
I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.

Hello and welcome to part 5 of “Understanding & Detecting C2 Frameworks”. You can read the previous blog posts below.

Today we’re going to analyze the C2 PoC “DarkFinger”.

DarkFinger-C2

The “DarkFinger C2” was created by hyp3rlinx as a proof of concept to showcase how someone can use the “finger.exe” utility as a channel for command and control. The server portion is written in Python and the agent is…


In the first post of this series about Symantec EDR Internals, I talked about “Criterion”, a machine learning engine used by SEDR to detect files in the gray area. If you haven't read it, please do (link below).

For this post we’ll talk about a feature of SEDR called enrichment and how it works.

Enrichment Overview

From the Oxford dictionary, enrichment is:

The action of improving or enhancing the quality or value of something

In the context of detection and EDR, enrichment is the idea of adding or giving context to an event or any other piece of collected data.

So let’s say…


Hello and welcome to the fourth blog post in this series about understanding and detecting C2 frameworks.

As always, if you haven’t checked the previous blogs, please do via the following links.

Without further ado, let’s get started.

BabyShark

This is a basic C2 generic server written in Python and Flask.

This code is based on the idea of GTRS, which uses Google Translator as a proxy for sending commands to the infected host. The BabyShark project aims…


Introduction

Hello and welcome to the third blog post in this series about understanding and detecting C2 frameworks.

If you haven't checked the previous blogs, please do, as we’ve already analyzed both “Ares” and “TrevorC2”.

Today we’re gonna take a look at a framework created by “onSec-fr” called “HTTP/S Asynchronous Reverse Shell” (HARS). It is still in a PoC phase but interesting nonetheless. Without further ado, let’s get started.

HTTP/S Asynchronous Reverse Shell

Before we dive into the code. …


Introduction

Hello and welcome to the second blog post of this series about understanding and detecting C2 frameworks. If you haven't read the first blog, I highly suggest you do, to get a feel for what I’ll be talking about today.

The next C2 framework I decided to look at today is “Trevor C2” by TrustedSec. Let’s get started.

TrevorC2

Here is a definition from their GitHub repository:

TrevorC2 is a client/server model for masking command and control through a normally browsable website. Detection becomes much harder as time intervals are different and it does not use POST requests for data exfil.

So…


Introduction

Hello and welcome to this new blog series titled “Understanding & Detecting C2 Frameworks”. In the coming weeks and months, I’ll be doing some analysis and deep dives into old and new open source C2 frameworks, analyzing the source code and trying to understand the inner workings, in the hope of getting more insight into the techniques used in these different tools. So without further ado, let’s start this one with a relatively simple and old framework (RAT) named “Ares” by “sweetsoftware”.

Ares

Here is a definition from their GitHub repository:

Ares is a Python Remote Access Tool. …


In recent weeks I’ve been doing some research into Symantec EDR and looking into the technologies that are used to generate the incidents and events inside the platform, in the hope of getting a better understanding of the detection process and mechanisms within.

Seeing a file classified as malicious or an incident being declared is all good and well. …


A couple of weeks ago I was tuning a log configuration in my lab and I encountered an event being generated quite often. (See below)

Seeing the “cscript” utility being used is always a point of interest for me, especially in this case, since the process launching it was the Symantec AV service host process (ccSvcHst.exe).

I decided to investigate and dig a little deeper into the origin of this behavior. So I fired up Process Monitor on the host machine and waited a little bit. …


Last week I wrote a blog post about an interesting forensic artifact related to the Symantec EDR (localdatastore) that can be found inside the Symantec SEP “program data” folder. If you haven’t read it, I suggest you do before continuing, as this is a direct continuation.

Last time I focused on the “.log” file that was being generated by the Symantec EDR while it was writing the collected events to the “.ldb” files. While this file can contain a ton of information about events happening on the system, one of the drawbacks of the method I described is that it…


Event Viewer

If you’ve been doing digital forensics or threat hunting for some time, you’ll know that one of the key sources of information is the Windows event logs. Most of the talks around the Windows event logs only mention the “main” sources of logs such as “System” or “Application”, even though Windows provides many more sources.

To get the full logging experience one needs to enable additional logging from the Group Policy Editor or even install something like Sysmon, but what to do in the case where one cannot install or enable the aforementioned logs? Or let’s say you’re performing an…

Nasreddine Bencherchali
