Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Bypassing NextGen Security: Crazy C&C Channels
Search
TweekFawkes
October 10, 2017
Technology
0
530
Bypassing NextGen Security: Crazy C&C Channels
Bypassing Next-Gen Security w/ Crazy C&C Channels
TweekFawkes
October 10, 2017
Tweet
Share
More Decks by TweekFawkes
See All by TweekFawkes
Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn
tweekfawkes
0
75
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
tweekfawkes
0
3.4k
Level Up Your Lab Envs!
tweekfawkes
0
180
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
tweekfawkes
0
210
Mining Cloud Resources for Initial Access via Serverless Services
tweekfawkes
0
110
Serverless and Dys-FUNctional Cloud Red Teaming
tweekfawkes
1
160
The Future?!
tweekfawkes
0
140
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
1k
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
0
220
Other Decks in Technology
See All in Technology
AWS を使う上で知っておきたいオンプレミス知識/aws-on-premise-essentials
emiki
1
4.2k
**強い**エンジニアのなり方 - フィードバックサイクルを勝ち取る / grow one day each day
soudai
60
17k
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
110
Postman v10リリース後を振り返る
nagix
0
130
オブザーバビリティの Primary Signals
onk
PRO
0
540
Tebiki株式会社 エンジニア採用資料
tebiki
0
4.1k
HEXA OSINT CTF V3 作戦会議
meow_noisy
0
110
2024/4/26 コンピュータ歴史博物館解説告知
toshi_atsumi
0
200
Databricks における 『MLOps』
databricksjapan
2
130
SREとその組織類型
tatsuo48
8
1.5k
WebアプリケーションにおけるPDOの使い方入門 / phpcon odawara 2024
meihei3
2
430
Four keys改善の取り組み事例紹介
sansantech
PRO
3
230
Featured
See All Featured
For a Future-Friendly Web
brad_frost
171
8.9k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
273
13k
Clear Off the Table
cherdarchuk
83
310k
Making Projects Easy
brettharned
108
5.5k
A Philosophy of Restraint
colly
196
16k
How to train your dragon (web standard)
notwaldorf
72
5.1k
A Tale of Four Properties
chriscoyier
150
22k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
1.3k
The Brand Is Dead. Long Live the Brand.
mthomps
48
28k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Testing 201, or: Great Expectations
jmmastey
27
6.3k
Transcript
Crazy c2 Channels Bypassing Next-Gen Security w/ Crazy C&C Channels
Wolf Pack! Looking for 0days and malware! @DavidThurm @DavidThurm THANKS!
Bryce Kunz - Cloud Exploitation Expert AWS, Azure, Docker, K8s,
DC/OS, Mesos, etc… & Red Team Lead Whois Bryce Kunz @TweekFawkes DHS NSA Cloud
Last-Gen
The Network Malware
The Goal Malware C2
Blocks: - IP Addresses - Ports Firewall 123.123.123.123 80/TCP -
Execute Commands Malware Firewall Connect Back
Layers Any IoT Web Service: - Serverless Services - AWS
Lambda, etc... - MQTTS, etc... IP Address Port 1.1.1.1 443
Web Proxy Blocks: - Domain Names - BlackList - Reputation
Based - Attacker’s Buy Good Rep Domains bad.guy.com - Execute Commands Connect Back Malware Web Proxy
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port 1.1.1.1 443 Domain name example.com
IPS Blocks: - Signatures (e.g. strings) - Previously Known Bad
“root#” - Execute Commands Connect Back Malware IPS
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP <msg>c2</msg> Domain name example.com
Malware Analysis Blocks: - Files (in Transit) - Runs Files
in Sandbox bad.guy.com - Execute Commands Connect Back Malware AMP
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP Files Domain name example.com
Transaction Logging Enables: - Logging of Traffic MetaData - Aggregation
of MetaData (e.g. into Splunk) - Anomalies (e.g. rare Certificates) “root#” - Execute Commands Connect Back Malware BroIDS
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
TLS/SSL Decryption Enables: - Inspection of TLS/SSL Traffic - Ability
to inspect encrypted traffic “root#” - Execute Commands Connect Back Malware Web Proxy
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
Next-Gen
Next-Gen Firewalls Features: - Application Awareness - Allow Only web-browsing
bad.guy.com - Execute Commands Connect Back Malware Next-Gen Firewall
MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 msfconsole - Execute Commands
Connect Back Windows Target Next-Gen Firewall
MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 Denied! msfconsole - Execute
Commands Connect Back Windows Target Next-Gen Firewall
Koadic w/ RegSvr Stager Koadic 0x8 - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Koadic w/ RegSvr Stager Denied!
