Closed fpusersuggest closed 1 year ago
Thank you but no thanks: we're only using ip addresses when they're directly used by stalkerware, otherwise, we're using domain names as much as possible.
do U think that my work could be totally unusefull because basically the ioc are founded on the domain detection ? But is not easy for a software change its c2 address from the domain to the raw ip ?
Hello guys, I'm victim of espionage and I'm trying to find some clue. Because I know I'm spied but I haven't found anything on my devices (pc and phones). In my opinion it's something of very sophisticated and could be something life a file-less tool. For file-less I mean something that is not installed on the disk but it's resident only in ram. The the pc can be infected everytime I connect the browser to the net. Anyway, my problem is that, as I can see all the IOC are in the domain format and not ip. I installed a raspberry with suricata and default free rules but it's not connected to the internet. It's just connected to the mirroring port of the switch, the ethernet port is just sniffing the traffic but can't resolve any domain. Then I'lll try to resolve the hosts file in the ip format but I'll do that from the infected machine after that I'll copy the files in the suricata rpi.. so if you're interested I'll send you the converted files... but to be honest maybe would be better if this work will do by someone else.. or I'll try to write a script to convert all the files and I'll send u the script..