Chris McNab

15 issues by Chris McNab

An increasing amount of malware is using non-ICANN domains (e.g. `.bazar` as used by [Team9](https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/)) for C2, which are resolved via OpenNIC servers that we mark within Wisdom as `alt_dns`....

low priority

SCTP can be used to bypass monitoring and filtering, along the lines of http://0x27.me/ssh/sctp/privacy/security/evasion/2015/07/27/SSH-Over-SCTP/. It's a different protocol than TCP or UDP, and I'd like to do some marketing around...

enhancement

DNS tunneling over DNS-over-HTTPS (DoH) to `*.sandbox.alphasoc.xyz` via a random public server picked from the list below.

```
https://dns.google/dns-query
https://cloudflare-dns.com/dns-query
https://dns.quad9.net/dns-query
https://doh.opendns.com/dns-query
https://doh.powerdns.org -- shutdown planned for 15.09.2021 according to...
```

enhancement

As per https://github.com/krmaxwell/dns-exfiltration we should synthesize Base64 encoding and exfiltration of data to hostnames under `base64.alphasoc.xyz`, as below:

1. Generate a long random binary value from `/dev/random` or similar
2. ...

enhancement

We should synthesize a large outbound FTP transfer to a valid service endpoint that we control (e.g. `ftp.sandbox.alphasoc.xyz`) by using `/dev/random` or similar, establishing a connection, and uploading the content....

enhancement

It seems we can spoof JARM server fingerprints, i.e. https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b. The idea would be to set up a TLS server and have _flightsim_ interact with it to generate the bad...

enhancement

We should synthesize [Gcat](https://github.com/byt3bl33d3r/gcat) / [Gdog](https://github.com/maldevel/gdog) traffic if possible. Let's knock around some ideas.

enhancement

This will require some research and integration. We'll need to have `flightsim` set up a Tor circuit. Output would look something like this:

```
Time      Module   Description
--------------------------------------------------------------------------------
11:26:01  tor...
```

enhancement
low priority

Similar to https://github.com/alphasoc/nfr/issues/71. Reading the documentation, Bro doesn't have JA3 values in their `ssl.log` officially. I need to ask Corelight about this and get the data format and details so...

These sections are missing `http` it seems:

https://github.com/alphasoc/nfr/blob/44ae68a6b3c0e9a5d777521c7699c3e8ca83d1a6/config.yml#L28-L35
https://github.com/alphasoc/nfr/blob/44ae68a6b3c0e9a5d777521c7699c3e8ca83d1a6/config.yml#L67-L69