当前位置:首页 > 报告详情

你意想不到的C2技术:重新定义隐蔽性的APT C2技术.pdf

上传人: S** 编号:1241045 2026-05-16 51页 6.11MB

1、About UsThreat researcher at Palo Alto Networks,focusing on threat hunting,malware analysis,and tracking nation state APTs.Lior RochbergerPrincipal Threat ResearcherThreat researcher at Palo Alto Networks.Focuses on threat hunting,malware research,and threat intelligence.Tom FaktermanSenior Threat R

2、esearcherAgendaGlobal Trend:Abusing Legitimate Services Case Studies:How APTs Abuse Legitimate ServicesDefending and Hunting Next-Gen C2Key TakeawaysPayloadsCommands executionReconnaissanceData staging for exfiltrationLateral movementScheduled taskServicesSuspicious IPsRare connections/portsSuspicio

3、us domainBlocked trafficAs Technology Evolves-94%of enterprises use cloud services78%of organizations adopted AI/ML toolsOver 40%of enterprise networks allow unrestricted communication to cloud providers99%of companies use at least one SaaS applicationSo Do The ThreatsAs Technology Evolves-So Do The

4、 ThreatsTraditional C2Attacker-controlled servers:Custom serversDedicated infrastructureCompromised websitesDomain generation algorithmsNext-Gen C2Abusing trusted services your business already uses:Cloud servicesPublic content-sharing platformsSocial media and forumsAI/ML platformsChallenges For De

5、fendersHard to blockHard to detectHard to attributeAbuse of Social MediaTwitter(x)FacebookInstagramRedditYouTubeTumblrAbuse of Social Media-Twitter Twitter memesBERBOMTHUM(.NET malware)2018MemesC2Abuse of Social Media-Twitter Memeshttps:/ regex to extract the most recent uploaded image1.Downloads th

6、e Twitter pageAbuse of Twitter Memes-Steganography*“ICC_Profile”section=defines specific color space of the imageAbuse of Social Media-Facebook PostsFacebookpostsMolerats Middle East espionage campaign2020DropBook(Python backdoor)C2https:/ CodeReads Facebook post#1Post#1-Dropbox TokenDropBookDropbox

word格式文档无特别注明外均可编辑修改,预览文件经过压缩,下载原文更清晰!
三个皮匠报告文库所有资源均是客户上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作商用。
1. **技术趋势与威胁演变**:94%企业使用云服务,78%采用AI/ML工具,40%企业网络允许与云提供商无限制通信,99%企业使用至少一种SaaS应用,威胁随之转向滥用合法服务(如云平台、社交媒体、AI/ML工具)。 2. **新型C2攻击方式**: - **社交媒体**:Twitter(如BERBOMTHUM隐写术)、Facebook(Molerats的DropBook后门)用于C2通信。 - **云服务**:AWS Lambda URL(HazyBeacon代理)、Google Sheets/Calendar(Voldemort、TOUGHPROGRESS恶意软件)、Outlook API(Squidoor后门)作为命令控制通道。 - **AI/ML滥用**:OpenAI Assistants API(SesameOp后门)实现代理式C2。 3. **防御挑战**:难以阻断、检测和溯源,需从IOC转向基于异常行为的检测,建立基线识别滥用模式。
**如何防御新型C2?** **APT如何滥用合法服务?** **如何检测异常行为?**
客服
商务合作
小程序
服务号
折叠