Hunting for Implant
Refs
https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/ (Great article; it shows how reading the C2 framework's source code can help you develop detections and hunt for the implant)
My Realization
There are network parts and there are host parts, and both can be used to hunt for a threat actor's implant: by its network behavior, by IOCs, or by the TTPs of that implant. So my first thought was: "Hey, when I read DFIR reports or any other report, the threat actor (nation-state actors aside) almost always uses a known custom implant, so wouldn't it be cool to study each implant's behavior and point out what is special about it?" In my opinion that question is kind of stupid: it is neither cost-effective nor time-effective. So here we are, trying to learn one or two implants in order to get the hang of the implant-hunting process.
What is an Implant?