As with previous workshops, the following blog provides a final step-by-step guide to recreating the demos from the C2 and Exfiltration workshop, as well as exercises to further the reader's understanding of the concepts shown. A recording of the workshop can be found here.

In the previous two labs (here and here), we looked at HTTP and DNS C2 channels - two common protocols that are typically permitted out of a corporate network. We also explored the detection strategies that can be employed to spot these channels using our own detection stacks, including ways to spot them being used for exfiltration. We looked at ways to analyse this traffic using attributes like user agents, URIs, packet size and uncommon DNS record types. Of course, we could also enrich these detections using external sources, such as domain categorisation and domain age.

In our final lab of the workshop, and of the series, we're going to look at a C2 technique that makes the identification of command and control channels even more challenging. We'll use C3 to establish a command and control channel over Dropbox, masking our implant traffic as file uploads and downloads. Because that traffic goes to a legitimate, long-established and categorised domain, and uses the same endpoints and client behaviour as genuine Dropbox use on the network, the request attributes and enrichment sources above give the defender far less to work with.
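To make the comparison concrete, the following is an added example (not code from the workshop or from C3) that applies the attributes listed above to a handful of constructed proxy and DNS log lines: user-agent rarity across sources, a repeated URI with constant request size, uncommon DNS record types, and enrichment from a made-up domain age/categorisation table. The log lines, the Dropbox-style user agent string, the enrichment values and the scoring thresholds are all constructed for illustration. The plain HTTP beacon lights up on every check, while the traffic to the cloud storage domain, mixed in with another host's legitimate sync activity, scores nothing, which is the gap the Dropbox channel exploits.

```python
"""Toy detection pass over constructed proxy and DNS log lines.

Scores each (source, host) pair with the attributes discussed in the workshop:
user-agent rarity, same URI with constant request size, domain age and domain
category. A separate pass counts uncommon DNS record types per source.
All data, thresholds and enrichment values are constructed for this example.
"""
from collections import Counter, defaultdict
from statistics import pstdev
from typing import Dict, List, Tuple

# Constructed proxy log: ts|src|host|method|uri|user_agent|bytes_out|bytes_in
PROXY_LOG = """\
2023-03-01T10:00:00|10.0.0.5|intranet.corp.local|GET|/news|Mozilla/5.0 (Windows NT 10.0)|612|18420
2023-03-01T10:00:05|10.0.0.5|cdn-updates.example|POST|/api/v1/beacon|Mozilla/4.0 (compatible; MSIE 6.0)|248|248
2023-03-01T10:01:05|10.0.0.5|cdn-updates.example|POST|/api/v1/beacon|Mozilla/4.0 (compatible; MSIE 6.0)|248|248
2023-03-01T10:02:05|10.0.0.5|cdn-updates.example|POST|/api/v1/beacon|Mozilla/4.0 (compatible; MSIE 6.0)|248|248
2023-03-01T10:00:12|10.0.0.7|content.dropboxapi.com|POST|/2/files/upload|DropboxClient/170.4 (hypothetical)|98210|311
2023-03-01T10:00:40|10.0.0.7|content.dropboxapi.com|POST|/2/files/download|DropboxClient/170.4 (hypothetical)|290|4096
2023-03-01T10:02:10|10.0.0.7|content.dropboxapi.com|POST|/2/files/upload|DropboxClient/170.4 (hypothetical)|5120|311
2023-03-01T10:00:13|10.0.0.9|content.dropboxapi.com|POST|/2/files/upload|DropboxClient/170.4 (hypothetical)|44000|311
2023-03-01T10:00:20|10.0.0.9|intranet.corp.local|GET|/news|Mozilla/5.0 (Windows NT 10.0)|612|18420
"""

# Constructed DNS log: ts|src|qname|qtype
DNS_LOG = """\
2023-03-01T10:00:01|10.0.0.5|intranet.corp.local|A
2023-03-01T10:00:30|10.0.0.11|a3f9c1.tunnel.example|TXT
2023-03-01T10:00:31|10.0.0.11|b7e2d0.tunnel.example|TXT
2023-03-01T10:00:32|10.0.0.11|c91a44.tunnel.example|NULL
2023-03-01T10:00:33|10.0.0.7|content.dropboxapi.com|A
"""

# Constructed enrichment table standing in for a domain age / categorisation feed.
DOMAIN_INFO = {
    "intranet.corp.local": {"age_days": 3000, "category": "internal"},
    "cdn-updates.example": {"age_days": 12, "category": "uncategorised"},
    "content.dropboxapi.com": {"age_days": 3500, "category": "cloud storage"},
}

# Record types treated as ordinary for a workstation; everything else is "uncommon".
COMMON_QTYPES = {"A", "AAAA", "CNAME", "PTR", "MX", "SRV"}
YOUNG_DOMAIN_DAYS = 30  # hypothetical threshold


def parse(log: str) -> List[List[str]]:
    """Split pipe-delimited log lines into field lists."""
    return [line.split("|") for line in log.strip().splitlines()]


def score_proxy(log: str = PROXY_LOG, info: Dict = DOMAIN_INFO) -> Dict[Tuple[str, str], Dict]:
    """Return {(src, host): {"score": int, "reasons": [...]}} for each flow."""
    rows = parse(log)
    # How many distinct sources use each user agent: a UA seen from one host only is rare.
    ua_sources = defaultdict(set)
    for _, src, _, _, _, ua, _, _ in rows:
        ua_sources[ua].add(src)
    flows = defaultdict(list)
    for _, src, host, _, uri, ua, out, inn in rows:
        flows[(src, host)].append((uri, ua, int(out), int(inn)))
    results = {}
    for key, reqs in flows.items():
        score, reasons = 0, []
        if any(len(ua_sources[ua]) == 1 for _, ua, _, _ in reqs):
            score += 2
            reasons.append("user agent unique to this source")
        uris = Counter(uri for uri, _, _, _ in reqs)
        sizes = [out for _, _, out, _ in reqs]
        # Three or more requests to one URI with identical request size looks like a beacon.
        if len(reqs) >= 3 and len(uris) == 1 and pstdev(sizes) == 0:
            score += 2
            reasons.append("same URI with constant request size")
        meta = info.get(key[1], {"age_days": 0, "category": "unknown"})
        if meta["age_days"] < YOUNG_DOMAIN_DAYS:
            score += 2
            reasons.append("domain younger than %d days" % YOUNG_DOMAIN_DAYS)
        if meta["category"] in ("uncategorised", "unknown"):
            score += 1
            reasons.append("domain uncategorised")
        results[key] = {"score": score, "reasons": reasons}
    return results


def uncommon_dns(log: str = DNS_LOG) -> Dict[str, Counter]:
    """Count queries per source whose record type is outside COMMON_QTYPES."""
    counts = defaultdict(Counter)
    for _, src, _, qtype in parse(log):
        if qtype not in COMMON_QTYPES:
            counts[src][qtype] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, host), r in sorted(score_proxy().items()):
        print(f"{src:10} {host:24} score={r['score']} {r['reasons']}")
    print("uncommon DNS record types:", uncommon_dns())
```

Running it scores the beacon to cdn-updates.example at 7 and every Dropbox flow at 0, and attributes the TXT and NULL queries to 10.0.0.11. Swap in your own proxy and DNS exports with the same field order to see how your estate's baseline looks; the thresholds are deliberately simple and should be tuned to the real distribution of user agents and request sizes.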