A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Abusing Normality: Data Exfiltration in Plain Site - Aelon Porat BSides Philadelphia 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)

Abusing Normality: Data Exfiltration in Plain Site
Aelon Porat

BSides Philadelphia 2017

As a defender, you can recognize a potential compromise when a new WMI class appears on an endpoint that constantly connects to mflzwsyimbwkrlnvhrp.xyz. But how likely are you to notice a regular-looking Symantec virus definition file, placed in its designated folder, on a machine that,s communicating with a Wikipedia-based C&C, about once a week and only after previous, legitimate visits to the site? Or a malware saving keystrokes to a Word dictionary file, reading it five days later using Outlook, embedding the captured data in an email header to a legitimate-looking recipient? This talk will cover common and uncommon channels attackers can use to communicate and hide information. From prefetch files and Search Index to event logs and Recent Documents, free disk space, Excel templates, and many otherwise inconspicuous objects, the goal of this talk is to show that a clever attacker can hide anywhere that is considered too normal and noisy to monitor.

Aelon Porat is an information security manager at Cision. He has extensive experience attacking and defending corporate environments.

Recorded at BSides Philly 2017

Back to BSides Philly video list

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast