Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Bypassing NextGen Security: Crazy C&C Channels
Search
TweekFawkes
October 10, 2017
Technology
0
580
Bypassing NextGen Security: Crazy C&C Channels
Bypassing Next-Gen Security w/ Crazy C&C Channels
TweekFawkes
October 10, 2017
Tweet
Share
More Decks by TweekFawkes
See All by TweekFawkes
Bypassing the Gatekeepers: LLM Enabled Techniques for Circumventing WAFs at Scale
tweekfawkes
0
41
Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn
tweekfawkes
0
150
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
tweekfawkes
0
4k
Level Up Your Lab Envs!
tweekfawkes
0
220
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
tweekfawkes
0
270
Mining Cloud Resources for Initial Access via Serverless Services
tweekfawkes
0
140
Serverless and Dys-FUNctional Cloud Red Teaming
tweekfawkes
1
190
The Future?!
tweekfawkes
0
160
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
1.2k
Other Decks in Technology
See All in Technology
ExaDB-XSで利用されているExadata Exascaleについて
oracle4engineer
PRO
3
300
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
3
540
大規模アジャイルフレームワークから学ぶエンジニアマネジメントの本質
staka121
PRO
3
1.6k
Cracking the Coding Interview 6th Edition
gdplabs
14
28k
プロダクト開発者目線での Entra ID 活用
sansantech
PRO
0
120
プルリクエストレビューを終わらせるためのチーム体制 / The Team for Completing Pull Request Reviews
nekonenene
3
1.1k
マルチアカウント環境における組織ポリシーについて まとめてみる
nrinetcom
PRO
2
110
LayerXにおけるAI活用事例とその裏側(2025年2月) バクラクの目指す “業務の自動運転” の例 / layerx-ai-deim2025
yuya4
1
540
DevinでAI AWSエンジニア製造計画 序章 〜CDKを添えて〜/devin-load-to-aws-engineer
tomoki10
0
210
ディスプレイ広告(Yahoo!広告・LINE広告)におけるバックエンド開発
lycorptech_jp
PRO
0
580
MLflowはどのようにLLMOpsの課題を解決するのか
taka_aki
0
130
RaspberryPi CM4(CM5も)面白いぞ!
nonnoise
0
100
Featured
See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
348
20k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.3k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
Agile that works and the tools we love
rasmusluckow
328
21k
Making the Leap to Tech Lead
cromwellryan
133
9.1k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2.1k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Faster Mobile Websites
deanohume
306
31k
It's Worth the Effort
3n
184
28k
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.2k
Site-Speed That Sticks
csswizardry
4
420
Transcript
Crazy c2 Channels Bypassing Next-Gen Security w/ Crazy C&C Channels
Wolf Pack! Looking for 0days and malware! @DavidThurm @DavidThurm THANKS!
Bryce Kunz - Cloud Exploitation Expert AWS, Azure, Docker, K8s,
DC/OS, Mesos, etc… & Red Team Lead Whois Bryce Kunz @TweekFawkes DHS NSA Cloud
Last-Gen
The Network Malware
The Goal Malware C2
Blocks: - IP Addresses - Ports Firewall 123.123.123.123 80/TCP -
Execute Commands Malware Firewall Connect Back
Layers Any IoT Web Service: - Serverless Services - AWS
Lambda, etc... - MQTTS, etc... IP Address Port 1.1.1.1 443
Web Proxy Blocks: - Domain Names - BlackList - Reputation
Based - Attacker’s Buy Good Rep Domains bad.guy.com - Execute Commands Connect Back Malware Web Proxy
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port 1.1.1.1 443 Domain name example.com
IPS Blocks: - Signatures (e.g. strings) - Previously Known Bad
“root#” - Execute Commands Connect Back Malware IPS
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP <msg>c2</msg> Domain name example.com
Malware Analysis Blocks: - Files (in Transit) - Runs Files
in Sandbox bad.guy.com - Execute Commands Connect Back Malware AMP
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP Files Domain name example.com
Transaction Logging Enables: - Logging of Traffic MetaData - Aggregation
of MetaData (e.g. into Splunk) - Anomalies (e.g. rare Certificates) “root#” - Execute Commands Connect Back Malware BroIDS
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
TLS/SSL Decryption Enables: - Inspection of TLS/SSL Traffic - Ability
to inspect encrypted traffic “root#” - Execute Commands Connect Back Malware Web Proxy
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
Next-Gen
Next-Gen Firewalls Features: - Application Awareness - Allow Only web-browsing
bad.guy.com - Execute Commands Connect Back Malware Next-Gen Firewall
MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 msfconsole - Execute Commands
Connect Back Windows Target Next-Gen Firewall
MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 Denied! msfconsole - Execute
Commands Connect Back Windows Target Next-Gen Firewall
Koadic w/ RegSvr Stager Koadic 0x8 - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Koadic w/ RegSvr Stager Denied!
