EXECUTIVE SUMMARY:
Researchers have found that open-source offensive security tools such as Pyramid have significantly expanded the threat landscape defenders must cover. Pyramid, a Python-based post-exploitation framework, gives an operator the ability to stand up command-and-control (C2) infrastructure with minimal detection risk. Because it runs on the Python interpreter and loads its tooling in memory, its activity blends into legitimate Python usage on the host, which makes it an effective tool for post-exploitation operations. Although it was built for penetration testing, these same properties make Pyramid an attractive option for malicious actors conducting stealthy attacks, including remote access and lateral movement.
Pyramid uses a Python-based HTTPS server as its C2 endpoint for post-exploitation activity. The server delivers encrypted payloads and loads well-known Python tooling, such as BloodHound and LaZagne, directly into memory on the target, so the resulting actions run under the guise of a legitimate Python process and avoid leaving tool binaries on disk. Clients authenticate to the server with HTTP Basic authentication over HTTPS, and the server's responses expose several indicators a defender can key on: an unauthenticated request is answered with an HTTP 401 Unauthorized response carrying a Basic authentication challenge, the Server header identifies Python's built-in HTTP server (the BaseHTTP and Python/3 tokens), and the response body is JSON. Using these indicators together, defenders can write network detection signatures that identify Pyramid-based infrastructure in the wild. Preliminary scans for this combination have already surfaced several IP addresses linked to probable Pyramid servers, some of which overlap with infrastructure from earlier malicious campaigns.
By understanding Pyramid's distinctive network traffic patterns, defenders can create precise detection signatures that raise the chances of identifying related infrastructure early. These signatures, which focus on HTTP response headers, authentication challenges, and error messages, offer a proactive approach to threats that leverage open-source offensive tools. Such tools will continue to evolve and to grow in popularity among adversaries, so careful monitoring of network traffic and continual adaptation of detection strategies remain necessary.
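The indicator set above (401 status, Basic challenge, BaseHTTP/Python 3 Server header, JSON body) can be turned into a scoring check over raw HTTP responses. The following is an added example and is not code from the original report or from the Pyramid project; the threshold, the realm string, the JSON body and both sample responses are constructed for the example, and the exact body Pyramid returns is not specified on the page.

```python
"""Score a raw HTTP response against the Pyramid C2 indicators described
in the report.  Added example, not part of the original page or of the
Pyramid project.  Sample responses and the scoring threshold are
assumptions made for this example.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed policy: the 401 is mandatory, plus at least two more
        # indicators.  A Python/BaseHTTP Server header on its own is noisy
        # (every stock http.server instance sends it).
        return "status_401" in self.hits and self.score >= 3


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_parts = lines[0].split(" ", 2)
    if len(status_parts) < 2 or not status_parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    status = int(status_parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fingerprint(raw: bytes) -> Verdict:
    """Return which of the report's indicators a response matches."""
    status, headers, body = parse_response(raw)
    verdict = Verdict(score=0)

    if status == 401:
        verdict.hits.append("status_401")

    # Python's http.server sends e.g. "Server: BaseHTTP/0.6 Python/3.11.4".
    server = headers.get("server", "")
    if "BaseHTTP" in server:
        verdict.hits.append("server_basehttp")
    if "Python/3" in server:
        verdict.hits.append("server_python3")

    # RFC 7235: a 401 for Basic auth carries "WWW-Authenticate: Basic ...".
    if headers.get("www-authenticate", "").lower().startswith("basic"):
        verdict.hits.append("basic_challenge")

    # The page notes a JSON response body; check it actually parses.
    try:
        json.loads(body.decode("utf-8"))
        verdict.hits.append("json_body")
    except (ValueError, UnicodeDecodeError):
        pass

    verdict.score = len(verdict.hits)
    return verdict


# Constructed sample: what an unauthenticated probe of a Python http.server
# behind Basic auth would look like (realm and body are made up here).
SAMPLE_PYRAMID_LIKE = (
    b"HTTP/1.0 401 Unauthorized\r\n"
    b"Server: BaseHTTP/0.6 Python/3.10.12\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"WWW-Authenticate: Basic realm=\"example\"\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b"{\"error\": \"unauthorized\"}"
)

# Constructed sample: an ordinary reverse proxy refusing with a Bearer
# challenge and an HTML body; shares only the 401.
SAMPLE_BENIGN = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: nginx\r\n"
    b"WWW-Authenticate: Bearer realm=\"api\"\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>401</body></html>"
)


if __name__ == "__main__":
    for name, sample in (("pyramid-like", SAMPLE_PYRAMID_LIKE),
                         ("benign", SAMPLE_BENIGN)):
        v = fingerprint(sample)
        print(f"{name}: score={v.score} hits={v.hits} suspicious={v.suspicious}")
```

In practice the raw response would come from a TLS-wrapped GET against the candidate host; the score is deliberately conservative because the Server header alone also matches every development server built on Python's http.server, so a hit is a lead to triage, not a confirmed C2 node.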
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Reconnaissance | T1592 | Gather Victim Host Information |
| Resource Development | T1583 | Acquire Infrastructure |
| Initial Access | T1566 | Phishing |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1053 | Scheduled Task/Job |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1036 | Masquerading |
| Credential Access | T1555 | Credentials from Password Stores |
| Discovery | T1016 | System Network Configuration Discovery |
| Lateral Movement | T1021 | Remote Services |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1573 | Encrypted Channel |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-using-pyramid-pentesting-tool/