Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Bypassing NextGen Security: Crazy C&C Channels
Search
TweekFawkes
October 10, 2017
Technology
0
620
Bypassing NextGen Security: Crazy C&C Channels
Bypassing Next-Gen Security w/ Crazy C&C Channels
TweekFawkes
October 10, 2017
Tweet
Share
More Decks by TweekFawkes
See All by TweekFawkes
Bypassing the Gatekeepers: LLM Enabled Techniques for Circumventing WAFs at Scale
tweekfawkes
0
87
Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn
tweekfawkes
0
180
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
tweekfawkes
0
4.2k
Level Up Your Lab Envs!
tweekfawkes
0
250
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
tweekfawkes
0
310
Mining Cloud Resources for Initial Access via Serverless Services
tweekfawkes
0
170
Serverless and Dys-FUNctional Cloud Red Teaming
tweekfawkes
1
200
The Future?!
tweekfawkes
0
180
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
1.3k
Other Decks in Technology
See All in Technology
DataOpsNight#8_Terragruntを用いたスケーラブルなSnowflakeインフラ管理
roki18d
1
330
バイブコーディングと継続的デプロイメント
nwiizo
2
410
BirdCLEF+2025 Noir 5位解法紹介
myso
0
190
成長自己責任時代のあるきかた/How to navigate the era of personal responsibility for growth
kwappa
3
260
Escaping_the_Kraken_-_October_2025.pdf
mdalmijn
0
120
定期的な価値提供だけじゃない、スクラムが導くチームの共創化 / 20251004 Naoki Takahashi
shift_evolve
PRO
3
300
Green Tea Garbage Collector の今
zchee
PRO
2
390
生成AIで「お客様の声」を ストーリーに変える 新潮流「Generative ETL」
ishikawa_satoru
1
300
「Verify with Wallet API」を アプリに導入するために
hinakko
1
230
Goに育てられ開発者向けセキュリティ事業を立ち上げた僕が今向き合う、AI × セキュリティの最前線 / Go Conference 2025
flatt_security
0
350
KAGのLT会 #8 - 東京リージョンでGAしたAmazon Q in QuickSightを使って、報告用の資料を作ってみた
0air
0
200
GopherCon Tour 概略
logica0419
2
180
Featured
See All Featured
A better future with KSS
kneath
239
17k
Statistics for Hackers
jakevdp
799
220k
4 Signs Your Business is Dying
shpigford
185
22k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Why Our Code Smells
bkeepers
PRO
339
57k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
54
3k
Mobile First: as difficult as doing things right
swwweet
224
10k
Context Engineering - Making Every Token Count
addyosmani
5
180
Become a Pro
speakerdeck
PRO
29
5.5k
Done Done
chrislema
185
16k
Transcript
Crazy c2 Channels Bypassing Next-Gen Security w/ Crazy C&C Channels
Wolf Pack! Looking for 0days and malware! @DavidThurm @DavidThurm THANKS!
Bryce Kunz - Cloud Exploitation Expert AWS, Azure, Docker, K8s,
DC/OS, Mesos, etc… & Red Team Lead Whois Bryce Kunz @TweekFawkes DHS NSA Cloud
Last-Gen
The Network Malware
The Goal Malware C2
Blocks: - IP Addresses - Ports Firewall 123.123.123.123 80/TCP -
Execute Commands Malware Firewall Connect Back
Layers Any IoT Web Service: - Serverless Services - AWS
Lambda, etc... - MQTTS, etc... IP Address Port 1.1.1.1 443
Web Proxy Blocks: - Domain Names - BlackList - Reputation
Based - Attacker’s Buy Good Rep Domains bad.guy.com - Execute Commands Connect Back Malware Web Proxy
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port 1.1.1.1 443 Domain name example.com
IPS Blocks: - Signatures (e.g. strings) - Previously Known Bad
“root#” - Execute Commands Connect Back Malware IPS
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP <msg>c2</msg> Domain name example.com
Malware Analysis Blocks: - Files (in Transit) - Runs Files
in Sandbox bad.guy.com - Execute Commands Connect Back Malware AMP
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP Files Domain name example.com
Transaction Logging Enables: - Logging of Traffic MetaData - Aggregation
of MetaData (e.g. into Splunk) - Anomalies (e.g. rare Certificates) “root#” - Execute Commands Connect Back Malware BroIDS
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
TLS/SSL Decryption Enables: - Inspection of TLS/SSL Traffic - Ability
to inspect encrypted traffic “root#” - Execute Commands Connect Back Malware Web Proxy
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
Next-Gen
Next-Gen Firewalls Features: - Application Awareness - Allow Only web-browsing
bad.guy.com - Execute Commands Connect Back Malware Next-Gen Firewall
MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 msfconsole - Execute Commands
Connect Back Windows Target Next-Gen Firewall
MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 Denied! msfconsole - Execute
Commands Connect Back Windows Target Next-Gen Firewall
Koadic w/ RegSvr Stager Koadic 0x8 - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Koadic w/ RegSvr Stager Denied!
