Explore command and control (C2) channel identification techniques using Security Onion in this conference talk from Security Onion Conference 2016. Delve into Eric Conrad's presentation on leveraging Security Onion to detect various C2 communication methods, including Echo Request, SSH Tunnel, ICMP, and DNS-based techniques. Learn about whitelisting, blacklisting, and analyzing long requests, DNS resolution, and subdomain patterns. Gain insights into using Server View and Client View for effective C2 detection, and discover practical tips for identifying raw UDP and null DNS records. Enhance your network security skills with this comprehensive overview of C2 channel detection strategies.
Overview
Syllabus
Intro
Echo Request
SSH Tunnel
ICMP
White Cap
Blacklist
Whitelist
Justin Henderson
Long Requests
DNS Resolution
DNS Sales
DNS CAD
Server View
Client View
DNS
subdomains
bro
use case
oneliner
GMB
IDO
Raw UDP
Null DNS Records
Wrapup
Taught by
Security Onion