05-02-2019 ACM Webcast: Network Decoding Gcat Command & Control

Active Countermeasures Webcast

05-02-2019

Network Decoding Gcat Command & Control

We received so much positive feedback to our deep dive on dnscat2 as a C&C channel, that we’ve decided to continue the C&C decoding series.

In this webcast we cover Gcat, the infamous tool that was one of the tools used to bring down the Ukranian power grid. Detection here is tricky, as Gcat can look like a regular end-user checking their email. However, there are some tell-tale traits you can key in on. Just like last time, this will be an intermediate level walkthrough. We start with some raw decodes and work our way through the various possibilities for detection.

Here is a link describing how this backdoor was used in the Ukranian power grid attack.

Presented by: Chris Brenton

Timeline:

  • 1:30 Introduction on Gcat, basic protections, why Gcat is hard to detect, Zeek, Zcat, Bro, and why simply looking at delta time can’t help identify an attack
  • 14:22 Using packet data to help determine a Gcat attack
  • 21:32 Analyzing packet data with RITA and AI-Hunter
  • 29:43 Lessons Learned
  • 33:52 Q&A
AI-Hunter Datasheet
Schedule an AI-Hunter Demo
Subscribe To Our Blog
Get email notification of our new blog posts and our occasional emails about events, webcasts and product updates. We are not spammy and you can unsubscribe at any time.
Archives