Active Discovery
Through a detailed analysis of a malware family's protocol, we may be able to apply that knowledge by scanning endpoints to determine whether they are serving as controllers for the family. Some malware families lend themselves to this approach more than others. Those that do let us gather intelligence not only on active controllers but also on other stages that may be part of a broader attack chain.
Templates have been developed for the creation of active discovery scripts.
A small module designed to ease the re-use of code and help facilitate content creation has been created for those using TCP/UDP sockets and HTTP(S) requests. It manages the work of validating inputs, attempting asynchronous discovery requests for each input, and storing results. It contains a `tickle_http`, `tickle_tcp`, or `tickle_udp` method which is designed to be overridden by the developer of an active discovery script. Within these overridden methods is where the majority of development efforts will be focused. The connection and measurement of what (if any) response there is takes place here.
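The skeleton below illustrates the division of labour just described: a base class that validates inputs, fans out asynchronous probes, and stores results, with a family-specific subclass supplying only the overridden `tickle_tcp`. It is an added example written for this page, not the project's own module; the class names (`ActiveDiscovery`, `DiscoveryResult`, `ConstructedFamilyDiscovery`), the `ip:port` input format and the probe/response bytes are all assumptions. The "controller" and "echo" services it talks to are local stand-ins started by the example itself so it runs offline.

```python
import asyncio
import ipaddress
from dataclasses import dataclass


@dataclass
class DiscoveryResult:
    target: str          # "ip:port" as supplied, after validation
    matched: bool        # True when the response matched the expected fingerprint
    detail: str = ""     # hex of the first response bytes, or the error text


class ActiveDiscovery:
    """Hypothetical base class: subclasses override tickle_tcp() with family-specific logic."""

    def __init__(self, timeout: float = 2.0):
        self.timeout = timeout
        self.results: list[DiscoveryResult] = []

    @staticmethod
    def validate_inputs(inputs):
        """Keep only well-formed 'ipv4:port' strings; silently drop everything else."""
        valid = []
        for item in inputs:
            host, sep, port = item.rpartition(":")
            if not sep or not port.isdigit() or not 0 < int(port) < 65536:
                continue
            try:
                ipaddress.IPv4Address(host)
            except ValueError:
                continue
            valid.append((host, int(port)))
        return valid

    async def tickle_tcp(self, host: str, port: int) -> DiscoveryResult:
        raise NotImplementedError("override in a family-specific subclass")

    async def _guarded(self, host, port):
        # One refused or hanging target must not abort the whole sweep.
        try:
            return await asyncio.wait_for(self.tickle_tcp(host, port), self.timeout)
        except (OSError, asyncio.TimeoutError) as exc:
            return DiscoveryResult(f"{host}:{port}", False, f"error: {exc!r}")

    async def run(self, inputs):
        targets = self.validate_inputs(inputs)
        self.results = list(await asyncio.gather(*(self._guarded(h, p) for h, p in targets)))
        return self.results


class ConstructedFamilyDiscovery(ActiveDiscovery):
    """Probe and expected reply are constructed for this example; they model no real family."""
    PROBE = b"PING-EXAMPLE\n"
    EXPECTED = b"PONG-EXAMPLE"

    async def tickle_tcp(self, host, port):
        reader, writer = await asyncio.open_connection(host, port)
        try:
            writer.write(self.PROBE)
            await writer.drain()
            data = await reader.read(64)
        finally:
            writer.close()
            await writer.wait_closed()
        return DiscoveryResult(f"{host}:{port}", data.startswith(self.EXPECTED), data[:16].hex())


# --- local stand-ins so the example runs offline (constructed, not real services) ---

async def _mock_controller(reader, writer):
    """Answers the constructed probe the way a matching 'controller' would."""
    line = await reader.readline()
    writer.write(b"PONG-EXAMPLE\n" if line == ConstructedFamilyDiscovery.PROBE else b"\x00")
    await writer.drain()
    writer.close()


async def _mock_echo(reader, writer):
    """Unrelated service that echoes its input; it must not be reported as a match."""
    writer.write(await reader.readline())
    await writer.drain()
    writer.close()


async def sweep():
    ctrl = await asyncio.start_server(_mock_controller, "127.0.0.1", 0)
    echo = await asyncio.start_server(_mock_echo, "127.0.0.1", 0)
    ctrl_port = ctrl.sockets[0].getsockname()[1]
    echo_port = echo.sockets[0].getsockname()[1]
    async with ctrl, echo:
        return await ConstructedFamilyDiscovery().run([
            f"127.0.0.1:{ctrl_port}",   # should match
            f"127.0.0.1:{echo_port}",   # unrelated service, should not match
            "not-an-address",           # dropped by validation
        ])


if __name__ == "__main__":
    for r in asyncio.run(sweep()):
        print(r)
```

Everything a script author would change lives in `ConstructedFamilyDiscovery.tickle_tcp`; the base class owns timeouts, error isolation and result storage, so a single unreachable host cannot stall or crash the sweep.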
For more examples of active discovery scripts, see the link below.