Sandworm: C2 over HTTP Emulation

Discover how Advanced Persistent Threat (APT) Actors such as Sandworm use Web application protocols to establish command and control with victim environments.

by Matthew Lloyd Davies

Get started

What you'll learn

During the 2022 Ukraine Electric Power Attack, the Sandworm Team deployed the Neo-REGEORG web shell on an internet-facing server. Web shells provide persistent remote access, facilitate privilege escalation, enable pivoting, and allow attackers to launch further attacks. They exploit various web vulnerabilities, including the use of dangerous PHP functions, inadequate user input sanitization, and the failure to implement file type allow listing. In the course Sandworm: C2 over HTTP Emulation, you will learn how advanced persistent threats (APTs) exploit these vulnerabilities to deploy web shells and gain full control of victim systems.

About the author

Matthew Lloyd Davies

Matt has a degree in Chemical engineering and a PhD in mathematical chemistry. He is also a GIAC certified incident handler and penetration tester and has regulated cyber security in the UK civil nuclear sector for many years.

More Courses by Matthew

Sandworm: C2 over HTTP Emulation

What you'll learn

Table of contents

Sandworm: T1572: Protocol Tunneling 4m 54s

Resources 42s

About the author