@ActiveCmeasures profile picture
Active Countermeasures @ActiveCmeasures

Threat Hunting your network has never been so awesome! Creators of AC-Hunter. Contact us for a personal Q&A session.

Joined February 2018
  • Tweets 753
  • Following 299
  • Followers 4,163
227 Photos and videos
Active Countermeasures retweeted
Antisyphon Training@Antisy_Training
Jun 5
Thanks to our sponsor, Active Counter Measures, for supporting the Threat Hunting Summit and helping defenders improve. Join ACM's lunch hour learning session: learning.antisyphontraining.…
1
183
Active Countermeasures retweeted
Antisyphon Training@Antisy_Training
Jun 14
Friendly reminder: The Threat Hunting Summit is free, speakers are ready, and the agenda is packed. Join us June 17 for expert talks and practical insights. Register here: learning.antisyphontraining.…
2
5
215
Detection often relies on consistency. ZetaSwitch relies on the opposite. By pivoting between DNS and HTTP, this C2 creates a moving target for defenders. We simulated the traffic with @faanross to show how to hunt this hybrid threat. Read more: activecountermeasures.com/ma…

Malware of the Day - ZetaSwitch - DNS/HTTP Multi-Modal C2 - Active Countermeasures

What is Malware of the Day?   Lab Setup Malware: Custom Go-based C2 (ZetaSwitch) MITRE Tactics: TA0011 Command and Control, T1071.004 Application Layer […]

activecountermeasures.com
3
229
Defenders watch one channel. Numinon C2 uses two. By splitting traffic between HTTP and DNS, it hides in plain sight. We simulated and analyzed the traffic with @faanross to see how it bypasses detection. Read: activecountermeasures.com/ma…

Malware of the Day - Multi-Modal C2 Communication - Numinon C2 - Active Countermeasures

What is Malware of the Day?   Lab Setup Malware: Custom Go-based C2 (Numinon) MITRE Tactics: TA0011 Command and Control, T1071.001 Application Layer […]

activecountermeasures.com
2
167
Is your DNS traffic hiding active C2? Join @faanross to learn how attackers abuse TXT records to bypass common tunneling detections. Reminder: Chat is in the BHIS Discord #live-chat for HACK IT credit. Date: Feb 20 Time: 12:00 PM EST Register: events.zoom.us/ev/Aqb16UU6sZ…

Threat Hunting C2: DNS TXT Record Abuse w/ Faan Rossouw

events.zoom.us
4
234
A predictable heartbeat is easy to find. Merlin C2 uses data jitter to make its pulse irregular and invisible. @faanross simulated and analyzed the traffic to show why it hides so effectively. Read: activecountermeasures.com/ma…

Malware of the Day - Merlin C2 Data Jitter - Active Countermeasures

What is Malware of the Day?   Lab Setup Malware: MerlinC2 MITRE Tactics: TA0011 Command and Control, T1566 Phishing, T1533.005 Mark-of-the-Web Bypass Traffic […]

activecountermeasures.com
1
2
199
IP blocks fail when an attacker has trillions of identities. IPv6 address aliasing turns one host into a ghost. We simulated and analyzed this traffic with @faanross to help you hunt the technique. activecountermeasures.com/ma…

Malware of the Day - IPv6 Address Aliasing - Active Countermeasures

What is Malware of the Day?   Lab Setup Malware: Custom Go-based C2 MITRE Tactics: TA0011 Command and Control, T1017.110 Application Layer Protocol: […]

activecountermeasures.com
3
172
The ocean is vast. Without a compass, you aren't sailing; you’re drifting. Network security is the same. Even with the best ship, if you lack a map, you're lost at sea. Turn MITRE ATT&CK from a bingo card into your roadmap. New from @faanross: activecountermeasures.com/th…

The MITRE ATT&CK Framework: A Threat Hunter's Strategic Compass - Active Countermeasures

Why Use MITRE ATT&CK for Threat Hunting? When you first encounter the MITRE ATT&CK framework, it can feel overwhelming. Hundreds of techniques, thousands […]

activecountermeasures.com
1
2
130
An IcedID loader is often just an open door for ALPHV ransomware. @faanross simulated the attack and analyzed the traffic to pinpoint the pivot. Recognition is the key to defense. Read here: activecountermeasures.com/ma…

Malware of the Day - IcedID Loader to ALPHV Ransomware Campaign - Active Countermeasures

What is Malware of the Day?   Lab Setup Malware: IcedID Loader to ALPHV Ransomware Campaign MITRE Tactics: TA0011 Command and Control, T1219 […]

activecountermeasures.com
1
2
262
The signal evolved, but the hunt remains. @faanross simulated and analyzed complex C2 beaconing to reveal the unusual ways traffic hides in plain sight. This insight is what turns the tide for defenders. Read Part 2: activecountermeasures.com/ma…

Malware of the Day - Understanding C2 Beacons - Part 2 of 2 - Active Countermeasures

Introduction As a teacher of mine was fond of saying, “In science, you seek the ideal, but often encounter the real.” In our […]

activecountermeasures.com
1
2
170
The adversary hides in the encryption you provide. When DNS goes dark, defenders go blind. @faanross simulated and analyzed the traffic to find the signal. activecountermeasures.com/ma…

Malware of the Day - Encrypted DNS Comparison: Detecting C2 When You Can't See the Queries - Active...