Koadic Koadic 0x8 - Execute Commands Connect Back Windows Target
Next-Gen Firewall
Koadic Next-Gen Firewall Bypassed! Allowed!
Empire Empire v2.1 - Execute Commands Connect Back Windows Target
Next-Gen Firewall
Empire Denied! Empire v2.1 - Execute Commands Connect Back Windows
Target Next-Gen Firewall
Empire
Empire Defaults
“not” Empire Mod
Empire With Modified URIs - /totes/not/bad.php Empire v2.1 - Execute
Commands Connect Back Windows Target Next-Gen Firewall
With Modified URIs - /totes/not/bad.php Allowed! Empire Next-Gen Firewall Bypassed!
Pupy Out of the box... pupy - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Allowed! Pupy Next-Gen Firewall Bypassed!
WebDavC2 Out of the box... WebDavC2 - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Allowed! WebDavC2 Next-Gen Firewall Bypassed!
OverAll Next-Gen Rating: Next-Gen Firewall Bypassed! Meterpreter Koadic Empire Pupy
50% ? WebDav2
Crazy C2 #1
TwitterSphere ...
Survey Says! ...
Breakdown c2 via Twitter (so meta!)
Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego=
Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego= Base64 Encoded
CyberChef
Decode Base64 Decoded: cmd=powershell -nop -noni -w 1 -c Write-Host
looooooolz
Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz cmd=
-> c2 protocol
C2 Logic if command == “cmd=”: (execute the command)
Multiple Commands if command == “cmd=”: (execute the command) elif
command == “download=”: (download a file)
Sleep if command == “cmd=”: (execute the command) elif command
== “download=”: (download a file) else: (sleep...)
Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz powershell
-> exe
No Profile cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-nop -> no profile
Non Interactive cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-noni -> non interactive
Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-w 1 -> non interactive
Ps Command cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz
Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz
Design c2 via Twitter (so meta!) Twitter Operations 3) Execute
Commands 2) Read Tweet 1) Post Tweet Target Next-Gen Firewall
Open Source GitHub: Twittor Invoke-TwitterBot (needs update; uses deprecated api)
Espionage Equivalent C2 via the Plurk Social Network (Chinese Version
of Twitter?) “Elirks” Malware
Crazy C2 #2
Design c2 via Gmail Gmail Gdog - Execute Commands 2)
Read Em ail 1) Post Email Gdog Next-Gen Firewall
Open Source GitHub: Gdog Gcat (older version, no longer maintained
)
Espionage C2 via the Gmail Gcat (Older version) used by
allegedly Russian cyber threat actors
Crazy C2 #3
TwitterSphere ...
Survey Says! ...
Espionage C2 via Instagram Allegedly Russian cyber threat actors
c2 via Instagram Design Instagram Operator - Execute Commands Read
Com m ent Post Comment Malware Next-Gen Firewall LP Bit.Ly/.... Evil.com 302
So Many Options
Very Well Known Options So Bored! - TCP -> Back
Orifice, everything... - UDP -> Donald D…, everything... - HTTP -> everything... - HTTPS -> everything.... - DNS -> DnsCat2, many... - Domain Fronting -> latest trend, many….
Matrix Of The Known Interesting Any IoT Web Service: -
Serverless Services - AWS Lambda, etc... - MQTTS, etc... IoT Web Service Read / W rite Malware Next-Gen Firewall
Trends: APIs/REST Anything Web with an API/REST: - Slack ->
“SlackShell” - Discord -> “Dyper” - Telegram -> “RATAttack” Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall
Trends: Web* Anything Web with a Twist: - WebDav ->
“WebDavC2” - WebSockets -> “ZombieWeb” - QUIC, HTTP/2 -> “H1-QUIC”, etc... Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
The New New
C2 Over... - AWS Lambda, Google Cloud Functions, etc… -
Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers Serverless Prediction #1
Exfil Over... - IFTTT, Zapier, Cloud Elements, etc… - Wash
Connections through 3rd party web services… (less focus than tor) - Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers WebHooks Prediction #2
IoT Prediction #3 C2 Over... - APIs, MQTTS, SQS, etc…
- Blend in with Comms to Web Services & Message Queues
Conclusion
Conclusion Trusted Web Services… - are currently being (ab)used for
c2 - And will increasingly be (ab)used for c2 to bypass security devices
Conclusion We need next-gen network technologies that will…. - Parse
and Log web services/api/rest requests - Retrospective Analysis, etc… - Send to Central Logging Systems (e.g. splunk)
Conclusion Once parsed and logged, we need systems to... -
Analyze requests for anomalies (ML?) - Who sends base64 messages over twitter other than a bot?
March 16th Sandy, Utah BSidesSLC Bryce Kunz @TweekFawkes s2.fyi NSA
Cloud
End Bryce Kunz @TweekFawkes