Teams as of this moment. 34 CALLIDUS 0365 C2
35 CADILLUS 0365 C2 CHANNEL
36 C2 OFFICE 365 - DETECTION
37 C2 OFFICE 365 - DETECTION
- C3 started as an “External C2” implementation, but is intended to be framework agnostic - Design requirements - Enable rapid prototyping - Be dynamically adaptable - Allow chaining - Credits to William Knowles, Janusz Szmigielski & Nick Jones - Huge thanks to F-secure & mwrlabs for this awesome toolkit INTRODUCTION TO C3
CUSTOM COMMAND & CONTROL COMMUNICATION ● Connector – connection between Gateway and the C2 Framework. ● Gateway – a main node which allows to set up other infrastructure around it ● Channel – a communication medium, by default we can use Slack or UNCShare. ● Relay – this is the payload of C3, however, it does not allow you to execute any commands.
- Primary means of extending C3; Intended to make it “modular”. Has 2 types: - Channel Interface: - The “path” to another relay - Function as what is commonly associated with the notion of a C2 channel (e.g http) - Implant Interface: - The “path” to a framework implant (e.g a named pipe) MAKING IT EXTENSIBLE: INTERFACES
41 C3 CHANNEL - SLACK https://www.praetorian.com/blog/using-slack-as-c2-channel-mitre-attack-web-service-t1102?edition=2019 https://github.com/praetorian-inc/slack-c2bot • Organizations are embracing the cloud based technology for collaboration and bots such as Slack • Several security researchers have experimented with Slack as a C2 channel, creating “Slackor”, Slack C2bot and Slackshell • Legitimate applications and are frequently used to move files around • Little risk that anti-virus or endpoint solutions will detect the infiltration of malicious code or the exfiltration of sensitive data
42 C3 CHANNEL - SLACK https://www.praetorian.com/blog/using-slack-as-c2-channel-mitre-attack-web-service-t1102?edition=2019 Executing the commands using the implant (win_slack_implant.exe) Running "whoami" using slack against the compromised machine
43
44 C3 CHANNEL – SLACK (ATTACKER)
45 Click to add text C3 CHANNEL – DROPBOX • Dropbox has a rich and well documented API • HTTPs enabled and trusted cloud service • Therefore, Dropbox isn't categorized as a malicious domain right off the bat • Cobaltstrike added External C2 feature to allow 3rd party programs to act as a communication layer between Cobalt Strike and its Beacon payload
46 Click to add text C3 CHANNEL – DROPBOX
47 Click to add text C3 CHANNEL – DROPBOX (VICTIM) Click to add textClick to add text Victim's view after executing the implant from C3
48 C3 CHANNEL – DROPBOX (ATTACKER)
Summary exfiltration 49 C3 CHANNEL – DROPBOX (ATTACKER)
50 Click to add text C3 CHANNEL – UNC SHARES https://labs.f-secure.com/blog/attack-detection-fundamentals-discovery-and-lateral-movement-lab-3/ • C3 can use UNC path in order to laterally move through the network and use the shared folder for command and control communication. • As you can see below every time our covenant C2 sends a task through a file will be created that will be used for relay communication
51 C3 CHANNEL – DROPBOX https://labs.f-secure.com/blog/attack-detection-fundamentals-c2-and-exfiltration-lab-3/ ● Using the same Dropbox app we can create. ● Once the relay is executed on the victim it will query and resolve the domain api.dropboxapi.com which is used for polling the folder. ● Relays will often check the contents of the Dropbox folder for files to read. C3 will create a new folder the Dropbox app folder
52 C3 CHANNEL – DROPBOX Even in this case there is no integration with our command and control (C2) framework, Covenant, we can see that details such as operating system and user is already.
53 C3 CHANNEL – DROPBOX EXFILTRATION Once we have our Dropbox channel fully functional we can now use this channel for exfiltration. As seen here we can also configure jitter and delay or remove files Successful Data exfiltration using Dropbox on C3 channel
54 C3 CHANNEL – DROPBOX EXTERNAL C2 As the objective of C3 is to be fully extensible we can turn on connector to our C2 of choice (Covenant/Cobalt Strike) Setup Connector for covenant & Add a peripheral grunt
55 C3 CHANNEL – DROPBOX EXTERNAL C2 Every time we execute a task in our C2, it will go through the Dropbox channel then the relay will upload files in our Dropbox folder through the guidem-drop which is our application. Successful connection on our Covenant C2
56 C3 CHANNEL – GOOGLE DRIVE https://threatpost.com/roguerobin-google-drive-c2/141079/ A custom malware used by the APT known as DarkHydrus uses a mix of novel techniques, including using Google Drive as an alternate command- and-control (C2) channel.
57 C3 CHANNEL – GOOGLE DRIVE
58 C3 CHANNEL – GOOGLE DRIVE (VICTIM)
59 C3 CHANNEL – GOOGLE DRIVE (ATTACKER)
