This is an old revision of the document!

Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API

I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in Abusing X.509 Certificates for Covert Data Exchange ¹⁾ and the original link on the Fidelis Blog Whats missing is in front of us ²⁾

¹⁾

Dark Reading https://www.darkreading.com/attacks-breaches/abusing-x509-digital-certificates-for-covert-data-exchange/d/d-id/1330984?_mc=sm_dr&hootPostID=a10970e131beaf9b5a7ac86b0564b114

²⁾

https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities) and also on the Network Miner blog Examining a X.509 Covert Channel (( Network Miner blog post https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities