Red Team bad opsec part 2
Let's start with this legit-looking website
facilities-awareness.]com
13.249.22.]98
When you pay attention you can spot one interesting detail here.
The website logo/name (Model/Remodel) is not matching with URL: facilities-awareness.]com
Let's start with this legit-looking website
facilities-awareness.]com
13.249.22.]98
When you pay attention you can spot one interesting detail here.
The website logo/name (Model/Remodel) is not matching with URL: facilities-awareness.]com
According to Cisco Talos website is categorized as Real Estate.
Now let's find out more details about the domain
You can see three IP addresses but let focus only on 64.69.57.]212 and 13.349.135.xx range
You can see three IP addresses but let focus only on 64.69.57.]212 and 13.349.135.xx range
Now lets investigate this one
64.69.57.]212
Looks like we have found something interesting here
64.69.57.]212
Looks like we have found something interesting here
Cobalt Strike shellcode connecting to 64.69.57.]212
Right, so we know that azuerlink.]net is a Cobalt Strike C2 (other domains are Cobalt Strike C2's as well)
but what about facilities-awarness.]com?
but what about facilities-awarness.]com?
and this is the beacon
Short summary
and this is the real Model Remodel website
https://modelremodel.]com
https://modelremodel.]com
• • •
Missing some Tweet in this thread? You can try to
force a refresh