60 C3 CHANNEL – SLACK DETECTION (SYSMON | SPLUNK) Sysmon Event ID 3 - Network Connection • Relay_x64_f575_relay-victim.exe suspicious binary having a network connection towards 13.228.49.204
61 C3 CHANNEL – SLACK DETECTION (SYSMON | SPLUNK) Sysmon Event ID 22 - DNS Query • Relay_x64_f575_relay-victim.exe suspicious binary having a DNS query towards slack.com
62 C3 CHANNEL – SLACK DETECTION (ZEEK| SPLUNK) BRO DNS Query = slack.com
63 C3 CHANNEL – SLACK DETECTION (SYSMON | SPLUNK) Post Exploitation after running the implant from C3 (Slack Channel) Discovery – T1033 (System Owner/User Discovery) cmd.exe /c whoami
64 Click to add text C3 CHANNEL – DROPBOX DETECTION (SYSMON | ELK) SYSMON Event ID 22 DNS Query calling api.dropboxapi.exe
65 Click to add text C3 CHANNEL – DROPBOX DETECTION (ZEEK| SPLUNK) Zeek Logs = bro.dns.json DNS Query calling api.dropboxapi.exe, content.dropboxapi.com
66 Click to add text C3 CHANNEL – DROPBOX DETECTION (ZEEK| SPLUNK) Sysmon Event ID 3 – Network Connection Relay_x64_f576_dropbox-relay.exe connecting to external IP
67 C3 CHANNEL – DROPBOX DETECTION C3 Function URL WriteMessageToFile https://content.dropboxapi.com/2/files/upload ListChannels https://api.dropboxapi.com/2/files/list_folder CreateChannel https://api.dropboxapi.com/2/files/create_folder_v2 GetMessageByDirection https://api.dropboxapi.com/2/files/search_v2 ReadFile https://content.dropboxapi.com/2/files/download DeleteFile https://api.dropboxapi.com/2/files/delete_v2 https://labs.f-secure.com/blog/attack-detection-fundamentals-c2-and-exfiltration-lab-3/ Dropbox URL calls credits to F-secure (C3 workshop)
68 Click to add text C3 CHANNEL – UNC DETECTION (SYSMON | ELK) SYSMON Event ID 10 Process Access – can be indication of thread injection CallTrace: ntdll.dll Attacker was attempting to inject malicious code into a process and has been using it to beacon out to C2 server
69 Click to add text HOST ARTIFACTS DETECTION – PS TRANSCRIPTS
70 Click to add text HOST ARTIFACTS DETECTION – CREATE ACCOUNT Post Compromise artifacts (Creation of Account)
71 Click to add text HOST ARTIFACTS DETECTION – RARE PROCESS CHAINS
C3 CHANNEL – GITHUB DETECTION
● Identify data sources to leverage detection of common C2 traffic ● Understand and identify detection opportunities ● Learn about real-world use cases on advanced types of C2 such as custom command and control channels ● Take advantage of the MITRE Framework HOW CAN WE IMPROVE
• Look for unknown protocols • Look for beaconing behavior • Unusual traffic volumes • Investigate typical C&C protocols • HTTP: User-Agent, HTTP Referrer • DNS: Query Length, Query Types, Query Entropy DETECTING C2/C3
Freq.py https://github.com/sans-blue-team/freq.py RITA (Real Intelligence Threat Analytics) https://github.com/activecm/rita JA3 https://github.com/salesforce/ja3 C2 Matrix https://www.thec2matrix.com/matrix Slingshot C2 Matrix VM https://www.sans.org/slingshot-vmware-linux/download TOOLS TO DETECT C2/C3
Follow us on Twitter/Linkedin Ian Secretario – @iansecretario_ https://iansecretario.com/ Renzon Cruz - @r3nzsec https://renzoncruz.com/ 76 THANK YOU FOR LISTENING
Any Questions?
https://labs.f-secure.com/ https://github.com/FSecureLABS/C3 https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/ https://www.insomniacsecurity.com/2018/01/11/externalc2.html https://github.com/Und3rf10w/external_c2_framework https://github.com/RhinoSecurityLabs/external_c2_framework/ https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki#domain-fronting https://labs.mwrinfosecurity.com/blog/tasking-office-365-for-cobalt-strike-c2 https://www.cobaltstrike.com/help-externalc2 https://posts.specterops.io/covenant-developing-custom-c2-communication-protocols- 895587e7f325 https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise- Abusing-Office365-Powershell-For-Covert-C2.pdf https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook- Backdoor.pdf https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox- extension-abusing-instagram https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears- instagram-posts-to-control-malware https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and- evasive-global-criminal-operation.html https://securingtomorrow.mcafee.com/mcafee-labs/vpnfilter-botnet-targets-networking- devices https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-new- chat-platforms-abused-by-cybercriminals https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan- leveraging-telegrams-bot-api-to-target-iranian-users https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F- Secure_Dukes_Whitepaper.pdf https://3xpl01tc0d3r.blogspot.com/2020/03/introduction-to-callidus.html https://rastamouse.me/blog/c3-first-look/ @FSecureLabs @mwrlabs @nmonkee @william_knows @Rev10D @Krelkc @grzryc Grzegorz Rychlik @cobbr REFERENCES & THANKS!

