Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Bypassing NextGen Security: Crazy C&C Channels
Search
TweekFawkes
October 10, 2017
Technology
0
580
Bypassing NextGen Security: Crazy C&C Channels
Bypassing Next-Gen Security w/ Crazy C&C Channels
TweekFawkes
October 10, 2017
Tweet
Share
More Decks by TweekFawkes
See All by TweekFawkes
Bypassing the Gatekeepers: LLM Enabled Techniques for Circumventing WAFs at Scale
tweekfawkes
0
41
Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn
tweekfawkes
0
140
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
tweekfawkes
0
4k
Level Up Your Lab Envs!
tweekfawkes
0
220
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
tweekfawkes
0
270
Mining Cloud Resources for Initial Access via Serverless Services
tweekfawkes
0
140
Serverless and Dys-FUNctional Cloud Red Teaming
tweekfawkes
1
180
The Future?!
tweekfawkes
0
160
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
1.2k
Other Decks in Technology
See All in Technology
2025/3/1 公共交通オープンデータデイ2025
morohoshi
0
100
データエンジニアリング領域におけるDuckDBのユースケース
chanyou0311
9
2.4k
開発者のための FinOps/FinOps for Engineers
oracle4engineer
PRO
2
180
AWSではじめる Web APIテスト実践ガイド / A practical guide to testing Web APIs on AWS
yokawasa
8
750
あなたが人生で成功するための5つの普遍的法則 #jawsug #jawsdays2025 / 20250301 HEROZ
yoshidashingo
2
320
Snowflakeの開発・運用コストをApache Icebergで効率化しよう!~機能と活用例のご紹介~
sagara
1
500
IAMのマニアックな話2025
nrinetcom
PRO
6
1.3k
どちらかだけじゃもったいないかも? ECSとEKSを適材適所で併用するメリット、運用課題とそれらの対応について
tk3fftk
2
220
フォーイット_エンジニア向け会社紹介資料_Forit_Company_Profile.pdf
forit_tech
1
1.7k
Visualize, Visualize, Visualize and rclone
tomoaki0705
9
83k
AWSを活用したIoTにおけるセキュリティ対策のご紹介
kwskyk
0
410
MIMEと文字コードの闇
hirachan
2
1.4k
Featured
See All Featured
Adopting Sorbet at Scale
ufuk
74
9.2k
Rails Girls Zürich Keynote
gr2m
94
13k
Raft: Consensus for Rubyists
vanstee
137
6.8k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
193
16k
Building Applications with DynamoDB
mza
93
6.2k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3k
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.2k
YesSQL, Process and Tooling at Scale
rocio
172
14k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
650
KATA
mclloyd
29
14k
The Pragmatic Product Professional
lauravandoore
32
6.4k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Transcript
Crazy c2 Channels Bypassing Next-Gen Security w/ Crazy C&C Channels
Wolf Pack! Looking for 0days and malware! @DavidThurm @DavidThurm THANKS!
Bryce Kunz - Cloud Exploitation Expert AWS, Azure, Docker, K8s,
DC/OS, Mesos, etc… & Red Team Lead Whois Bryce Kunz @TweekFawkes DHS NSA Cloud
Last-Gen
The Network Malware
The Goal Malware C2
Blocks: - IP Addresses - Ports Firewall 123.123.123.123 80/TCP -
Execute Commands Malware Firewall Connect Back
Layers Any IoT Web Service: - Serverless Services - AWS
Lambda, etc... - MQTTS, etc... IP Address Port 1.1.1.1 443
Web Proxy Blocks: - Domain Names - BlackList - Reputation
Based - Attacker’s Buy Good Rep Domains bad.guy.com - Execute Commands Connect Back Malware Web Proxy
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port 1.1.1.1 443 Domain name example.com
IPS Blocks: - Signatures (e.g. strings) - Previously Known Bad
“root#” - Execute Commands Connect Back Malware IPS
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP <msg>c2</msg> Domain name example.com
Malware Analysis Blocks: - Files (in Transit) - Runs Files
in Sandbox bad.guy.com - Execute Commands Connect Back Malware AMP
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP Files Domain name example.com
Transaction Logging Enables: - Logging of Traffic MetaData - Aggregation
of MetaData (e.g. into Splunk) - Anomalies (e.g. rare Certificates) “root#” - Execute Commands Connect Back Malware BroIDS
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
TLS/SSL Decryption Enables: - Inspection of TLS/SSL Traffic - Ability
to inspect encrypted traffic “root#” - Execute Commands Connect Back Malware Web Proxy
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
Next-Gen
Next-Gen Firewalls Features: - Application Awareness - Allow Only web-browsing
bad.guy.com - Execute Commands Connect Back Malware Next-Gen Firewall
MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 msfconsole - Execute Commands
Connect Back Windows Target Next-Gen Firewall
MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 Denied! msfconsole - Execute
Commands Connect Back Windows Target Next-Gen Firewall
Koadic w/ RegSvr Stager Koadic 0x8 - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Koadic w/ RegSvr Stager Denied!
