Mocksum – New Module
This version includes Mocksum, a new module that provides access to mock files. In a nutshell, these are harmless files that produce the same MD5 checksum as real malicious files. With Mocksum, blue teams can simulate and plant realistic artifacts during training sessions, without the risk of handling real malware.
Multiple possibilities and goals can be accomplished with mock files, such as:
- Using mock files as flags during training sessions: finding one lets the blue team know that a (simulated) malicious file has been discovered.
- Mastering log correlation and third-party threat intelligence
Mock files are MD5 hash collisions of real malware samples: they share the MD5 checksum of the sample they mimic while their content is harmless. By calculating their checksums, your blue team can find real information about the mimicked malware sample in different sources. This kind of practice lets the blue team master event investigation, get used to third-party threat intelligence services, and correlate in-house logs (e.g. from a centralized anti-malware solution).
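The drill described above, as an added example that is not part of the toolkit or this page: a script that hashes planted files, looks their MD5 up in an IOC watchlist, and joins the hits to anti-malware log events on the same MD5. The watchlist, the log format and the log lines are constructed for the example, and since no real colliding file is included, the collision is simulated by seeding the watchlist with the mock file's own MD5 under a hypothetical family name. The point the example adds is the verdict column: a Mocksum file matches the real sample on MD5 but not on SHA-256, so an MD5-only hit is exactly what a planted mock file looks like, and what a team should treat as "corroborate before escalating" in production.

```python
"""Hash-based IOC correlation drill for MD5-colliding mock files (added example)."""
import hashlib
import os
import re
import tempfile

# Constructed log format (hypothetical; adapt the regex to your own product's export):
#   <ts> host=<h> user=<u> action=<a> md5=<hex> path=<p>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)"
    r"\s+md5=(?P<md5>[0-9a-f]{32})\s+path=(?P<path>.+)$"
)


def hash_bytes(data: bytes) -> dict:
    """Return MD5 and SHA-256 of a byte string (MD5 is the digest mock files collide on)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path: str) -> dict:
    with open(path, "rb") as f:
        return hash_bytes(f.read())


def scan_directory(root: str, watchlist: dict) -> list:
    """Hash every file under root and look its MD5 up in the watchlist.

    watchlist maps md5 -> {"family": ..., "sha256": ...}, where sha256 is the digest of
    the real sample. A hit that also matches on SHA-256 is the real sample; an MD5-only
    hit is a collision, i.e. a mock file in a training session, and a "verify further"
    signal in production.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hash_file(path)
            entry = watchlist.get(h["md5"])
            if entry is None:
                continue
            verdict = "md5+sha256" if entry["sha256"] == h["sha256"] else "md5-only"
            hits.append({"path": path, "family": entry["family"], "verdict": verdict, **h})
    return hits


def correlate_av_log(lines, hits) -> list:
    """Join anti-malware log events to scan hits on MD5 to recover host/user/action context."""
    by_md5 = {h["md5"]: h for h in hits}
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hit = by_md5.get(m.group("md5"))
        if hit:
            events.append({**m.groupdict(), "family": hit["family"], "verdict": hit["verdict"]})
    return events


def demo():
    """Run the drill against constructed files, a constructed watchlist and constructed log lines."""
    mock = b"MOCK TRAINING ARTIFACT - harmless stand-in, constructed for this example\n"
    benign = b"quarterly report draft\n"
    mock_md5 = hash_bytes(mock)["md5"]
    # Simulated collision: the watchlist lists the mock's MD5 under a hypothetical family,
    # paired with a SHA-256 placeholder standing in for the real sample's digest.
    watchlist = {mock_md5: {"family": "Example.Trojan.Generic (hypothetical)", "sha256": "0" * 64}}
    log_lines = [  # constructed log lines
        f"2024-05-02T10:14:07Z host=ws-17 user=jdoe action=quarantine md5={mock_md5} "
        "path=C:\\Users\\jdoe\\Downloads\\invoice.exe",
        "2024-05-02T10:15:00Z host=ws-03 user=asmith action=allow md5=" + "f" * 32
        + " path=C:\\Temp\\setup.exe",
    ]
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "invoice.exe"), "wb") as f:
            f.write(mock)
        with open(os.path.join(root, "report.txt"), "wb") as f:
            f.write(benign)
        hits = scan_directory(root, watchlist)
    events = correlate_av_log(log_lines, hits)
    return hits, events


if __name__ == "__main__":
    found, joined = demo()
    for h in found:
        print(f"{h['verdict']:<11} {h['family']:<40} {h['path']}")
    for e in joined:
        print(f"{e['ts']} {e['host']} {e['user']} {e['action']} -> {e['family']} [{e['verdict']}]")
```

In a session with real Mocksum files, replace the constructed watchlist with lookups against your threat intelligence source and point the scanner at the directory where the artifacts were planted; the MD5-only verdict is the expected result for every mock file.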
Check out the BT3 user guide or the Blue Team Training Toolkit Video Series for practical examples.
You can also download the new version of the Blue Team Training Toolkit and test it for yourself!