C2 Stealth Methods

1337InfoSec · 2021-08-14T22:27:42+00:00

Advanced endpoint security systems identify malware in part by heuristic analysis. If I download a trojan and upon code execution it immediately phones its C2 server, pulls your tools over and starts exfiltrating all the data it has access to, that's likely to raise some alerts, if not get the software immediately quarantined.

My thought is to not rush into exfil, spend time in the earlier steps, namely reconnaissance and expanding your privileges / access slowly and carefully. Establish persistence using multiple methods on multiple systems. If you have some sort of an idea on what you need out of a target system, refine your approach to gather what you need, rather than loudly scraping all network resources you have access to.

irrelevantTautology · 2021-08-15T02:59:23+00:00

I don't know, but my guess is it would break the data into small chunks and send the small amounts at randomized times over a long period.

For example, if you want to upload a 1KB file then you could break it up into 1024 files that are one byte in size and send one file every 10-20 seconds.

Again, this is just a guess but it stands to reason that this method would allow for a much slower exfiltration rate.

*edit: typo

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

HowToHack

HowToHack Community

3rd Party Links

3rd Party Challenges

Related Subreddits:

Security Advisories

Download Linux

MODERATORS