CN109587137B - Method and device for escape C & C detection based on github - Google Patents
- Publication number: CN109587137B
- Application number: CN201811477077.2A
- Authority: CN (China)
- Prior art keywords: file; encrypted; execution result; controlled terminal; suffix name
- Legal status: Active
Classifications
- H04L63/00: Network architectures or network communication protocols for network security (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
  - H04L63/30: for supporting lawful interception, monitoring or retaining of communications or communication related information
  - H04L63/04: for providing a confidential data exchange among entities communicating through data packet networks
    - H04L63/0428: wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Computer Networks & Wireless Communication; Signal Processing; Technology Law; Storage Device Security
Abstract
The invention provides a method and a device for escape C & C detection based on github, which are applied to a github platform and comprise the following steps: receiving request information sent by a control end; creating a first file according to the request information; encrypting the first file to obtain an encrypted first file; sending the encrypted first file to a controlled terminal to enable the controlled terminal to decrypt the encrypted first file to obtain the first file, executing request information in the first file to obtain an execution result, and encrypting the execution result; and receiving an encrypted execution result sent by the controlled terminal, creating a second file according to the encrypted execution result, so that the control terminal decrypts the encrypted second file and checks the execution result of the second file, and thus the github platform is used as a WEB service, sensitive data are prevented from being monitored, and the security is high.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for evading C & C detection based on github.
Background
In some highly secure network environments with traffic data anomaly detection, machine learning detection and the like, sensitive data is usually sent over a conventional TCP (Transmission Control Protocol) or DNS (Domain Name System) channel, with a common WEB service used as the C2 domain name; when such common WEB services are used, the sensitive data is easily monitored, and the security is poor.
Disclosure of Invention
In view of this, the present invention aims to provide a method and an apparatus for avoiding C & C detection based on github, which use the github platform as a WEB service to avoid the monitoring of sensitive data and have high security.
In a first aspect, an embodiment of the present invention provides a method for evading C & C detection based on github, which is applied to a github platform, and the method includes:
receiving request information sent by a control end;
creating a first file according to the request information;
encrypting the first file to obtain an encrypted first file;
sending the encrypted first file to a controlled terminal to enable the controlled terminal to decrypt the encrypted first file to obtain the first file, executing the request information in the first file to obtain an execution result, and encrypting the execution result;
and receiving an encrypted execution result sent by the controlled terminal, and creating a second file according to the encrypted execution result, so that the control terminal decrypts the encrypted second file and checks the execution result of the second file.
Further, the request information includes control command information, the first file includes a first suffix name, and the sending of the encrypted first file to the controlled end, so that the controlled end decrypts the encrypted first file to obtain the first file, executes the request information in the first file to obtain an execution result, and encrypts the execution result, includes:
sending the encrypted first file to a controlled terminal to enable the controlled terminal to search the encrypted first suffix name file from the encrypted first file, if the encrypted first suffix name file is found, decrypting the encrypted first suffix name file to obtain a first suffix name file, executing the control command information in the first suffix name file to obtain the execution result, and encrypting the execution result.
Further, the request information includes screenshot command information, the first file includes a second suffix name, and the sending of the encrypted first file to the controlled end, so that the controlled end decrypts the encrypted first file to obtain the first file, executes the request information in the first file to obtain an execution result, and encrypts the execution result, includes:
sending the encrypted first file to a controlled terminal to enable the controlled terminal to search the encrypted second suffix name file from the encrypted first file, if the encrypted second suffix name file is found, decrypting the encrypted second suffix name file to obtain a second suffix name file, executing the screenshot command information in the second suffix name file to obtain picture content information, and encrypting the picture content information.
Further, the second file includes a prefix name, and the method further includes:
receiving updated online time information sent by the controlled terminal;
storing the updated online time information in the encrypted second file, so that the control end searches for the encrypted prefix name file from the encrypted second file, and if the encrypted prefix name file is found, decrypting the encrypted prefix name file to obtain the prefix name file, thereby obtaining the updated online time information in the prefix name file.
Further, the updated online time information is obtained by updating the online time information through the controlled terminal.
In a second aspect, an embodiment of the present invention provides a github-based apparatus for evading C & C detection, which is applied to a github platform, and includes:
the first receiving unit is used for receiving request information sent by the control end;
a creating unit configured to create a first file according to the request information;
the encryption unit is used for encrypting the first file to obtain an encrypted first file;
the first processing unit is used for sending the encrypted first file to a controlled terminal so that the controlled terminal decrypts the encrypted first file to obtain the first file, executes the request information in the first file to obtain an execution result, and encrypts the execution result;
and the second processing unit is used for receiving the encrypted execution result sent by the controlled terminal, creating a second file according to the encrypted execution result, so that the control terminal decrypts the encrypted second file and checks the execution result of the second file.
Further, the request information includes control command information, the first file includes a first suffix name, and the first processing unit includes:
sending the encrypted first file to a controlled terminal to enable the controlled terminal to search the encrypted first suffix name file from the encrypted first file, if the encrypted first suffix name file is found, decrypting the encrypted first suffix name file to obtain a first suffix name file, executing the control command information in the first suffix name file to obtain the execution result, and encrypting the execution result.
Further, the request information includes screenshot command information, the first file includes a second suffix name, and the first processing unit includes:
sending the encrypted first file to a controlled terminal to enable the controlled terminal to search the encrypted second suffix name file from the encrypted first file, if the encrypted second suffix name file is found, decrypting the encrypted second suffix name file to obtain a second suffix name file, executing the screenshot command information in the second suffix name file to obtain picture content information, and encrypting the picture content information.
Further, the second file includes a prefix name, and the apparatus further includes:
the second receiving unit is used for receiving the updated online time information sent by the controlled terminal;
a third processing unit, configured to store the updated online time information in the encrypted second file, so that the control end searches for an encrypted prefix-name file from the encrypted second file, and if the encrypted prefix-name file is found, decrypt the encrypted prefix-name file to obtain a prefix-name file, thereby obtaining the updated online time information in the prefix-name file.
Further, the updated online time information is obtained by updating the online time information through the controlled terminal.
The embodiment of the invention provides a method and a device for evading C & C detection based on github, which are applied to a github platform and comprise the following steps: receiving request information sent by a control end; creating a first file according to the request information; encrypting the first file to obtain an encrypted first file; sending the encrypted first file to a controlled terminal to enable the controlled terminal to decrypt the encrypted first file to obtain the first file, executing request information in the first file to obtain an execution result, and encrypting the execution result; and receiving an encrypted execution result sent by the controlled terminal, creating a second file according to the encrypted execution result, so that the control terminal decrypts the encrypted second file and checks the execution result of the second file, and thus the github platform is used as a WEB service, sensitive data are prevented from being monitored, and the security is high.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flowchart of a method for github-based evasion of C & C detection according to an embodiment of the present invention;
FIG. 2 is a flowchart of another method for github-based evasion of C & C detection according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a github-based apparatus for evading C & C detection according to a second embodiment of the present invention;
FIG. 4 is a schematic diagram of another github-based apparatus for evading C & C detection according to the second embodiment of the present invention.
Icon:
10-a first receiving unit; 20-a creation unit; 30-an encryption unit; 40-a first processing unit; 50-a second processing unit; 60-a second receiving unit; 70-third processing unit.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
For the understanding of the present embodiment, the following detailed description will be given of the embodiment of the present invention.
The first embodiment is as follows:
fig. 1 is a flowchart of a method for github-based evasive C & C detection according to an embodiment of the present invention.
Referring to fig. 1, the method is applied to the github platform. Source code on the github platform is commonly used in software development, and the github platform's API is easy to use as a C2 channel, so the cost is low. Here, C2 or C & C (command and control) is a server that sends control commands; the github platform is a hosting platform for open-source and private software projects.
On the github platform, a user needs to perform anonymous authentication to obtain an account and a password, and logs in to the github platform with them; the account has an access tokens parameter, and access tokens are unique identifiers used to distinguish user identities.
Access tokens are set as follows: after logging in to the github platform, the user opens the developer settings page and adds a new token; once generated, the new token can be used to access all Application Programming Interfaces (APIs). The APIs of the github platform are shown in table 1:
TABLE 1
In fig. 1, the execution subject is a github platform, the method comprising the steps of:
step S101, receiving request information sent by a control end;
step S102, a first file is created according to the request information;
step S103, encrypting the first file to obtain an encrypted first file;
step S104, sending the encrypted first file to the controlled terminal, so that the controlled terminal decrypts the encrypted first file to obtain the first file, executes the request information in the first file to obtain an execution result, and encrypts the execution result;
and step S105, receiving the encrypted execution result sent by the controlled terminal, creating a second file according to the encrypted execution result, so that the control terminal decrypts the encrypted second file, and viewing the execution result of the second file.
Here, the controlled terminal and the control terminal may be user terminals.
Further, the request information includes control command information, the first file includes a first suffix name, and step S104 includes:
and sending the encrypted first file to the controlled terminal so that the controlled terminal searches the encrypted first suffix name file from the encrypted first file, if the encrypted first suffix name file is found, decrypting the encrypted first suffix name file to obtain the first suffix name file, executing the control command information in the first suffix name file to obtain an execution result, and encrypting the execution result.
Specifically, the control end sends control command information to the github platform; the github platform creates a first file, agent1.cmd.1 (where 1 is the sequence number of the current command), according to the control command information and encrypts it to obtain the encrypted first file; the file content information in the first file also needs to be encrypted. The encrypted first file is then sent to the controlled end, which searches the encrypted first file agent1.cmd.1 for the encrypted file whose first suffix name is cmd followed by the sequence number; if it is found, the controlled end decrypts it to obtain the cmd file with that sequence number, executes the control command information in that file to obtain an execution result, and encrypts the execution result to obtain the encrypted execution result.
The encrypted execution result is sent to the github platform, which creates a second file from it; the control end checks the second file at preset time intervals, decrypts the encrypted execution result to obtain the execution result, and outputs it.
Further, the request information includes screenshot command information, the first file includes a second suffix name, and step S104 includes:
and sending the encrypted first file to the controlled terminal so that the controlled terminal searches the encrypted second suffix name file from the encrypted first file, decrypting the encrypted second suffix name file if the encrypted second suffix name file is found to obtain the second suffix name file, executing screenshot command information in the second suffix name file to obtain picture content information, and encrypting the picture content information.
Specifically, the control end sends screenshot command information to the github platform; the github platform creates a first file, agent1.screen.1, according to the screenshot command information and encrypts it to obtain the encrypted first file; the file content information in the first file also needs to be encrypted. The encrypted first file is then sent to the controlled end, which searches the encrypted first file agent1.screen.1 for the encrypted file whose second suffix name is screen; if it is found, the controlled end decrypts it to obtain the screen file, executes the screenshot command information in the screen file to obtain picture content information, and encrypts the picture content information to obtain the encrypted picture content information.
And sending the encrypted picture content information to a github platform, creating a second file by the github platform according to the encrypted picture content information, viewing the second file by the control terminal at preset time intervals, decrypting the encrypted picture content information to obtain the picture content information, and outputting the picture content information.
The execution process of the control command information and the execution process of the screenshot command information both use a github platform as a medium to achieve the purpose of obtaining sensitive information, thereby improving the security of the network.
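The file naming convention and the encrypted contents described above give a defender something concrete to look for in repositories an organisation controls, or in content fetched through an inspecting proxy. The following is an added example, not code from the patent: a Python heuristic that reviews a repository listing and flags files named in the agent1.cmd.1 / agent1.screen.1 / agent1 style whose bytes have near-maximal entropy, as encrypted command, screenshot and basic-information files would. The `{path: bytes}` input shape, the regular expressions, the entropy thresholds and the sample listing are all constructed assumptions.

```python
"""Heuristic review of a repository listing for the tasking-file pattern described above.

Added example (not code from the patent). Flags files whose names follow the
<prefix><id>.cmd.<seq> / <prefix><id>.screen.<seq> / <prefix><id> convention and
whose contents look like ciphertext (near-maximal byte entropy). Thresholds
and sample data are constructed assumptions.
"""
import math
import posixpath
import re
from collections import Counter, defaultdict

# Name conventions taken from the patent's worked example (agent1.cmd.1, agent1.screen.1, prefix "agent").
TASK_FILE = re.compile(r"^(?P<prefix>[A-Za-z]+)(?P<id>\d+)\.(?P<kind>cmd|screen)\.(?P<seq>\d+)$")
BEACON_FILE = re.compile(r"^(?P<prefix>[A-Za-z]+)(?P<id>\d+)$")

MIN_BYTES_FOR_ENTROPY = 128   # assumption: shorter blobs cannot reach a meaningful entropy
HIGH_ENTROPY_BITS = 7.0       # assumption: text and source code sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, content: bytes) -> dict:
    """Classify one file by its name convention and by whether its bytes look encrypted."""
    name = posixpath.basename(path)
    kind, agent, seq = None, None, None
    m = TASK_FILE.match(name)
    if m:
        kind = "command" if m["kind"] == "cmd" else "screenshot"
        agent, seq = m["prefix"] + m["id"], int(m["seq"])
    elif (m := BEACON_FILE.match(name)):
        kind, agent = "beacon", m["prefix"] + m["id"]
    entropy = shannon_entropy(content)
    high = len(content) >= MIN_BYTES_FOR_ENTROPY and entropy >= HIGH_ENTROPY_BITS
    return {"kind": kind, "agent": agent, "seq": seq,
            "entropy": round(entropy, 3), "high_entropy": high}


def assess_repository(listing: dict) -> dict:
    """Summarise a {path: bytes} listing: per-file findings, a per-agent tasking view, and a verdict."""
    files = {path: classify_file(path, data) for path, data in listing.items()}
    agents = defaultdict(lambda: {"cmd": [], "screen": [], "beacon": False})
    for f in files.values():
        if f["kind"] == "command":
            agents[f["agent"]]["cmd"].append(f["seq"])
        elif f["kind"] == "screenshot":
            agents[f["agent"]]["screen"].append(f["seq"])
        elif f["kind"] == "beacon":
            agents[f["agent"]]["beacon"] = True
    for a in agents.values():
        a["cmd"].sort()
        a["screen"].sort()
    # Verdict: at least one tasking-style file whose content is ciphertext-like.
    suspicious = any(f["kind"] in ("command", "screenshot") and f["high_entropy"] for f in files.values())
    return {"files": files, "agents": dict(agents), "suspicious": suspicious}


# ---- Constructed sample listing (stand-in data, not real repository content) ----
def _constructed_ciphertext(seed: int, length: int = 512) -> bytes:
    """Deterministic bytes that cover every value equally often, standing in for ciphertext."""
    return bytes((i * 97 + seed * 31) % 256 for i in range(length))

README = (b"# example-repo\n\nA small build helper. Run `make` to build it and `make test` "
          b"to run the test-suite. Bug reports and pull requests are welcome; please "
          b"describe the platform you built on and attach the full build log.\n")
SOURCE = (b"import sys\n\n\ndef main(argv):\n    target = argv[1] if len(argv) > 1 else 'all'\n"
          b"    print('building', target)\n    return 0\n\n\nif __name__ == '__main__':\n"
          b"    sys.exit(main(sys.argv))\n")

CONSTRUCTED_LISTING = {
    "README.md": README,
    "src/build.py": SOURCE,
    "agent1": _constructed_ciphertext(1),            # basic-information file carrying only the prefix name
    "agent1.cmd.1": _constructed_ciphertext(2),      # command file, sequence 1
    "agent1.cmd.2": _constructed_ciphertext(3),      # command file, sequence 2
    "agent1.screen.1": _constructed_ciphertext(4),   # screenshot file, sequence 1
    "assets/logo.png": _constructed_ciphertext(5),   # high entropy but an ordinary name
}

if __name__ == "__main__":
    report = assess_repository(CONSTRUCTED_LISTING)
    for path, f in report["files"].items():
        print(f"{path:18} kind={f['kind']!s:10} entropy={f['entropy']:.2f} high={f['high_entropy']}")
    print("agents:", report["agents"])
    print("suspicious:", report["suspicious"])
```

The per-agent view matters more than any single hit: a high-entropy blob with an ordinary name (the constructed logo.png) is only an entropy finding, whereas a sequence-numbered command file, a screenshot file and a prefix-only basic-information file all pointing at the same agent reproduce the whole exchange the patent describes. The entropy threshold should be calibrated against the repository's own compressed assets before it is used on real data.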
Further, the second file includes a prefix name, and, referring to fig. 2, the method further includes the steps of:
step S201, receiving updated online time information sent by a controlled terminal;
Here, while running, the controlled end creates a repository on the github platform and creates a corresponding file in it; the file may be a string file containing the basic information of the controlled end, such as its online time and name. The online time needs to be updated at intervals, and the controlled end updates the online time in the existing file to the current time. The interval between API accesses can be randomized; a fixed interval is easily recognized by a security model as a C2 domain name.
Step S202, storing the updated online time information in the encrypted second file, so that the control end searches for the encrypted prefix name file from the encrypted second file, and if the encrypted prefix name file is found, decrypting the encrypted prefix name file to obtain the prefix name file, thereby obtaining the updated online time information in the prefix name file.
Specifically, the controlled end updates the online time information to obtain the updated online time and stores it in the repository on the github platform; at preset time intervals, the control end fetches all encrypted second files in the repository, filters out the encrypted files whose prefix name is agent, decrypts them, and obtains basic information such as the updated online time information from the agent-prefixed files.
Further, the updated online time information is obtained by updating the online time information through the controlled terminal.
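The passage above notes that a fixed polling interval is easily recognised and that the interval between API accesses is therefore randomised. The following is an added example, not code from the patent, of a detector that tolerates such jitter: it groups proxy-log requests to the github API per client, measures how tightly the inter-request gaps cluster around their median, and flags the series when they do. The log line format, the thresholds and the three sample clients are constructed assumptions.

```python
"""Jitter-tolerant beacon detection over constructed proxy log lines.

Added example (not code from the patent). Randomising the polling interval
defeats a detector that looks for one exact period; it does not remove the
fact that nearly every gap lies in a narrow band around the median, which
interactive browsing does not show. Log format, thresholds and sample data
are constructed assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# ---- Constructed sample data (not from the patent) ---------------------------
BASE_TIME = datetime(2024, 1, 1, 9, 0, 0)
# client IP -> gaps in seconds between successive requests to api.github.com
CONSTRUCTED_CLIENTS = {
    "10.0.0.5": [60] * 11,                                     # fixed 60 s polling
    "10.0.0.6": [52, 71, 46, 68, 59, 74, 49, 63, 55, 70, 47],  # 60 s with +/-15 s random jitter
    "10.0.0.7": [2, 1, 3, 900, 1, 2, 1, 1800, 2, 4, 1],        # bursty, human-like browsing
}


def build_log_lines(clients=CONSTRUCTED_CLIENTS, host="api.github.com"):
    """Render the gap lists as hypothetical proxy-log lines: '<iso-time> <client> <host> <method> <path>'."""
    lines = []
    for client, gaps in clients.items():
        t = BASE_TIME
        lines.append(f"{t.isoformat()} {client} {host} GET /repos/example-org/example-repo/contents/")
        for gap in gaps:
            t += timedelta(seconds=gap)
            lines.append(f"{t.isoformat()} {client} {host} GET /repos/example-org/example-repo/contents/")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, client, host); method and path are ignored here."""
    ts, client, host, _method, _path = line.split(" ", 4)
    return datetime.fromisoformat(ts), client, host


def analyse(lines, min_requests=8, band=0.5, max_cv=0.35, min_band_fraction=0.8):
    """Flag (client, host) series whose request timing looks like polling.

    A series is flagged when it has at least `min_requests` requests, at least
    `min_band_fraction` of its gaps fall within +/-`band` of the median gap, and
    the coefficient of variation (CV) of the gaps is at most `max_cv`. Uniform
    jitter of +/-25 % around a period gives a CV of about 0.14, so these
    thresholds (assumptions for this example) tolerate the randomisation the
    patent describes, while bursty browsing fails both tests.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, client, host = parse_line(line)
        by_pair[(client, host)].append(ts)
    report = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        lo, hi = median * (1 - band), median * (1 + band)
        in_band = sum(lo <= g <= hi for g in gaps) / len(gaps)
        report[pair] = {
            "requests": len(stamps),
            "median_gap_s": median,
            "cv": round(cv, 3),
            "band_fraction": round(in_band, 3),
            "beacon": in_band >= min_band_fraction and cv <= max_cv,
        }
    return report


if __name__ == "__main__":
    for pair, r in analyse(build_log_lines()).items():
        print(pair, r)
```

Run stand-alone, the fixed client scores a CV of 0 and the jittered client a CV near 0.17, both with every gap inside the band, while the browsing client fails both criteria. In production the same statistics should be computed per destination over a long window and compared with the client's baseline; a legitimate CI runner polling the github API will also score as periodic, so the output is a lead for triage rather than a verdict.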
The embodiment of the invention provides a method for evading C & C detection based on github, which is applied to a github platform and comprises the following steps: receiving request information sent by a control end; creating a first file according to the request information; encrypting the first file to obtain an encrypted first file; sending the encrypted first file to a controlled terminal to enable the controlled terminal to decrypt the encrypted first file to obtain the first file, executing request information in the first file to obtain an execution result, and encrypting the execution result; and receiving an encrypted execution result sent by the controlled terminal, creating a second file according to the encrypted execution result, so that the control terminal decrypts the encrypted second file and checks the execution result of the second file, and thus the github platform is used as a WEB service, sensitive data are prevented from being monitored, and the security is high.
The second embodiment is as follows:
fig. 3 is a schematic diagram of a github-based apparatus for evading C & C detection according to a second embodiment of the present invention.
Referring to fig. 3, the apparatus applied to the github platform includes:
a first receiving unit 10, configured to receive request information sent by a control end;
a creating unit 20 for creating a first file according to the request information;
an encrypting unit 30, configured to encrypt the first file to obtain an encrypted first file;
the first processing unit 40 is configured to send the encrypted first file to the controlled end, so that the controlled end decrypts the encrypted first file to obtain the first file, executes the request information in the first file to obtain an execution result, and encrypts the execution result;
and the second processing unit 50 is configured to receive the encrypted execution result sent by the controlled end, create a second file according to the encrypted execution result, enable the control end to decrypt the encrypted second file, and view the execution result of the second file.
Further, the request information includes control command information, the first file includes a first suffix name, the first processing unit 40 includes:
and sending the encrypted first file to the controlled terminal so that the controlled terminal searches the encrypted first suffix name file from the encrypted first file, if the encrypted first suffix name file is found, decrypting the encrypted first suffix name file to obtain the first suffix name file, executing the control command information in the first suffix name file to obtain an execution result, and encrypting the execution result.
Further, the request information includes screenshot command information, the first file includes a second suffix name, the first processing unit 40 includes:
and sending the encrypted first file to the controlled terminal so that the controlled terminal searches the encrypted second suffix name file from the encrypted first file, decrypting the encrypted second suffix name file if the encrypted second suffix name file is found to obtain the second suffix name file, executing screenshot command information in the second suffix name file to obtain picture content information, and encrypting the picture content information.
Further, the second file includes a prefix name, and referring to fig. 4, the apparatus further includes:
a second receiving unit 60, configured to receive updated online time information sent by the controlled end;
the third processing unit 70 is configured to store the updated online time information in the encrypted second file, so that the control end searches for the encrypted prefix name file from the encrypted second file, and if the encrypted prefix name file is found, decrypt the encrypted prefix name file to obtain the prefix name file, thereby obtaining the updated online time information in the prefix name file.
Further, the updated online time information is obtained by updating the online time information through the controlled terminal.
The embodiment of the invention provides a github-based device for evading C & C detection, which is applied to a github platform and performs the following steps: receiving request information sent by a control end; creating a first file according to the request information; encrypting the first file to obtain an encrypted first file; sending the encrypted first file to a controlled terminal to enable the controlled terminal to decrypt the encrypted first file to obtain the first file, executing request information in the first file to obtain an execution result, and encrypting the execution result; and receiving an encrypted execution result sent by the controlled terminal, creating a second file according to the encrypted execution result, so that the control terminal decrypts the encrypted second file and checks the execution result of the second file, and thus the github platform is used as a WEB service, sensitive data are prevented from being monitored, and the security is high.
The embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, and when the processor executes the computer program, the steps of the method for evading C & C detection based on github provided in the foregoing embodiments are implemented.
Embodiments of the present invention further provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method for evading C & C detection based on github of the foregoing embodiments are executed.
The computer program product provided in the embodiment of the present invention includes a computer-readable storage medium storing a program code, where instructions included in the program code may be used to execute the method described in the foregoing method embodiment, and specific implementation may refer to the method embodiment, which is not described herein again.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.
Claims (8)
1. A method for evading C&C detection based on GitHub, applied to the GitHub platform, the method comprising:
receiving request information sent by a control end;
creating a first file according to the request information;
encrypting the first file to obtain an encrypted first file;
sending the encrypted first file to a controlled terminal, so that the controlled terminal decrypts the encrypted first file to obtain the first file, executes the request information in the first file to obtain an execution result, and encrypts the execution result;
receiving the encrypted execution result sent by the controlled terminal and creating a second file according to the encrypted execution result, so that the control end decrypts the encrypted second file and checks the execution result in the second file;
wherein the second file includes a prefix name, and the method further comprises:
receiving updated online time information sent by the controlled terminal; and
storing the updated online time information in the encrypted second file, so that the control end searches the encrypted second file for an encrypted prefix-name file and, if the encrypted prefix-name file is found, decrypts it to obtain the prefix-name file and thereby obtains the updated online time information from the prefix-name file.
2. The method of claim 1, wherein the request information includes control command information, the first file includes a first suffix name, and sending the encrypted first file to the controlled terminal so that the controlled terminal decrypts the encrypted first file to obtain the first file, executes the request information in the first file to obtain an execution result, and encrypts the execution result comprises:
sending the encrypted first file to the controlled terminal, so that the controlled terminal searches the encrypted first file for an encrypted first-suffix-name file and, if the encrypted first-suffix-name file is found, decrypts it to obtain a first-suffix-name file, executes the control command information in the first-suffix-name file to obtain the execution result, and encrypts the execution result.
3. The method of claim 1, wherein the request information includes screenshot command information, the first file includes a second suffix name, and sending the encrypted first file to the controlled terminal so that the controlled terminal decrypts the encrypted first file to obtain the first file, executes the request information in the first file to obtain an execution result, and encrypts the execution result comprises:
sending the encrypted first file to the controlled terminal, so that the controlled terminal searches the encrypted first file for an encrypted second-suffix-name file and, if the encrypted second-suffix-name file is found, decrypts it to obtain a second-suffix-name file, executes the screenshot command information in the second-suffix-name file to obtain picture content information, and encrypts the picture content information.
4. The method for evading C&C detection based on GitHub of claim 1, wherein the updated online time information is obtained by the controlled terminal updating its online time information.
5. An apparatus for evading C&C detection based on GitHub, applied to the GitHub platform, the apparatus comprising:
a first receiving unit configured to receive request information sent by a control end;
a creating unit configured to create a first file according to the request information;
an encryption unit configured to encrypt the first file to obtain an encrypted first file;
a first processing unit configured to send the encrypted first file to a controlled terminal, so that the controlled terminal decrypts the encrypted first file to obtain the first file, executes the request information in the first file to obtain an execution result, and encrypts the execution result;
a second processing unit configured to receive the encrypted execution result sent by the controlled terminal and create a second file according to the encrypted execution result, so that the control end decrypts the encrypted second file and checks the execution result in the second file;
wherein the second file includes a prefix name, and the apparatus further comprises:
a second receiving unit configured to receive updated online time information sent by the controlled terminal; and
a third processing unit configured to store the updated online time information in the encrypted second file, so that the control end searches the encrypted second file for an encrypted prefix-name file and, if the encrypted prefix-name file is found, decrypts it to obtain the prefix-name file and thereby obtains the updated online time information from the prefix-name file.
6. The apparatus for evading C&C detection based on GitHub of claim 5, wherein the request information includes control command information, the first file includes a first suffix name, and the first processing unit is configured for:
sending the encrypted first file to the controlled terminal, so that the controlled terminal searches the encrypted first file for an encrypted first-suffix-name file and, if the encrypted first-suffix-name file is found, decrypts it to obtain a first-suffix-name file, executes the control command information in the first-suffix-name file to obtain the execution result, and encrypts the execution result.
7. The apparatus for evading C&C detection based on GitHub of claim 5, wherein the request information includes screenshot command information, the first file includes a second suffix name, and the first processing unit is configured for:
sending the encrypted first file to the controlled terminal, so that the controlled terminal searches the encrypted first file for an encrypted second-suffix-name file and, if the encrypted second-suffix-name file is found, decrypts it to obtain a second-suffix-name file, executes the screenshot command information in the second-suffix-name file to obtain picture content information, and encrypts the picture content information.
8. The apparatus of claim 5, wherein the updated online time information is obtained by the controlled terminal updating its online time information.
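Claims 1-4 (and the matching apparatus units of claims 5-8) describe a dead-drop exchange: the control end pushes an encrypted, suffix-named request file to the repository, the controlled terminal selects files by suffix, decrypts and acts on them, pushes an encrypted result file, and keeps a prefix-named online-time file up to date. The following is an added simulation written for this page, not code from the patent or any product it describes. Everything concrete in it is an assumption: the repository is an in-memory dict standing in for GitHub, the cipher is an HMAC-SHA256 keystream with encrypt-then-MAC standing in for the algorithm the claims leave unspecified, the suffixes, prefix and command names are made up, and "execution" is a lookup table so that nothing is actually run.

```python
"""Added simulation (not the patent's code) of the GitHub dead-drop channel in claims 1-8.
Assumptions: in-memory dict as the repository, HMAC-SHA256 keystream + encrypt-then-MAC as a
stand-in for the unspecified cipher, made-up file names/handlers, and no real command execution."""
import base64, hashlib, hmac, json, os, uuid

CMD_SUFFIX, SHOT_SUFFIX, RESULT_SUFFIX = ".cmd", ".shot", ".res"  # assumed "first/second suffix name"
ONLINE_PREFIX = "online_"  # assumed "prefix name" of the online-time (heartbeat) file


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Concatenate PRF blocks HMAC(key, nonce || counter) until `length` bytes are available.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Layout: nonce(16) || ciphertext || tag(32). A fresh nonce per file is essential."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reject any drop whose tag fails (tampered, truncated, or written under another key)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Repo:
    """In-memory stand-in for the GitHub repository that serves as the drop."""
    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}

    def by_suffix(self, suffix: str) -> dict[str, bytes]:
        return {n: d for n, d in self.files.items() if n.endswith(suffix)}

    def by_prefix(self, prefix: str) -> dict[str, bytes]:
        return {n: d for n, d in self.files.items() if n.startswith(prefix)}


class ControlEnd:
    """Claim 1: request -> first file named by suffix -> encrypted -> pushed; later reads results."""
    def __init__(self, key: bytes, repo: Repo) -> None:
        self.key, self.repo = key, repo

    def send(self, kind: str, command: str = "") -> str:
        suffix = SHOT_SUFFIX if kind == "screenshot" else CMD_SUFFIX
        name = uuid.uuid4().hex + suffix
        self.repo.files[name] = encrypt(self.key, json.dumps({"kind": kind, "command": command}).encode())
        return name

    def results(self) -> list:
        return [json.loads(decrypt(self.key, d)) for d in self.repo.by_suffix(RESULT_SUFFIX).values()]

    def last_online(self, terminal_id: str):
        blob = self.repo.by_prefix(ONLINE_PREFIX).get(ONLINE_PREFIX + terminal_id)
        return None if blob is None else json.loads(decrypt(self.key, blob))["online_time"]


class ControlledTerminal:
    """Claims 2-4: select drops by suffix, decrypt, 'execute', push encrypted result, heartbeat."""
    HANDLERS = {"whoami": "constructed-user", "hostname": "constructed-host"}  # mocked, nothing is run

    def __init__(self, terminal_id: str, key: bytes, repo: Repo) -> None:
        self.terminal_id, self.key, self.repo = terminal_id, key, repo

    def _execute(self, req: dict) -> dict:
        if req["kind"] == "screenshot":
            return {"picture": base64.b64encode(b"\x89PNG constructed").decode()}
        return {"output": self.HANDLERS.get(req["command"], "unknown command")}

    def poll(self, now: int) -> int:
        handled = 0
        for suffix in (CMD_SUFFIX, SHOT_SUFFIX):
            for name, blob in self.repo.by_suffix(suffix).items():
                try:
                    req = json.loads(decrypt(self.key, blob))
                except ValueError:
                    continue  # foreign or tampered drop: ignored, never executed
                res = {"request": name, "terminal": self.terminal_id, **self._execute(req)}
                self.repo.files[name[:-len(suffix)] + RESULT_SUFFIX] = encrypt(self.key, json.dumps(res).encode())
                del self.repo.files[name]
                handled += 1
        self.heartbeat(now)
        return handled

    def heartbeat(self, now: int) -> None:
        body = json.dumps({"terminal": self.terminal_id, "online_time": now}).encode()
        self.repo.files[ONLINE_PREFIX + self.terminal_id] = encrypt(self.key, body)


def run_exchange() -> dict:
    """One full round trip over constructed input; returns what each side observed."""
    key, repo = os.urandom(32), Repo()  # shared key assumed pre-provisioned out of band
    repo.files["README.md"] = b"# unrelated file, never decrypted"
    ctl, bot = ControlEnd(key, repo), ControlledTerminal("t1", key, repo)
    ctl.send("cmd", "whoami")
    ctl.send("screenshot")
    handled = bot.poll(now=1700000000)
    return {"handled": handled, "results": ctl.results(),
            "last_online": ctl.last_online("t1"), "untouched": repo.files["README.md"]}
```

Calling `run_exchange()` walks both sides through one round: two request drops go in, the terminal handles exactly those two (the unrelated README is never touched), two result drops and one heartbeat come back, and the control end reads the online time from the prefix-named file. The tag check in `decrypt` is the part a practitioner should not skip: with a plain stream cipher and no authentication, anyone who can write to the repository can flip bits in a request file and have the terminal act on it.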
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811477077.2A CN109587137B (en) | 2018-12-04 | 2018-12-04 | Method and device for escape C & C detection based on github |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811477077.2A CN109587137B (en) | 2018-12-04 | 2018-12-04 | Method and device for escape C & C detection based on github |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109587137A CN109587137A (en) | 2019-04-05 |
CN109587137B true CN109587137B (en) | 2021-06-29 |
Family
ID=65926168
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811477077.2A Active CN109587137B (en) | 2018-12-04 | 2018-12-04 | Method and device for escape C & C detection based on github |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109587137B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103678993A (en) * | 2013-11-26 | 2014-03-26 | 小米科技有限责任公司 | Method and device controlling terminal |
CN104486321A (en) * | 2014-12-11 | 2015-04-01 | 上海斐讯数据通信技术有限公司 | Web data interaction method and system and corresponding Web server |
CN104811444A (en) * | 2015-04-02 | 2015-07-29 | 谢杰涛 | Secure cloud control method and system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7634263B2 (en) * | 2006-01-30 | 2009-12-15 | Apple Inc. | Remote control of electronic devices |
Events
- 2018-12-04: CN201811477077.2A filed (CN), granted as CN109587137B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN109587137A (en) | 2019-04-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8837734B2 (en) | Managing encrypted data and encryption keys | |
US10574686B2 (en) | Security verification by message interception and modification | |
US7836121B2 (en) | Dynamic executable | |
US9867051B2 (en) | System and method of verifying integrity of software | |
US9973481B1 (en) | Envelope-based encryption method | |
US20200380170A1 (en) | Systems, methods, and devices for privacy-protecting data logging | |
US10033703B1 (en) | Pluggable cipher suite negotiation | |
KR100621420B1 (en) | Network connection system | |
JP4219965B2 (en) | One-time ID authentication | |
CN106790156B (en) | Intelligent device binding method and device | |
JP2002175010A (en) | Home page falsification preventing system | |
CN110704863A (en) | Configuration information processing method and device, computer equipment and storage medium | |
CN111538977B (en) | Cloud API key management method, cloud platform access method, cloud API key management device, cloud platform access device and server | |
CN112261012A (en) | Browser, server and webpage access method | |
US20150271170A1 (en) | Information processing apparatus, information processing system, information processing method, and recording medium | |
CN110958239B (en) | Method and device for verifying access request, storage medium and electronic device | |
CN110036615B (en) | Method, system and computer readable medium for communicating account authentication information via parameters | |
CN109587137B (en) | Method and device for escape C & C detection based on github | |
CN113703911A (en) | Virtual machine migration method, device, equipment and storage medium | |
US11082222B2 (en) | Secure data management | |
CN112953720A (en) | Network request processing method, device, equipment and storage medium | |
CN110881015B (en) | System and method for processing user information | |
KR100877593B1 (en) | The Security Method for Authentication which using of Random Password | |
CN113922974A (en) | Information processing method and system, front end, server and storage medium | |
KR20190114505A (en) | Single sign on service authentication method and system using token management demon |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||