05-02-2019 ACM Webcast: Network Decoding Gcat Command & Control

Active Countermeasures Webcast


Network Decoding Gcat Command & Control

We received so much positive feedback to our deep dive on dnscat2 as a C&C channel, that we’ve decided to continue the C&C decoding series.

In this webcast we cover Gcat, the infamous backdoor that was one of the tools used to bring down the Ukrainian power grid. Detection here is tricky, as Gcat traffic can look like a regular end user checking their email. However, there are some tell-tale traits you can key in on. Just like last time, this will be an intermediate-level walkthrough. We start with some raw decodes and work our way through the various possibilities for detection.

Here is a link describing how this backdoor was used in the Ukrainian power grid attack.

Presented by: Chris Brenton


  • 1:30 Introduction on Gcat, basic protections, why Gcat is hard to detect, Zeek, Zcat, Bro, and why simply looking at delta time can’t help identify an attack
  • 14:22 Using packet data to help determine a Gcat attack
  • 21:32 Analyzing packet data with RITA and AI-Hunter
  • 29:43 Lessons Learned
  • 33:52 Q&A