“at all. So this is important for two separate reasons. One, it’s important because this backdoor is heavily utilized by Black Hills Information Security in our pentests, or variations of this particular backdoor. Two, it doesn’t really get caught all that much. And three, we h…”
T1071.004 DNS (88%)
“s interesting about this, is if you look, the DNS server that it’s talking to is 8.8.8.8. Now, there are a couple of interesting things. First, this is interesting because it is Google’s DNS server. That’s kind of weird. Does this mean that Google’s DNS server is evil? …”
T1560.001 Archive via Utility (84%)
“going to drop into the directory in Bro where we’ll do some quick Bro log analysis for DNS backdoors. Now you can see our evil domain is nanobotninjas.com and you can see that the file that we are looking at is dnscat_log/2017-03-21. That’s exactly the directory that…”
T1572 Protocol Tunneling (50%)
“dns files there, what we’re going to do instead, is we’re going to use a tool that can grep up out of those compressed archives anything or any line that has the string nanobot, specifically looking at any file with dns in the name. I’m going to hit enter, here we go. Now a…”
T1071.004 DNS (47%)
“dns files there, what we’re going to do instead, is we’re going to use a tool that can grep up out of those compressed archives anything or any line that has the string nanobot, specifically looking at any file with dns in the name. I’m going to hit enter, here we go. Now a…”
T1557.001 Name Resolution Poisoning and SMB Relay (32%)
“that I’m working through. Once again, we’re using ADHD instead of Security Onion today because ADHD has this packet capture, that I use in my cyber deception active defense class for various classes like Black Hat and Wild West Hackin’ Fest, built into it. You would follow t…”
T1071.004 DNS (32%)
“this example, you can see that the number of subdomains are 23,362 or hosts associated with nanobotninjas. That’s not normal. That’s like, if you think of google.com, right? You have maps.google.com, mail.google.com, you have drive.google.com, those are all subdomains …”
Summary
Hello and welcome, my name is John Strand and in this video, we’re going to be talking about RITA, Real Intelligence Threat Analytics and how it can quickly do DNS […]