| |||||
| |||||
Search Irongeek.com:
Help Irongeek.com pay for bandwidth and research equipment: |
As a defender, you can recognize a potential compromise when a new WMI class appears on an endpoint that constantly connects to mflzwsyimbwkrlnvhrp.xyz. But how likely are you to notice a regular-looking Symantec virus definition file, placed in its designated folder, on a machine that,s communicating with a Wikipedia-based C&C, about once a week and only after previous, legitimate visits to the site? Or a malware saving keystrokes to a Word dictionary file, reading it five days later using Outlook, embedding the captured data in an email header to a legitimate-looking recipient?
This talk will cover common and uncommon channels attackers can use to communicate and hide information. From prefetch files and Search Index to event logs and Recent Documents, free disk space, Excel templates, and many otherwise inconspicuous objects, the goal of this talk is to show that a clever attacker can hide anywhere that is considered too normal and noisy to monitor.
Aelon Porat is an information security manager at Cision. He has extensive experience attacking and defending corporate environments.
Recorded at BSides Philly 2017
15 most recent posts on Irongeek.com:
|
If you would like to republish one of the articles from this site on your
webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast