
I asked Doug if I could come and just kind of substitute for him for this particular slot that he had in mind, because I really wanted to introduce this next speaker. I've had the privilege of working with this gentleman as a co-worker, as a subordinate, as a good friend, and as a rep from a company servicing his account. So it's been sort of a unique relationship, I'd say. Wouldn't you, Tim? I would say so. Over the years. Tim has a wide breadth of experience dating back to when I was in high school, so that's been a while, and really has a lot of good knowledge to share. So I'm really excited for you guys to hear this talk, because I've definitely seen different pieces of this and have been looking forward to it for a few months. So without further ado, I give you Tim.
Thank you. So we have some video problems also. I'm sure they'll solve it in a second. While we're getting going, I'll give a little bit of background on this talk. This talk is not necessarily truly a blue talk. I think Phil put me in the blue track because I am definitely a blue guy. If you heard Ed's talk this morning, I'm kind of the polar opposite in many respects. Instead of act all the things, my goal is to act all the things. A key part of that is understanding what the
adversaries do. Not at a hypothetical level, "oh, I think they do this." One of the interesting things, as Phil mentioned, is that we had the opportunity to work together for a while. That was an advantage. For me as a long-time practitioner, what was really interesting was getting to see what's really going on. Because what comes out in the media is not actually accurate; there are bits and pieces of facts, but it's not really totally accurate. And so one of the failures that I see commonly in our space as blue is that we fall into this trap, I think, when we go to SANS and some of this great training (please be clear, I'm not talking down SANS training) on how do you
pen test and all that kind of stuff. And then we as defenders fall into this trap of, oh, well, the bad guys are all using Metasploit, the bad guys are using nmap, et cetera. Not that there aren't bad guys who do, but those aren't the ones that are responsible for all these big breaches that are going on. In a lot of these cases, it is absolutely not that we can't detect these guys; we can. The issue is just that we as good guys, defenders, are looking over here and the bad guys are just simply over there. Right? And so, to combat that, a number of years ago, what I started doing... Let me see
if we can get out of this on the back end and talk to you guys. Yeah.
Let's see. We've got technical problems in here. Does he have a Thunderbolt to HDMI adapter? There we go.
So what I was going with is that I decided to start infiltrating the adversaries' C2. So that's the gist of this talk: how do we get inside the enemy's camp, as it were, to see what they're doing? So what we're going to do today is I'm going to cover a simple one, because we only have an hour, less than that at this point, right? And I want to try and give you a fully functioning one. I'm actually going to open source some code here today as well to, again, help support this. Because at the end of the day, we as defenders need to have a really, really good understanding of what the adversaries are doing, not at
a theoretical level, but specifically what their TTPs are, right? You know, if you saw Mike Grieff's talk earlier, where he's talking about ECOR and then going back and forth, that only occurs when we truly understand, very deeply, how they're going about it, right? So the whys are pretty straightforward: we need that much deeper understanding of our adversaries. It also allows us to see if they're targeting something we care about. Today's example, I'm going to be focusing on Gafgyt. And the reason I picked that is a couple of things. One, it's a really easy protocol, a really easy backdoor. We don't even, frankly, need to break out IDA Pro to be able to construct the bot element for it, right? But secondly, I
originally wrote this particular piece of code back in early January because, as you guys may recall, our good old friends the Lizard Squad took down the Xbox and PlayStation networks, right? And they did that basically as a big marketing tool to sell their DDoS-for-hire services. Well, I'm a big vendor. I want to know if they're targeting an entity that I care about. So I wrote this bot, injected it into their botnet (we'll see how we do all of that in just a second here), and basically just monitored. The version of the bot that I was running in production, until their botnet was taken down a few weeks ago, would actually text me if they targeted something that I
cared about. Literally just a text to my cell phone so I knew, oh, they just issued a DDoS attack command to do something that matters to me. And then of course, ultimately, because I'm also ex-law enforcement, sometimes these...
I'll use the legally correct term... nah, scumbags. We can take down their infrastructures. And in order to be able to do that, again, you've got to have good evidence. You can't go into a court of law and just say, hey, we kind of think it's these guys, and have that thrown out. So we've got to have much deeper evidence on how to go about doing that. So that's what it does. So what does it look like? These are actual anonymized logs. This isn't the particular one we're looking at today, but this is an example of the logs that can be helpful. This one happens to be some logs from some monitoring tools for some of our Mandarin-speaking
friends, right? So this is pulled directly from their C2 server as they're typing the commands, so those are the real dates and times that this particular real attack on a real target occurred, right? And by analyzing that, that's where I'm coming from when I say we can get a much deeper understanding of what the adversaries are really doing to us. So someone this morning showed the pyramid of pain. I think Reeves had this talk; I think it's been in a couple of talks. So David Bianco, great, great guy, has spoken here before as well. David created this back when we were together at GE, on their real surveyor, right? And the idea here, especially the pain part, is all
about the better we understand the adversaries, right? We've got not just the IP addresses and domain names; those are trivial for them to evade. They can change them up, they can come back, they can evade our detection. If our detection, however, is tied to their TTPs, we can create detection that is so tight
that they can't evade it without completely dumping and restarting everything. And nobody wants that. So at the end of the day, my holy grail at work, from my perspective, is: if I can take specific adversaries and understand them so well that I can create detection that is unevadable, I win. Because they have no opportunity then to harm us without us knowing immediately that they're present, so that we can boot them out before they complete their mission. So that's ultimately the goal. Now, this is a really dangerous area we're treading here. I'd be remiss not to put this out there, right? Because what we're doing in this is interacting directly with criminals, folks. You need to think really carefully before you take that step. What we're
doing is not illegal. We're not hacking into anything. We're not buffer overflowing anything. Nothing like that. You'll see in just a minute here. But you are interacting with them. If they have good OPSEC, operational security, they potentially will find you. That's not necessarily a good thing. If you're infiltrating a DDoS botnet and they find you, guess what's coming your way? Right? And especially if you get into some of the nation-state stuff. So there are lots of precautions that you want to take. Okay? So we're going to do this literally live. I'm going to set up a new C2 interaction here because, why not? I like poking fun at the bad guys. So I really do consider those companies.
But when I do this, I'm tunneled out of my laptop to a burner hosted server. From that burner hosted server, I'm connecting through, so I've got multiple layers, really, really tight iptables rules, et cetera. None of that ultimately prevents them from getting back to us and figuring out who we are. So this isn't something you want to enter into lightly. The other thing you want to be aware of is there are government agencies and intelligence firms that are doing work on these groups as well. So you also have some potential here to burn some existing operations. So you want to think really hard about that. And ultimately, as the slide said, doing good
operational security so that you can't get found is hard. Unfortunately, we can't cover how to do all of that in an hour. That's why I've chosen something very simple that's fairly low-risk. So let's just make sure everybody's on the same page on what we're talking about with C2. C2 is the command and control server, right? And the whole idea with C2 is it gives asynchronous command, right? So I love all of the stuff in the media that comes out where people are going, oh, well, that's not China or that's not Russia or that's not whatever source, just because of those addresses. They're not connecting from their original source to the endpoints, right? They're connecting to middle layers, command and control
layers. Those are what your backdoors, your RATs, etc., are communicating with, right? And of course we have tons of protocols. IRC was the first protocol for most of this stuff, just a really neat protocol. We still see IRC used, mostly now in the Android malware, right? I haven't seen a lot of new malware for PCs that uses IRC for comms, but for whatever reason, we're seeing tons and tons of Android malware that's using IRC for its command and control infrastructure. So it certainly still exists. Any of these can be leveraged for the communications, right? So pretty straightforward there. And then ultimately, we really have two broad flavors of things that we're dealing with. One is what we call
bots, which is just a group of bots. The point of bots is to have one-to-many communications. With bots, you've got one controller that wants to be able to control a complete army of bots, potentially into the millions. Whereas RATs, remote access trojans, which can also be infiltrated (command and control for those as well), those are typically one-to-one, right? And so that looks something like this. So this particular one's IRC, but it could just as well be any other protocol, right? It's simply a mechanism where you have all the different victim PCs, right, with the malicious software running on them, connecting into the overall central architecture, okay? Pretty straightforward. That guy also logs in and issues his commands. So the one
we're dealing with today, although it doesn't use IRC, uses just an open protocol. It's very HTTP-like, but it's not HTTP; it's kind of a custom protocol, but the effect is very IRC-like, as you can see here shortly. And then the RATs, typically, at least the medium-scale ones and up, actually have two levels of C2 servers that you have to deal with, sometimes even three. So we have what we typically call a parking server, right? And that's where the beacons are going to. So you'll get a RAT installed on a host, and it'll connect out every, say, five minutes or one hour or whatever the beacon interval is for that. It can be very custom. An hour is
pretty common. And what's going on there is the RAT's going out to the stage one C2 server, right? And it's just going, hey, have you got anything for me? And if so, then it switches, typically, to a stage two server. Now that may involve downloading an additional piece of code onto the host, maybe part of the core functionality. Again, it all just depends. But the stage two C2 server is where the bad guy's going to interact directly with the host. So now is where he's typing commands, or she's typing commands, and the backdoor on that victim machine is executing those commands. And again, we need to understand those differences because of course that plays out in how we do it. So the process we're
going to use for all of this is pretty straightforward. Obviously we need to get our hands on the malware. I'm going to show you the technique for that here in a second. Then we've got to reverse engineer the protocol. We've got to figure out what protocol is being used. Now, even if they're using a standard protocol, like, say, IRC or HTTP, we've got to know things like what the commands are and what responses the bot's going to send back. Because what we're doing here, effectively, is building a fake bot. Right? So I'm building a bot that looks to the server like it's just another bot, but it's not. Now, some people will do things like take the malware and neuter it. You'll drop, say, the attack
mechanisms that are in that bot. I prefer just to write a complete thing from scratch to mimic the bot, because it's much safer. There could be things in that code that I'm not aware of, and again, we're dealing with black hat criminals here; I really don't want any of this stuff escaping. My tool of choice is Python; it could be whatever language you prefer when you do that. So in particular, we need to determine those four key things. Is there encryption occurring in the communications protocol? Is there some sort of authentication mechanism that's taking place? You've got to understand that. What are the commands to the bot, and what are the responses from the bot? So those are really the four key things that you've
got to figure out. Once you've got that done, then you just simply prototype it in your language, figure out where the C2 servers are, and then infiltrate. Fairly straightforward. Tools, of course, are the standard tools we use in any malware analysis. In particular here, though, Wireshark is going to be your best friend. So the way I usually go about this is I will set up, on one of my burner servers out on the internet, say maybe something running on AWS, and run the malware with Wireshark, tcpdump, whatever, and capture the communications going back and forth between the bot and the C2. So you're doing it live at this point. Most of the time, that's all you need. You let it
run for a while. I would really recommend, if you take that route, that you put some restrictions on what that bot can do. So when I do that, for instance, I'll drop in some iptables rules, so literally that bot can only talk back and forth to that C2 server that I've determined that it connects to, right? So definitely you need to, again, think about some precautions on what you're doing here. Of course we can break out IDA Pro, et cetera, and do that. But again, let's start with a real one here. So most of this today, I'm going to focus on doing this for real. To start with, let's make this a little bigger here. So
I'm fortunate enough to have a VirusTotal Intelligence subscription. Highly, highly recommended. So in this case, notice one of my malware analysts wrote this nice YARA rule set for us. So, as you saw with what Paul was doing with Viprin in the last talk, YARA is tremendously useful for a lot of this stuff. So this is a specific YARA signature looking for the Gafgyt bot. So we run this, and literally we will do some of this live here again. So I go over here to Notifications. The way VirusTotal Intelligence works is you can upload YARA rules and then it goes out and runs them. And this is live. This isn't made up. So notice our date and time, and actually we just got a
new Gafgyt sample. So notice I've got lots of YARA signatures looking for stuff here. So we go out here to our particular sample. This one just came in hot, because literally I was just checking to make sure everything was working, and in this case I'm just going to go out to the strings here. Gafgyt's really nice because, frankly, it's about as simple as it gets. And notice here, here's our C2 server and port. Okay? So in a few minutes we'll try that. Since it's a new sample, it's probably live. Now in this case, just to make things easy (unfortunately it wasn't available when I initially wrote this particular bot, emulated bot rather),
in March of this year, somebody leaked the actual Gafgyt source code. So I'm running that in a separate VM. I'll show that here in a second. But let's talk about figuring out those commands and stuff. So in this case, I googled Gafgyt this afternoon, a few minutes ago. Notice I've got some really good write-ups on what this is doing. So here's an actual sample of the traffic going back and forth. Notice the pings and the pongs. Almost all backdoors have some sort of a keepalive mechanism. And so that's what we're seeing with the pongs and pings there. So on a particular interval, in Gafgyt's case every 30 seconds, it sends a ping to the
server and the server sends a pong back. At the same time, on the server side, the server is sending pings down to the backdoor and the backdoor is expected to respond with a pong. So that's why you'll notice multiple. The commands in Gafgyt are all preceded with the exclamation asterisk. So "!* SCANNER ON" is a command that tells Gafgyt to start sweeping a random set of IP addresses, and it's using the good old, I just blanked on that, Shellshock. So this was one of the early Shellshock pieces of malware. And so literally, it runs Shellshock. It also does some really simple brute forcing. So it scans for open port 22.
Yeah, there it shows. Here, let me make this a little bigger. So notice, it sweeps for port 22. If it finds an open telnet, it tries to log in with those user/password combinations. So really simple scanning. If it then succeeds in doing that, it then just simply executes a command. So in this case, notice there's this BusyBox, echo dash, so on and so forth. That's actually a technique for detecting honeypots. What it's doing is trying to make sure that what it's trying to exploit and log into is not a honeypot. If it doesn't get the expected response, it just drops. And most honeypots will respond incorrectly to this particular command. So it's just a
really simple technique for honeypot detection. If it works, then it just simply runs some command to download. In the Lizard Squad's case, and part of the reason why they were able to get such a large botnet so quickly, the vast majority of their bots were our TiVo boxes. So the vast majority of our good old folks providing us with those nice embedded Linux TiVos have really simple password combinations and were also all susceptible to Shellshock, and that allowed them to... At one point, there were well over several million TiVos that were running inside Lizard Squad's botnet. And that's what they were using to execute all of these denial of service attacks from. So you may have been helping them and didn't
even know it. And then here we've got an example of the commands that are in there, right? So we've got the ping command, we've got the shell command. Get local IP is pretty obvious in terms of response. Scanner on and off, pretty straightforward. We've got junk, UDP, and TCP flooding. And it's just the command, the target IP, target port, how many seconds, and then there are a few other optional parameters you can supply. Kill attack will kill the flood. Hold will also stop the flooding. And then the lolnogtfo, I'm sure you can figure out what that means, is actually used in two cases. The server itself has a protection mechanism, so if two bots from the same IP address log into the C2, it
will execute that command and terminate all of the bots. It can also, of course, be typed in manually to cause the bots to terminate. Now that doesn't remove them, however, so there's still persistence; the next time that system is rebooted, they'll connect back into the C2. So that's giving us a really good feel for what our traffic looks like. Again, I've got other articles, and literally
Gafgyt, and that's part of why I chose it here today, is so simple that in most cases we can literally not even have to break open IDA Pro. When I wrote this one initially, I did use IDA Pro because all of these write-ups weren't done, but at this point in time, it is absolutely not necessary. So what I've got here in this system is the actual Gafgyt... oops, wrong screen there... the actual Gafgyt server running. So, in the lower right-hand window, this is the server itself, the C2 server. Literally, I just compiled this from the leaked source code and executed it. Pretty straightforward. In the left window, you can see I've just connected into the C2 server's
control port, and I'm emulating the bad guy from that side. And then last but not least, I've got here the actual source code, or rather my bot source code that I've got.