Recomendados

Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Red Team P1.pdf
Red Team P1.pdfRed Team P1.pdf
Red Team P1.pdfsoheil hashemi
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 

Recomendados

Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Red Team P1.pdf
Red Team P1.pdfRed Team P1.pdf
Red Team P1.pdfsoheil hashemi
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Purple team strategy_lascon_2016
Purple team strategy_lascon_2016Purple team strategy_lascon_2016
Purple team strategy_lascon_2016Trupti Shiralkar, CISSP
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Using Machine Learning and Analytics to Hunt for Security Threats - Webinar
Using Machine Learning and Analytics to Hunt for Security Threats - WebinarUsing Machine Learning and Analytics to Hunt for Security Threats - Webinar
Using Machine Learning and Analytics to Hunt for Security Threats - WebinarSplunk
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Digit Oktavianto
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Cybersecurity
CybersecurityCybersecurity
CybersecuritySanjana Agarwal
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
 
Red team Engagement
Red team EngagementRed team Engagement
Red team EngagementIndranil Banerjee
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemCrowdStrike
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework👀 Joe Gray
 
Responding to Cobalt Strike
Responding to Cobalt StrikeResponding to Cobalt Strike
Responding to Cobalt StrikeChristopher Gerritz
 
Dockercon eu tour 2015 - Devoxx Casablanca
Dockercon eu tour 2015 - Devoxx CasablancaDockercon eu tour 2015 - Devoxx Casablanca
Dockercon eu tour 2015 - Devoxx CasablancaMichel Courtine
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrewLibbySchulze
 

Más contenido relacionado

La actualidad más candente

What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Using Machine Learning and Analytics to Hunt for Security Threats - Webinar
Using Machine Learning and Analytics to Hunt for Security Threats - WebinarUsing Machine Learning and Analytics to Hunt for Security Threats - Webinar
Using Machine Learning and Analytics to Hunt for Security Threats - WebinarSplunk
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Digit Oktavianto
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemCrowdStrike
 

La actualidad más candente (20)

What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Purple team strategy_lascon_2016
Purple team strategy_lascon_2016Purple team strategy_lascon_2016
Purple team strategy_lascon_2016
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeam
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
Using Machine Learning and Analytics to Hunt for Security Threats - Webinar
Using Machine Learning and Analytics to Hunt for Security Threats - WebinarUsing Machine Learning and Analytics to Hunt for Security Threats - Webinar
Using Machine Learning and Analytics to Hunt for Security Threats - Webinar
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
 
Red team Engagement
Red team EngagementRed team Engagement
Red team Engagement
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Responding to Cobalt Strike
Responding to Cobalt StrikeResponding to Cobalt Strike
Responding to Cobalt Strike
 

Similar a Pursuing evasive custom command & control - GuideM

Dockercon eu tour 2015 - Devoxx Casablanca
Dockercon eu tour 2015 - Devoxx CasablancaDockercon eu tour 2015 - Devoxx Casablanca
Dockercon eu tour 2015 - Devoxx CasablancaMichel Courtine
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrewLibbySchulze
 
Docker meetup - PaaS interoperability
Docker meetup - PaaS interoperabilityDocker meetup - PaaS interoperability
Docker meetup - PaaS interoperabilityLudovic Piot
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
Docker Orchestration: Welcome to the Jungle! JavaOne 2015
Docker Orchestration: Welcome to the Jungle! JavaOne 2015Docker Orchestration: Welcome to the Jungle! JavaOne 2015
Docker Orchestration: Welcome to the Jungle! JavaOne 2015Patrick Chanezon
 
Neo4J with Docker and Azure - GraphConnect 2015
Neo4J with Docker and Azure - GraphConnect 2015Neo4J with Docker and Azure - GraphConnect 2015
Neo4J with Docker and Azure - GraphConnect 2015Patrick Chanezon
 
Tampere Docker meetup - Happy 5th Birthday Docker
Tampere Docker meetup - Happy 5th Birthday DockerTampere Docker meetup - Happy 5th Birthday Docker
Tampere Docker meetup - Happy 5th Birthday DockerSakari Hoisko
 
