Showing Articles About
c3
-
Alfie Champion James Coote - 2 Nov 2020
Using and detecting C2 printer pivoting
A novel Command & Control (C2) technique using printer infrastructure for covert communication is explored in this article. The method involves placing print jobs in a paused state and using document names for data transfer. Multiple detection opportunities are detailed across endpoints, networks, and print servers to identify this stealthy communication method.
- James Coote
- 6 Oct 2020
Introducing LDAP C2 for C3
A new Command & Control (C2) channel for C3 has been introduced using LDAP for covert communication within networks. The technique enables lateral movement by leveraging user attributes with minimal account compromise. A quick start guide is provided to help deploy LDAP-based C2 channels in network environments.
- Alfie Champion
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #3
This article explores using Dropbox as a command and control (C2) channel for malware communication. Detection strategies are discussed using Windows ETW and Sysmon telemetry, focusing on identifying suspicious network behaviors like anomalous DNS queries and API endpoint interactions. Key detection opportunities include monitoring beaconing patterns and unusual web requests to Dropbox API endpoints.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #3
This article explores lateral movement techniques using C3 and Covenant to pivot through file shares in a Windows environment. The lab demonstrates detection strategies by analyzing file share access logs and Event Tracing for Windows (ETW) events to identify suspicious .NET module loading and communication patterns. Key detection techniques include monitoring file share object access logs and tracking anomalous CLR module loading in processes.
- Tim Carrington
- 10 Mar 2020
Making Donuts Explode – Updates to the C3 Framework
The C3 framework's "Exploding Donut" release introduces significant updates to cybersecurity operations. Key improvements include integration with the Covenant C2 framework and Donut for compressed shellcode generation. The ChannelLinter project was added to simplify channel development for cybersecurity professionals.