Cracking the Beacon: Automating The Extraction of Implant Configurations
SANS DFIR Summit 2022
Speakers: Derek Ditch & Jessica David
Threat Hunting
Threat actors and red team members routinely use turnkey offensive security tools such as Cobalt Strike and other commodity malware to carry out intrusion campaigns and emulate adversary behavior. Many of these tools are designed to validate security detection capabilities, but in the wrong hands they can be configured to operate abusively. These generic offensive platforms carry a wealth of information about the campaign configuration (C2 servers, ports, sleep and jitter, user agents, URIs, and more). As a defender, knowing this information can significantly equip you to dismantle malicious campaigns and proactively defend your network. This talk focuses on collecting memory segments from several malware families, extracting and parsing configurations, writing the data back into an open-source data analytic platform, and use cases showing how defenders can use this data to impose costs on adversary activities and campaigns. The collection, extraction, parsing, and analysis are accomplished with open-source tools the speakers have released to the community.
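As an added illustration of the extract-and-parse step described above (this is example code written for this page, not the speakers' tooling and not taken from the talk), the block below scans a memory buffer for a Cobalt Strike Beacon configuration block, decodes it and walks its settings. It assumes the publicly documented Beacon config layout: the block is XOR-encoded byte-wise with 0x69 (3.x) or 0x2E (4.x), decodes to big-endian TLV records `<index:u16><type:u16><length:u16><value>` (type 1 = u16, type 2 = u32, type 3 = raw bytes) terminated by index 0, and always begins with index 1 (BeaconType), so the encoded prefix `00 01 00 01 00 02` serves as the search signature. The setting names and BeaconType values follow community parsers and are assumptions here; the memory buffer, the TEST-NET C2 address and every other input are constructed for the example.

```python
"""Added example: find and parse Cobalt Strike Beacon configs in a memory buffer.

Assumptions (public layout, not from the talk): byte-wise XOR with 0x69 or 0x2E,
big-endian TLV <index u16><type u16><length u16><value>, index 0 terminates.
"""
import re
import struct
from typing import Dict, List, Tuple, Union

XOR_KEYS = (0x69, 0x2E)                  # Cobalt Strike 3.x and 4.x config keys
SIGNATURE = b"\x00\x01\x00\x01\x00\x02"  # index 1 (BeaconType), type 1, length 2

# Setting names as used by community parsers (assumed); unknown indexes are kept by number.
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    6: "MaxDNS", 7: "PublicKey", 8: "C2Server", 9: "UserAgent",
    10: "HttpPostUri", 13: "SpawnTo", 14: "PipeName", 37: "Watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}

Value = Union[int, bytes]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def parse_tlv(decoded: bytes) -> Dict[str, Value]:
    """Walk decoded TLV records until the terminating index 0 or truncation."""
    settings: Dict[str, Value] = {}
    off = 0
    while off + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, off)
        off += 6
        if idx == 0:
            break
        raw = decoded[off:off + length]
        if len(raw) < length:
            break                                   # config truncated at segment end
        off += length
        if typ == 1 and length == 2:
            val: Value = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            val = struct.unpack(">I", raw)[0]
        else:
            # Strings are NUL-padded to fixed widths; keep the key blob intact.
            val = raw if idx == 7 else raw.rstrip(b"\x00")
        settings[SETTING_NAMES.get(idx, f"Setting_{idx}")] = val
    return settings


def find_beacon_configs(memory: bytes, window: int = 4096) -> List[Dict[str, Value]]:
    """Try each known XOR key and return every plausible config block, by offset."""
    found = []
    for key in XOR_KEYS:
        for m in re.finditer(re.escape(xor_bytes(SIGNATURE, key)), memory):
            cfg = parse_tlv(xor_bytes(memory[m.start():m.start() + window], key))
            if len(cfg) >= 3:                       # discard signature collisions
                cfg["_xor_key"] = key
                cfg["_offset"] = m.start()
                found.append(cfg)
    found.sort(key=lambda c: c["_offset"])
    return found


def beacon_type_name(cfg: Dict[str, Value]) -> str:
    return BEACON_TYPES.get(cfg.get("BeaconType"), "unknown")


# --- Constructed sample input (not a real capture) -------------------------
def build_config(records: List[Tuple[int, int, Value]], key: int) -> bytes:
    """Encode (index, type, value) records in Beacon layout, then XOR with key."""
    out = b""
    for idx, typ, val in records:
        raw = struct.pack(">H", val) if typ == 1 else struct.pack(">I", val) if typ == 2 else val
        out += struct.pack(">HHH", idx, typ, len(raw)) + raw
    return xor_bytes(out + struct.pack(">HHH", 0, 0, 0), key)


SAMPLE_SETTINGS: List[Tuple[int, int, Value]] = [
    (1, 1, 8),                                                   # BeaconType = HTTPS
    (2, 1, 443),                                                 # Port
    (3, 2, 60000),                                               # SleepTime (ms)
    (4, 2, 1048576),                                             # MaxGetSize
    (5, 1, 20),                                                  # Jitter (%)
    (8, 3, b"203.0.113.10,/jquery-3.3.1.min.js".ljust(256, b"\x00")),   # C2Server (TEST-NET)
    (9, 3, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)".ljust(128, b"\x00")),
    (10, 3, b"/jquery-3.3.2.min.js".ljust(64, b"\x00")),         # HttpPostUri
    (37, 2, 0),                                                  # Watermark
]


def constructed_memory() -> bytes:
    """Fake process memory: filler, a 4.x-keyed config, filler, a 3.x-keyed stub."""
    filler = b"\x90" * 64
    return (filler + build_config(SAMPLE_SETTINGS, 0x2E)
            + filler + build_config(SAMPLE_SETTINGS[:5], 0x69) + filler)


if __name__ == "__main__":
    for c in find_beacon_configs(constructed_memory()):
        print(hex(c["_offset"]), hex(c["_xor_key"]), beacon_type_name(c), c.get("C2Server"))
```

On a real dump you would feed the readable, private, executable regions of the suspect process (where injected Beacon reflective loaders live) rather than the whole image, and emit the parsed dictionary as one JSON document per hit so it can be indexed alongside the host, PID and region metadata.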
View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE
Video: Cracking the Beacon: Automating The Extraction of Implant Configurations, from the SANS Digital Forensics and Incident Response channel
Video information
Published 23 November 2022, 1:25:26
00:27:28