Adversary Emulation System - Flightsim
Emulating the adversary during an internal pentest assignment is what the current market demands. Today we are going to look at the tool Flightsim by AlphaSOC.
Brief description of the tool (straight from the GitHub page)
Flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.
Let's grab the latest binary from the releases page. In our case we have a Kali (2018 release) machine connected to the client's internal infrastructure with Internet access. The tool's help output gives detailed usage and lists the supported modules.
Below are the modules supported by the tool.
Let's take the c2-dns module as an example. This module builds a list of current C2 destinations from the Cybercrime Tracker website and performs a DNS request for each of them.
Verify the generated traffic and the corresponding DNS requests in Wireshark.
Let's look at the status of the first domain generated by the tool, dellobusiness.com, on cybercrime-tracker.net. Now we have its IP address and the malware family (e.g. Zeus) detected on it.
Clicking on the IP address (104.24.99.162) redirects us to VirusTotal, where we can see all the malicious URLs, domains, etc. associated with that IP address.
Below are snippets of the other modules too.
C2-IP Module
Spambot Module
Tunnel Module
DGA Module
So what we deduce from the above: all the malicious requests and network traffic generated by this tool should be flagged as malicious by the various security defences (e.g. SIEM). If they are not detected or flagged, raise the red flag ;)
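To make that check concrete, here is an added example (not part of the original post and not code from the flightsim project) of the kind of DNS-log triage a blue team can run after a flightsim session to see whether the c2-dns, tunnel and DGA traffic was actually caught. It works on a constructed log of "timestamp client query" lines, a constructed blocklist (dellobusiness.com is the domain the post looks up on cybercrime-tracker.net; the other entries and domains are placeholders), and simple heuristics: exact blocklist match for C2 domains, an entropy and consonant-ratio test for DGA-like names, and a count of distinct long subdomain prefixes per registered domain for tunnelling. The thresholds and the two-label "registered domain" shortcut are assumptions for the example, not tuned production values.

```python
import math
from collections import defaultdict

# Constructed blocklist for the example: dellobusiness.com is the C2 domain the
# post looks up on cybercrime-tracker.net; the other entry is a made-up placeholder.
C2_DOMAINS = {"dellobusiness.com", "c2-placeholder.example"}

# Constructed DNS query log (not real capture data): "<timestamp> <client> <query>"
SAMPLE_LOG = """\
2019-05-01T10:00:01 10.0.0.5 dellobusiness.com
2019-05-01T10:00:02 10.0.0.5 www.google.com
2019-05-01T10:00:03 10.0.0.5 ktzqmxvjrpwhlcs.com
2019-05-01T10:00:04 10.0.0.5 4a6f686e20446f65.t.exfil-placeholder.net
2019-05-01T10:00:05 10.0.0.5 5365637265742031.t.exfil-placeholder.net
2019-05-01T10:00:06 10.0.0.5 5365637265742032.t.exfil-placeholder.net
2019-05-01T10:00:07 10.0.0.7 mail.example.org
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(fqdn):
    """Naive registered domain: the last two labels (no public-suffix list)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_dga(domain, min_len=10, min_entropy=3.0, min_consonant_ratio=0.7):
    """Heuristic for algorithmically generated second-level labels: long,
    high-entropy and consonant-heavy (digits and hyphens count as consonants).
    Thresholds are assumptions chosen for this example."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    consonants = sum(1 for ch in label if ch not in VOWELS)
    return (shannon_entropy(label) >= min_entropy
            and consonants / len(label) >= min_consonant_ratio)


def analyze(log_text, blocklist):
    """Return one (timestamp, client, query, verdict) tuple per log line."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, query = line.split()
        records.append((ts, client, query.lower().rstrip(".")))

    # The tunnel heuristic needs the whole window: count distinct, long
    # subdomain prefixes per registered domain (encoded data rides in them).
    prefixes = defaultdict(set)
    for _, _, query in records:
        reg = registered_domain(query)
        prefix = query[: -len(reg)].rstrip(".")
        if len(prefix) >= 12:
            prefixes[reg].add(prefix)

    results = []
    for ts, client, query in records:
        reg = registered_domain(query)
        if reg in blocklist:
            verdict = "known-c2"
        elif looks_dga(reg):
            verdict = "dga-like"
        elif len(prefixes[reg]) >= 3:
            verdict = "tunnel-like"
        else:
            verdict = "benign"
        results.append((ts, client, query, verdict))
    return results


def summarize(results):
    """Count verdicts so a run can be compared with what the SIEM alerted on."""
    counts = defaultdict(int)
    for _, _, _, verdict in results:
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    verdicts = analyze(SAMPLE_LOG, C2_DOMAINS)
    for ts, client, query, verdict in verdicts:
        print(f"{ts} {client:<10} {verdict:<12} {query}")
    print(summarize(verdicts))
```

Run it against a real query log exported from the resolver or from the Wireshark capture and compare the counts from summarize() with the alerts the SIEM raised during the same window; every "known-c2", "dga-like" and "tunnel-like" line without a matching alert is a visibility gap worth reporting.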
Reference :- https://github.com/alphasoc/flightsim
Excellent writeup, cheers