A comprehensive view on the techniques used to fingerprint Cobalt Strike’s C2s — Introduction If you are looking for a method to hunt Cobalt Strike servers this is the article for you. I have grouped different techniques for this purpose and I created Shodan queries to have an overview of all active Cobalt Strike command and control (C2) servers. Why do this? To date, having an updated…

Pivoting the ShadowPad C2s SSL Certificate to track the malware’s infrastructure — Key takeaways ShadowPad malware has been used for years by the Chinese state-sponsored group named Winnti (aka APT41, AXIOM, WICKED SPIDER & PANDA); The SSL certificate used by the ShadowPad C2s has remained unchanged over the years, allowing analysts to keep track of the evolution of malware and its infrastructure;

An overview of the most commonly advertised information related to financial institutions on the Dark Web in 2021 Key Takeaways: Over 300 advertised financial institutions in 64 different countries around the world. The United States is the most targeted; In Europe, the most affected country is Germany. …

Results of a 1 year espionage operation in the Top-tier Russian underground communities — Top 10 Key Takeaways Analyzed traffic data comes from exclusively private Russian underground communities where various accounts with different backgrounds persuaded Threat Actors to click on specific links; During about 1 year of undercover operation, data from 550 unique hosts was collected; In total, connections from 68 different countries were collected;

How to engage Threat Actors during undercover operations in the cyber-crime battleground — Introduction Monitoring cyber crime forums is certainly very important but when information arrives on a forum it is often already too late or has already been exploited by some Threat Actor previously who exchanged it or sold it privately with his most trusted contacts or buyers. To be able to get…

Top 30 questions to understand the maturity of your Cyber Intelligence program Adversaries — What adversaries are likely to target financial services organizations? Financial (Motivation) — What are the financial motivations for targeting banks or financial services organizations? Nation State (Motivation) — What nation-state agendas may result in the targeting…

Magecart JS Web Skimmer is present on the same C2 related to Cerberus Banking Trojan. Magecart Web Skimmer: My analysis started from a Web skimmer that is impersonating sucuri.net hosted on hxxps://sucurl.net/cdn/au.js The script is still there: https://urlscan.io/result/db8a149a-75c2-414d-a89e-b991e7a3689b

Batch script to automate collection, credential dumping, discovery and exfiltration techniques — CONTEXT Each time during a red team or a PT we always find ourselves performing manual reconnaissance actions before deciding how to move laterally or perform more aggressive post exploitation actions. This article will give you a vision of how to automate the initial reconnaissance actions without user interaction by presenting…

A walkthrough to discover the best tool to run powershell scripts and commands without using powershell.exe During last months, observing how the attackers and consequently the antivirus are moving, I thought of writing this article for all the pen testers and red teamers who are looking for the best technique…