Detecting Blue Team Research Through Targeted Ads

Conference: Defcon 26

Using Google AdWords for cybersecurity purposes
  • Google AdWords can be used to detect when someone is searching for a specific hash or file
  • Automating the process of pulling reports from Google AdWords can help with early detection of security breaches
  • Exposing information to Google and others is a risk that needs to be considered
  • Keyword matching on Google AdWords may be phased out in the next 12 months
The speaker posed as a malware blog about unusual file hashes and used Google AdWords to show ads to people searching for those hashes. By automating the process of pulling reports from Google AdWords, they were able to detect when someone was searching for a specific hash and switch their infrastructure over to avoid detection. However, they also emphasized the risk of exposing information to Google and others.
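The defensive side of this is that an analyst's public search for an indicator is itself a signal that can be observed. One way to make that exposure visible to the blue team is to scan its own web proxy logs for queries to public search engines that contain hash-like strings. The following is an added example written for this page, not code from the talk; the log format, the analyst usernames and the hashes are all constructed, and the set of search hosts is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines (timestamp, user, method, URL). Not real data.
SAMPLE_LOG = """\
2018-08-10T14:02:11Z analyst1 GET https://www.google.com/search?q=d41d8cd98f00b204e9800998ecf8427e
2018-08-10T14:03:40Z analyst2 GET https://www.bing.com/search?q=how+to+parse+pcap
2018-08-10T14:05:02Z analyst1 GET https://www.google.com/search?q=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855+malware
2018-08-10T14:06:15Z analyst3 GET https://intranet.example/wiki/triage
"""

# MD5 (32), SHA-1 (40) and SHA-256 (64) hex digests as whole tokens.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")

# Assumed list of public search engines whose query strings reach advertisers.
SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def extract_query(url):
    """Return the search terms of a public search-engine URL, or None."""
    parsed = urlparse(url)
    if parsed.hostname not in SEARCH_HOSTS:
        return None
    # parse_qs decodes '+' and percent-escapes, so the regex sees plain text.
    return " ".join(parse_qs(parsed.query).get("q", []))


def find_leaked_hashes(log_text):
    """Flag every public search whose terms contain a file hash."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crashing the scan
        timestamp, user, _method, url = parts[:4]
        query = extract_query(url)
        if not query:
            continue
        for digest in HASH_RE.findall(query):
            findings.append({
                "time": timestamp,
                "user": user,
                "host": urlparse(url).hostname,
                "hash": digest.lower(),
            })
    return findings


def hashes_by_user(findings):
    """Group leaked hashes per analyst for an OPSEC review."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["user"], set()).add(f["hash"])
    return grouped


if __name__ == "__main__":
    for f in find_leaked_hashes(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} searched {f['host']} for {f['hash']}")
```

Run against the constructed log this reports the two analyst1 searches and ignores the ordinary query and the intranet request. In practice the same check belongs in front of the search (a triage checklist or an internal hash lookup) rather than only in the logs afterwards.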
When my implant gets discovered, how will I know? Did the implant stop responding for some benign reason, or is the IR team responding? With any luck they'll upload the sample somewhere public so I can find it, but what if I can find out if they start looking for specific breadcrumbs in public data sources? At some point, without any internal data, all blue teams turn to OSINT, which puts their searches within view of the advertising industry. In this talk I will detail how I was able to use online advertising to detect when a blue team is hot on my trail.