Specific detections
Brute Ratel C4 (BRc4) is the newest red-teaming and adversarial attack simulation tool. It can not only emulate different stages of an attacker kill chain, but also provide a systematic timeline and graph for each of the attacks executed to help the Security Operations Team validate the attacks and improve the internal defensive mechanisms. However, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities.
References:
If installed, in the event of a laptop being stolen, the Computrace software tracks the stolen computer and provides authorities with the information they need to recover it. The issue is that this same software can download and install unknown programs in an unauthorized manner, even if explicitly disabled by the user.
References:
Core Impact is a penetration testing platform designed to enable security teams to conduct advanced tests with ease. It can also be abused in malware attacks.
References:
Covenant is a .NET C&C framework that aims to (ab)use offensive .NET tradecraft capabilities and serve as a collaborative command and control platform for red teamers. Network security analysts should investigate similar detections and determine if such frameworks are authorized to be run inside the organizational network.
References:
Detection of network communication attempts for North Korea's SiliVaccine anti-virus software.
References:
- https://research.checkpoint.com/2018/silivaccine-a-look-inside-north-koreas-anti-virus/
- https://otx.alienvault.com/pulse/5c96b4b5fed1b34723da7b54/
Mythic is a collaborative, multi-platform framework. It is designed to provide a collaborative and user-friendly interface for operators, managers, and reporting throughout red teaming.
References:
Nighthawk is an advanced C2 framework intended for red-team operations through commercial licensing. Leaked versions of Nighthawk are being used by attributed threat actors in the wild. The tool has a robust list of configurable evasion techniques that are referenced as “opsec” functions throughout its code.
References:
Malicious campaign abusing browser push notifications to deliver malfeasant notifications to affected systems. This activity to date represents a type of social engineering, bypassing many security controls and potentially obtaining persistence by installing a service worker in the browser.
References:
Python BYOB (Build Your Own Botnet) is an open-source project that provides a library of packages and modules forming a basic framework for testing the capacity of security assets for local network defense.
Note: Network security analysts should investigate similar cases to determine if such a framework is authorized to run inside the organizational network.
Sliver is an open-source, cross-platform adversary simulation/red team platform; it can be used by organizations of all sizes to perform security testing.
References:
Framework using several social engineering themes to impersonate browser updates (Chrome/Firefox), Flash Player updates and Microsoft Teams updates.
References:
Detection of domains and IP addresses related to the adware named Superfish, which came preinstalled on Lenovo laptops.
References: