Red Team Village - Total E(A)gression
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Subtitle |
| |
| Title of Series | ||
| Number of Parts | 374 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/49194 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
00:00
Intrusion detection systemAsynchronous Transfer ModeIntrusion detection systemComputer animation
00:26
Information securityProduct (business)Modul <Datentyp>Asynchronous Transfer ModeSoftwareConnected spaceMereologyDesign by contractMultiplication signInformation securityProjective planeBitEnterprise architectureData managementOperator (mathematics)Hacker (term)Software frameworkProxy serverSoftware developerSoftware bugProduct (business)Group actionComputer animation
01:24
Intrusion detection systemComputer networkSoftware frameworkModul <Datentyp>Server (computing)SoftwareClient (computing)Skeleton (computer programming)Module (mathematics)Hacker (term)String (computer science)Internet service providerFeedbackTransport Layer SecurityAsynchronous Transfer ModeSoftwareNetzwerkdatenbanksystemServer (computing)Rule of inferenceStreaming mediaPublic domainEmailFeedbackService (economics)CodeWeb browserSoftware frameworkTransport Layer SecurityDataflowFingerprintMalware1 (number)Skeleton (computer programming)String (computer science)Computer animation
02:48
Intrusion detection systemDifferent (Kate Ryan album)Computer networkTransport Layer SecurityProxy serverRule of inferenceInformationBlock (periodic table)Public domainFingerprintSoftwareAsynchronous Transfer ModeSoftwareProxy serverSet (mathematics)Computer wormPhysical systemDataflowPublic key certificateBitString (computer science)Rule of inferencePublic domainField (computer science)Machine visionLevel (video gaming)LaptopRight angleTransport Layer SecurityMereologyComputer animation
03:58
Intrusion detection systemAsynchronous Transfer ModeFingerprintTransport Layer SecurityServer (computing)BitWeb browserService (economics)Physical systemSoftwarePublic domainComputer wormRange (statistics)Scripting languageConnected spaceRight anglePublic key certificateLaptopCommunications protocolStructural loadClient (computing)Direct numerical simulationIP addressStreaming mediaMereologyEmailComputer animation
05:37
Asynchronous Transfer ModeTransport Layer SecurityFingerprintInformationSoftwareEmailCommunications protocolClient (computing)Computer networkMathematical analysisSimilarity (geometry)Server (computing)DatabaseTransport Layer SecurityProxy serverHash functionPairwise comparisonEncryptionNumberFingerprintMultiplication signIntrusion detection systemAntivirus softwareSoftwarePrice indexDigital photographyPhysical systemConnected spaceComputer animation
06:25
Asynchronous Transfer ModeSocket-SchnittstelleTransport Layer SecurityServer (computing)Source codeInformationScripting languageLibrary (computing)BitExtension (kinesiology)Matching (graph theory)Client (computing)SoftwareMultiplication signRevision controlWritingHash functionDataflowTouchscreenOpen sourceWeb browserNetwork socketComputer animation
08:02
Asynchronous Transfer ModeServer (computing)Transport Layer SecuritySet (mathematics)Revision controlTouchscreenDataflowDecimalSheaf (mathematics)Hash functionClient (computing)EmailWeb browserExtension (kinesiology)Connected spaceSoftware
08:45
Client (computing)Transport Layer SecurityElectronic signatureSource codeNetwork socketEntire functionJava appletSoftware frameworkControl flowExtension (kinesiology)Asynchronous Transfer ModeSoftwareTransport Layer SecurityClient (computing)outputProgramming languageSource codeConfiguration spaceBitSocket-SchnittstelleComputer configurationControl flowWeb browserLibrary (computing)CASE <Informatik>Hash functionLink (knot theory)Order (biology)Network socketComputer programComputer animation
09:59
Asynchronous Transfer ModeTransport Layer SecurityLoop (music)Order (biology)Transport Layer SecurityWeb browserLine (geometry)Graph (mathematics)String (computer science)outputFormal languageConfiguration spaceSource codeDataflowSimilarity (geometry)QuicksortComputer virusComputer animation
10:52
Asynchronous Transfer ModeOrder (biology)Transport Layer SecurityLoop (music)Software suiteHausdorff spaceClient (computing)Compilation albumWeb browserCASE <Informatik>Graphical user interfaceDecimalClient (computing)Source codeTransport Layer SecurityFingerprintDataflowLink (knot theory)Extension (kinesiology)CodeMereologyOrder (biology)Multiplication signComputer animation
11:49
Library (computing)GoogolTransport Layer SecurityComputer configurationAsynchronous Transfer ModeMusical ensembleConnected spaceSource codeFault-tolerant systemWeb browserSoftwareRight angleDataflowComputer animation
12:23
Token ringAsynchronous Transfer ModeGoogolTransport Layer SecurityOperator (mathematics)AuthenticationMobile appBitServer (computing)Connected spaceWeb browserDataflowGraphical user interfaceFingerprintGoogolProxy serverComplete metric spaceInformationGraph (mathematics)Computer animation
13:20
Proxy serverSoftwareTransport Layer SecurityLaptopString (computer science)Content (media)CryptographyAsynchronous Transfer ModeThread (computing)Symmetric-key algorithmArrow of timeString (computer science)BitMedical imagingProxy serverSoftwareLibrary (computing)DataflowCryptographyPhysical systemEmailNetzwerkdatenbanksystemMultiplication signError messageEncryptionComputer animation
13:59
String (computer science)Asynchronous Transfer ModeSymmetric matrixSharewareComputer wormPhysical systemEncryptionModel theoryString (computer science)Multiplication signModule (mathematics)Graph (mathematics)Symmetric-key algorithmComputer animation
14:21
Software frameworkNormal (geometry)Module (mathematics)SharewareFingerprintTransport Layer SecurityProxy serverRule of inferenceExtension (kinesiology)Asynchronous Transfer ModeConnected spaceBitSoftwareGraphical user interfaceIntegrated development environmentPhysical systemFingerprintReading (process)outputNetwork topologyMultiplication signTransport Layer SecuritySource codeComputer animation
14:50
Asynchronous Transfer ModeTransport Layer SecurityWeb browserConnected spaceNetwork topologySharewareProxy serverSoftwareVirtual machineFingerprintServer (computing)EmailWorkstation <Musikinstrument>Physical systemProcess (computing)WindowPolarization (waves)Graphical user interfaceComputer animation
15:29
Asynchronous Transfer ModeGraphical user interfacePhysical systemMultiplication signProcess (computing)Right angleVector spaceComputer animation
15:47
Asynchronous Transfer ModeComputer fileReading (process)Rule of inferenceOnline helpHash functionClient (computing)Line (geometry)Content (media)EncryptionEmailDiscrete element methodEinstein field equationsVector spaceRule of inferenceVirtual machineBitConnected spaceTransport Layer SecurityDatabasePlug-in (computing)Hash functionWeb browserEmailMatching (graph theory)Computer virusComputer animation
16:22
Asynchronous Transfer ModeMIDIRule of inferenceHash functionReading (process)Interior (topology)Public key certificateTransport Layer SecurityClient (computing)FingerprintHigh-level programming languageFingerprintWindowGoogolRight angleClient (computing)Computer animation
16:40
Asynchronous Transfer ModeDefault (computer science)Configuration spaceClient (computing)Hash functionWeb browserDatabaseComputer animation
16:59
Client (computing)Asynchronous Transfer ModeDatabaseGoogolServer (computing)Token ringAuthorizationLoginMultiplication signTransport Layer SecurityFingerprintWeb browserGraphical user interfaceComputer animation
17:24
Asynchronous Transfer ModeClient (computing)Transport Layer SecurityWeb browserGraphical user interfaceFingerprintDataflowProcess (computing)Computer animation
17:47
Client (computing)Asynchronous Transfer ModeNetwork socketProxy serverObject (grammar)Transport Layer SecurityGraphical user interfaceComputer animation
18:05
Asynchronous Transfer ModeComputer virusWeb browserGraphical user interfaceFingerprintTransport Layer SecurityComputer animation
18:31
Asynchronous Transfer ModeFingerprintSoftwareTransport Layer SecurityHash functionPolarization (waves)2 (number)Physical systemFrame problemoutputSheaf (mathematics)Process (computing)Proxy serverDifferent (Kate Ryan album)Multiplication signComputer animation
18:59
FingerprintTransport Layer SecuritySingle sign-onAsynchronous Transfer ModeJava appletWeb browserClient (computing)Graphical user interfaceLibrary (computing)DatabaseMultiplication signSource codeComputer animation
19:19
Asynchronous Transfer ModeGastropod shellReverse engineeringInformationComputer animation
19:39
Asynchronous Transfer ModeFingerprintTransport Layer SecurityMathematical analysisOpen setString (computer science)Similarity (geometry)Software developerEncryptionGastropod shellOperator (mathematics)FingerprintFocus (optics)Bit rateTransport Layer SecurityScripting languageComputer animation
20:19
Transport Layer SecurityComputer virusAsynchronous Transfer ModeConditional-access moduleInternet forumHash functionClient (computing)Right angleTouchscreenFilm editingLoop (music)Extension (kinesiology)Scripting languageEmailComputer-assisted translation
20:56
Physical systemFocus (optics)MalwareProcess (computing)SoftwareAsynchronous Transfer ModeGroup actionSoftwarePower (physics)Electronic signatureCellular automatonOperating systemComputer animation
21:19
Asynchronous Transfer ModeBitWindowScaling (geometry)Source codeBenutzerhandbuchSlide rulePhysical systemElectronic program guideSoftware frameworkSource codeComputer animation
Transcript: English(auto-generated)
00:00
All right, we're back and thank you, Alvaro, for supporting the community, supporting DEFCON, for your, of course, presenting here and definitely supporting the Red Team Village as well. We're glad to have you here and the floor is yours. Take it away. Thank you so much, Omar. I'm so happy to be here another year presenting the DEFCON Red Team Village. Welcome to Total Eaggression, a evading intrusion detection
00:23
system for stealthy implants. So, first of all, I would like to introduce myself. My name is Alvaro Falgado, and I was a product security engineer where I perform a lot of software and architecture security reviews. I do a lot of offensive appsec, bug hunting, a little bit of research about this last topic, but in my free time, I have been spending more or less the
00:45
last two years working in a main project that is an implant framework. It's kind of divided in two parts. The first part is the C2O, the operation manager, growth on Golang. Most of it, it is the reform to deploy infrastructures, proxies, and redirectors. And the other half
01:02
is the modular Beechito that is called on Go, C++, to perform a little bit more of like native action over the target device. I had the lag in the past, as I said, to present this framework on the DEFCON Red Team Village of the past year alongside Shellcom. I am here again to speak a little bit of the same topic, but connected to other stuff I'm
01:21
going to develop. So the connection here, in the last year when I was presenting this framework, one of the stuff that I was kind of most proud about is the ability of my implant of egressing, not just using HTTPS against a custom server, but using Gmail itself. I was saying in my talk, give me a string to progress and I shall hack the planet because
01:44
you can use email, but you can use any other software service. And from that talk, I got an amazing amount of cool feedback, but one of the most interesting ones was from one blue team engineer back then that told me, you know, this looks cool, but you know that by analyzing some header of your flow, like the TLS fingerprints,
02:04
we could personally detect that as a Go HTTP client. And if we kind of, while this is the kind of software we have in the domain host of a corporate network, that will look sketchy. So I was like, okay, so you're telling me I am egressing through Gmail, but still not even by, you know, doing a deep packet inspection, you're able to detect I'm using
02:22
some kind of malware. So, you know, this really triggered my attention. So I focus my next year research on them towards like creating kind of a skeleton network model, not just for my tool, but also as a piece of code for everything around the community to be able to use this for bypassing this kind of filtering of this kind of rules that
02:43
the blue team could have deployed in a corporate network. So, you know, if we focus on this, you know, on this field and we really want to like look stealthy on the network level, I wanted to start a little, we do like a high level vision of kind of the different techniques
03:01
that a blue team or sister could deploy in a corporate network towards detecting or running in planning a foothold just by looking at the network package. So I like to divide in kind of like two big parts, right? We have all the deep packet inspection techniques where, you know, somehow the blue team has deployed the infrastructure to force every domain host
03:21
network package to go through a proxy, right? And this proxy normally is a TLS proxy that filter out all this flow and make the target operating system all up to set the certificates so I can deep look at the body of the flow. And then, you know, by looking at this body, I can grab kind of common strings that match to malware and I can try to create a
03:43
set of fine grained rules to detail which one are the flows that match most common like indicative of compromise and most common like problems, right? But I'm not going to get still really deep into these techniques. I want to focus a little bit in deep packet inspection techniques, right? Those techniques will be focused not in what the body of the payload is,
04:03
but more in things like where the aggression is going, right? Which is the server or foothold is connecting to. So, you know, the blue team will start to look at things like sketchy IP range or if we're using some kind of service like Amazon or Azure, they can start to look at the domain, right? Which kind of domain we're using. And if we use something like domain
04:23
fronting, they start to look at, oh, which kind of operating system or software is listening to the connection, right? Which kind of certificate is this server like serving, is it self-signed or not? And then they will also could look at the wire itself, which kind of protocol we
04:41
are using. If there is a huge amount of package load on a DNS aggression, they could say, oh, something is going on here. So, you know, if we come back to the concept of a service like email, then we can finish with all the problems of detection by then almost all of them. And we can do this easily because if it's a software as a service,
05:05
as the opportunity to modify a string, we can make our foothold to communicate through the C2 just by pulling, pushing data on it. And now it's where it comes the funny part, like we have finished with the problem with the endpoint, but still the blue team has powerful tools to analyze which kind of HTTP client we're using. And they can say, oh, this domain host is
05:25
using a common browser that looks good to me, but oh, this human resource laptop is running a Python script to go to whatever server or a go client that kind of look a little bit more sketchy. So at the end of the day, the blue team has a powerful tool to analyze before
05:41
breaking the encryption through TLS fingerprints, which kind of software the foothold is using which kind of software we're using or redirect or proxy or whatever to receive the connection. And by matching both of them, they could get a really strong indicator of compromise. This will work similarly to like antivirus or all hosts introduced in the technical system
06:04
where they will extract a hash from the binary and compare it with a public database. Instead of now doing that with the binary, they will do that with a TLS handshake and they will extract a certain number of bytes, perform a hash and compare it with a public database. This is a really interesting research that was done time ago by a bunch of blue team engineers.
06:24
And I was saying with this research, they published it with this GA3 tool. It's a Python script. I'm going to do a little bit of a deep dive, what's going on. So let's imagine we're writing our implant and now we need to think about how he's going to address or how he's going to connect to the C2, right? So if we are going to use HTTPS and a lot of you will say,
06:45
okay, don't use HTTPS, use HTTP, but for some reason we need to use HTTPS or endpoint, for some reason you just accept HTTPS. The first thing that our implant will perform is opening a TCP socket. And following that TCP socket, the TLS handshake will start.
07:00
And that TLS handshake has a lot of information on it because first the client is going to tell to the server which kind of TLS version we want to use, which kind of C4C you want to use, but particularly which kind of extension he wants to use. And a lot of these bytes, they're really related to the kind of software we are using or the kind of library we're using to write our implant. In the same way, the server will do the same. So the Python script
07:25
will parse this pickup of, you know, if we're using YSHOW or any other software to get them. And then we'll just select this package and we'll analyze the bytes, transform them in an MD5 hash and match them to a really particular software. If we're writing our implant, sometimes we rely on those libraries and other times we're
07:44
going to use some software that is already matched and is already giving us a particular alert to the blue teamers. So if you follow the source code, you can go to the gf3 tool and see exactly what he's doing when you provide to the Python screen a pickup. But if we go to the Y shack and we start listening to the flows and we just open a browser
08:06
that is performing HTTPS connection, we can easily filter those packages and we can see what's going on. We can go to the header of the secure socket layer and we can see all these particular bytes that we have. And while TLS version and C++ are kind of easy to modify, there is
08:21
a bunch of extensions that are assisted by the RVC that can be configured. So the Python screen will just go over that set of package, divide those bytes in five sections, transform them and then generate this MD5 hash that particularly match a certain version of a software for the
08:41
client and server. So, okay, where are the red teamers? We know this is a problem and we know that we may be detected because of this. So now it's where it becomes the idea of blending in the network and trying to like abating these techniques. So I had a bunch of ideas. My first idea was, okay, I'm using a programming language. This programming language give me the
09:04
option to create my own HTTP client, choose the library I want to. But the problem is like most of the HTTP client that accept TLS configuration, while they provide you a lot of bytes for configuring your own TLS handshake, they really don't provide you like an input where you can put all the bytes you like and the order you like so you can have the hash to decide
09:23
for copying another client software. So this was kind of a tricky one. So my next idea was, okay, I will just open a TCP socket and throw there my copy a client hello package and see what happened. Obviously the TLS handshake breaks and it's not interesting to us because at the end of
09:41
the day we need to use HTTPS. So my last option were like getting a little bit my hand dirty and go and modify the source code of the programming language I was using. In this case was Golang. So I will say, okay, I will add a feature and this is more or less how it works. So, you know, and I'm sort of dissimilar in other languages that relate to which kind of language
10:05
you're using for writing your input, but at least in Golang, when you want to, you need to graph your HTTP client and when you create a HTTP client and you want to use HTTPS, you provide the TLS configuration that is like a struct. Before requesting to the endpoint with a post get
10:20
whatever HTTP request you want to, the language will go through the flow of crafting this TLS hello. And it will take kind of your configuration and then grab up the bytes and send them to perform the handshake. The problem is, I was telling before, we don't have a feature where we can like put whatever bytes we want to. So I modify the source code of Golang and
10:44
HTTP client to accept in the TLS configuration a new string input and this string input will be exactly what the GA3 tool provide to us. So in that case, we can use the GA3 tool for copying a Chrome Firefox Opera browser and throwing in the compilation of our implant.
11:03
In that way, when you go to TLS flow and lead to another part of the code where you are like marshaling or creating this claim hello, I added a for loop and for each decimal value, I kind of copy a reference, which is the package or the syntax that respect the RPC. So if you have
11:22
a bunch of the sub decimal bytes in the right order, you can extract the fingerprint of the browser you are targeting. It's true that a lot of them, and I'm sure this extension will be modified with the time, but I have enough right now entropy or like availability of like the sub decimal bytes already code for like setting most of the browser. If you feel
11:42
you need more decimal bytes, I will add them. There is no problem. The source code is already published in this links on GitHub. So, okay, now we have the HTTPS client we need for copying rightful connection of browsers and any other software you like, antivirus, aggression, whatever. But now it's kind of the problem that we want to address using Gmail that I need to
12:17
to change on the source code. So that say, I want to like provide you a flow of how this
12:27
implant will work on the background once we get the execution on the foothold. So when we graph our implant, the first thing we need to have is the Gmail connected app. We configure it and we provide those credentials to the C2. And the C2 on the completion of the implant
12:42
will provide both the credential to the, to the digital alongside with the TLS fingerprint. And then the implant will start with the aggression and for aggressive. The first thing he will do is using the refresh token against the Google authentication servers. And then when he get the access token, we will start to like push pool information through Gmail. The C2
13:02
or the operation server will do similarly, and we will create a data connection for sending received commands perfectly and totally transparent into the operator. At the eyes of the blue team that is looking at this proxy, it will just look like a Chrome browser, which is good to go.
13:20
So to speak a little bit about Deepak's inspection on how we can bypass or avoid this stuff. So, you know, if we have the bad luck that the sock or the scissor is gripping common string within or like flow against Gmail, we could kind of use some kind of cryptography and share a symmetric key with the C2 and then common grips or common errors will not
13:43
pop up. If we have the bad luck that is a threat hunter catching or flows, we can also, we can also use other techniques like stenography. I wouldn't be not as difficult because also Gmail provide us the ability to attach images to the draft emails. So a little bit of how the network model with the encryption will work in system time
14:03
is just doing the similar thing, putting on the body of the draft, whatever JSON payload we want to process by Hive. But instead of just putting playing the strings, we can use like encrypted with the symmetric key. I have a still not developed this full model, but it will be added to siesta time in the future. So let's, let's go ahead with the demo. So what I have created
14:24
here is to try to reproduce this environment where the blue team has deployed this kind of detection technique in a network. I have created two different implants. This is the graphical interface of siesta time and alongside all the inputs that I'm not going to speak about each one of them, particularly we see here, we have this TLS fingerprint with an extra 4G32.
14:44
In that way, we can create different implants that mimic whatever connection we want. If we focus a little bit the network topology of the demo, what this is going to look like, I am using a BIMI workstation with three machines on it, but particularly interesting is we have the
15:00
Windows 10 foothold that is going to run two different implants and every connection that they get through email is going to be read by a Ubuntu server that is a polar proxy, it's a TLS proxy with polar proxy, which is not the most interesting. The important thing is running a Suricata network system. And you have a bunch of alert just to like detect
15:21
that if the TLS fingerprint from a HTTP claim to show me an alert, if not, you can go ahead. So let's go to the demo. So as you can see here, this is a graphical interface of siesta time. These are all the jobs that the Hive has processed already. And now we have two implants that are created. That means we can just download the executable and somehow we
15:44
will make the foothold to execute through any attack vector we want to. So this is the Ubuntu machine that is listening to all the connection or the aggression of the foothold, and we have the Suricata running on it. Suricata will match the two following rules.
