Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Feb. 13, 2025, 10:12 a.m.

Description

Pyramid, an open-source post-exploitation framework written in Python, is being used by threat actors in real intrusions. The tool ships with a lightweight HTTP/S server that delivers encrypted payloads and blends in with legitimate Python HTTP server traffic. This analysis examines Pyramid's server component, outlines network signatures for detecting it, and highlights recently identified servers. The infrastructure exhibits distinctive HTTP response patterns, which allow it to be found with structured detection queries rather than by IP or domain reputation alone. Nine IP addresses, listening on a range of ports, were identified matching the criteria; three of them were previously associated with RansomHub activity. The post emphasizes the importance of proactive detection strategies to counter adversaries who increasingly adopt open-source offensive security tools.
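The description above says Pyramid servers can be found through distinctive HTTP response patterns, but does not reproduce the signatures. The following is an added example, written for this page and not code from the Hunt.io post or from the Pyramid project, of how such a response fingerprint is applied to captured HTTP replies. It assumes two things that the page itself does not state: that the listener is built on Python's standard http.server and keeps its default Server header (which Python emits as "BaseHTTP/0.6 Python/3.x.y" or "SimpleHTTP/0.6 Python/3.x.y"), and that unauthenticated requests receive a 401 with a Basic authentication challenge. The sample responses are constructed for the example, not real scan data, and any real realm string or path used by the tool would have to be taken from its source.

```python
"""Added example: score raw HTTP responses against an assumed fingerprint for a
Python http.server based C2 listener. Not from the Hunt.io post or Pyramid.

Assumptions (not stated on the page):
  * Server header is the stock Python http.server one: "<BaseHTTP|SimpleHTTP>/0.6 Python/3.x.y"
  * Unauthenticated GET is answered with 401 + WWW-Authenticate: Basic ...
"""
import re
from dataclasses import dataclass

# Python's BaseHTTPRequestHandler builds the Server header from server_version
# ("BaseHTTP/0.6" or "SimpleHTTP/0.6" for the SimpleHTTP subclass) plus
# sys_version ("Python/" + interpreter version).
PYTHON_HTTPSERVER_RE = re.compile(r"^(BaseHTTP|SimpleHTTP)/0\.6 Python/3\.\d+(\.\d+)?\S*$")
BASIC_CHALLENGE_RE = re.compile(r'^Basic(\s+realm="[^"]*")?\s*$', re.IGNORECASE)


@dataclass
class HttpResponse:
    status: int
    headers: dict  # header names lower-cased

    @classmethod
    def parse(cls, raw: bytes) -> "HttpResponse":
        """Parse the status line and headers of a raw HTTP/1.x response."""
        head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        lines = head.split("\r\n")
        status = int(lines[0].split(" ", 2)[1])
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        return cls(status, headers)


def fingerprint(resp: HttpResponse):
    """Return (score, matched_rules) for one response.

    Each rule adds one point; a score of 2 means both assumed signals matched.
    Treat this as a hunting lead, not a verdict: plenty of benign Python
    servers also answer with a Basic challenge.
    """
    matched = []
    if PYTHON_HTTPSERVER_RE.match(resp.headers.get("server", "")):
        matched.append("python-http.server-banner")
    if resp.status == 401 and BASIC_CHALLENGE_RE.match(resp.headers.get("www-authenticate", "")):
        matched.append("401-basic-challenge")
    return len(matched), matched


def hunt(raw_responses):
    """Map each constructed (ip:port, raw response) pair to its score."""
    return {host: fingerprint(HttpResponse.parse(raw)) for host, raw in raw_responses}


# Constructed sample responses, not real scan output.
SAMPLES = [
    ("192.0.2.10:8443",
     b"HTTP/1.0 401 Unauthorized\r\n"
     b"Server: SimpleHTTP/0.6 Python/3.11.4\r\n"
     b"Date: Thu, 13 Feb 2025 09:03:00 GMT\r\n"
     b"WWW-Authenticate: Basic realm=\"example\"\r\n"
     b"Content-type: text/html\r\n\r\n"),
    ("192.0.2.20:80",
     b"HTTP/1.1 200 OK\r\n"
     b"Server: nginx/1.24.0\r\n"
     b"Content-Type: text/html\r\n\r\n<html></html>"),
    ("192.0.2.30:8000",
     b"HTTP/1.0 200 OK\r\n"
     b"Server: SimpleHTTP/0.6 Python/3.12.1\r\n"
     b"Content-type: text/html\r\n\r\n"),
]

if __name__ == "__main__":
    for host, (score, rules) in hunt(SAMPLES).items():
        print(f"{host:<18} score={score} {rules}")
```

Running the block scores the first constructed host 2 (both signals), the plain Python directory listing on port 8000 only 1, and the nginx host 0. In a real hunt the same scoring would be applied to banner data from a scanning platform, and the realm, paths and TLS details of the actual tool would be added as further rules.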

Date

  • Created: Feb. 13, 2025, 9:03 a.m.
  • Published: Feb. 13, 2025, 9:03 a.m.
  • Modified: Feb. 13, 2025, 10:12 a.m.

Attack Patterns

  • SpicyOmelette
  • Terra Loader
  • SKID
  • More_eggs - S0284
  • TA4557
  • T1021
  • T1573
  • T1105
  • T1071
  • T1102
  • T1219
  • T1132
  • T1190
  • T1133
  • T1090

Additional Information

  • Poland