https://live.paloaltonetworks.com/t5/general-topics/an-interesting-poc-using-palos/m-p/446663#M100608 <P><SPAN>Just watched an interesting way of hiding C2 traffic which bypasses Palos in the demonstration. Would be good to know if there is solution to capture this.</SPAN></P><P><SPAN><A href="https://www.youtube.com/watch?v=eVr0kKdgM2I" target="_blank">https://www.youtube.com/watch?v=eVr0kKdgM2I</A></SPAN></P> Wed, 10 Nov 2021 07:19:38 GMT raji_toor 2021-11-10T07:19:38Z https://live.paloaltonetworks.com/t5/general-topics/an-interesting-poc-using-palos/m-p/446663#M100608 <P><SPAN>Just watched an interesting way of hiding C2 traffic which bypasses Palos in the demonstration. Would be good to know if there is solution to capture this.</SPAN></P><P><SPAN><A href="https://www.youtube.com/watch?v=eVr0kKdgM2I" target="_blank">https://www.youtube.com/watch?v=eVr0kKdgM2I</A></SPAN></P> Wed, 10 Nov 2021 07:19:38 GMT https://live.paloaltonetworks.com/t5/general-topics/an-interesting-poc-using-palos/m-p/446663#M100608 raji_toor 2021-11-10T07:19:38Z https://live.paloaltonetworks.com/t5/general-topics/an-interesting-poc-using-palos/m-p/448441#M100815 <P>Hello,</P> <P>I'm also curious and opened a support case to verify my theory on how to block this. However it seems that if you have say application whitelisting or a good XDR, the software performing the beacon should be caught even before it tries to beacon out.</P> <P>Regards,</P> Thu, 18 Nov 2021 16:54:36 GMT https://live.paloaltonetworks.com/t5/general-topics/an-interesting-poc-using-palos/m-p/448441#M100815 OtakarKlier 2021-11-18T16:54:36Z https://live.paloaltonetworks.com/t5/general-topics/an-interesting-poc-using-palos/m-p/448715#M100847 <P>I believe this is in relation to a CVE we patched in 10.1:&nbsp;<A href="https://security.paloaltonetworks.com/CVE-2020-2035" target="_blank">https://security.paloaltonetworks.com/CVE-2020-2035</A></P> Fri, 19 Nov 2021 16:47:01 GMT https://live.paloaltonetworks.com/t5/general-topics/an-interesting-poc-using-palos/m-p/448715#M100847 LAYER_8 2021-11-19T16:47:01Z https://live.paloaltonetworks.com/t5/general-topics/an-interesting-poc-using-palos/m-p/450466#M101052 <P>Hello,</P> <P>Would be nice to have a patch for the other code versions as well. However Support did tell me that with everything enabled, this should get caught. However I do not have a lab to test this in.</P> <P>&nbsp;</P> <P>Regards,</P> Tue, 30 Nov 2021 19:38:56 GMT https://live.paloaltonetworks.com/t5/general-topics/an-interesting-poc-using-palos/m-p/450466#M101052 OtakarKlier 2021-11-30T19:38:56Z https://live.paloaltonetworks.com/t5/general-topics/an-interesting-poc-using-palos/m-p/450547#M101064 <P>Yes, the new features introduced in DNS security are able to detect/respond to this. It's on PM's agenda to backport, the Randori CVE took some engineering resources to respond to.&nbsp;</P> Wed, 01 Dec 2021 01:22:40 GMT https://live.paloaltonetworks.com/t5/general-topics/an-interesting-poc-using-palos/m-p/450547#M101064 LAYER_8 2021-12-01T01:22:40Z