The Iscariot Suite is a collection of tools to enhance and augment trusted open-source and commercial Blue Team/Sysadmin products, turning them into traitorware to achieve offensive security goals. The Iscariot Suite takes its name from the famous traitor Judas Iscariot, who - according to biblical tradition - betrayed Jesus.
The Iscariot Suite was discussed in the presentation "Stop writing malware! The Blue team has done it for you!" The slides for this presentation are in this repo.
Traitorware (noun)
trai·tor·ware | \ˈtrā-tər-ˌwer\
1 : software that betrays the trust placed in it to perform malicious actions
2 : trusted software with benign original intent used for malicious actions
// The red team bypassed all our detections using traitorware.
- Uses native Splunk features to act as a full-blown command-and-control (C2) framework. The agent component is simply the Splunk Universal Forwarder installed on the target; the server component is a standard Splunk Enterprise server. No custom agent binary is involved.
- Using an osquery extension, a user can execute binaries, shell commands, unmodified Cobalt Strike BOFs, and C# assemblies in memory.
- The extension runs as its own process, but as a child of the digitally signed osqueryd.exe, so its activity sits inside the process tree of a trusted endpoint agent.
- 2021 Adversary Infrastructure Report
- The C2 Matrix
- Cobalt Strike specific YARA rules
- Easily Identify Malicious Servers on the Internet with JARM
- Red Canary - 2022 Threat Detection Report
- Rule against Offsec tool author handles
- Cobalt Strike, a Defender’s Guide
- Cobalt Strike, a Defender’s Guide – Part 2
- Inno-shellcode-example
- Dumping Memory with AV - Avast Home Security
- Backstab
- OffensivePH
- Using Power Automate for Covert Data Exfiltration in Microsoft 365
- Quick Tunnels: Anytime, Anywhere
- Living Off Trusted Sites (LOTS) Project
- Splunk Universal Forwarder Hijacking
- Splunk Universal Forwarder Hijacking 2: SplunkWhisperer2
- How to Leverage Splunk as an Offensive Security Tool
- Abusing Splunk Forwarders For Shells and Persistence
- osquery
- fleet
- sliver
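The two tool descriptions above (the Splunk Universal Forwarder as a C2 agent, and an extension running as a child of osqueryd.exe) both rely on a trusted, signed agent spawning work that its operators never configured. The following is an added detection example, not part of the Iscariot Suite or its presentation: a small Python pass over constructed Sysmon-style process-creation events (one JSON object per line with Computer, Image, ParentImage and CommandLine fields) that flags shells or unexpected children of osqueryd.exe and splunkd.exe. The allow lists of expected children, the user-writable path markers and the sample events are assumptions to tune per environment; osqueryd legitimately forks a worker and loads extension processes, and the forwarder legitimately runs scripted and modular inputs, which is exactly why this traitorware blends in.

```python
"""Flag suspicious children of trusted agents (osqueryd.exe, splunkd.exe).

Added detection example; it is not part of the Iscariot Suite. Input is
process-creation telemetry in a Sysmon Event ID 1 style, one JSON object
per line with Computer, Image, ParentImage and CommandLine fields.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Trusted, signed agents that the Iscariot Suite rides on.
WATCHED_PARENTS = {"osqueryd.exe", "splunkd.exe"}

# Children that are normal for each agent (ASSUMED baseline; tune per fleet).
# osqueryd forks a worker with the same image name; the Splunk Universal
# Forwarder runs its bundled Windows inputs as splunk-*.exe helpers.
EXPECTED_CHILDREN = {
    "osqueryd.exe": {"osqueryd.exe"},
    "splunkd.exe": {
        "splunkd.exe", "splunk-winevtlog.exe", "splunk-powershell.exe",
        "splunk-perfmon.exe", "splunk-regmon.exe", "splunk-netmon.exe",
        "splunk-admon.exe", "splunk-wmi.exe", "splunk-winprintmon.exe",
    },
}

# Interpreters and LOLBins that should essentially never hang off an agent.
LOLBIN_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Path fragments that mark a child image in a user-writable location (assumed).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


@dataclass(frozen=True)
class Alert:
    host: str
    parent: str
    child: str
    reason: str


def _norm(path: str) -> str:
    # Lower-case and unify separators so matching is case-insensitive.
    return path.replace("/", "\\").lower()


def analyze(event: dict) -> Optional[Alert]:
    """Return an Alert for one process-creation event, or None if benign."""
    parent_path = _norm(event.get("ParentImage", ""))
    parent = parent_path.rsplit("\\", 1)[-1]
    if parent not in WATCHED_PARENTS:
        return None
    child_path = _norm(event.get("Image", ""))
    child = child_path.rsplit("\\", 1)[-1]
    host = event.get("Computer", "unknown")

    # Rule 1: a shell or LOLBin under a monitoring agent, the pattern left by
    # scripted-input or deployment-app abuse against the forwarder.
    if child in LOLBIN_CHILDREN:
        return Alert(host, parent, child, "shell or LOLBin launched by monitoring agent")
    # Rule 2: anything on the baseline is fine.
    if child in EXPECTED_CHILDREN.get(parent, set()):
        return None
    # Rule 3: an unknown child dropped in a user-writable directory.
    if any(marker in child_path for marker in USER_WRITABLE_MARKERS):
        return Alert(host, parent, child, "unknown child running from user-writable path")
    # Rule 4: an unknown child elsewhere; reconcile against the extensions or
    # inputs the fleet is actually configured to load.
    return Alert(host, parent, child,
                 "unknown child of trusted agent; verify it is a configured extension or input")


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run analyze() over newline-delimited JSON events, skipping blank lines."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = analyze(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_LINES = [
    r'{"Computer": "WS01", "ParentImage": "C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe", "Image": "C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe", "CommandLine": "osqueryd.exe --flagfile=osquery.flags"}',
    r'{"Computer": "WS01", "ParentImage": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "Image": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe", "CommandLine": "splunk-winevtlog.exe"}',
    r'{"Computer": "WS02", "ParentImage": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\update\\bin\\run.bat\""}',
    r'{"Computer": "WS03", "ParentImage": "C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe", "Image": "C:\\Users\\Public\\helper.ext.exe", "CommandLine": "helper.ext.exe --socket \\\\.\\pipe\\osquery.em"}',
    r'{"Computer": "WS03", "ParentImage": "C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe", "Image": "C:\\Program Files\\osquery\\extensions\\inventory.ext.exe", "CommandLine": "inventory.ext.exe --socket \\\\.\\pipe\\osquery.em"}',
    r'{"Computer": "WS04", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LINES):
        print(f"[{a.host}] {a.parent} -> {a.child}: {a.reason}")
```

Run stand-alone, the script prints three alerts for the constructed sample: cmd.exe under splunkd.exe, an unknown extension under osqueryd.exe in C:\Users\Public, and an unknown extension under osqueryd.exe in the osquery install tree. Rule 4 is deliberately noisy: it fires on every extension not listed in EXPECTED_CHILDREN, so the intended workflow is to enumerate the extensions and inputs the fleet is actually configured to autoload, add them to the baseline, and treat anything left as a child that was never provisioned.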