Christoffer S.
@nopatience@swecyb.com

Hmm... wouldn't it be kind of fun to use RSS + RPCJSON as a C2-channel?

Given how often RSS-feeds contain descriptions of C2, why not use it as a C2?

#ThreatIntel #Cybersecurity #Infosec
@cybersecurity@a.gup.pe @threatintel@a.gup.pe


cR0w
@cR0w@infosec.exchange

@nopatience@swecyb.com @cybersecurity@a.gup.pe @threatintel@a.gup.pe NOT NOW CHRISTOFFER

Christoffer S.
@nopatience@swecyb.com

@cybersecurity@a.gup.pe No... I'm dumb. One way communication. Jesus... my brain, please get back to work... slacker...

or... what if the RSS-endpoint actually accepted PUT/POST... then it could work. It doesn't have to be a "real" RSS, just appear to be one...

... perhaps I should stop trying to think, it's not working.

Troed Sångberg
@troed@swecyb.com

@nopatience@swecyb.com Hide your outbound communication in the GET URL when you "fetch" the feed.

@cybersecurity@a.gup.pe

Dr. Christopher Kunz
@christopherkunz@chaos.social

@nopatience@swecyb.com @cybersecurity@a.gup.pe A POST to an RSS endpoint would trigger alerts no less than a POST anywhere else, wouldn't it?

Christoffer S.
@nopatience@swecyb.com

@christopherkunz@chaos.social There are very likely a bazillion ways of detecting deviations from "normal" RSS-fetching behaviour.

But possibly encoding in the GET-request, that could work.

I don't know, it was just an idea that popped into my head... sometimes they should remain ideas, in your head. ;-)
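
An added example, not part of the thread: a sketch of the kind of "deviation from normal RSS-fetching" checks discussed above, run over constructed proxy log lines. The log format, the feed-URL hints, and all thresholds are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample proxy log lines (client, method, URL); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET https://news.example/feed.xml
10.0.0.5 GET https://news.example/feed.xml
10.0.0.7 GET https://blog.example/rss?page=2
10.0.0.9 GET https://feeds.example/rss.xml?id=Zm9vYmFyMTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3A
10.0.0.9 GET https://feeds.example/rss.xml?id=cXdlcnR5dWlvcGFzZGZnaGprbHp4Y3Zibm0xMjM0NTY
10.0.0.9 GET https://feeds.example/rss.xml?id=MTIzNDU2Nzg5MHF3ZXJ0eXVpb3Bhc2RmZ2hqa2x6eGM
10.0.0.8 POST https://feeds.example/atom.xml
"""

FEED_HINTS = ("rss", "feed", "atom")  # assumption: how feed URLs are recognised
MAX_VALUE_LEN = 32                     # assumption: longest "normal" parameter value
MIN_ENTROPY = 3.5                      # assumption: bits per character
MAX_DISTINCT_QUERIES = 2               # assumption: readers re-fetch the same URL

def entropy(s):
    """Shannon entropy of a non-empty string, in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_anomalies(log_text):
    """Return sorted (client, feed, reason) tuples for unusual feed requests."""
    findings = set()
    queries = defaultdict(set)
    for line in log_text.splitlines():
        client, method, url = line.split()
        parts = urlsplit(url)
        if not any(h in parts.path.lower() for h in FEED_HINTS):
            continue  # not a feed-looking URL
        feed = parts.netloc + parts.path
        if method != "GET":  # feed readers only fetch
            findings.add((client, feed, "non-GET method"))
        for _, value in parse_qsl(parts.query):
            if len(value) > MAX_VALUE_LEN and entropy(value) >= MIN_ENTROPY:
                findings.add((client, feed, "long high-entropy parameter"))
        if parts.query:
            queries[(client, feed)].add(parts.query)
    # A reader polling one feed normally repeats the same query string.
    for (client, feed), seen in queries.items():
        if len(seen) > MAX_DISTINCT_QUERIES:
            findings.add((client, feed, "many distinct query strings"))
    return sorted(findings)
```

Calling `find_anomalies(SAMPLE_LOG)` returns the flagged client and feed pairs with a reason for each.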