Profile

Justin Grosfelt

Justin is a seasoned reverse engineer with 15+ years of experience in digital forensics and incident response. He has spent the last 5 years tracking down malicious infrastructure using a diverse array of methodologies, from worldwide scanning to emulation techniques. His expertise lies not only in identifying threats but also in understanding their intricacies through reverse engineering.

Day 0
May 8, 2024
2:15 pm

Workshop: You Too Can Scan For Malicious Infrastructure

Date: 8 May
Time: 2:15 pm - 4:45 pm
Location: VirusTotal / Google Offices
Speaker: Justin Grosfelt

Command and Control (C2) detections play a crucial role in identifying malicious infrastructure within an environment. Whether dealing with financially motivated or nation-state actors, targeting C2 infrastructure makes it possible to block malicious infrastructure as attackers bring it online.

As a threat analyst, it's easy to feel overwhelmed when identifying malicious infrastructure with tools like ZGrab2 or by searching databases like Censys and Shodan. In this workshop, we will explore simple and enjoyable methods for detecting and tracking malicious infrastructure. We'll use an open-source tool, NoWhere2Hide, to streamline the process from start to finish, facilitating the identification of malicious infrastructure and the validation of your own C2s.

NoWhere2Hide assists threat researchers in identifying malicious infrastructure, creating C2 signatures, and continuously tracking and validating C2s. It encourages unique methods for identifying malicious infrastructure without scanning the entire internet and provides a format and framework for sharing C2 signatures within our community.

Throughout this workshop, we'll cover various methods and tools for internet scanning and demonstrate how NoWhere2Hide simplifies this process. Additionally, we'll explore general hunting and pivoting through data points, showing how these methods can serve as seeds for NoWhere2Hide scanning.

Finally, we'll put it all to the test with guided real-life exercises, demonstrating how to utilize NoWhere2Hide to uncover malicious infrastructure.