As an incident responder, have you ever thought about how much easier an investigation would be if you had the C2 server in your possession? In this talk, we are going to deep dive into a rare investigation in which Mandiant obtained a forensic copy of an attacker's C2 system. You will learn about the initial compromise of the C2 server, the tools and tactics used by the attacker, and the investigative steps taken to identify the full scope of the attack. In addition, you will learn about the specific challenges involved in the analysis, the tool I developed to carve all PostgreSQL rows from a forensic image, and some unique lessons learned from performing this investigation.
Easy slide to breeze past on: client contacts us with an alert, we immediately recognize it as a classic Metasploit PowerShell payload; pretty likely this is bad news.