I guess that was kind of readable. Okay, so I've written this, I rewrote this to try to be a little modular and a little easy to do.
I tried to make this really simple Python code here, not doing anything fancy. Really the only tricky bit with writing a lot of these is you've got to set up some sender function for the keepalive. And so in this case, I've got my initial header stuff; I'm just setting up some variables here that I'll use, so the IP address is the C2 server, the buffer size to communicate. 99 times out of 100, you just need to set the C2 address and the C2 port. Now, I've also got this bot name and bot pass. That's for bots that use authentication. Gafgyt does not. So in this case, I don't actually use them. Then I've got a bot responses
little thing set up here, which I've only got one set up for, and that's because I create static responses for most of the things that I want to supply information for. So in this case, when it gets the command get local IP, I always just respond 192.168.1.42. I know that as a common RFC 1918 address, since a lot of these infected systems are going to be sitting behind some sort of firewall. It gives away no real address, but it also doesn't show the outside address of where I'm coming from, right? And so it just makes it easy to look like, yep, this is just a vulnerable box that's sitting inside a network somewhere that's communicating out. Obviously, if you do use the source code,
change that address to something else, just in case, you know, they find the code. Then I've just got a couple of blocks here that are setting up the... I've got one that just does a reverse lookup for the target IP so I've got a name. Then these blocks are really where the bulk of the work is done. So in this case, notice I'm just supporting the different commands. So I've got my keepalive function. The keepalive function is just simply looking for that ping and sending the ping that's expected every 30 seconds. I've also got a couple of functions that I'm not using here. I call them x-min garble and x-min ungarble. Those are the sub-functions I use if there's encryption going on. So again, I'll
just feed it into the function, decrypt it, feed it into the function, encrypt it, so I can support whatever encryption they're employing. Then I've got my ping response function, my UDP response function, TCP flood, junk flood, and then support for the lolnogtfo. Now you'll notice there are a number of things I'm doing, because remember my goal in doing this is I want intel. What I'm trying to do is determine what it is that the adversary is using this for, right? So notice all of these functions are transmitting whatever is expected and then I'm writing it out to a log with a date and time stamp. In this case I literally just called it .log, and so I write that data out there with the date and
time, and notice things like UDP flood. In this case target 1 is the actual IP address being targeted, target 2 is the port, target 3 is the duration. Not too complex. Again, obviously we don't quite have time to teach Python per se, but it's not too terribly difficult. And then finally we have the loop, or the main function for the bot. Notice here I've got just opening up my file, opening up my socket, and then these patterns here again are not used with Gafgyt. What you get, though, with a lot of the, especially the one-to-many bots, is they'll have the capability to individually address bots. And so that's a setup for those kinds of bots, because what you want to do is those
sorts of bots will authenticate to the server. You need to look for the bot's name being addressed so you know that that command is aimed at that bot. But for the one-to-many that have individual addressing like that, well, Gafgyt's not that smart. Any command typed goes to all bots, and all bots execute it. It's just that simple and dumb, frankly, right? But if it's individually addressed, you've got to make sure your bot recognizes, oh, I got a command, so that it can respond accordingly. So I'm just using a regex there to look for the bot name in the incoming data. Again, not used in this particular one. Again, I've also got the authentication section commented out in this case because we don't need it for this bot.
And then when we initially come in, we're expected to identify ourselves. So in this case, the way Gafgyt works is it just sends a simple string saying, hey, this is my operating system. Again, I'm just sending completely bogus crap. I put the current date and time in there so that it's current as expected by the C2 server, but I'm just telling it that I'm an i686 Athlon running GNU Linux. Completely irrelevant. They have no way of validating that data, so I want to pick something that's very generic to try and blend in. And that's something that you can look for when you're doing the actual kind of setup. And then otherwise it's literally just: I
take in the data coming from the C2 server and then I just simply look and see, oh, is this one of my canned bot responses where I want to send it a specific canned response, or is it something that I need to send it something specific for, and in that case call the appropriate function for the command that came in. Pretty straightforward. And I've tried to make this really easily extensible. So if you want to do this, just replace those functions with the appropriate ones and the appropriate responses up in those functions. So fairly, hopefully, simple to use. And then the last thing is I just put in a keyboard interrupt to detect it. So let's try it. This one I'm just going to run
here locally. The IP address and port here just connect to that virtual machine. I'm just going to execute this.
You'll notice there, again, I didn't write the server, so "hosts connected 1." That's my fake bot, just connected to the channel. The other connection, of course, is because I'm logged into the server. So now I can issue commands to the bot, right, so I can say, all right, give me your local IP. Get local IP, typed here today, right, and if you notice over here, we got a response from the bot: my IP is 192.168.1.42. Notice, by the way, here was that initial sign-in string, right, in terms of the identification of what sort of Linux I'm running. Okay? Notice there came a pong. That's that 30-second automated mechanism, right? And, of course, I can tell it, all right, let's UDP flood...
I'll go for EvilCorp here.
We'll flood their DNS server for 500 seconds. Okay? And notice the bot responded, UDP flooding 3232, 53 for 500 seconds. Right? Simple as that. Nothing fancy, no rocket science here. But what's nice about this is that we get logs of all this activity. And some of these guys are really...
Geniuses isn't the right word. You know, so just over the last week while I was tuning up this code, I've been running this bot in three different new Gafgyts, two servers that I saw spring up in the VirusTotal stuff, and some real brain, I mean, clearly rocket science material, has been trying to SYN flood via UDP. I suspect that's not working out very well for him. He probably needs some basic protocol instruction, but not my problem. So, tell the bot to get off. All right, bot got off. All right, so let's do this for real though, because that's a lot more fun. All right, so you guys saw me pull this up here, right? So this is VirusTotal; this came up a few minutes ago. Let's copy that server.
And I should have a shell here somewhere. So let's make a directory. So typically the way I do this... oh, I made it when I was testing earlier. That's a little different one. That's a new one for an existing one. Let's see if we can get... I've already been monitoring that guy. Let's take another Gafgyt sample. Here's another Gafgyt sample. Again, we'll just open it up with
strings, because this is a really sophisticated backdoor. Yeah, there we go. This one's a different C2. I'm going to copy my generic bot down in. We need to edit it
to change our C2 server.
All right, that's our C2 server, 49921. Now let's run. The Gafgyt server's up and we're in. It's as simple as that. So we're now live monitoring a new, very real C2 server out on the interwebs. I have no idea who this is. It just popped up on VirusTotal today. You notice the initial command, and that's an automated command. As soon as the backdoor connects, it just turns around and immediately says, turn the scanner on. It starts sweeping for hosts, trying to log in on telnet on port 22 using those combinations, and notice our keepalives are on. And so now it's just a matter of letting it go, right, and letting it collect intel for me. And that's
literally all there is to this. Now, I want to be clear, this is definitely one of the simplest ones, which of course is why I chose it, because I wanted something that we could cover in the time we have today. But that's really all there is to the process. It's just figuring out what that protocol is so you can emulate this malicious software and win. What I can tell you from having done this now for five or six years, with probably at this point thousands of C2 servers and infrastructures, is that the adversaries are not doing what you think they're doing. It's not rocket science, but in most cases it's very different. So if you go
out to GitHub, you can get a copy of the code that I've got. Use it at your own risk. I'm not responsible for you getting DDoSed or anything like that, which is clear in the MIT license I put on it. Again, be very careful going into this. And of course, the last thing, the things we can do with this, like I said, adding the ability to text you if something interesting goes on. But otherwise, instead of just collecting these logs and analyzing them, it's kind of a reverse honeypot, as it were. Rather than us waiting for them to come to us, we go to them. In my opinion it's a lot of fun. So, questions?
