Detection often relies on consistency. ZetaSwitch relies on the opposite. By pivoting between DNS and HTTP, this C2 creates a moving target for defenders. We simulated the traffic with @faanross to show how to hunt this hybrid threat.
Read more: https://t.co/9IZkKAKmtw
Defenders watch one channel. Numinon C2 uses two. By splitting traffic between HTTP and DNS, it hides in plain sight. We simulated and analyzed the traffic with @faanross to see how it bypasses detection.
Read: https://t.co/y9StAwbx3j
@saidesheikh @BHinfoSecurity Hey there, yes, our webcasts are always recorded. You can find them on our YouTube channel; here's the link to the latest one: https://t.co/b91KHOuDU1
Is your DNS traffic hiding active C2? Join @faanross to learn how attackers abuse TXT records to bypass common tunneling detections.
Reminder: Chat is in the BHIS Discord #live-chat for HACK IT credit.
Date: Feb 20
Time: 12:00 PM EST
Register: https://t.co/uDaJ2Wu4RM
A predictable heartbeat is easy to find. Merlin C2 uses data jitter to make its pulse irregular and invisible. @faanross simulated and analyzed the traffic to show why it hides so effectively.
Read: https://t.co/jaDn4UA8R5
IP blocks fail when an attacker has trillions of identities. IPv6 address aliasing turns one host into a ghost. We simulated and analyzed this traffic with @faanross to help you hunt the technique. https://t.co/xU2peTKppv
The ocean is vast. Without a compass, you aren't sailing; you're drifting.
Network security is the same. Even with the best ship, if you lack a map, you're lost at sea.
Turn MITRE ATT&CK from a bingo card into your roadmap.
New from @faanross: https://t.co/baznxY6GVE
An IcedID loader is often just an open door for ALPHV ransomware. @faanross simulated the attack and analyzed the traffic to pinpoint the pivot. Recognition is the key to defense.
Read here: https://t.co/XkG2ccHk9h
The signal evolved, but the hunt remains. @faanross simulated and analyzed complex C2 beaconing to reveal the unusual ways traffic hides in plain sight. This insight is what turns the tide for defenders.
Read Part 2: https://t.co/BJHM6FmXeq
The adversary hides in the encryption you provide. When DNS goes dark, defenders go blind. @faanross simulated and analyzed the traffic to find the signal.
https://t.co/m4CzXjLX09
Malware doesn't scream; it whispers in a rhythm. @faanross simulated and analyzed C2 traffic to decode these hidden heartbeats. Recognizing the pattern is how you find the breach.
Read here: https://t.co/ER2gvieloH
A clock sync seems harmless until it becomes a backdoor. @faanross explores how Gomesa hides C2 in NTP traffic. We simulated and analyzed this traffic to reveal what defenders often miss.
https://t.co/feqDW6jUtH
An algorithm finds the hash, but it can't find the why. When attackers pivot, they aren't just changing code; they're testing your intuition. Automation has a ceiling; human hunting doesn't. Learn why context is the key to the game: https://t.co/SVlGXsOdl5
What happens when DFIR tools are used for harm? Join Episode 6 of Command & Convo this Friday to see how threat actors misuse Velociraptor for C2.
As part of our hunt-it program, join the new chat location here: https://t.co/S3wqIxt3pp
Register here: https://t.co/uQvsrb4OQP
We simulated the traffic to see what your logs won't show. Microsoft Dev Tunnels allow RDP to blend into legitimate streams, bypassing standard blocks. See @faanross's analysis on how to detect this hidden activity:
https://t.co/ybbQ8RDZGK
What happens when legitimate DFIR tools are used for harm? Join Episode 6 of Command & Convo to see how threat actors misuse Velociraptor for C2 and how to hunt for these pivots.
Date: Jan 9
Time: 1:00 PM EST
Register: https://t.co/uQvsrb4OQP
A simple tool in the wrong hands becomes a silent backdoor. We simulated XenoRAT to analyze its SOCKS5 reverse proxy techniques. For defenders, spotting these patterns is vital to stopping the threat. Read the analysis by @faanross: https://t.co/8Uy2fMfdS5
A foundational protocol designed for network health is being weaponized by threat actors. ICMP, the simple troubleshooting tool, can be used to bypass defenses and maintain a covert C2 channel. Is your team hunting the echoes?
Read the analysis: https://t.co/Nab5gOreQ7
You blocked the IPs, but the payload still arrived.
How? It came in over DNS.
Joker Screenmate hides tools and data inside TXT records, delivering malware under the cover of normal-looking DNS traffic.
More here: https://t.co/l22Z6fBWIl