What's New in Docker - February 2017
What's New in Docker - February 2017What's New in Docker - February 2017
What's New in Docker - February 2017Patrick Chanezon
 
PLNOG 17 - Grzegorz Kornacki - F5 and OpenStack
PLNOG 17 - Grzegorz Kornacki - F5 and OpenStackPLNOG 17 - Grzegorz Kornacki - F5 and OpenStack
PLNOG 17 - Grzegorz Kornacki - F5 and OpenStackPROIDEA
 
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...Agile Testing Alliance
 
AzureDay Kyiv 2016 Release Management
AzureDay Kyiv 2016 Release ManagementAzureDay Kyiv 2016 Release Management
AzureDay Kyiv 2016 Release ManagementSergii Kryshtop
 
Webinar: Dealing with automation tool overload!
Webinar: Dealing with automation tool overload!Webinar: Dealing with automation tool overload!
Webinar: Dealing with automation tool overload!Cloudify Community
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
A hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stackA hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stackQAware GmbH
 
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17Mario-Leander Reimer
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldC4Media
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
 
Docker Bday #5, SF Edition: Introduction to Docker
Docker Bday #5, SF Edition: Introduction to DockerDocker Bday #5, SF Edition: Introduction to Docker
Docker Bday #5, SF Edition: Introduction to DockerDocker, Inc.
 

Similar a Pursuing evasive custom command & control - GuideM (20)

Dockercon eu tour 2015 - Devoxx Casablanca
Dockercon eu tour 2015 - Devoxx CasablancaDockercon eu tour 2015 - Devoxx Casablanca
Dockercon eu tour 2015 - Devoxx Casablanca
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security Ninja
 
Docker meetup - PaaS interoperability
Docker meetup - PaaS interoperabilityDocker meetup - PaaS interoperability
Docker meetup - PaaS interoperability
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
Docker Orchestration: Welcome to the Jungle! JavaOne 2015
Docker Orchestration: Welcome to the Jungle! JavaOne 2015Docker Orchestration: Welcome to the Jungle! JavaOne 2015
Docker Orchestration: Welcome to the Jungle! JavaOne 2015
 
Neo4J with Docker and Azure - GraphConnect 2015
Neo4J with Docker and Azure - GraphConnect 2015Neo4J with Docker and Azure - GraphConnect 2015
Neo4J with Docker and Azure - GraphConnect 2015
 
Tampere Docker meetup - Happy 5th Birthday Docker
Tampere Docker meetup - Happy 5th Birthday DockerTampere Docker meetup - Happy 5th Birthday Docker
Tampere Docker meetup - Happy 5th Birthday Docker
 
What's New in Docker - February 2017
What's New in Docker - February 2017What's New in Docker - February 2017
What's New in Docker - February 2017
 
PLNOG 17 - Grzegorz Kornacki - F5 and OpenStack
PLNOG 17 - Grzegorz Kornacki - F5 and OpenStackPLNOG 17 - Grzegorz Kornacki - F5 and OpenStack
PLNOG 17 - Grzegorz Kornacki - F5 and OpenStack
 
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...
 
AzureDay Kyiv 2016 Release Management
AzureDay Kyiv 2016 Release ManagementAzureDay Kyiv 2016 Release Management
AzureDay Kyiv 2016 Release Management
 
Webinar: Dealing with automation tool overload!
Webinar: Dealing with automation tool overload!Webinar: Dealing with automation tool overload!
Webinar: Dealing with automation tool overload!
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
A hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stackA hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stack
 
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New World
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
 
Docker Bday #5, SF Edition: Introduction to Docker
Docker Bday #5, SF Edition: Introduction to DockerDocker Bday #5, SF Edition: Introduction to Docker
Docker Bday #5, SF Edition: Introduction to Docker
 

Último

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Último (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Pursuing evasive custom command & control - GuideM

  • 1. 1
  • 2. AGENDA - #whoami - #cat /etc/group - The Problem (Cyber Kill Chain) - How we can improve? - Traditional C2 (OneDrive) & Detection - C2 Framework Common Channel - Introducing Custom Command & Control (C3) - C3 Channel – Dropbox - C3 Channel – Slack - C3 Channel - GDrive - Attack Surface using Custom Command & Control - LIVE DEMO - Detecting Custom Command & Control - Q/A
  • 3. #WHOAMI MARK CHRISTIAN SECRETARIO | @iansecretario_ |www.iansecretario.com | www.redteam.blog - Founder of GuideM | Course Developer | Instructor - 8 yrs of experience - Sr. Penetration Tester | Security Consultant - Co-Founder of GuideM | Course Developer - OSCE | OSCP | CRTP | CRTE | | CRTO | CCNP | CFR | CCNA CyberOps Interests: Offensive Security | Red Team | Purple Team |Exploit Development | Security Architecture | Adversary Simulation
  • 4. RENZON CRUZ | @r3nzsec | www.renzoncruz.com - 8 yrs of experience - Sr. Security Consultant DFIR– National Security (GCC) - Co-Founder of GuideM | Course Developer | Instructor - GCFE | GCIH | eCTHP | eCDFP | eJPT | CFR | ITIL | MCP | MCS Speakership: - BSides Vancouver 2019 - BSides London 2019 - BSides Doha 2020 Interests: SOC | Threat Hunting | Digital Forensics | Incident Response | Malware Analysis | Adversary Simulation #WHOAMI
  • 5. #CAT /ETC/GROUP • GuideM is a top specialized training provider that delivers world approach in both Offensive (Red) and Defensive (Blue) disciplines of cybersecurity in the Philippines • GuideM provides professional training and services wherein we take pride in producing world class quality courses that are comprehensive, highly technical and purely hands-on
  • 6. LOCAL HOME LAB SETUP #1 https://detectionlab.network/ • Shoutout to Chris Long @Centurion for this detectionlab setup and scripts • Home Lab Setup for detection adversary behaviors • Mostly Splunk capabilities with Bro/Zeek logs for network detection • Sysmon installed mostly host artifacts and DNS queries as well
  • 7. LAB SETUP #2 (CLOUD) Click to add text Click to add text https://github.com/cyberdefenders/DetectionLabELK • DetectionLab is a fork from Chris Long's DetectionLab with ELK stack instead of Splunk • Perfect for building effective detection capabilities • Designed with defenders in mind
  • 8. LAB SETUP #3 (CLOUD) Click to add text Click to add text Click to add text Click to add text https://github.com/DefensiveOrigins/APT-Lab-Terraform • Credits to @Rev10D @Krelkci from DefensiveOrigins and BlackhillsInfosec for a quick lab setup Attacker Controlled environment • Covenant C2 • Empire & Starkiller • C3 (Fsecure)
  • 9. WHY DO WE CARE?
  • 10. THE PROBLEM 10 10 Detection & Defense Complexity Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Action on Objectives Initial Attack Vector Access level maturity Full Control
  • 11. • C2, CnC, C&C, Command & Control • Control large pools of computers • Asynchronous • Client to Server COMMAND & CONTROL 101
  • 12. • Blending with the noise to disguise as common user traffic • Common protocols • HTTP/HTTPS, SMPT/POP, DNS, ICMP • Common Applications • Outlook, Spotify, PowerShell, Twitter, Gmail, Slack, OneDrive • The more benign the better • Low and slow traffic usage C2 HIDING IN PLAIN SIGHT
  • 13. • Infrastructure to carry out remote communication with the hosts • A number of different transport mechanisms can be utilized • Some tend to be more stealthy than the others • Many network security appliances are trying in various ways to detect these • But... bypasses exist in custom tools to get right by COMMAND & CONTROL 101
  • 14. 1. A user gets compromised. 2. Attacker establishes command & control channel through the user’s compromised machine. 3. Attacker issues commands on demand and compromised machine sends callbacks. TRADITIONAL C2 COMMUNICATION
  • 15. MITRE ATT&CK – COMMAND & CONTROL
  • 16. COMMAND & CONTROL CHANNELS
  • 17. 17 C2 CHANNEL - TWITTER • C&C channels can take the form of IRC chatter, peer to peer protocols, generic HTTP traffic and so on • Adversaries and several malware samples that appeared recently have also used social media for C&C • Twitter can be used for DGA too (Domain Name Generation)
  • 18. 18 C2 CHANNEL - TWITTER Twitter as C2 used by APT
  • 19. GADOLINIUM ● Nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries ● Rracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods. https://www.microsoft.com/security/blog/2020/09/24/ gadolinium-detecting-empires-cloud/ 19 C2 CHANNEL - ONEDRIVE