Koadic Koadic 0x8 - Execute Commands Connect Back Windows Target
Next-Gen Firewall
Koadic Next-Gen Firewall Bypassed! Allowed!
Empire Empire v2.1 - Execute Commands Connect Back Windows Target
Next-Gen Firewall
Empire Denied! Empire v2.1 - Execute Commands Connect Back Windows
Target Next-Gen Firewall
Empire
Empire Defaults
“not” Empire Mod
Empire With Modified URIs - /totes/not/bad.php Empire v2.1 - Execute
Commands Connect Back Windows Target Next-Gen Firewall
With Modified URIs - /totes/not/bad.php Allowed! Empire Next-Gen Firewall Bypassed!
Pupy Out of the box... pupy - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Allowed! Pupy Next-Gen Firewall Bypassed!
WebDavC2 Out of the box... WebDavC2 - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Allowed! WebDavC2 Next-Gen Firewall Bypassed!
OverAll Next-Gen Rating: Next-Gen Firewall Bypassed! Meterpreter Koadic Empire Pupy
50% ? WebDav2
Crazy C2 #1
TwitterSphere ...
Survey Says! ...
Breakdown c2 via Twitter (so meta!)
Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego=
Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego= Base64 Encoded
CyberChef
Decode Base64 Decoded: cmd=powershell -nop -noni -w 1 -c Write-Host
looooooolz
Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz cmd=
-> c2 protocol
C2 Logic if command == “cmd=”: (execute the command)
Multiple Commands if command == “cmd=”: (execute the command) elif
command == “download=”: (download a file)
Sleep if command == “cmd=”: (execute the command) elif command
== “download=”: (download a file) else: (sleep...)
Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz powershell
-> exe
No Profile cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-nop -> no profile
Non Interactive cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-noni -> non interactive
Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-w 1 -> non interactive
Ps Command cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz
Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz
Design c2 via Twitter (so meta!) Twitter Operations 3) Execute
Commands 2) Read Tweet 1) Post Tweet Target Next-Gen Firewall
Open Source GitHub: Twittor Invoke-TwitterBot (needs update; uses deprecated api)
Espionage Equivalent C2 via the Plurk Social Network (Chinese Version
of Twitter?) “Elirks” Malware
Crazy C2 #2
Design c2 via Gmail Gmail Gdog - Execute Commands 2)
Read Em ail 1) Post Email Gdog Next-Gen Firewall
Open Source GitHub: Gdog Gcat (older version, no longer maintained
)
Espionage C2 via the Gmail Gcat (Older version) used by
allegedly Russian cyber threat actors
Crazy C2 #3
TwitterSphere ...
Survey Says! ...
Espionage C2 via Instagram Allegedly Russian cyber threat actors
c2 via Instagram Design Instagram Operator - Execute Commands Read
Com m ent Post Comment Malware Next-Gen Firewall LP Bit.Ly/.... Evil.com 302
So Many Options
Very Well Known Options So Bored! - TCP -> Back
Orifice, everything... - UDP -> Donald D…, everything... - HTTP -> everything... - HTTPS -> everything.... - DNS -> DnsCat2, many... - Domain Fronting -> latest trend, many….
Matrix Of The Known Interesting Any IoT Web Service: -
Serverless Services - AWS Lambda, etc... - MQTTS, etc... IoT Web Service Read / W rite Malware Next-Gen Firewall
Trends: APIs/REST Anything Web with an API/REST: - Slack ->
“SlackShell” - Discord -> “Dyper” - Telegram -> “RATAttack” Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall
Trends: Web* Anything Web with a Twist: - WebDav ->
“WebDavC2” - WebSockets -> “ZombieWeb” - QUIC, HTTP/2 -> “H1-QUIC”, etc... Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
The New New
C2 Over... - AWS Lambda, Google Cloud Functions, etc… -
Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers Serverless Prediction #1
Exfil Over... - IFTTT, Zapier, Cloud Elements, etc… - Wash
Connections through 3rd party web services… (less focus than tor) - Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers WebHooks Prediction #2
IoT Prediction #3 C2 Over... - APIs, MQTTS, SQS, etc…
- Blend in with Comms to Web Services & Message Queues
Conclusion
Conclusion Trusted Web Services… - are currently being (ab)used for
c2 - And will increasingly be (ab)used for c2 to bypass security devices
Conclusion We need next-gen network technologies that will…. - Parse
and Log web services/api/rest requests - Retrospective Analysis, etc… - Send to Central Logging Systems (e.g. splunk)
Conclusion Once parsed and logged, we need systems to... -
Analyze requests for anomalies (ML?) - Who sends base64 messages over twitter other than a bot?
March 16th Sandy, Utah BSidesSLC Bryce Kunz @TweekFawkes s2.fyi NSA
Cloud
End Bryce Kunz @TweekFawkes