- October 29, 2020 at 11:00 pm #324046
Encoding is the best way to get a re-used payload into a network without detection, but the resulting data format is subject to scrutiny.
Let’s say an IDS analyzes patterns of life and flags any data formats it doesn’t recognize for investigation, or at least performs closer analysis to flag any abnormal activity emitted from a machine after an unusual data format has been downloaded by the machine. If you’re an attacker, this possibility means you’ll want to encode data in a format that would commonly be downloaded to avoid potential scrutiny by the target: PDF, HTML, JS, CSS, JPEG, GIF, PNG, MP4, and so on. The list can get pretty long; there are plenty of less common formats that wouldn’t qualify as unusual, but I would daresay the list of data formats that could safely be used to avoid any possibility of pattern-of-life suspicion contains fewer than 1000 formats.
Based on that line of thinking, I think there are limited ways to encode a payload while avoiding suspicion of the best IDS. Therefore the structure of a decoder may serve as a vulnerability in even the best attack.
Would anyone disagree? Agree? Devil’s advocate? Details I should consider? This seems sort of obvious / straightforward, but I could be missing something.
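As an added illustration of the post's point (this is example code written for this page, not something the poster or anyone in the thread provided), the block below builds a valid PNG that carries a payload in a tEXt chunk, shows the decoder the receiver would need, and then runs the kind of structural checks a content inspector could apply to any downloaded PNG. It does not simulate pattern-of-life baselining; it only shows the second half of the argument, that the carrier format itself is inspectable. The chunk-type whitelist, the entropy threshold of 5.0 bits per byte, the private chunk name `paYl` and the stand-in payload are all assumptions made here for the example.

```python
import base64
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types an inspector would expect in an ordinary PNG (assumed whitelist for this example).
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                b"tIME", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"pHYs", b"bKGD",
                b"tRNS", b"sBIT", b"hIST", b"sPLT", b"eXIf"}
# Assumed threshold: English text sits near 4 bits/byte, base64 of compressed or
# encrypted data approaches 6.
ENTROPY_THRESHOLD = 5.0


def _chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width, height, extra_chunks=()):
    """Build a minimal valid 8-bit RGB PNG (all black) with optional chunks after IHDR."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\x00" * (3 * width) for _ in range(height))
    extra = b"".join(_chunk(t, d) for t, d in extra_chunks)
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + extra
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))


def iter_chunks(png):
    """Yield (type, data, crc_ok) for each chunk; stops at IEND or end of data."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc_bytes = png[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(crc_bytes) == 4 and
                  struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF))
        yield ctype, data, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def embed_payload(payload, keyword=b"Comment"):
    """Attacker side: hide a payload as base64 inside a tEXt chunk of an ordinary-looking PNG."""
    text = keyword + b"\x00" + base64.b64encode(payload)
    return build_png(4, 4, extra_chunks=[(b"tEXt", text)])


def extract_payload(png, keyword=b"Comment"):
    """Decoder side: the receiver must know exactly which chunk and encoding to look in."""
    for ctype, data, _ in iter_chunks(png):
        if ctype == b"tEXt" and data.startswith(keyword + b"\x00"):
            return base64.b64decode(data[len(keyword) + 1:])
    return None


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_png(png):
    """Defender side: structural checks on a downloaded PNG; returns a list of findings."""
    findings = []
    for ctype, data, crc_ok in iter_chunks(png):
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"{name}: CRC mismatch")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"{name}: unknown/private chunk type, {len(data)} bytes")
        if ctype == b"tEXt":
            keyword, _, text = data.partition(b"\x00")
            ent = shannon_entropy(text)
            if ent > ENTROPY_THRESHOLD:
                findings.append(f"tEXt '{keyword.decode('latin-1')}': "
                                f"entropy {ent:.2f} bits/byte over {len(text)} bytes")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for an opaque (compressed or encrypted) payload.
    payload = bytes(range(256)) * 2
    carrier = embed_payload(payload)
    assert extract_payload(carrier) == payload
    for finding in scan_png(carrier):
        print("carrier:", finding)
    benign = build_png(4, 4, extra_chunks=[(b"tEXt", b"Comment\x00Exported from a photo editor")])
    print("benign findings:", scan_png(benign))
```

The carrier passes any "is this a PNG" check (signature, chunk layout, CRCs all valid) and renders as a 4x4 black image, which is the attacker's side of the argument. The inspector still flags it, because the tEXt chunk holds far more entropy than any caption would, and a payload moved into a private chunk type gets flagged for being a type the format does not normally carry. Either way the decoder's fixed expectations (which chunk, which keyword, which encoding) are exactly the structure the post says can become the attack's weak point.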