  • 20. ● We are going to make the cloud-based file sharing service a middle-man to set-up the communication playground between the target server and the Empire C2 ● Assuming that the Empire C2 is properly installed and configured, we will be using MS OneDrive for the cloud base file sharing C2 20 C2 CHANNEL - ONEDRIVE
  • 21. 1. Create an application and register 2. Setup Microsoft account permissions 3. Obtain the AuthCode 4. Run the listener 21 Click to add text CREATING C2 CHANNEL - ONEDRIVE https://www.bc-security.org/post/using-the-onedrive- listener-in-empire-3-1-3/
  • 22. ● Attacker leverages OneDrive as medium to store results from the C2 channel ● Once Agent has been created delivering the payload through email would be trivial. https://www.bc-security.org/post/using-the-onedrive-listener-in-empire-3-1-3/ 22 CREATING C2 CHANNEL - ONEDRIVE
  • 23. ● Payload executed on user machine ● Compromised machine connects through OneDrive C2channel ● Attacker sends command through C2 channel using OneDrive https://www.bc-security.org/post/using-the-onedrive-listener-in-empire-3-1-3/ 23 Click to add text Click to add text C2 CHANNEL – ONE DRIVE OPERATIONS
  • 24. 24 Click to add text Click to add text C2 ONEDRIVE – DETECTION (MITRE ATT&CK T1059.001) https://attack.mitre.org/techniques/T1059/001/
  • 25. 25 Click to add text Click to add text C2 ONEDRIVE – DETECTION (POWERSHELL | SPLUNK) EventCode=3 Network Connection Click to add text Command & Scripting Interpreter: Powershell • PowerShell execution with network connection towards to 13.107.43.12 (Kali instance in Azure)
  • 26. 26 Click to add text Click to add text C2 ONEDRIVE – DETECTION (SYSMON| SPLUNK) https://github.com/EmpireProject/Empire/blob/master/lib/listeners/onedrive.py EventCode=22 DNSEvent (DNS query)
  • 27. 27 Click to add text Click to add text C2 ONEDRIVE – DETECTION (SYSMON| SPLUNK) https://github.com/EmpireProject/Empire/blob/ master/lib/listeners/onedrive.py EventCode=1 Process Creation
  • 28. 28 Click to add text Click to add text C2 ONEDRIVE – DETECTION (POWERSHELL | SPLUNK) Empire Multi/Launcher Stager • Adversary was able to deploy this payload to the victim's computer • The script well then execute and connect to the empire control server • The attacker will then be able to issue arbitrary commands and run Empire modules on the compromised system PowerShell Event Logs EventID: 4103 CommandLine: "-noP –sta –w 1 –enc"
  • 29. 29 Click to add text Click to add text C2 ONEDRIVE – BEACONING DETECTION (BRO / SPLUNK) • Did you see some beaconing traffic here? • Hard to detect due to its nature • Defender's dilemma
  • 30. 30 Click to add text Click to add text C2 ONEDRIVE – BEACONING DETECTION (BRO / SPLUNK) BRO/ZEEK logs utilizing DNS Beaconing traffic with check-in interval for almost every 2hrs. See the pattern there?
  • 31. 31 Click to add text C2 ONEDRIVE – SSL FINGERPRINT DETECTION (BRO SSL | SPLUNK) JA3 value: - 235a856727c14dba889ddee0a38dd2f2 - Identified as PowerShell User-Agent - Empire heavily used PowerShell https://ja3er.com/form
  • 32. Latin word for “Sneaky” is “Callidus”. It was developed using .net core framework in C#. Allows operators to leverage O365 services for establishing command & control communication channel. It uses the Microsoft Graph APIs for communicating with the O365 services. Microsoft Graph is a gateway to the data and intelligence in Microsoft 365. It provides a unified programmable model that you can use to access the tremendous amount of data in Office 365, Windows 10, and Enterprise Mobility + Security. Thanks to! Chirag Salva – author of Callidus for helping us! 32 CALLIDUS C2 https://3xpl01tc0d3r.blogspot.com/2020/03/introduction-to-callidus.html
  • 33. Register for an azure application and set access to Microsoft graph API. Permissions Required for the application to be used as C2 channel Grant access to the compromised account for the registered application c3-0365 we created. 33 CALLIDUS 0365 C2
  • 34. Callidus also has modules for Outlook,One note and Microsoft Teams as of this moment. 34 CALLIDUS 0365 C2
  • 36. 36 C2 OFFICE 365 - DETECTION
  • 37. 37 C2 OFFICE 365 - DETECTION
  • 38. - C3 started as an “External C2” implementation, but is intended to be framework agnostic - Design requirements - Enable rapid prototyping - Be dynamically adaptable - Allow chaining - Credits to William Knowles, Janusz Szmigielski & Nick Jones - Huge thanks to F-secure & mwrlabs for this awesome toolkit INTRODUCTION TO C3
  • 39. CUSTOM COMMAND & CONTROL COMMUNICATION ● Connector – connection between Gateway and the C2 Framework. ● Gateway – a main node which allows to set up other infrastructure around it ● Channel – a communication medium, by default we can use Slack or UNCShare. ● Relay – this is the payload of C3, however, it does not allow you to execute any commands.
  • 40. - Primary means of extending C3; Intended to make it “modular”. Has 2 types: - Channel Interface: - The “path” to another relay - Function as what is commonly associated with the notion of a C2 channel (e.g http) - Implant Interface: - The “path” to a framework implant (e.g a named pipe) MAKING IT EXTENSIBLE: INTERFACES
  • 41. 41 C3 CHANNEL - SLACK https://www.praetorian.com/blog/using-slack-as-c2-channel-mitre-attack-web-service-t1102?edition=2019 https://github.com/praetorian-inc/slack-c2bot • Organizations are embracing the cloud based technology for collaboration and bots such as Slack • Several security researchers have experimented with Slack as a C2 channel, creating “Slackor”, Slack C2bot and Slackshell • Legitimate applications and are frequently used to move files around • Little risk that anti-virus or endpoint solutions will detect the infiltration of malicious code or the exfiltration of sensitive data
  • 42. 42 C3 CHANNEL - SLACK https://www.praetorian.com/blog/using-slack-as-c2-channel-mitre-attack-web-service-t1102?edition=2019 Executing the commands using the implant (win_slack_implant.exe) Running "whoami" using slack against the compromised machine
  • 43. 43
  • 44. 44 C3 CHANNEL – SLACK (ATTACKER)
  • 45. 45 Click to add text C3 CHANNEL – DROPBOX • Dropbox has a rich and well documented API • HTTPs enabled and trusted cloud service • Therefore, Dropbox isn't categorized as a malicious domain right off the bat • Cobaltstrike added External C2 feature to allow 3rd party programs to act as a communication layer between Cobalt Strike and its Beacon payload
  • 46. 46 Click to add text C3 CHANNEL – DROPBOX
  • 47. 47 Click to add text C3 CHANNEL – DROPBOX (VICTIM) Click to add textClick to add text Victim's view after executing the implant from C3
  • 48. 48 C3 CHANNEL – DROPBOX (ATTACKER)
  • 49. Summary exfiltration 49 C3 CHANNEL – DROPBOX (ATTACKER)
  • 50. 50 Click to add text C3 CHANNEL – UNC SHARES https://labs.f-secure.com/blog/attack-detection-fundamentals-discovery-and-lateral-movement-lab-3/ • C3 can use UNC path in order to laterally move through the network and use the shared folder for command and control communication. • As you can see below every time our covenant C2 sends a task through a file will be created that will be used for relay communication
  • 51. 51 C3 CHANNEL – DROPBOX https://labs.f-secure.com/blog/attack-detection-fundamentals-c2-and-exfiltration-lab-3/ ● Using the same Dropbox app we can create. ● Once the relay is executed on the victim it will query and resolve the domain api.dropboxapi.com which is used for polling the folder. ● Relays will often check the contents of the Dropbox folder for files to read. C3 will create a new folder the Dropbox app folder
  • 52. 52 C3 CHANNEL – DROPBOX Even in this case there is no integration with our command and control (C2) framework, Covenant, we can see that details such as operating system and user is already.
  • 53. 53 C3 CHANNEL – DROPBOX EXFILTRATION Once we have our Dropbox channel fully functional we can now use this channel for exfiltration. As seen here we can also configure jitter and delay or remove files Successful Data exfiltration using Dropbox on C3 channel
  • 54. 54 C3 CHANNEL – DROPBOX EXTERNAL C2 As the objective of C3 is to be fully extensible we can turn on connector to our C2 of choice (Covenant/Cobalt Strike) Setup Connector for covenant & Add a peripheral grunt
  • 55. 55 C3 CHANNEL – DROPBOX EXTERNAL C2 Every time we execute a task in our C2, it will go through the Dropbox channel then the relay will upload files in our Dropbox folder through the guidem-drop which is our application. Successful connection on our Covenant C2
  • 56. 56 C3 CHANNEL – GOOGLE DRIVE https://threatpost.com/roguerobin-google-drive-c2/141079/ A custom malware used by the APT known as DarkHydrus uses a mix of novel techniques, including using Google Drive as an alternate command- and-control (C2) channel.
  • 57. 57 C3 CHANNEL – GOOGLE DRIVE
  • 58. 58 C3 CHANNEL – GOOGLE DRIVE (VICTIM)
  • 59. 59 C3 CHANNEL – GOOGLE DRIVE (ATTACKER)
  • 60. 60 C3 CHANNEL – SLACK DETECTION (SYSMON | SPLUNK) Sysmon Event ID 3 - Network Connection • Relay_x64_f575_relay-victim.exe suspicious binary having a network connection towards 13.228.49.204
  • 61. 61 C3 CHANNEL – SLACK DETECTION (SYSMON | SPLUNK) Sysmon Event ID 22 - DNS Query • Relay_x64_f575_relay-victim.exe suspicious binary having a DNS query towards slack.com
  • 62. 62 C3 CHANNEL – SLACK DETECTION (ZEEK| SPLUNK) BRO DNS Query = slack.com
  • 63. 63 C3 CHANNEL – SLACK DETECTION (SYSMON | SPLUNK) Post Exploitation after running the implant from C3 (Slack Channel) Discovery – T1033 (System Owner/User Discovery) cmd.exe /c whoami
  • 64. 64 Click to add text C3 CHANNEL – DROPBOX DETECTION (SYSMON | ELK) SYSMON Event ID 22 DNS Query calling api.dropboxapi.exe
  • 65. 65 Click to add text C3 CHANNEL – DROPBOX DETECTION (ZEEK| SPLUNK) Zeek Logs = bro.dns.json DNS Query calling api.dropboxapi.exe, content.dropboxapi.com
  • 66. 66 Click to add text C3 CHANNEL – DROPBOX DETECTION (ZEEK| SPLUNK) Sysmon Event ID 3 – Network Connection Relay_x64_f576_dropbox-relay.exe connecting to external IP
  • 67. 67 C3 CHANNEL – DROPBOX DETECTION C3 Function URL WriteMessageToFile https://content.dropboxapi.com/2/files/upload ListChannels https://api.dropboxapi.com/2/files/list_folder CreateChannel https://api.dropboxapi.com/2/files/create_folder_v2 GetMessageByDirection https://api.dropboxapi.com/2/files/search_v2 ReadFile https://content.dropboxapi.com/2/files/download DeleteFile https://api.dropboxapi.com/2/files/delete_v2 https://labs.f-secure.com/blog/attack-detection-fundamentals-c2-and-exfiltration-lab-3/ Dropbox URL calls credits to F-secure (C3 workshop)
  • 68. 68 Click to add text C3 CHANNEL – UNC DETECTION (SYSMON | ELK) SYSMON Event ID 10 Process Access – can be indication of thread injection CallTrace: ntdll.dll Attacker was attempting to inject malicious code into a process and has been using it to beacon out to C2 server
  • 69. 69 Click to add text HOST ARTIFACTS DETECTION – PS TRANSCRIPTS
  • 70. 70 Click to add text HOST ARTIFACTS DETECTION – CREATE ACCOUNT Post Compromise artifacts (Creation of Account)
  • 71. 71 Click to add text HOST ARTIFACTS DETECTION – RARE PROCESS CHAINS
  • 72. C3 CHANNEL – GITHUB DETECTION
  • 73. ● Identify data sources to leverage detection of common C2 traffic ● Understand and identify detection opportunities ● Learn about real-world use cases on advanced types of C2 such as custom command and control channels ● Take advantage of the MITRE Framework HOW CAN WE IMPROVE
  • 74. • Look for unknown protocols • Look for beaconing behavior • Unusual traffic volumes • Investigate typical C&C protocols • HTTP: User-Agent, HTTP Referrer • DNS: Query Length, Query Types, Query Entropy DETECTING C2/C3
  • 75. Freq.py https://github.com/sans-blue-team/freq.py RITA (Real Intelligence Threat Analytics) https://github.com/activecm/rita JA3 https://github.com/salesforce/ja3 C2 Matrix https://www.thec2matrix.com/matrix Slingshot C2 Matrix VM https://www.sans.org/slingshot-vmware-linux/download TOOLS TO DETECT C2/C3
  • 76. Follow us on Twitter/Linkedin Ian Secretario – @iansecretario_ https://iansecretario.com/ Renzon Cruz - @r3nzsec https://renzoncruz.com/ 76 THANK YOU FOR LISTENING
  • 78. https://labs.f-secure.com/ https://github.com/FSecureLABS/C3 https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/ https://www.insomniacsecurity.com/2018/01/11/externalc2.html https://github.com/Und3rf10w/external_c2_framework https://github.com/RhinoSecurityLabs/external_c2_framework/ https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki#domain-fronting https://labs.mwrinfosecurity.com/blog/tasking-office-365-for-cobalt-strike-c2 https://www.cobaltstrike.com/help-externalc2 https://posts.specterops.io/covenant-developing-custom-c2-communication-protocols- 895587e7f325 https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise- Abusing-Office365-Powershell-For-Covert-C2.pdf https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook- Backdoor.pdf https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox- extension-abusing-instagram https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears- instagram-posts-to-control-malware https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and- evasive-global-criminal-operation.html https://securingtomorrow.mcafee.com/mcafee-labs/vpnfilter-botnet-targets-networking- devices https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-new- chat-platforms-abused-by-cybercriminals https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan- leveraging-telegrams-bot-api-to-target-iranian-users https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F- Secure_Dukes_Whitepaper.pdf https://3xpl01tc0d3r.blogspot.com/2020/03/introduction-to-callidus.html https://rastamouse.me/blog/c3-first-look/ @FSecureLabs @mwrlabs @nmonkee @william_knows @Rev10D @Krelkc @grzryc Grzegorz Rychlik @cobbr REFERENCES & THANKS!