Hello and welcome to the fourth blog post in this series about understanding and detecting C2 frameworks.
As always, if you haven't checked the previous blogs, please do via the following links.
Without further ado, let's get started.
This is a basic C2 generic server written in Python and Flask.
Hello and welcome to the third blog post in this series about understanding and detecting C2 frameworks.
If you haven't checked the previous blogs, please do, as we've already analyzed both "Ares" and "TrevorC2".
Today we're gonna take a look at a framework created by "onSec-fr" called "HTTP/S Asynchronous Reverse Shell" (HARS). It is still in a POC phase, but interesting nonetheless. Without further ado, let's get started.
Before we dive into the code. …
Hello and welcome to the second blog post of this series about understanding and detecting C2 frameworks. If you haven't read the first blog, I highly suggest you do to get a feel for what I'll be talking about today.
The next C2 framework I decided to look at today is "Trevor C2" by TrustedSec. Let's get started.
Here is a definition from their GitHub repository:
TrevorC2 is a client/server model for masking command and control through a normally browsable website. Detection becomes much harder as time intervals are different and does not use POST requests for data exfil.
Hello and welcome to this new blog series titled "Understanding & Detecting C2 Frameworks". In the coming weeks and months, I'll be doing some analysis and deep dives into old and new open source C2 frameworks, analyzing the source code and trying to understand the inner workings, in the hope of getting more insight into the techniques used in these different tools. So without further ado, let's start this one with a relatively simple and old framework (RAT) named "Ares" by "sweetsoftware".
Here is a definition from their GitHub repository:
Ares is a Python Remote Access Tool. …
In recent weeks I've been doing some research into Symantec EDR and looking into the technologies that are used to generate the incidents and events inside the platform, in the hope of getting a better understanding of the detection process and mechanisms within.
Seeing a file classified as malicious or an incident being declared is all good and well. …
A couple of weeks ago I was tuning a log configuration in my lab and I encountered an event being generated quite often (see below).
Seeing the "cscript" utility being used is always a point of interest for me, especially in this case, since the process launching it was the Symantec AV service host process (ccSvcHst.exe).
I decided to investigate and dig a little deeper into the origin of this behavior. So I fired up Process Monitor on the host machine and waited a little bit. …
Last week I wrote a blog post about an interesting forensic artifact related to the Symantec EDR (localdatastore) that can be found inside the Symantec SEP "program data" folder. If you haven't read it, I suggest you do before continuing, as this is a direct continuation.
Last time I focused on the ".log" file that was being generated by the Symantec EDR while it was writing the collected events to the ".ldb" files. While this file can contain a ton of information about events happening on the system, one of the drawbacks of the method I described is that it…
If you've been doing digital forensics or threat hunting for some time, you'll know that one of the key sources of information is the Windows event logs. Most of the talks around the Windows event logs only mention the "main" sources of logs such as "System" or "Application", even though Windows provides many sources.
To get the full logging experience one needs to enable additional logging from the Group Policy Editor or even install something like Sysmon, but what to do in the case where one cannot install or enable the aforementioned logs? Or let's say you're performing an…
Recently one of my colleagues shared with me an interesting set of blog posts called "Your AV is Trying to Tell You Something" by @bmmaloney97, where the author explores and analyzes a set of log files from Symantec Endpoint Protection (SEP for short) and uncovers a lot of interesting information stored in there. Similarly, I thought I'd take a look at Symantec EDR and try to look for interesting artifacts. In this quick blog post I describe my findings so far.
For anyone not familiar with Symantec EDR, here is a quick overview of the product (at least the…
Hello and welcome to part 2 of this blog post. If you haven’t caught the first part, please do as this is a direct continuation.
In this second part, we'll take a look at some of the most common techniques used by threat actors and malware authors, from initial access to data exfiltration. We'll see how we can identify these kinds of techniques by looking at logs and discuss some detection opportunities. So let's get started.
Note: This is not by any means an exhaustive list of all the techniques out there; different actors and malware use different techniques and…