- Microsoft Dev Tunnels: Tunnelling C2 and More
  Attackers utilise Microsoft Dev Tunnels to establish undetected command and control (C2) channels, hiding in legitimate traffic. Their methods include using tunnel domains that pass through security controls because of the trust placed in Microsoft. Detection remains difficult because the attacker's software may not be present on victim machines, complicating defensive efforts.
- SVCHost.exe and Internet Sharing Triage
  Intro: I recently had an interesting case, which involved some digging into SVCHost.exe and the command line parameters passed to it. The Scenario: It started with an alert for a large number of DNS requests associated with an InfoStealer, ViperSoftX, from a user laptop. There were thousands of requests to the domains in a 90-minute period. Looking at the Endpoint telemetry available for the device, I could see…
- Virtual Machine Aware Phishing Sites
  The Phish Page: Recently I came across an interesting phishing page which, when I browsed to it, showed nothing but a blank white page. There was no 404 or server-not-found error, just an empty page. I found this curious, so I looked at the source code for the page. Much of the page was junk; however, after scrolling to the bottom, I did notice a script that…
- A Guide to Threat Hunting in a SOC
  Introduction: You'd be forgiven for thinking that Threat Hunting is just another cyber buzzword spreading throughout the industry, the latest term used to push more product and managed services on a SOC. The reality, however, is that Threat Hunting is an extremely valuable skill and one that every SOC should have. In fact, I believe that Threat Hunting provides more value than the traditional approach that…
- Cobalt Strike – Bypassing C2 Network Detections
  Intro: In this mini-post, we're going to look at how to easily bypass network detections for Cobalt Strike beacons. Many AV products, like Symantec Endpoint Protection (SEP), have network detection capabilities that monitor traffic passing through a device's network interface. Additionally, IDS and IPS also have basic detections for C2 traffic. These detections are essentially looking for specific byte patterns in network packets. For popular tools like Cobalt…
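  The excerpt above makes the point that most network C2 detections are pattern matches on packet content, so a beacon whose observable fields differ from the signatured ones sails past them. The following is an added illustration, not code from the original post and not Cobalt Strike's real default profile: the sample HTTP requests, the URI, cookie name, User-Agent and the three signatures are all constructed placeholders chosen to show the mechanism.

```python
import re

# Constructed sample traffic (not real captures). DEFAULT_LIKE is shaped the
# way a check-in using an unmodified, well-known profile might look; MODIFIED
# is the same check-in after the signatured fields were changed. All values
# are hypothetical placeholders, not Cobalt Strike defaults.
DEFAULT_LIKE = (
    b"GET /beacon-checkin HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n"
    b"Cookie: SESSIONID=" + b"A" * 44 + b"\r\n\r\n"
)

MODIFIED = (
    b"GET /api/v2/status HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
    b"Cookie: sid=abcd1234\r\n\r\n"
)

# Hypothetical content signatures of the kind an IDS/IPS or endpoint network
# engine applies: each is a fixed byte pattern tied to one field of the
# default-looking request. Change that field and the rule has nothing to hit.
SIGNATURES = [
    ("hypothetical_beacon_uri",
     re.compile(rb"^GET /beacon-checkin ", re.M)),
    ("hypothetical_ie9_user_agent",
     re.compile(rb"User-Agent: Mozilla/5\.0 \(compatible; MSIE 9\.0; Windows NT 6\.1\)")),
    ("hypothetical_long_base64_cookie",
     re.compile(rb"Cookie: SESSIONID=[A-Za-z0-9+/=]{40,}")),
]


def match_signatures(packet: bytes, signatures=SIGNATURES) -> list[str]:
    """Return the names of every signature whose pattern occurs in `packet`.

    This mirrors the content-matching step of a network detection: no state,
    no timing analysis, just "does this byte pattern appear in the payload".
    """
    return [name for name, pattern in signatures if pattern.search(packet)]


if __name__ == "__main__":
    for label, pkt in (("default-like", DEFAULT_LIKE), ("modified", MODIFIED)):
        hits = match_signatures(pkt)
        print(f"{label:13s} -> {hits if hits else 'no signature hits'}")
```

  Running it shows the default-looking request tripping all three rules while the modified request trips none, even though both carry the same check-in to the same host. The defensive takeaway is the mirror image of the post's offensive one: content signatures for a configurable framework are a weak primary control, and detections should also key on things the operator cannot cheaply change, such as regular beacon timing, consistent request sizes or the JA3/TLS fingerprint of the implant.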