
jos-ir / CnC-detection

Licence: other
Detecting PowerShell Empire, Metasploit Meterpreter and Cobalt Strike agents by payload size sequence analysis and host correlation

Programming Languages: Zeek

Projects that are alternatives of or similar to CnC-detection

Ms17 010 Python
MS17-010: Python and Meterpreter
Stars: ✭ 305 (+1933.33%)
Mutual labels:  meterpreter, metasploit
Eggshell
iOS/macOS/Linux Remote Administration Tool
Stars: ✭ 1,286 (+8473.33%)
Mutual labels:  meterpreter, metasploit
Technowhorse
TechNowHorse is a RAT (Remote Administrator Trojan) Generator for Windows/Linux systems written in Python 3.
Stars: ✭ 189 (+1160%)
Mutual labels:  meterpreter, metasploit
MsfMania
Python AV Evasion Tools
Stars: ✭ 388 (+2486.67%)
Mutual labels:  meterpreter, metasploit
trolo
trolo - an easy to use script for generating Payloads that bypasses antivirus
Stars: ✭ 45 (+200%)
Mutual labels:  meterpreter, metasploit
scemu
x86 malware emulator
Stars: ✭ 150 (+900%)
Mutual labels:  metasploit, cobaltstrike
Autopwn
A simple bash based metasploit automation tool!
Stars: ✭ 99 (+560%)
Mutual labels:  meterpreter, metasploit
REW-sploit
Emulate and Dissect MSF and *other* attacks
Stars: ✭ 115 (+666.67%)
Mutual labels:  metasploit, cobaltstrike
Malleable-C2-Profiles
Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike & Empire.
Stars: ✭ 168 (+1020%)
Mutual labels:  empire, cobaltstrike
Metasploit Cheat Sheet
Metasploit Cheat Sheet 💣
Stars: ✭ 139 (+826.67%)
Mutual labels:  meterpreter, metasploit
A Red Teamer Diaries
RedTeam/Pentest notes and experiments tested on several infrastructures related to professional engagements.
Stars: ✭ 382 (+2446.67%)
Mutual labels:  meterpreter, metasploit
Apkinfector
Advanced Android AV Evasion Tool Written In Python 3 that can Embed/Bind meterpreter APK to any Legitimate APK
Stars: ✭ 105 (+600%)
Mutual labels:  meterpreter
Python Rootkit
Python Remote Administration Tool (RAT) to gain meterpreter session
Stars: ✭ 358 (+2286.67%)
Mutual labels:  meterpreter
Ghostshell
Malware indetectable, with AV bypass techniques, anti-disassembly, etc.
Stars: ✭ 293 (+1853.33%)
Mutual labels:  meterpreter
Powershell Reverse Http
😇 A Powershell exploit service that opens a reverse http connection via meterpreter
Stars: ✭ 104 (+593.33%)
Mutual labels:  meterpreter
Egesploit
EGESPLOIT is a golang library for malware development
Stars: ✭ 275 (+1733.33%)
Mutual labels:  meterpreter
Terminhack
👨‍💻 Impress your friends by pretending to be a real hacker
Stars: ✭ 73 (+386.67%)
Mutual labels:  metasploit
ETWNetMonv3
ETWNetMonv3 is simple C# code for Monitoring TCP Network Connection via ETW & ETWProcessMon/2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detection by VirtualMemAlloc Events (in-memory) etc.
Stars: ✭ 32 (+113.33%)
Mutual labels:  meterpreter
Macro pack
macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify exploitation, antimalware bypass, and automatize the process from malicious macro and script generation to final document generation. It also provides a lot of helpful features useful for redteam or security research.
Stars: ✭ 1,072 (+7046.67%)
Mutual labels:  meterpreter
Arcanus
ARCANUS is a customized payload generator/handler.
Stars: ✭ 130 (+766.67%)
Mutual labels:  meterpreter

Detecting domain fronted C&C channels

C&C beacons poll the C&C server for further instructions. These beacons often produce a stream of packets sharing the same payload size, which offers an opportunity for detection. The Bro scripts cnc_type1 and cnc_type2 aim to detect C&C traffic by leveraging the lack of payload size variance in a stream of TCP packets within a TCP flow. When C&C traffic is detected, the script requests process information from the endpoint, such as the name and path of the process responsible for initiating the C&C traffic. Giving an analyst both host-level and network-level information allows for faster decision making; an example alert is shown below:

[Image: example alert]

The two Bro scripts cnc_type1.bro and cnc_type2.bro can be run simultaneously. The first detects C&C traffic by leveraging the lack of payload size variance in a sequence of packets within one TCP flow. Since malware agents often create a new connection for each call to the C&C server, a second script was needed: it detects C&C traffic by leveraging the lack of TCP flow size variance in a sequence of TCP flows to the same IP address.

The scripts successfully detect C&C channels launched with agents from PowerShell Empire, Metasploit Meterpreter and Cobalt Strike. Although false positives are raised, the ability to whitelist a falsely raised alert based on its process information reduces the number of false positives over time with little effort.
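As an added illustration, not the repository's Zeek code, here are the two heuristics re-implemented in Python and run over constructed packet and flow records. The minimum sequence length and the allowed spread are assumptions; the page does not state the thresholds the scripts actually use.

```python
"""Toy re-implementation of the cnc_type1 / cnc_type2 heuristics (added example)."""
from collections import defaultdict
from statistics import pstdev

# Assumed tuning knobs: the Zeek scripts' real thresholds are not given on the page.
MIN_SEQUENCE = 5        # sizes needed before a sequence is judged at all
MAX_STDEV_RATIO = 0.05  # allowed spread, as standard deviation / mean


def low_variance(sizes):
    """True when a sequence of sizes is long enough and nearly constant."""
    if len(sizes) < MIN_SEQUENCE:
        return False
    mean = sum(sizes) / len(sizes)
    return mean > 0 and pstdev(sizes) / mean <= MAX_STDEV_RATIO


def detect_type1(packets):
    """Type 1: constant payload sizes within one TCP flow.
    packets: (flow_id, payload_len) tuples, client->server direction, in order."""
    per_flow = defaultdict(list)
    for flow_id, plen in packets:
        if plen > 0:                      # skip pure ACKs / keepalives
            per_flow[flow_id].append(plen)
    return [f for f, s in per_flow.items() if low_variance(s)]


def detect_type2(flows):
    """Type 2: constant flow sizes across many short flows to the same server.
    flows: (src_ip, dst_ip, orig_bytes) tuples, one per completed TCP flow, in order."""
    per_pair = defaultdict(list)
    for src, dst, nbytes in flows:
        per_pair[(src, dst)].append(nbytes)
    return [pair for pair, s in per_pair.items() if low_variance(s)]


# Constructed sample: a beacon sending six identical 212-byte requests in one flow,
# next to an ordinary browsing flow whose request sizes vary.
SAMPLE_PACKETS = [("flowA", 212)] * 6 + \
    [("flowB", n) for n in (310, 1120, 87, 540, 960, 410)]

# Constructed sample: one host opening a fresh, identically sized flow per check-in,
# next to a host whose flows to the same server vary in size.
SAMPLE_FLOWS = [("10.0.0.5", "203.0.113.9", 1532)] * 7 + \
    [("10.0.0.6", "203.0.113.9", n) for n in (4200, 980, 15300, 620, 2810)]

if __name__ == "__main__":
    print("type1 hits:", detect_type1(SAMPLE_PACKETS))   # ['flowA']
    print("type2 hits:", detect_type2(SAMPLE_FLOWS))     # [('10.0.0.5', '203.0.113.9')]
```

A real deployment would, as the scripts do, feed each hit's source host into an endpoint lookup so the alert carries the responsible process name and path alongside the network tuple.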

Requirements