16:01
These two rules, they're using a GFC plugin for Suricata and they will get the header of the TLS connection of every aggression package. They will generate a MD5 hash. If that hash match this one, we will pop up an alert. We can check that these two hashes, they match by the public database of VS3, a Go HTTP client. So let's search for the hash. Similarly to virus
16:29
total, but with TLS fingerprints, we see this is a Go HTTP client, right? We are going to run the first implant in the Windows 10 foothold and we're going to be detected. So the interesting thing about these two is like, obviously this Go client is going
16:48
to be using the default configuration, but we can change things. But the cool thing about this is it doesn't matter how many configuration is changed by using a Go HTTP client, by the end of the day, all those hashes, they will be registered with this public database. So we have
17:02
two appearance on the log of Suricata. And the reason is because I was saying before, one request is for getting the access token for the Google authorization servers, and the second one is for pushing pulling data from Hive through Gmail. So let's clean the logs. And now we are going to do exactly the same, but using the implant that has been creating
17:23
with siesta time and with the TLS fingerprint for Chrome browser. So the creation of the implant is using the same process, which is going to change with the execution of it and how we detect it. And the data flow is using the same. So let's just execute the implant that now is copying the fingerprint of our Chrome browser.
17:45
And let's go back to the Suricata, and we see there is not any log, but let's recheck what's going on. So let's open a Wireshark and let's start to detect and read all the packets that are going through the TLS proxy. And the objective of this is, since we maybe don't trust
18:04
what Suricata is saying to us, let's make sure that this thing is bringing us a Chrome browser instead of a Go HTTP client. So let's filter, let's get all the make hello, and then let's export it in a pickup. And we can use this pickup for like a
18:20
JS3 to parse it and tell to us which fingerprints of bytes is detecting from this accuracy. This way will be the same that we need to follow if we need to copy the TLS fingerprint for any other rightful software. So here you see there is like this five section of bytes. This one will be the input for siesta time frame we want to generate an implant with
18:43
fingerprints. And there is two different MD5 hashes because as this is a TLS proxy, there is a second fingerprint for polar proxy itself. But as we go and we take the fingerprint of the implant, we are going to see that this is effectively the public database,
19:01
JS3 is effectively pointing it to a Chrome browser instead of a Go HTTP client or a Java client, Python client, whatever we have HTTP library we have used for our implant to address. So if we go back to siesta time graphical interface, we can see we already have the host
19:21
infected. We have killed one implant, so that's offline, but the other is still alive. So now we can do things like injecting a shell or injecting a reverse secure shell. We have all the information from the target host that we have infected. And we also have an asynchronous interactive shell and all these will happen,
19:42
totally transparent to the operator and through Gmail, you see the fingerprints we need. So I want to speak last but not least, how to help defender, how to make them better because at the end of the day, the routing operation has a lot of reasons, but we want to make
20:02
the defenders to be better and to be prepared to this kind of attack. So if I focus on the techniques and in the TLS fingerprint detection, if you ask me if there is a gap of improvement, I will say yes. There is for one reason that the Python script for JS3 is going through all
20:23
these extensions by it so the big entropy happens, but it's just taking the headers. The Python screen, we could write a new for loop for getting more bytes inside this anonymous layer. And this is something that JS3 is not doing right now, that we always generate more MD5 hashes and more different to search. But that's cool.
20:45
But this is the catch of the cat of the mouse. If they do that, I will just add another for loop in my HTTPS client and then we're in the same. What I think is interesting is not just using the network detection technique, but focusing on the host introducing the techniques or now
21:03
called EDR and trying to match the two signatures and see if something is going on. I say this because while it might be Cheetos, it's progressing really efficiently, this is still doing not so straightforward actions in the operating system. And this could be easily detected, like pomega cmd.x, power cell x, or for persistent use,
21:23
calling the APIs of the scheduled desktop windows, this could be a little bit more shiny at the hour of detection. So that's everything. Thank you so much. The source code is already published for everything and there is a user guide for the system framework as well.
21:44
I have the discord and I can answer questions, so just let me know. Okay, yeah, the slides will publish the slides, source code is there, the user guide, yeah. That's everything. Thank you so much.