Sir? How do you deal with, or have you run into, you know, communication with CTS, like the interactive things, like, you know, SAH. Yeah, yeah. Yeah, great question. So, what happens if they drop a shell, for instance, you know, the GACA, the supported shell command. I just respond, with an error message. I pretend that the bot shell is not working because that happens in the real world. That particular thing has burned me a few times, but not too often. Most of them will go, oh, there's something wrong with that implementation. They'll just move on to the next bot. I have burned C2s. There is no question I have been found over the years. But I'll be honest, it's rare.
probably one in 500 maybe. Most of these guys have no operational security. Typically there's hundreds or thousands or hundreds of thousands of these bots in these channels and it's really easy to go under this. But the biggest trick is trying to make sure upfront that you really closely emulate what they're expecting going back to that C2 server.
Well, yeah, so his question was what's the difference between working with commodity and nation state? Nation state has more resources and better operational security, right? So with nation states, they actually check their logs. With nation states, they won't immediately let on that they figured out that you're in their base, as it were. So your operational security is even more important, quite frankly.
It's a really good idea to put multiple, multiple layers of things between you. But that said, I don't think I'm so smart that I'm probably not on some lists. It is what it is. Probably don't want to think about traveling to some of those countries, perhaps. Sir? This is kind of useful to say, okay. I'm a little inspired and, hey, these are my IPs that I care about. What other things are going to be used operationally with this information? Well, so this particular bot, there's not a ton, right? It's just an E-box bot. But the bots that are much more sophisticated, where they can do a much greater range of things, then you get a lot of
things like DTPs potentially, especially the one-to-ones, right? So the large botnet herds, those aren't, frankly, for what most of us as defenders are hearing about that big of a deal because they're mostly sending spam, doing drive-by installs, things like that. Now that's useful, but that's useful mostly for intel purposes and attribution. Where it's interesting for us as defenders are when you get things like the snippet that I showed earlier. Like I said, this is anonymized with real logs, right? So here you're actually seeing everything they're typing, right? This gives you invaluable amounts of data on things like what directories are they using, what are their tools, what's there, so on and so forth, right? Which allows you then to craft really tight. I've got a dangerous question.
So say you found this inside your environment. Yes.
I plead the fifth. Leave it up to you to decide. Is that something you can do? It certainly is.
everything like you indicated. Do you usually give advance notification, hey guys, I have this potential pressure that's coming in and will locate the notification? So short answer, just because we're almost out of time, yes. So I have clearances, I work with several three-letter agencies, you know, pass the logs along with the program. So let's say I find a C2 server and I see somebody attacking something that I think my friends at the Bureau would care about, and I will pass it with one of the students. The key, though, from my perspective is my risk, personally, of burning operations is very, very low, specifically because I am not taking action. I am purely taking a passive listening role. So in
my case, I don't act on any of this data directly. Certainly not going after them, et cetera. So because of that, my likelihood, I'm not publishing papers on what I'm finding, that sort of thing, while it's tempting, that's what gets operations burned, right? So the easiest way for you to burn an intel op is to publish data on what's going on in a particular C2, like a blog post or something like that, which then tips the bad guys off that they're being monitored if the other good guys, agency type good guys, are also then that they potentially lose. So that's the main reason why I don't do that, specifically. But I mention that one specifically so people are cognizant
of the nature, right? McAfee did that with Big Post a number of years ago, completely burned an infrastructure down that really hurt a lot of intel agencies and private folks monitoring. I think there was one more question. You said something about what we did and what it really is. Yeah. So I think this would be a good example of that. So this happens to be a group that Mandiant calls APT1. Their remote is very simple. They don't, for instance, ever use NMAP or tools like that. They dump their list via Active Directory. net group, quote, domain admins, quote, slash domain, stuff like that. They're dropping these tools. NetView, for instance, is a tool that shows authenticated
sessions. So they dump the local password cache, use it on the authenticated sessions, which, of course, is what the passwords are good for. Rinse and repeat until they find a host that's got a data in power into a cache. Just simple things like that that are just not the typical way you think the actors are operating, right? And so then understanding that better then allows you better to do your passion. All right, so I think we're out of time. We have some giveaways. Three giveaways, it looks like.