I am writing these techniques based on my experience. Right now, the two techniques mentioned below are used to block advanced malicious links, followed by a note on UDP connections.
- SSL INSPECTION
- DNS sinkhole
- Use UDP connection
SSL inspection is a technique in which the perimeter device (firewall, web security device) decrypts all SSL/TLS connections and matches the inner web content, such as HTTP headers and HTML code, against its existing malware database.
How to check whether the environment uses SSL INSPECTION?
1. Load https://google.com, then click the lock icon at the top left side of the URL bar.
2. If the organization name shown under "ISSUED BY" in the SSL certificate is your organization's, SSL inspection is enabled on the firewall/web security devices.
If not, you are free to use an HTTPS connection with your malicious link; it would not get blocked.
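The manual "ISSUED BY" check above can be automated. The following script is an added example (not code from the original post): it opens a TLS connection to a host, reads the issuer field of the server certificate exactly as the browser lock icon shows it, and classifies the connection as inspected or direct. The organization name `INSPECTION_ORG`, the sample certificates and the host names are assumed placeholders, not values from the post.

```python
"""Report whether outbound TLS connections are being intercepted (SSL/TLS inspection).

Added example, not from the original post. The "Issued by" organization of the
server certificate is compared with the name the inspection appliance signs
with. INSPECTION_ORG is an assumed placeholder; replace it with your proxy CA's
organization name.
"""
import socket
import ssl

INSPECTION_ORG = "Example Corp Web Security"  # assumed placeholder, not a real CA

# Constructed sample certificates in the layout returned by getpeercert();
# they were not captured from real hosts.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Public CA Inc"),),
        (("commonName", "Public CA R3"),),
    ),
}
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", INSPECTION_ORG),),
        (("commonName", "Example Corp Proxy CA"),),
    ),
}


def issuer_fields(cert: dict) -> dict:
    """Flatten the nested issuer tuple from ssl.SSLSocket.getpeercert() into a dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            fields[name] = value
    return fields


def classify(cert: dict, inspection_org: str = INSPECTION_ORG) -> str:
    """Return 'inspected' when the issuer organization is the inspection CA,
    'direct' when a third-party CA issued the certificate, and 'unknown' when
    the certificate carries no issuer organization at all."""
    org = issuer_fields(cert).get("organizationName")
    if org is None:
        return "unknown"
    if org.strip().lower() == inspection_org.strip().lower():
        return "inspected"
    return "direct"


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the peer certificate as a dict.
    Verification stays on: an inspection CA that the OS trust store does not
    contain raises ssl.SSLCertVerificationError, which is itself a useful signal."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    cert = fetch_cert(host)  # network access needed for a live check
    print(host, "->", classify(cert), "| issued by:", issuer_fields(cert).get("organizationName"))
```

Run it against a few external hosts from inside the network; if every one comes back `inspected`, the appliance is decrypting traffic as intended, and a `direct` result for a host that should be covered points at a bypass rule or an exclusion list worth reviewing.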
If the malicious link is still being blocked by the firewall, check the system DNS.
If the system DNS uses a local IP address / in-house DNS server, replace it with global DNS servers like 126.96.36.199 or 188.8.131.52.
Once the DNS setting has been changed, flush the system's DNS cache with the command below in CMD.
Type "ipconfig /flushdns" and press Enter.
Mostly the malware databases do not contain details of newly registered domains; you use newly registered domains for exploitation purposes.
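The DNS change described above defeats a sinkhole because the sinkhole only answers for queries that reach the in-house resolver. The defensive counterpart is to alert on hosts that send DNS queries anywhere else. The following script is an added example (not code from the original post): it parses firewall log lines and lists every internal source that sends port-53 traffic to a resolver outside the corporate set. The log format, the resolver addresses and the log lines are all constructed for this example.

```python
"""Detect endpoints that bypass the in-house DNS resolver.

Added example, not from the original post. A DNS sinkhole only works for
queries that reach the corporate resolvers, so DNS traffic to any other
destination is the signal to alert on. CORPORATE_RESOLVERS, the log format and
SAMPLE_LOG are constructed placeholders.
"""
import re
from collections import defaultdict

CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed in-house resolvers

# Constructed firewall log lines (not captured from a real device):
# "<timestamp> src=<ip> dst=<ip> proto=<udp|tcp> dport=<port> action=<allow|deny>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=10.0.5.21 dst=10.0.0.53 proto=udp dport=53 action=allow
2024-05-01T09:00:02 src=10.0.5.21 dst=10.0.0.53 proto=udp dport=53 action=allow
2024-05-01T09:00:05 src=10.0.5.44 dst=203.0.113.9 proto=udp dport=53 action=allow
2024-05-01T09:00:06 src=10.0.5.44 dst=203.0.113.9 proto=tcp dport=53 action=allow
2024-05-01T09:00:07 src=10.0.5.44 dst=198.51.100.7 proto=udp dport=53 action=deny
2024-05-01T09:00:09 src=10.0.5.21 dst=93.184.216.34 proto=tcp dport=443 action=allow
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)
DNS_PORT = 53


def parse(log: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def find_resolver_bypass(log: str, resolvers=CORPORATE_RESOLVERS) -> dict:
    """Return {source_ip: [(destination, proto, action), ...]} for every DNS
    connection whose destination is not one of the corporate resolvers.
    Denied attempts are kept too: a host that tried is already misconfigured."""
    findings = defaultdict(list)
    for rec in parse(log):
        if rec["dport"] == DNS_PORT and rec["dst"] not in resolvers:
            findings[rec["src"]].append((rec["dst"], rec["proto"], rec["action"]))
    return dict(findings)


if __name__ == "__main__":
    for src, attempts in find_resolver_bypass(SAMPLE_LOG).items():
        print(f"{src}: DNS to non-corporate resolver(s)")
        for dst, proto, action in attempts:
            print(f"    -> {dst} ({proto}/53, {action})")
```

Pair the detection with a firewall rule that only allows outbound port 53 from the corporate resolvers themselves; the script then shows which hosts were already pointed elsewhere before the rule took effect, and it keeps flagging the ones that keep trying.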
Use UDP connection
Host a UDP connection / UDP tunnel service from the command and control servers to bypass old or not-upgraded security devices.
A reverse TCP connection is recommended to host a control server inside the organization.
Most social engineering tools use this technique to escape security checks.