[Bro] X.509 extensions can be used for covert channel data transfer and C2
andrew.ratcliffe at nswcsystems.co.uk
Thu Feb 8 02:33:04 PST 2018
Has anyone looked at this research https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities with a view to creating a Bro detection?
Looks as simple as checking a value in the TLS extension to see if it falls on an expected length to be a hash value.
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, CSTA, CSTP, CWSA
GIAC: GCIA, GCIH, GPEN, GWAPT, GCFE, GREM, GPYC, GNFA
Computer Forensic & Security Specialist