An interesting POC using Palos

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

An interesting POC using Palos

L4 Transporter

Just watched an interesting way of hiding C2 traffic which bypasses Palos in the demonstration. Would be good to know if there is solution to capture this.

https://www.youtube.com/watch?v=eVr0kKdgM2I

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

I'm also curious and opened a support case to verify my theory on how to block this. However it seems that if you have say application whitelisting or a good XDR, the software performing the beacon should be caught even before it tries to beacon out.

Regards,

L5 Sessionator

I believe this is in relation to a CVE we patched in 10.1: https://security.paloaltonetworks.com/CVE-2020-2035

Help the community! Add tags & mark solutions please.

Cyber Elite
Cyber Elite

Hello,

Would be nice to have a patch for the other code versions as well. However Support did tell me that with everything enabled, this should get caught. However I do not have a lab to test this in.

 

Regards,

L5 Sessionator

Yes, the new features introduced in DNS security are able to detect/respond to this. It's on PM's agenda to backport, the Randori CVE took some engineering resources to respond to. 

Help the community! Add tags & mark solutions please.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!