I'm sure most of you have heard about the recent remote code execution
(RCE) exploit dubbed as PrintNightmare. It is an attack against the
printer spool service that allows an attacker, with normal user
credentials, to execute with SYSTEM level privi...
Introduction When a C2 platform is hardcoded to beacon in a particular
fashion, its detection from a defender’s perspective is trivial. Namely,
we merely need to create a single signature based on the hardcoded
characteristics, which would then be ca...
Carrying on with the theme of Remote Access Tools (RATs), in this blog
post will be covering Void-RAT. This tool is still in development and
currently at alpha release so doesn't come with as many features as
other RATs we've looked at, with that bei...
Delving back into the C2 Matrix to look for some more inspiration for
blog posts, we noticed there are a number of Remote Administration Tools
(RATs) listed. So we decided to start taking a look at these RATs and
see how we can detect their usage in ...
We have had some feedback on the rules from individuals who have had
this up and running in their envrionments. That feedback has been
applied to the latest set of rules that is uploaded to this post. The
code was also updated to create rules for the...
Hey All, Since I had the code already extracting the necessary fields, I
made it output the content as Yara rules. These rules may work on raw
PCAP data as well as memory dumps, the executables, however, are
normally encoded and would not necessarily...
Hey Matthew, Correct, the app rules detailed in this post would most
likely have no benefit being on a Log Decoder, nor on an ESA that is
ingesting log metadata, this is because the proxies capturing the
information typically won't log everything in ...
Hey Matthew, Typically, the data sent within the POST is not logged by
proxies, remember this is outbound C2 data, therefore NetWitness does
not receive that information, so the app rule looking for the double
asterisk may not work in this case. The ...
Hey Shane, With this tool, everything that gets uploaded or downloaded
is decimal encoded. As an example, if you uploaded a malicious binary,
it will look like this across the wire: Which after decimal decoding,
you can reconstruct the binary (simila...
