Sweet. I've been looking for something like this (ref D16707582)
Yep, it gets through poorly airgapped networks just fine because in the end everything tends to resolve DNS names (even if they really shouldn't, easy oversight to make). It's a good argument for having all your devices use a resolver you control and monitoring that.
End of conversation
New conversation
What about a fully working IP tunnel over DNS? https://code.kryo.se/iodine/
Iodine is cool, but we couldn't use it for a Red Team Op because it is loud and detections exist for it. We needed something that generated as little traffic as possible. Didn't need a full IP tunnel.
End of conversation
New conversation
Are there any resources as part of this release for defenders / blue team folks?
The functionality is documented, the code is open, and I'm discussing on here about which detections would work to catch it. I'm also trying to release detections for it too, which is a work in progress.
24 more replies
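The resolver-monitoring advice earlier in the thread ("have all your devices use a resolver you control and monitor that") and the detection discussion above, illustrated with an added example that is not code from the thread, from its author, or from the tool being released: a small Python script that profiles query behaviour per (client, registered domain) from a recursive resolver's query log and flags the signature a full DNS tunnel such as iodine leaves behind: many never-repeating, long, high-entropy subdomains under one domain, mostly as TXT/NULL/CNAME lookups. The log format (`client qname qtype` per line), the thresholds, the two-label approximation of a registered domain, and the sample log lines are all constructed assumptions for this example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log. The "client qname qtype" line format is an
# assumption for this example, not any particular resolver's native format.
# The 10.0.0.7 lines mimic a tunnel: long, high-entropy, never-repeating
# subdomains under a single registered domain, queried as TXT.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 www.example.com A
10.0.0.5 cdn.example.com AAAA
10.0.0.5 www.example.com A
10.0.0.5 api.example.com A
10.0.0.5 _dmarc.example.com TXT
10.0.0.7 kj3h4k2j5h6g7f8d9s0a1q2w3e4r5t6y.c2.evil-example.net TXT
10.0.0.7 zx9c8v7b6n5m4l3k2j1h0gfdsapoiuyt.c2.evil-example.net TXT
10.0.0.7 qazwsxedcrfvtgbyhnujmiklop1234567.c2.evil-example.net TXT
10.0.0.7 plmoknijbuhvgycftxdrzseawq9876543.c2.evil-example.net TXT
10.0.0.7 mnbvcxzlkjhgfdsapoiuytrewq0192837.c2.evil-example.net TXT
"""

# Thresholds are illustrative assumptions; tune them against your own baseline.
MIN_QUERIES = 5             # don't judge a (client, domain) pair on a few lookups
MIN_UNIQUE_RATIO = 0.8      # tunnels rarely repeat a subdomain (cache would absorb it)
MIN_AVG_SUB_LEN = 20        # encoded upstream payload makes the labels long
MIN_ENTROPY = 3.5           # bits/char; base32/base64 payload is near-uniform
MIN_BULKY_TYPE_FRAC = 0.5   # TXT/NULL/CNAME answers carry the downstream channel
BULKY_TYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels (assumption;
    production code should use the Public Suffix List, e.g. for example.co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the assumed 'client qname qtype' format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, qtype = parts
        records.append({"client": client, "qname": qname.rstrip(".").lower(),
                        "qtype": qtype.upper()})
    return records


def profile(records: list) -> dict:
    """Aggregate, per (client, registered domain), the features a tunnel distorts."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], registered_domain(r["qname"]))].append(r)
    stats = {}
    for (client, domain), rs in groups.items():
        # Subdomain part only; the apex itself contributes an empty string.
        subs = [r["qname"][: -(len(domain) + 1)] if r["qname"].endswith("." + domain) else ""
                for r in rs]
        nonempty = [s for s in subs if s]
        stats[(client, domain)] = {
            "count": len(rs),
            "unique_ratio": len(set(subs)) / len(rs),
            "avg_sub_len": sum(len(s) for s in subs) / len(rs),
            "mean_entropy": (sum(shannon_entropy(s) for s in nonempty) / len(nonempty)
                             if nonempty else 0.0),
            "bulky_frac": sum(r["qtype"] in BULKY_TYPES for r in rs) / len(rs),
        }
    return stats


def flag_suspicious(stats: dict) -> list:
    """Return [(client, domain, [reasons])] for pairs that look like a tunnel."""
    flagged = []
    for (client, domain), s in stats.items():
        if s["count"] < MIN_QUERIES:
            continue
        reasons = []
        if (s["unique_ratio"] >= MIN_UNIQUE_RATIO and s["avg_sub_len"] >= MIN_AVG_SUB_LEN
                and s["mean_entropy"] >= MIN_ENTROPY):
            reasons.append("many unique, long, high-entropy subdomains")
        if s["bulky_frac"] >= MIN_BULKY_TYPE_FRAC:
            reasons.append("mostly TXT/NULL/CNAME queries")
        if reasons:
            flagged.append((client, domain, reasons))
    return flagged


if __name__ == "__main__":
    for client, domain, reasons in flag_suspicious(profile(parse_log(SAMPLE_LOG))):
        print(f"{client} -> {domain}: {'; '.join(reasons)}")
```

On the sample data this flags only 10.0.0.7 talking to evil-example.net; the single `_dmarc` TXT lookup from 10.0.0.5 stays well under the type-fraction threshold. The caveat the iodine reply points at applies here too: these heuristics catch a full IP-over-DNS tunnel because it is loud, whereas a tool that deliberately sends a few short queries per hour will sit below `MIN_QUERIES` and the length threshold, so for that class you need longer aggregation windows and a per-domain baseline of what each client normally resolves, not per-query heuristics.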
New conversation
Oh no....
1 more reply
Alum @ NCC Group, Mandiant Red Team, Palantir
Likes RF and deniable infra


