Active Countermeasures

Detection often relies on consistency. ZetaSwitch relies on the opposite. By pivoting between DNS and HTTP, this C2 creates a moving target for defenders. We simulated the traffic with @faanross to show how to hunt this hybrid threat. Read more: activecountermeasures.com/malware-of-the…

Defenders watch one channel. Numinon C2 uses two. By splitting traffic between HTTP and DNS, it hides in plain sight. We simulated and analyzed the traffic with @faanross to see how it bypasses detection. Read: activecountermeasures.com/malware-of-the…

@saidesheikh @BHinfoSecurity Hey there, yes our webcasts are always recorded, you can find them at our YouTube channel, here's the link to the latest one: youtube.com/watch?v=ccgdD2…

@BHinfoSecurity @ActiveCmeasures @BHinfoSecurity @ActiveCmeasures will this be recorded?

The next free monthly one-hour training session with @ActiveCmeasures is on Threat Hunting C2: DNS TXT Record Abuse w/ Faan Rossouw! Join us for a free monthly one-hour training session on command & controls and malicious traffic with Faan Rossouw (Active Countermeasures) and learn a stealthy C2 technique that bypasses common DNS tunneling detections and how to catch it. Register: events.zoom.us/ev/Aqb16UU6sZM…

Is your DNS traffic hiding active C2? Join @faanross to learn how attackers abuse TXT records to bypass common tunneling detections. Reminder: Chat is in the BHIS Discord #live-chat for HACK IT credit. Date: Feb 20 Time: 12:00 PM EST Register: events.zoom.us/ev/Aqb16UU6sZM…

A predictable heartbeat is easy to find. Merlin C2 uses data jitter to make its pulse irregular and invisible. @faanross simulated and analyzed the traffic to show why it hides so effectively. Read: activecountermeasures.com/malware-of-the…

IP blocks fail when an attacker has trillions of identities. IPv6 address aliasing turns one host into a ghost. We simulated and analyzed this traffic with @faanross to help you hunt the technique. activecountermeasures.com/malware-of-the…

The ocean is vast. Without a compass, you aren't sailing; you’re drifting. Network security is the same. Even with the best ship, if you lack a map, you're lost at sea. Turn MITRE ATT&CK from a bingo card into your roadmap. New from @faanross: activecountermeasures.com/the-mitre-attc…

An IcedID loader is often just an open door for ALPHV ransomware. @faanross simulated the attack and analyzed the traffic to pinpoint the pivot. Recognition is the key to defense. Read here: activecountermeasures.com/malware-of-the…

The signal evolved, but the hunt remains. @faanross simulated and analyzed complex C2 beaconing to reveal the unusual ways traffic hides in plain sight. This insight is what turns the tide for defenders. Read Part 2: activecountermeasures.com/malware-of-the…

The adversary hides in the encryption you provide. When DNS goes dark, defenders go blind. @faanross simulated and analyzed the traffic to find the signal. activecountermeasures.com/malware-of-the…

Malware doesn't scream; it whispers in a rhythm. @faanross simulated and analyzed C2 traffic to decode these hidden heartbeats. Recognizing the pattern is how you find the breach. Read here: activecountermeasures.com/malware-of-the…

A clock sync seems harmless until it becomes a backdoor. @faanross explores how Gomesa hides C2 in NTP traffic. We simulated and analyzed this traffic to reveal what defenders often miss. activecountermeasures.com/malware-of-the…

An algorithm finds the hash, but it can't find the why. When attackers pivot, they aren't just changing code they're testing your intuition. Automation has a ceiling; human hunting doesn't. Learn why context is the key to the game: activecountermeasures.com/context-over-c…

What happens when DFIR tools are used for harm? Join Episode 6 of Command & Convo this Friday to see how threat actors misuse Velociraptor for C2. As part of our hunt-it program, join the new chat location here: discord.com/invite/BHIS Register here: events.zoom.us/ev/Ak_PCWcDNDa…

We simulated the traffic to see what your logs won't show. Microsoft Dev Tunnels allow RDP to blend into legitimate streams, bypassing standard blocks. See @faanross's analysis on how to detect this hidden activity: activecountermeasures.com/malware-of-the…

What happens when legitimate DFIR tools are used for harm? Join Episode 6 of Command & Convo to see how threat actors misuse Velociraptor for C2 and how to hunt for these pivots. Date: Jan 9 Time: 1:00 PM EST Register: events.zoom.us/ev/Ak_PCWcDNDa…

A simple tool in the wrong hands becomes a silent backdoor. We simulated XenoRAT to analyze its SOCKS5 reverse proxy techniques. For defenders, spotting these patterns is vital to stopping the threat. Read the analysis by @faanross: activecountermeasures.com/malware-of-the…

A foundational protocol designed for network health is being weaponized by threat actors. ICMP, the simple troubleshooting tool, can be used to bypass defenses and maintain a covert C2 channel. Is your team hunting the echoes? Read the analysis: activecountermeasures.com/malware-of-the…

You blocked the IPs, but the payload still arrived. How? It came in over DNS. Joker Screenmate hides tools and data inside TXT records, delivering malware under the cover of normal-looking DNS traffic. More here: activecountermeasures.com/malware-of-the…

You don't want to miss next week's guest webcast!