What is Malware of the Day?   Lab Setup Malware: dns-c2-comparison (Custom Go-based DNS C2 simulator) MITRE Tactics: TA0011 Command and Control, T1071.004 […]

activecountermeasures.com
2
4
174
Malware doesn't scream; it whispers in a rhythm. @faanross simulated and analyzed C2 traffic to decode these hidden heartbeats. Recognizing the pattern is how you find the breach. Read here: activecountermeasures.com/ma…

Malware of the Day - Understanding C2 Beacons - Part 1 of 2 - Active Countermeasures

Introduction In our previous Malware of the Day posts we used specific, fixed Command and Control (C2) beaconing properties to simulate real-world attacks. […]

activecountermeasures.com
1
2
239
A clock sync seems harmless until it becomes a backdoor. @faanross explores how Gomesa hides C2 in NTP traffic. We simulated and analyzed this traffic to reveal what defenders often miss. activecountermeasures.com/ma…

Malware of the Day - C2 over NTP (goMESA) - Active Countermeasures

What is Malware of the Day?   Lab Setup Malware: Custom Go-based C2 (goMESA) MITRE Tactics: TA0011 Command and Control, T1071 Application Layer […]

activecountermeasures.com
1
5
185
An algorithm finds the hash, but it can't find the why. When attackers pivot, they aren't just changing code they're testing your intuition. Automation has a ceiling; human hunting doesn't. Learn why context is the key to the game: activecountermeasures.com/co…

Context Over Code: The Irreplaceable Role of Human Hunters - Active Countermeasures

The Automation Seduction The cybersecurity industry has a dangerous love affair with automation. Every vendor promises that their AI-powered, machine-learning-enhanced, proprietary-analytics-driven...

activecountermeasures.com
1
2
127
What happens when DFIR tools are used for harm? Join Episode 6 of Command & Convo this Friday to see how threat actors misuse Velociraptor for C2. As part of our hunt-it program, join the new chat location here: discord.com/invite/BHIS Register here: events.zoom.us/ev/Ak_PCWcDND…

Join the Black Hills Infosec Discord Server!

Welcome to the Black Hills Infosec Discord server. This is a community where you can ask and answer infosec questions. | 59810 members

discord.com
1
3
226
We simulated the traffic to see what your logs won't show. Microsoft Dev Tunnels allow RDP to blend into legitimate streams, bypassing standard blocks. See @faanross's analysis on how to detect this hidden activity: activecountermeasures.com/ma…

Malware of the Day - Tunneling RDP with Microsoft Dev Tunnels - Active Countermeasures

What is Malware of the Day?   Lab Setup Malware: RDP and MS Dev Tunnels MITRE Tactics: TA0011 Command and Control, T1572_Protocol_Tunneling, T1021.100 Remote […]

activecountermeasures.com
1
2
149
What happens when legitimate DFIR tools are used for harm? Join Episode 6 of Command & Convo to see how threat actors misuse Velociraptor for C2 and how to hunt for these pivots. Date: Jan 9 Time: 1:00 PM EST Register: events.zoom.us/ev/Ak_PCWcDND…

Command & Convo - The C2 Webcast - Episode 6: Velociraptor as C2

events.zoom.us
1
5
176
A simple tool in the wrong hands becomes a silent backdoor. We simulated XenoRAT to analyze its SOCKS5 reverse proxy techniques. For defenders, spotting these patterns is vital to stopping the threat. Read the analysis by @faanross: activecountermeasures.com/ma…

Malware of the Day - XenoRAT - Active Countermeasures

What is Malware of the Day?   Lab Setup Malware: XenoRAT MITRE Tactics: TA0011 Command and Control , T1571 Non-Standard Port Traffic Type: […]

activecountermeasures.com
1
3
135
A foundational protocol designed for network health is being weaponized by threat actors. ICMP, the simple troubleshooting tool, can be used to bypass defenses and maintain a covert C2 channel. Is your team hunting the echoes? Read the analysis: activecountermeasures.com/ma…

Malware of the Day - C2 over ICMP (ICMP-GOSH) - Active Countermeasures

What is Malware of the Day?   Lab Setup Malware: Custom Go-based C2 (ICMP-GOSH) MITRE Tactics: TA0011 Command and Control, T1071 Application Layer […]

activecountermeasures.com
1
724
You blocked the IPs, but the payload still arrived. How? It came in over DNS. Joker Screenmate hides tools and data inside TXT records, delivering malware under the cover of normal-looking DNS traffic. More here: activecountermeasures.com/ma…

Malware of the Day - TXT Record Abuse in DNS C2 (Joker Screenmate) - Active Countermeasures

What is Malware of the Day?   Lab Setup Malware: Joker Screenmate (DNS C2 variant) MITRE Tactics: TA0011 Command and Control, T1071.004 Application […]

activecountermeasures.com
1
172
Load more