11-09-2021 11:19 PM
Just watched an interesting way of hiding C2 traffic which bypasses Palos in the demonstration. Would be good to know if there is solution to capture this.
11-18-2021 08:54 AM
Hello,
I'm also curious and opened a support case to verify my theory on how to block this. However it seems that if you have say application whitelisting or a good XDR, the software performing the beacon should be caught even before it tries to beacon out.
Regards,
11-19-2021 08:47 AM
I believe this is in relation to a CVE we patched in 10.1: https://security.paloaltonetworks.com/CVE-2020-2035
11-30-2021 11:38 AM
Hello,
Would be nice to have a patch for the other code versions as well. However Support did tell me that with everything enabled, this should get caught. However I do not have a lab to test this in.
Regards,
11-30-2021 05:22 PM
Yes, the new features introduced in DNS security are able to detect/respond to this. It's on PM's agenda to backport, the Randori CVE took some engineering resources to respond to.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