Koadic Koadic 0x8 - Execute Commands Connect Back Windows Target
Next-Gen Firewall
Koadic Next-Gen Firewall Bypassed! Allowed!
Empire Empire v2.1 - Execute Commands Connect Back Windows Target
Next-Gen Firewall
Empire Denied! Empire v2.1 - Execute Commands Connect Back Windows
Target Next-Gen Firewall
Empire
Empire Defaults
“not” Empire Mod
Empire With Modified URIs - /totes/not/bad.php Empire v2.1 - Execute
Commands Connect Back Windows Target Next-Gen Firewall
With Modified URIs - /totes/not/bad.php Allowed! Empire Next-Gen Firewall Bypassed!
Pupy Out of the box... pupy - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Allowed! Pupy Next-Gen Firewall Bypassed!
WebDavC2 Out of the box... WebDavC2 - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Allowed! WebDavC2 Next-Gen Firewall Bypassed!
OverAll Next-Gen Rating: Next-Gen Firewall Bypassed! Meterpreter Koadic Empire Pupy
50% ? WebDav2
Crazy C2 #1
TwitterSphere ...
Survey Says! ...
Breakdown c2 via Twitter (so meta!)
Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego=
Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego= Base64 Encoded
CyberChef
Decode Base64 Decoded: cmd=powershell -nop -noni -w 1 -c Write-Host
looooooolz
Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz cmd=
-> c2 protocol
C2 Logic if command == “cmd=”: (execute the command)
Multiple Commands if command == “cmd=”: (execute the command) elif
command == “download=”: (download a file)
Sleep if command == “cmd=”: (execute the command) elif command
== “download=”: (download a file) else: (sleep...)
Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz powershell
-> exe
No Profile cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-nop -> no profile
Non Interactive cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-noni -> non interactive
Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-w 1 -> non interactive
Ps Command cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz
Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz
Design c2 via Twitter (so meta!) Twitter Operations 3) Execute
Commands 2) Read Tweet 1) Post Tweet Target Next-Gen Firewall
Open Source GitHub: Twittor Invoke-TwitterBot (needs update; uses deprecated api)
Espionage Equivalent C2 via the Plurk Social Network (Chinese Version
of Twitter?) “Elirks” Malware
Crazy C2 #2
Design c2 via Gmail Gmail Gdog - Execute Commands 2)
Read Em ail 1) Post Email Gdog Next-Gen Firewall
Open Source GitHub: Gdog Gcat (older version, no longer maintained
)
Espionage C2 via the Gmail Gcat (Older version) used by
allegedly Russian cyber threat actors
Crazy C2 #3
TwitterSphere ...
Survey Says! ...
Espionage C2 via Instagram Allegedly Russian cyber threat actors
c2 via Instagram Design Instagram Operator - Execute Commands Read
Com m ent Post Comment Malware Next-Gen Firewall LP Bit.Ly/.... Evil.com 302
So Many Options
Very Well Known Options So Bored! - TCP -> Back
Orifice, everything... - UDP -> Donald D…, everything... - HTTP -> everything... - HTTPS -> everything.... - DNS -> DnsCat2, many... - Domain Fronting -> latest trend, many….
Matrix Of The Known Interesting Any IoT Web Service: -
Serverless Services - AWS Lambda, etc... - MQTTS, etc... IoT Web Service Read / W rite Malware Next-Gen Firewall
Trends: APIs/REST Anything Web with an API/REST: - Slack ->
“SlackShell” - Discord -> “Dyper” - Telegram -> “RATAttack” Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall
Trends: Web* Anything Web with a Twist: - WebDav ->
“WebDavC2” - WebSockets -> “ZombieWeb” - QUIC, HTTP/2 -> “H1-QUIC”, etc... Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
The New New
C2 Over... - AWS Lambda, Google Cloud Functions, etc… -
Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers Serverless Prediction #1
Exfil Over... - IFTTT, Zapier, Cloud Elements, etc… - Wash
Connections through 3rd party web services… (less focus than tor) - Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers WebHooks Prediction #2
IoT Prediction #3 C2 Over... - APIs, MQTTS, SQS, etc…
- Blend in with Comms to Web Services & Message Queues
Conclusion
Conclusion Trusted Web Services… - are currently being (ab)used for
c2 - And will increasingly be (ab)used for c2 to bypass security devices
Conclusion We need next-gen network technologies that will…. - Parse
and Log web services/api/rest requests - Retrospective Analysis, etc… - Send to Central Logging Systems (e.g. splunk)
Conclusion Once parsed and logged, we need systems to... -
Analyze requests for anomalies (ML?) - Who sends base64 messages over twitter other than a bot?
March 16th Sandy, Utah BSidesSLC Bryce Kunz @TweekFawkes s2.fyi NSA
Cloud
End Bryce Kunz @TweekFawkes