Search For Content
Search Result
55 item(s) found so far for this keyword.
Tor Network C2
Tor is a free and open-source network that enables anonymous communication. It uses a network of volunteer-operated servers, known as "relays," to route internet traffic in a way that conceals the user's location and usage from surveillance and traffic analysis. By routing traffic through multiple relays, Tor makes it difficult to trace internet activity back to the user.
Malware …
Read moreC2 via Social Networks
Malware often relies on a communication channel with its operator in order to receive instructions and updates. This channel is known as a command and control (C&C or C2) channel. C&C channels can take various forms, such as internet relay chat (IRC), peer-to-peer protocols, and even social media. The use of C&C channels allows the operator to remotely control the …
Read moreIndicator Removal: Network Share Connection Removal
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \system\share /delete command.
Read moreIndicator Removal: Clear Network Connection History and Configurations
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze …
Read moreDisabling Antivirus
Some forms of malware are programmed to disable antivirus software and evade detection by security measures. These malicious programs can use specific commands or techniques to undermine the antivirus software's effectiveness and remain hidden from detection..
Read moreFast Flux
Fast flux is a technique used by botnets to conceal the location of their phishing and malware delivery sites by using a constantly changing network of compromised hosts as proxies. This makes it difficult for law enforcement and other security actors to track down and shut down the sites, as the IP addresses of the sites are constantly changing.
…
Read moreDNS Tunneling
DNS tunneling is a technique that uses the Domain Name System (DNS) protocol to transfer data in an encrypted and covert manner. It involves encoding the data of other programs or protocols in DNS queries and responses, and using DNS servers as a means of communication.
To carry out DNS tunneling, the attacker typically needs access to a compromised …
Read morePeer to peer C2
Peer-to-peer (P2P) botnets are a type of botnet that uses a decentralized network structure, without a central command and control (C&C) server. Each infected machine in a P2P botnet maintains a list of other trusted computers (including other infected machines), as well as information drop locations and locations where the malware can be updated. Some P2P botnets also use encryption …
Read moreUnloading Sysmon Driver
Sysmon is a tool that can be used to monitor system activity on Windows systems. It records various types of events, such as process creation, network connections, and registry changes, and stores them in the Windows Event Log. Security analysts can use this information to detect and investigate malicious activity on a system.
One way that malware can evade …
Read moreDomain Fronting
Domain fronting is a technique used to hide the true destination of internet traffic. It may be used to hide the real destination of an offensive payload or is could be used to bypass censorship or any form of network restriction. The technique may be used through CDN infrastructure or on any infrastructure that perform separation between SSL and http …
Read more