
Cracking the Beacon: Automating The Extraction of Implant Configurations

SANS DFIR Summit 2022

Speakers: Derek Ditch & Jessica David

Threat Hunting

Threat actors and red team members routinely use turnkey offensive security tools such as Cobalt Strike and other commodity malware to carry out intrusion campaigns and to emulate adversary behavior. Many of these tools are designed to validate detection capabilities, but in the wrong hands they can be configured to operate abusively. These generic offensive platforms carry a wealth of information about a campaign's configuration, and as a defender, knowing that information can significantly help you dismantle malicious campaigns and proactively defend your network. This talk will focus on collecting memory segments from several malware families, extracting and parsing their configurations, writing the data back into an open-source data analytics platform, and use cases showing how defenders can use this data to impose costs on adversary activities and campaigns. The collection, extraction, parsing, and analysis will be accomplished with open-source tools we have released to the community.
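The abstract names the extraction-and-parsing step without showing it. The block below is an added illustration written for this page, not the speakers' released tooling: it scans a memory segment for a Cobalt Strike-style beacon configuration, strips the single-byte XOR that the two major generations use (0x69 for 3.x, 0x2E for 4.x), and walks the big-endian index/type/length entries into a dictionary. The sample segment, the dummy key bytes, the C2 string and the padding are constructed for the example, and only a handful of the publicly documented field indices are given names; everything else is reported by number.

```python
"""Locate and parse a Cobalt Strike-style beacon config inside a memory segment.

Added example for this page, not the speakers' tooling. The layout is the
publicly documented one: single-byte XOR (0x69 for 3.x, 0x2E for 4.x) over a
sequence of big-endian entries (u16 index, u16 type, u16 length, value).
"""
import struct

XOR_KEYS = {3: 0x69, 4: 0x2E}               # generation -> XOR key
CONFIG_MAGIC = b"\x00\x01\x00\x01\x00\x02"  # decoded start: index 1, type short, len 2

# Subset of documented field indices; unknown indices are reported as Field<n>.
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
               5: "Jitter", 7: "PublicKey", 8: "C2Server", 9: "UserAgent",
               10: "HttpPostUri"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(segment: bytes):
    """Return (offset, generation) of the first XOR-encoded config magic, else None."""
    for generation, key in XOR_KEYS.items():
        off = segment.find(xor_bytes(CONFIG_MAGIC, key))
        if off != -1:
            return off, generation
    return None


def parse_config(decoded: bytes) -> dict:
    """Walk decoded TLV entries until an index of 0 (padding) or end of data."""
    fields, pos = {}, 0
    while pos + 6 <= len(decoded):
        idx, typ, length = struct.unpack(">HHH", decoded[pos:pos + 6])
        if idx == 0:
            break
        pos += 6
        raw = decoded[pos:pos + length]
        if len(raw) < length:
            raise ValueError(f"entry {idx} truncated at offset {pos}")
        pos += length
        if typ == 1 and length == 2:        # short
            value = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:      # int
            value = struct.unpack(">I", raw)[0]
        elif typ == 3:                      # bytes: ASCII if printable, else hex
            stripped = raw.rstrip(b"\x00")
            printable = all(0x20 <= c < 0x7F for c in stripped)
            value = stripped.decode("ascii") if printable else stripped.hex()
        else:
            raise ValueError(f"entry {idx}: unexpected type {typ} / length {length}")
        name = FIELD_NAMES.get(idx, f"Field{idx}")
        if name == "BeaconType":
            value = BEACON_TYPES.get(value, value)
        fields[name] = value
    return fields


def extract_config(segment: bytes) -> dict:
    """End-to-end: find the magic, de-XOR from there, parse, tag with generation."""
    hit = find_config(segment)
    if hit is None:
        raise ValueError("no beacon config magic found in segment")
    offset, generation = hit
    config = parse_config(xor_bytes(segment[offset:], XOR_KEYS[generation]))
    config["CobaltStrikeVersion"] = generation
    return config


# --- constructed sample input (not captured from real malware) -----------------
def _entry(idx: int, typ: int, length: int, value: bytes) -> bytes:
    return struct.pack(">HHH", idx, typ, length) + value.ljust(length, b"\x00")


SAMPLE_PLAINTEXT = b"".join([
    _entry(1, 1, 2, b"\x00\x08"),                       # BeaconType HTTPS
    _entry(2, 1, 2, struct.pack(">H", 443)),            # Port
    _entry(3, 2, 4, struct.pack(">I", 60000)),          # SleepTime (ms)
    _entry(5, 1, 2, struct.pack(">H", 25)),             # Jitter (%)
    _entry(7, 3, 256, bytes(range(256))),               # dummy key bytes, not a real key
    _entry(8, 3, 256, b"203.0.113.10,/load"),           # C2Server (documentation IP)
    _entry(9, 3, 128, b"Mozilla/5.0 (Windows NT 10.0)"),
    _entry(10, 3, 64, b"/submit.php"),
]) + b"\x00" * 8                                        # zero padding terminates the walk

# Fake "memory segment": junk, then the 4.x-encoded config, then more junk.
SAMPLE_SEGMENT = b"\x00" * 32 + b"PADDING" + xor_bytes(SAMPLE_PLAINTEXT, 0x2E) + b"\x00" * 32

if __name__ == "__main__":
    for k, v in extract_config(SAMPLE_SEGMENT).items():
        print(f"{k:20} {v}")
```

Searching for the XOR-encoded magic rather than for the key itself is what lets the same routine work on a raw process dump, a carved region, or a beacon DLL on disk; pointing it at one injected region at a time keeps false hits low, and the `ValueError` on a truncated entry is the signal to widen the carve rather than trust a half-parsed config.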

View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE

Video "Cracking the Beacon: Automating The Extraction of Implant Configurations" from the channel SANS Digital Forensics and Incident Response
Video information
23 November 2022, 1:25:26
00:27:28