Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Pyramid is an open-source, Python-based post-exploitation framework that threat actors have adopted for malicious use. It ships a lightweight HTTP/S server that delivers encrypted payloads, and its traffic blends in with legitimate Python activity. This analysis examines Pyramid's server, outlines network signatures for detecting it, and highlights recently identified servers. The server's HTTP responses follow distinctive patterns, which allows them to be expressed as structured detection queries. Nine IP addresses, listening on a range of ports, matched the criteria; three of them were previously associated with RansomHub activity. The post emphasizes proactive detection strategies as the counter to adversaries' evolving use of open-source offensive security tools.
OPENCTI LABELS :
open-source,c2,python,ransomhub,more_eggs,post-exploitation,network signatures,detection,pyramid,http server
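The summary describes turning the server's HTTP response patterns into a structured detection query but does not reproduce the indicators themselves. The following is an added example, not code from the Hunt.io post or from the Pyramid project: it parses raw HTTP responses and applies a multi-field fingerprint (status code, Server banner, and WWW-Authenticate realm combined with AND) so that a lone Python http.server banner or a lone Basic-auth challenge does not fire. The banner and realm values are assumptions drawn from the fact that Pyramid's server is built on Python's http.server with Basic authentication; the page does not list them, so substitute the indicators from the report. The sample responses are constructed, not real captures, and the matcher is port-agnostic, since the report's hits were spread across ports.

```python
"""Fingerprint HTTP responses for a Pyramid-style post-exploitation server.

Added example, not the Hunt.io post's or the Pyramid project's code.
Assumed (not stated on this page): the server answers unauthenticated
requests with HTTP 401, a 'WWW-Authenticate: Basic realm="..."' header
and a 'Server: BaseHTTP/<ver> Python/<ver>' header. The regexes below
are placeholders to replace with the report's published indicators.
"""
import re
from dataclasses import dataclass

# Placeholder indicator values (assumptions, see module docstring).
SERVER_BANNER = re.compile(r"^BaseHTTP/\d+\.\d+ Python/3\.\d+(\.\d+)?$")
REALM_PATTERN = re.compile(r'^Basic realm="Demo Realm"$', re.IGNORECASE)


@dataclass
class HttpResponse:
    status: int
    headers: dict   # lower-cased header name -> value
    body: bytes


def parse_response(raw: bytes) -> HttpResponse:
    """Parse a raw HTTP/1.x response into status, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, normalise them
            headers[name.strip().lower()] = value.strip()
    return HttpResponse(int(status_line[1]), headers, body)


def matches_pyramid(resp: HttpResponse) -> bool:
    """Structured query: every field must match, which keeps a stock
    Python http.server (no auth challenge) or an nginx Basic-auth
    endpoint (different banner) from producing a false positive."""
    if resp.status != 401:
        return False
    server = resp.headers.get("server", "")
    auth = resp.headers.get("www-authenticate", "")
    return bool(SERVER_BANNER.match(server) and REALM_PATTERN.match(auth))


def hunt(responses):
    """Return the labels of the (label, raw_response) pairs that match."""
    return [label for label, raw in responses
            if matches_pyramid(parse_response(raw))]


# Constructed sample responses for illustration, not real captures.
SAMPLES = [
    ("suspect",
     b"HTTP/1.0 401 Unauthorized\r\n"
     b"Server: BaseHTTP/0.6 Python/3.10.4\r\n"
     b"WWW-Authenticate: Basic realm=\"Demo Realm\"\r\n"
     b"Content-Type: text/html\r\n\r\nno auth received"),
    ("plain-python",           # stock http.server, no auth: must not match
     b"HTTP/1.0 200 OK\r\n"
     b"Server: SimpleHTTP/0.6 Python/3.10.4\r\n"
     b"Content-Type: text/html\r\n\r\n<html></html>"),
    ("nginx-basic",            # same realm, different server: must not match
     b"HTTP/1.1 401 Unauthorized\r\n"
     b"Server: nginx/1.24.0\r\n"
     b"WWW-Authenticate: Basic realm=\"Demo Realm\"\r\n\r\n"),
    ("lowercase-headers",      # same fingerprint, odd header casing
     b"HTTP/1.0 401 Unauthorized\r\n"
     b"server: BaseHTTP/0.6 Python/3.12.1\r\n"
     b"www-authenticate: basic realm=\"Demo Realm\"\r\n\r\n"),
]

if __name__ == "__main__":
    for label in hunt(SAMPLES):
        print("matched:", label)
```

The point of the AND across three fields is precision: a query on the Server banner alone would return every exposed Python http.server on the internet, and a query on the Basic-auth realm alone would return unrelated web servers that reuse the same sample realm string. Run the same matcher over responses collected from any port, then cross-reference hits with known infrastructure, as the report did with RansomHub.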