script:x509_ext_c2
Differences
This shows you the differences between two versions of the page.
script:x509_ext_c2 [2018/02/08 23:51] – [Analysing the sample PCAP in Trisul] veera | script:x509_ext_c2 [2018/02/08 23:53] – [Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API] veera | ||
---|---|---|---|
Line 3: | Line 3: | ||
I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https:// | I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https:// | ||
- | In this technique the covert channel is built by stuffing chunks of data into X.509 Certificate Extensions, in this case the " | + | In this technique the covert channel is built by stuffing chunks of data into X.509 Certificate Extensions, in this case the " |
Detecting this is quite easy with Trisul as well as Bro IDS. This post highlights the different approaches taken. | Detecting this is quite easy with Trisul as well as Bro IDS. This post highlights the different approaches taken. |
script/x509_ext_c2.txt · Last modified: 2024/06/05 10:49 by thiyagu