A Peek Inside an Adversary’s Toolkit

Presented at CactusCon 11 (2023), Jan. 27, 2023, 6 p.m. (60 minutes).

The adversary’s toolkit is intrinsically linked to the ever-changing cybersecurity threat landscape. Attackers combine capabilities from purpose-built, adversary-developed tooling with the creative repurposing of legitimate software. CrowdStrike Falcon OverWatch’s threat hunters have a front-row seat to how the tools favored by criminal and nation-state actors evolve over time. This talk focuses on tools observed in hands-on-keyboard (interactive) intrusions over the past 12 months. Through live demos, attendees will gain an understanding of these tools from an adversary’s perspective and walk away with techniques for detecting them. Tools covered include AnyDesk, fscan, the Sliver C2 framework, SweetPotato, and ngrok.

Presenters:

  • Ryan Thompson - Senior Intrusion Researcher - CrowdStrike
    Ryan Thompson is currently a Senior Intrusion Researcher at CrowdStrike. His primary responsibilities include conducting post-mortem analysis of hands-on intrusions and researching attacker techniques and trends. Previously, Ryan worked as an instructor at Elastic, teaching the Air Force, Navy, and Army to conduct threat hunting with open-source tools such as Kibana, Suricata, and Zeek. Before that, he was a Senior Security Analyst at Alert Logic, providing weekly recommendations to clients based on packet analysis, IDS alerts, and log-based investigations. He holds several SANS certifications and is a teaching assistant for SANS FOR508 (GCFA).
