alphasoc / flightsim

A utility to safely generate malicious network traffic patterns and evaluate controls.
https://alphasoc.com

New modules: emotet and trickbot #12

Closed chrisforce1 closed 5 years ago

chrisforce1 commented 5 years ago

It would be really useful to test for these particular malware families. The abuse.ch tracker shows the active C2s that we can use, and the CSV we can use is available from https://feodotracker.abuse.ch/downloads/ipblocklist.csv.

We'd pull C2 IP:port material from the CSV and connect out to the 5 latest pairs for each family with a vanilla TCP connection to the IP:port. The Emotet C2s are listed in the CSV as Heodo.
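The selection step described above, as an added example in Go (the language flightsim is written in) that is not part of the project's code: it parses a constructed copy of the tracker CSV, maps the user-facing name emotet to the feed's Heodo spelling, and returns the newest five IP:port pairs for a family. The column layout of ipblocklist.csv is assumed, the sample rows use RFC 5737 test addresses, and the plain TCP connect itself is left to the tool.

```go
package main

import (
	"encoding/csv"
	"sort"
	"strings"
)
// C2 is one tracker row: first_seen_utc (lexical order equals time order), the
// ip:port the module would dial with a plain TCP connect, and the family name.
type C2 struct{ FirstSeen, Addr, Family string }
// familyAlias maps a user-facing name to the feed's spelling (Emotet is listed as Heodo).
var familyAlias = map[string]string{"emotet": "Heodo", "trickbot": "TrickBot"}
// sampleFeed is a constructed stand-in for ipblocklist.csv (RFC 5737 addresses, assumed columns).
const sampleFeed = `# Feodo Tracker C2 IP Blocklist (constructed sample)
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2019-03-01 10:00:00,192.0.2.10,443,online,2019-03-05,Heodo
2019-03-02 11:00:00,192.0.2.11,8080,online,2019-03-05,TrickBot
2019-03-03 12:00:00,192.0.2.12,443,online,2019-03-05,Heodo
2019-03-04 13:00:00,192.0.2.13,449,online,2019-03-05,TrickBot
2019-03-05 14:00:00,192.0.2.14,7080,online,2019-03-05,Heodo
`
// parseFeed reads the CSV, skipping the '#' comment banner the feed carries.
func parseFeed(data string) ([]C2, error) {
	r := csv.NewReader(strings.NewReader(data))
	r.Comment = '#'
	recs, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	var out []C2
	for _, rec := range recs {
		out = append(out, C2{FirstSeen: rec[0], Addr: rec[1] + ":" + rec[2], Family: rec[5]})
	}
	return out, nil
}
// latest returns up to n C2s for family, newest first; a name with no alias is matched as-is.
func latest(entries []C2, family string, n int) []C2 {
	name, ok := familyAlias[strings.ToLower(family)]
	if !ok {
		name = family
	}
	sorted := append([]C2(nil), entries...) // copy so the caller's order is untouched
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].FirstSeen > sorted[j].FirstSeen })
	var out []C2
	for _, e := range sorted {
		if len(out) < n && strings.EqualFold(e.Family, name) {
			out = append(out, e)
		}
	}
	return out
}
```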

chrisforce1 commented 5 years ago

As per chat we could also extend the c2 module so it can scan for a particular family.

chrisforce1 commented 5 years ago

Please let's get some coverage here now that open-wisdom is fixed up? We could probably set this as an argument for the c2 command / module to describe the family (as discussed above) and essentially roll this into https://github.com/alphasoc/flightsim/issues/7.

tg commented 5 years ago

Fixed in flightsim v2, merged to master. A C2 family can now be passed to the c2 module like this:

./flightsim run c2:trickbot

I plan to reuse this pattern for other modules in the future, where one could pass a network to scan module, or domain to tunnel module etc.