Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Bypassing NextGen Security: Crazy C&C Channels
Search
TweekFawkes
October 10, 2017
Technology
0
620
Bypassing NextGen Security: Crazy C&C Channels
Bypassing Next-Gen Security w/ Crazy C&C Channels
TweekFawkes
October 10, 2017
Tweet
Share
More Decks by TweekFawkes
See All by TweekFawkes
Bypassing the Gatekeepers: LLM Enabled Techniques for Circumventing WAFs at Scale
tweekfawkes
0
88
Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn
tweekfawkes
0
180
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
tweekfawkes
0
4.2k
Level Up Your Lab Envs!
tweekfawkes
0
250
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
tweekfawkes
0
310
Mining Cloud Resources for Initial Access via Serverless Services
tweekfawkes
0
170
Serverless and Dys-FUNctional Cloud Red Teaming
tweekfawkes
1
210
The Future?!
tweekfawkes
0
190
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
1.3k
Other Decks in Technology
See All in Technology
Amazon Athena で JSON・Parquet・Iceberg のデータを検索し、性能を比較してみた
shigeruoda
1
160
ざっくり学ぶ 『エンジニアリングリーダー 技術組織を育てるリーダーシップと セルフマネジメント』 / 50 minute Engineering Leader
iwashi86
4
2.3k
AI時代の開発を加速する組織づくり - ブログでは書けなかったリアル
hiro8ma
2
340
AI機能プロジェクト炎上の 3つのしくじりと学び
nakawai
0
130
OPENLOGI Company Profile for engineer
hr01
1
46k
「タコピーの原罪」から学ぶ間違った”支援” / the bad support of Takopii
piyonakajima
0
150
serverless team topology
_kensh
3
240
CREが作る自己解決サイクルSlackワークフローに組み込んだAIによる社内ヘルプデスク改革 #cre_meetup
bengo4com
0
360
GPUをつかってベクトル検索を扱う手法のお話し~NVIDIA cuVSとCAGRA~
fshuhe
0
160
激動の時代を爆速リチーミングで乗り越えろ
sansantech
PRO
1
150
From Natural Language to K8s Operations: The MCP Architecture and Practice of kubectl-ai
appleboy
0
320
dbtとAIエージェントを組み合わせて見えたデータ調査の新しい形
10xinc
6
1.3k
Featured
See All Featured
Become a Pro
speakerdeck
PRO
29
5.6k
Principles of Awesome APIs and How to Build Them.
keavy
127
17k
What's in a price? How to price your products and services
michaelherold
246
12k
Learning to Love Humans: Emotional Interface Design
aarron
274
41k
GraphQLの誤解/rethinking-graphql
sonatard
73
11k
Site-Speed That Sticks
csswizardry
13
930
What’s in a name? Adding method to the madness
productmarketing
PRO
24
3.7k
How to Think Like a Performance Engineer
csswizardry
27
2.1k
Building a Modern Day E-commerce SEO Strategy
aleyda
44
7.8k
Product Roadmaps are Hard
iamctodd
PRO
55
11k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Fireside Chat
paigeccino
41
3.7k
Transcript
Crazy c2 Channels Bypassing Next-Gen Security w/ Crazy C&C Channels
Wolf Pack! Looking for 0days and malware! @DavidThurm @DavidThurm THANKS!
Bryce Kunz - Cloud Exploitation Expert AWS, Azure, Docker, K8s,
DC/OS, Mesos, etc… & Red Team Lead Whois Bryce Kunz @TweekFawkes DHS NSA Cloud
Last-Gen
The Network Malware
The Goal Malware C2
Blocks: - IP Addresses - Ports Firewall 123.123.123.123 80/TCP -
Execute Commands Malware Firewall Connect Back
Layers Any IoT Web Service: - Serverless Services - AWS
Lambda, etc... - MQTTS, etc... IP Address Port 1.1.1.1 443
Web Proxy Blocks: - Domain Names - BlackList - Reputation
Based - Attacker’s Buy Good Rep Domains bad.guy.com - Execute Commands Connect Back Malware Web Proxy
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port 1.1.1.1 443 Domain name example.com
IPS Blocks: - Signatures (e.g. strings) - Previously Known Bad
“root#” - Execute Commands Connect Back Malware IPS
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP <msg>c2</msg> Domain name example.com
Malware Analysis Blocks: - Files (in Transit) - Runs Files
in Sandbox bad.guy.com - Execute Commands Connect Back Malware AMP
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP Files Domain name example.com
Transaction Logging Enables: - Logging of Traffic MetaData - Aggregation
of MetaData (e.g. into Splunk) - Anomalies (e.g. rare Certificates) “root#” - Execute Commands Connect Back Malware BroIDS
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
TLS/SSL Decryption Enables: - Inspection of TLS/SSL Traffic - Ability
to inspect encrypted traffic “root#” - Execute Commands Connect Back Malware Web Proxy
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
Next-Gen
Next-Gen Firewalls Features: - Application Awareness - Allow Only web-browsing
bad.guy.com - Execute Commands Connect Back Malware Next-Gen Firewall
MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 msfconsole - Execute Commands
Connect Back Windows Target Next-Gen Firewall
MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 Denied! msfconsole - Execute
Commands Connect Back Windows Target Next-Gen Firewall
Koadic w/ RegSvr Stager Koadic 0x8 - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Koadic w/ RegSvr Stager Denied!