Koadic Koadic 0x8 - Execute Commands Connect Back Windows Target
Next-Gen Firewall
Koadic Next-Gen Firewall Bypassed! Allowed!
Empire Empire v2.1 - Execute Commands Connect Back Windows Target
Next-Gen Firewall
Empire Denied! Empire v2.1 - Execute Commands Connect Back Windows
Target Next-Gen Firewall
Empire
Empire Defaults
“not” Empire Mod
Empire With Modified URIs - /totes/not/bad.php Empire v2.1 - Execute
Commands Connect Back Windows Target Next-Gen Firewall
With Modified URIs - /totes/not/bad.php Allowed! Empire Next-Gen Firewall Bypassed!
Pupy Out of the box... pupy - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Allowed! Pupy Next-Gen Firewall Bypassed!
WebDavC2 Out of the box... WebDavC2 - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Allowed! WebDavC2 Next-Gen Firewall Bypassed!
OverAll Next-Gen Rating: Next-Gen Firewall Bypassed! Meterpreter Koadic Empire Pupy
50% ? WebDav2
Crazy C2 #1
TwitterSphere ...
Survey Says! ...
Breakdown c2 via Twitter (so meta!)
Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego=
Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego= Base64 Encoded
CyberChef
Decode Base64 Decoded: cmd=powershell -nop -noni -w 1 -c Write-Host
looooooolz
Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz cmd=
-> c2 protocol
C2 Logic if command == “cmd=”: (execute the command)
Multiple Commands if command == “cmd=”: (execute the command) elif
command == “download=”: (download a file)
Sleep if command == “cmd=”: (execute the command) elif command
== “download=”: (download a file) else: (sleep...)
Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz powershell
-> exe
No Profile cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-nop -> no profile
Non Interactive cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-noni -> non interactive
Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-w 1 -> non interactive
Ps Command cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz
Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz
Design c2 via Twitter (so meta!) Twitter Operations 3) Execute
Commands 2) Read Tweet 1) Post Tweet Target Next-Gen Firewall
Open Source GitHub: Twittor Invoke-TwitterBot (needs update; uses deprecated api)
Espionage Equivalent C2 via the Plurk Social Network (Chinese Version
of Twitter?) “Elirks” Malware
Crazy C2 #2
Design c2 via Gmail Gmail Gdog - Execute Commands 2)
Read Em ail 1) Post Email Gdog Next-Gen Firewall
Open Source GitHub: Gdog Gcat (older version, no longer maintained
)
Espionage C2 via the Gmail Gcat (Older version) used by
allegedly Russian cyber threat actors
Crazy C2 #3
TwitterSphere ...
Survey Says! ...
Espionage C2 via Instagram Allegedly Russian cyber threat actors
c2 via Instagram Design Instagram Operator - Execute Commands Read
Com m ent Post Comment Malware Next-Gen Firewall LP Bit.Ly/.... Evil.com 302
So Many Options
Very Well Known Options So Bored! - TCP -> Back
Orifice, everything... - UDP -> Donald D…, everything... - HTTP -> everything... - HTTPS -> everything.... - DNS -> DnsCat2, many... - Domain Fronting -> latest trend, many….
Matrix Of The Known Interesting Any IoT Web Service: -
Serverless Services - AWS Lambda, etc... - MQTTS, etc... IoT Web Service Read / W rite Malware Next-Gen Firewall
Trends: APIs/REST Anything Web with an API/REST: - Slack ->
“SlackShell” - Discord -> “Dyper” - Telegram -> “RATAttack” Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall
Trends: Web* Anything Web with a Twist: - WebDav ->
“WebDavC2” - WebSockets -> “ZombieWeb” - QUIC, HTTP/2 -> “H1-QUIC”, etc... Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
The New New
C2 Over... - AWS Lambda, Google Cloud Functions, etc… -
Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers Serverless Prediction #1
Exfil Over... - IFTTT, Zapier, Cloud Elements, etc… - Wash
Connections through 3rd party web services… (less focus than tor) - Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers WebHooks Prediction #2
IoT Prediction #3 C2 Over... - APIs, MQTTS, SQS, etc…
- Blend in with Comms to Web Services & Message Queues
Conclusion
Conclusion Trusted Web Services… - are currently being (ab)used for
c2 - And will increasingly be (ab)used for c2 to bypass security devices
Conclusion We need next-gen network technologies that will…. - Parse
and Log web services/api/rest requests - Retrospective Analysis, etc… - Send to Central Logging Systems (e.g. splunk)
Conclusion Once parsed and logged, we need systems to... -
Analyze requests for anomalies (ML?) - Who sends base64 messages over twitter other than a bot?
March 16th Sandy, Utah BSidesSLC Bryce Kunz @TweekFawkes s2.fyi NSA
Cloud
End Bryce Kunz @TweekFawkes