05-02-2019 ACM Webcast: Network Decoding Gcat Command & Control

Active Countermeasures Webcast

05-02-2019

Network Decoding Gcat Command & Control

We received so much positive feedback to our deep dive on dnscat2 as a C&C channel, that we’ve decided to continue the C&C decoding series.

In this webcast we cover Gcat, the infamous tool that was one of the tools used to bring down the Ukranian power grid. Detection here is tricky, as Gcat can look like a regular end-user checking their email. However, there are some tell-tale traits you can key in on. Just like last time, this will be an intermediate level walkthrough. We start with some raw decodes and work our way through the various possibilities for detection.

Here is a link describing how this backdoor was used in the Ukranian power grid attack.

Presented by: Chris Brenton

Timeline:

  • 1:30 Introduction on Gcat, basic protections, why Gcat is hard to detect, Zeek, Zcat, Bro, and why simply looking at delta time can’t help identify an attack
  • 14:22 Using packet data to help determine a Gcat attack
  • 21:32 Analyzing packet data with RITA and AI-Hunter
  • 29:43 Lessons Learned
  • 33:52 Q&A
AI-Hunter Datasheet
Schedule an AI-Hunter Demo
Subscribe to Our Blog
Archives

Sign up for email notifications of our new blog posts, threat hunting training, webcasts and other relevant information.

We are not spammy and you can unsubscribe at any time :)

* indicates required