Defending in a hostile environment: Key findings from the BlackHat NOC

IronDefense documented a unique Black Hat NOC environment where real malware activity and classroom demos co-exist, revealing notable infections like SHARPEXT, Shlayer, and NetSupport RAT. The findings highlight the challenges of defending a highly segmented, rapidly changing network and demonstrate cross-team collaboration to detect and triage threats. #SHARPEXT #Shlayer #NetSupportRAT #BlackHatNOC

Keypoints

  • The Black Hat network is more unusual and complex than a standard enterprise network because of the number and diversity of connected devices, the abundance of trainings and labs, and the rapid pace at which devices join and leave.
  • IronDefense NDR generated 31 malicious alerts and 45 suspicious alerts across the event, detecting both real malware activity and simulated attack tactics from classes and demos.
  • Notable malware infections observed: SHARPEXT (North Korean attribution), Shlayer (macOS), and NetSupport RAT on attendees’ devices.
  • Traffic per 5,000 attendees was lower than in 2021, and authentic malware detections were fewer even though the total alert count was higher.
  • Key challenges included differentiating classroom/demo activity from real malicious behavior and prioritizing alerts by asset criticality.
  • Detections were a mix of behavioral analytics (DGA, DNS tunneling, beaconing, phishing) and Knowledge-Based Detections driven by Suricata rules, which together produced several notable findings.
  • Notable follow-ups included observed Shlayer C2 HTTP POSTs, DNS-based exfiltration demo, and a fully active NetSupport RAT C2 infrastructure on a user’s device.
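The summary lists the behaviors the NOC analytics keyed on (DNS tunneling, DGA, consistent beaconing) and the IOCs the team published. The script below is an added example, not IronNet's code or the IronDefense analytics, showing simple heuristic versions of those three detections plus an IOC lookup, run over a constructed log excerpt. The log format (timestamp, source IP, record/protocol type, queried name or contacted address), the score thresholds, and the sample hosts and query names are assumptions for the example; only the IOC values come from the article.

```python
"""Added example (not from the IronNet post): heuristic detections for the
behaviors the NOC summary lists (DNS tunneling, DGA, beaconing) plus a lookup
against the IOCs the summary itself publishes, run over constructed log lines."""
import math
import re
from collections import defaultdict
from statistics import mean, pstdev

# IOCs exactly as listed in the summary (defanged); refanged for matching below.
DEFANGED_IOCS = {
    "gonamod[.]com": "SHARPEXT", "siekis[.]com": "SHARPEXT",
    "199.188.200.186": "SHARPEXT", "198.54.126.155": "SHARPEXT",
    "135.84.124.41": "NetSupport RAT", "23.63.71.26": "Shlayer",
    "api.commondevice[.]com": "Shlayer", "download.commondevice[.]com": "Shlayer",
}

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

# Constructed sample log (assumed format): "<epoch> <src_ip> <type> <target>".
SAMPLE_LOG = """\
1660000000 10.10.4.21 A www.example.com
1660000001 10.10.4.21 TXT ZGF0YTAwMQ.aGVsbG8gd29ybGQgZnJvbSBibGFjayBoYXQ.exfil.gonamod.com
1660000002 10.10.4.21 TXT ZGF0YTAwMg.bW9yZSBkYXRhIGxlYXZpbmcgdGhlIGJveA.exfil.gonamod.com
1660000010 10.10.2.2 A www.example.com
1660000075 10.10.2.2 A www.example.com
1660000090 10.10.2.2 A www.example.com
1660000400 10.10.2.2 A www.example.com
1660000100 10.10.7.5 HTTP 135.84.124.41
1660000160 10.10.7.5 HTTP 135.84.124.41
1660000220 10.10.7.5 HTTP 135.84.124.41
1660000280 10.10.7.5 HTTP 135.84.124.41
1660000340 10.10.7.5 HTTP 135.84.124.41
1660000500 10.10.9.8 A xkqzvbtrplmwd.net
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads sit well above natural hostnames."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name: str) -> str:
    """Naive eTLD+1 (last two labels); real tooling should use the Public Suffix List."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def tunneling_score(qname: str) -> int:
    """Count DNS-tunneling traits: long name, many labels, high-entropy subdomain."""
    labels = qname.rstrip(".").split(".")
    sub = "".join(labels[:-2])
    score = 0
    if len(qname) > 60:
        score += 1
    if len(labels) > 4:
        score += 1
    if sub and shannon_entropy(sub) > 3.5:
        score += 1
    return score

def dga_like(qname: str) -> bool:
    """A long, high-entropy, vowel-poor registered label reads like DGA output."""
    label = registered_domain(qname).split(".")[0]
    if len(label) < 12:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) > 3.0 and vowel_ratio < 0.25

def beacon_regularity(timestamps):
    """Coefficient of variation of inter-request gaps (None if fewer than 4 events).
    A near-zero value is the machine-regular timing behind 'consistent beaconing'."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None

def analyze(log_text: str) -> dict:
    """Run all four checks over the log and group hits by detection type."""
    findings = {"ioc_hits": [], "tunneling": [], "dga": [], "beaconing": []}
    per_pair = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, rtype, target = line.split()
        key = registered_domain(target) if re.search("[a-zA-Z]", target) else target
        family = IOCS.get(key) or IOCS.get(target)
        if family:
            findings["ioc_hits"].append((src, target, family))
        if tunneling_score(target) >= 2:
            findings["tunneling"].append((src, target))
        if rtype == "A" and dga_like(target):
            findings["dga"].append((src, target))
        per_pair[(src, key)].append(int(ts))
    for (src, dst), stamps in per_pair.items():
        cv = beacon_regularity(stamps)
        if cv is not None and cv < 0.1:
            findings["beaconing"].append((src, dst, len(stamps)))
    return findings

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The thresholds are deliberately loose so each heuristic fires on the sample; in a NOC like the one described, the same logic would also fire on classroom DNS-exfiltration demos, which is exactly the triage problem the article calls out, so hits need to be weighed by which asset produced them before anyone acts on them.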

MITRE Techniques

  • [T1566] Initial Access: Phishing – the article's alert mapping pairs both its "PII Data Loss" and "Phishing HTTPS" alert types with this technique.
  • [T1132] Command & Control: Data Encoding – the "DNS Tunneling" alert type is mapped to this technique.
  • [T1071] Command & Control: Application Layer Protocol – also cited for DNS tunneling, since the tunnel rides an application-layer protocol.
  • [T1568] Command & Control: Dynamic Resolution – the DGA alert type is mapped to this technique.
  • [T1095] Command & Control: Non-Application Layer Protocol – cited in the mapping for the "Consistent Beaconing HTTP/HTTPS" alert type.
  • [T1571] Command & Control: Non-Standard Port – also cited for Consistent Beaconing where a non-standard port is in use.
  • [T1090] Command & Control: Proxy – the "Tor Traffic" alert type is mapped to this technique.
  • [T1046] Discovery: Network Service Scanning – the "Internal Port Scanning" alert type is mapped to this technique.

Indicators of Compromise

  • [IP] SHARPEXT IOCs – 199.188.200.186, 198.54.126.155 (SHARPEXT C2 IP addresses)
  • [Domain] SHARPEXT IOCs – gonamod[.]com, siekis[.]com (SHARPEXT C2 domains)
  • [IP] NetSupport RAT IOCs – 135.84.124.41
  • [IP] Shlayer IOCs – 23.63.71.26
  • [Domain] Shlayer IOCs – api.commondevice[.]com, download.commondevice[.]com (Shlayer C2 domains)

Read more: https://www.ironnet.com/blog/a-view-from-the-black-hat-noc-key-findings