Koadic Koadic 0x8 - Execute Commands Connect Back Windows Target
Next-Gen Firewall
Koadic Next-Gen Firewall Bypassed! Allowed!
Empire Empire v2.1 - Execute Commands Connect Back Windows Target
Next-Gen Firewall
Empire Denied! Empire v2.1 - Execute Commands Connect Back Windows
Target Next-Gen Firewall
Empire
Empire Defaults
“not” Empire Mod
Empire With Modified URIs - /totes/not/bad.php Empire v2.1 - Execute
Commands Connect Back Windows Target Next-Gen Firewall
With Modified URIs - /totes/not/bad.php Allowed! Empire Next-Gen Firewall Bypassed!
Pupy Out of the box... pupy - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Allowed! Pupy Next-Gen Firewall Bypassed!
WebDavC2 Out of the box... WebDavC2 - Execute Commands Connect
Back Windows Target Next-Gen Firewall
Allowed! WebDavC2 Next-Gen Firewall Bypassed!
OverAll Next-Gen Rating: Next-Gen Firewall Bypassed! Meterpreter Koadic Empire Pupy
50% ? WebDav2
Crazy C2 #1
TwitterSphere ...
Survey Says! ...
Breakdown c2 via Twitter (so meta!)
Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego=
Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego= Base64 Encoded
CyberChef
Decode Base64 Decoded: cmd=powershell -nop -noni -w 1 -c Write-Host
looooooolz
Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz cmd=
-> c2 protocol
C2 Logic if command == “cmd=”: (execute the command)
Multiple Commands if command == “cmd=”: (execute the command) elif
command == “download=”: (download a file)
Sleep if command == “cmd=”: (execute the command) elif command
== “download=”: (download a file) else: (sleep...)
Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz powershell
-> exe
No Profile cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-nop -> no profile
Non Interactive cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-noni -> non interactive
Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-w 1 -> non interactive
Ps Command cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz
Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz
Design c2 via Twitter (so meta!) Twitter Operations 3) Execute
Commands 2) Read Tweet 1) Post Tweet Target Next-Gen Firewall
Open Source GitHub: Twittor Invoke-TwitterBot (needs update; uses deprecated api)
Espionage Equivalent C2 via the Plurk Social Network (Chinese Version
of Twitter?) “Elirks” Malware
Crazy C2 #2
Design c2 via Gmail Gmail Gdog - Execute Commands 2)
Read Em ail 1) Post Email Gdog Next-Gen Firewall
Open Source GitHub: Gdog Gcat (older version, no longer maintained
)
Espionage C2 via the Gmail Gcat (Older version) used by
allegedly Russian cyber threat actors
Crazy C2 #3
TwitterSphere ...
Survey Says! ...
Espionage C2 via Instagram Allegedly Russian cyber threat actors
c2 via Instagram Design Instagram Operator - Execute Commands Read
Com m ent Post Comment Malware Next-Gen Firewall LP Bit.Ly/.... Evil.com 302
So Many Options
Very Well Known Options So Bored! - TCP -> Back
Orifice, everything... - UDP -> Donald D…, everything... - HTTP -> everything... - HTTPS -> everything.... - DNS -> DnsCat2, many... - Domain Fronting -> latest trend, many….
Matrix Of The Known Interesting Any IoT Web Service: -
Serverless Services - AWS Lambda, etc... - MQTTS, etc... IoT Web Service Read / W rite Malware Next-Gen Firewall
Trends: APIs/REST Anything Web with an API/REST: - Slack ->
“SlackShell” - Discord -> “Dyper” - Telegram -> “RATAttack” Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall
Trends: Web* Anything Web with a Twist: - WebDav ->
“WebDavC2” - WebSockets -> “ZombieWeb” - QUIC, HTTP/2 -> “H1-QUIC”, etc... Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall
Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com
The New New
C2 Over... - AWS Lambda, Google Cloud Functions, etc… -
Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers Serverless Prediction #1
Exfil Over... - IFTTT, Zapier, Cloud Elements, etc… - Wash
Connections through 3rd party web services… (less focus than tor) - Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers WebHooks Prediction #2
IoT Prediction #3 C2 Over... - APIs, MQTTS, SQS, etc…
- Blend in with Comms to Web Services & Message Queues
Conclusion
Conclusion Trusted Web Services… - are currently being (ab)used for
c2 - And will increasingly be (ab)used for c2 to bypass security devices
Conclusion We need next-gen network technologies that will…. - Parse
and Log web services/api/rest requests - Retrospective Analysis, etc… - Send to Central Logging Systems (e.g. splunk)
Conclusion Once parsed and logged, we need systems to... -
Analyze requests for anomalies (ML?) - Who sends base64 messages over twitter other than a bot?
March 16th Sandy, Utah BSidesSLC Bryce Kunz @TweekFawkes s2.fyi NSA
Cloud
End Bryce Kunz @TweekFawkes