Profile

Zach Edwards

Senior Threat Researcher at SilentPush

Zach Edwards is a Senior Threat Researcher at SilentPush, joining the team in 2024, with a focus on understanding and tracking how APT groups are evolving. His expertise includes a deep knowledge of global data supply chains and advertising systems.

Zach is passionate about data privacy, is active in numerous communities, and has been involved in high-profile GDPR complaints, including cases against online dating apps and Google auction systems. Zach has presented at high-profile events, including a 2023 Black Hat USA session titled "Kids in the Ad Fraud Crosshair: Why International Threat Actors are Targeting Children to Steal Money from Banks and Major Corporations."

All Sessions

Day 0
May 8, 2024
2:15 pm

Workshop: Unveiling Sophisticated Threat Actors: Advanced Techniques for Detecting New Malicious Infrastructure

VirusTotal / Google Offices
8 May
Time: 2:15 pm - 4:45 pm
Location: VirusTotal / Google Offices
Speaker: Zach Edwards

As threat actors evolve, so must our detection methods. In this workshop, we will delve into advanced tactics, techniques, and procedures (TTPs) used by adversaries to conceal malicious infrastructure. You will learn how to leverage passive DNS (PADNS) data, WHOIS domain registration data, SSL certificate data, content hash data (JS and HTML), favicon hash searches, header hash values, HTML title searches, and more to create effective strategies for tracking malicious infrastructure.

We will explore how IP and ASN diversity and entropy patterns can be used to identify fresh fast-flux infrastructure. Additionally, we will demonstrate how advanced regex searches on domain names can uncover infrastructure used for brand-name spoofing and by threat actors like Scattered Spider, enabling the detection of their newest phishing domains.

Adversaries using domain generation algorithms often make mistakes by reusing specific hosts/ASN ranges or having consistent processes in their deployments. We will show you how to identify these patterns and mistakes to effectively track threat actors such as Scattered Spider, SocGholish, and others, along with specific C2 infrastructure and global threats.
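As an added illustration of the two ideas above (ASN diversity/entropy as a fast-flux signal, and ASN reuse as a pivot between an actor's domains), the following is example code written for this page, not material from the workshop or from SilentPush. The passive-DNS records, domain names, ASNs and thresholds are constructed and assumed; a real pipeline would read them from a PADNS source.

```python
import math
from collections import Counter, defaultdict

# Constructed passive-DNS records: (domain, resolved_ip, asn, first_seen_day).
# Documentation-range IPs and private-use ASNs; none are real indicators.
PDNS = [
    ("login-portal-example.test", "198.51.100.10", 64501, 1),
    ("login-portal-example.test", "203.0.113.22", 64502, 1),
    ("login-portal-example.test", "192.0.2.77", 64503, 2),
    ("login-portal-example.test", "198.51.100.200", 64504, 2),
    ("login-portal-example.test", "203.0.113.9", 64505, 3),
    ("accnt-verify-example.test", "198.51.100.33", 64502, 4),
    ("accnt-verify-example.test", "192.0.2.90", 64503, 4),
    ("static-site.test", "192.0.2.5", 64510, 1),
    ("static-site.test", "192.0.2.5", 64510, 2),
    ("static-site.test", "192.0.2.5", 64510, 3),
]

def shannon_entropy(values):
    """Shannon entropy (bits) of the value distribution; 0.0 for a single value."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values()) or 0.0

def flux_profile(records, domain):
    """Summarise how widely a domain's resolutions are spread across IPs and ASNs."""
    rows = [r for r in records if r[0] == domain]
    ips = {r[1] for r in rows}
    asns = [r[2] for r in rows]
    days = {r[3] for r in rows}
    return {
        "unique_ips": len(ips),
        "unique_asns": len(set(asns)),
        "asn_entropy": round(shannon_entropy(asns), 3),
        "ips_per_day": round(len(ips) / max(len(days), 1), 2),
    }

def is_fast_flux(profile, min_ips=4, min_asn_entropy=1.5):
    """Assumed thresholds: many IPs spread evenly over many ASNs in a short window."""
    return profile["unique_ips"] >= min_ips and profile["asn_entropy"] >= min_asn_entropy

def related_by_asn(records, seed_domain, min_shared=2):
    """Pivot: other domains that reuse at least min_shared of the seed's ASNs."""
    by_domain = defaultdict(set)
    for domain, _ip, asn, _day in records:
        by_domain[domain].add(asn)
    seed = by_domain[seed_domain]
    return sorted(d for d, a in by_domain.items()
                  if d != seed_domain and len(a & seed) >= min_shared)
```

Run `flux_profile(PDNS, "login-portal-example.test")` to see the flux signal, then `related_by_asn` on the same domain to surface the sibling that reuses two of its ASNs while the stable site is not flagged.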

Through real-world examples and hands-on exercises, you will gain practical skills to enhance your threat detection capabilities and stay ahead of evolving adversaries.