Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bypassing NextGen Security: Crazy C&C Channels

Avatar for TweekFawkes TweekFawkes
October 10, 2017
Technology
0
600

Bypassing NextGen Security: Crazy C&C Channels

Bypassing Next-Gen Security w/ Crazy C&C Channels
Avatar for TweekFawkes

TweekFawkes

October 10, 2017
Tweet

More Decks by TweekFawkes

See All by TweekFawkes
Bypassing the Gatekeepers: LLM Enabled Techniques for Circumventing WAFs at Scale
Avatar for TweekFawkes tweekfawkes
0
75
Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn
Avatar for TweekFawkes tweekfawkes
0
170
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
Avatar for TweekFawkes tweekfawkes
0
4.1k
Level Up Your Lab Envs!
Avatar for TweekFawkes tweekfawkes
0
240
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
Avatar for TweekFawkes tweekfawkes
0
300
Mining Cloud Resources for Initial Access via Serverless Services
Avatar for TweekFawkes tweekfawkes
0
160
Serverless and Dys-FUNctional Cloud Red Teaming
Avatar for TweekFawkes tweekfawkes
1
200
The Future?!
Avatar for TweekFawkes tweekfawkes
0
180
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
Avatar for TweekFawkes tweekfawkes
1
1.3k

Other Decks in Technology

See All in Technology
CDK Vibe Coding Fes
Avatar for tomoki10 tomoki10
1
630
「現場で活躍するAIエージェント」を実現するチームと開発プロセス
Avatar for takuya kikuchi tkikuchi1002
4
460
マルチプロダクト環境におけるSREの役割 / SRE NEXT 2025 lunch session
Avatar for sugamasao sugamasao
1
740
ABEMAの本番環境負荷試験への挑戦
Avatar for Miyazaki Taiga mk2taiga
5
1.3k
TLSから見るSREの未来
Avatar for atpons atpons
2
330
SRE不在の開発チームが障害対応と 向き合った100日間 / 100 days dealing with issues without SREs
Avatar for katsukamaru shin1988
2
2.1k
全部AI、全員Cursor、ドキュメント駆動開発 〜DevinやGeminiも添えて〜
Avatar for Masaya Hayashi rinchsan
10
5.1k
VS CodeとGitHub Copilotで爆速開発!アップデートの波に乗るおさらい会 / Rapid Development with VS Code and GitHub Copilot: Catch the Latest Wave
Avatar for Yusuke Yamada yamachu
3
460
QuickSight SPICE の効果的な運用戦略~S3 + Athena 構成での実践ノウハウ~/quicksight-spice-s3-athena-best-practices
Avatar for emi emiki
0
290
AI Ready API ─ AI時代に求められるAPI設計とは?/ AI-Ready API - Designing MCP and APIs in the AI Era
Avatar for Yoichi Kawasaki yokawasa
12
3.2k
LIXIL基幹システム刷新に立ち向かう技術的アプローチについて
Avatar for karacoro / からころ tsukuha
1
390
サービスを止めるな! DDoS攻撃へのスマートな備えと最前線の事例
Avatar for coconala_engineer coconala_engineer
1
190

Featured

See All Featured
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.3k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
179
9.8k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
328
39k
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
184
22k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
267
13k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
29
9.6k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
Designing for humans not robots
Avatar for Tammie Lister tammielis
253
25k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
282
13k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
134
9.4k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.7k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
95
14k

Transcript

  1. Crazy c2 Channels Bypassing Next-Gen Security w/ Crazy C&C Channels

  2. Wolf Pack! Looking for 0days and malware! @DavidThurm @DavidThurm THANKS!

  3. Bryce Kunz - Cloud Exploitation Expert AWS, Azure, Docker, K8s,

    DC/OS, Mesos, etc… & Red Team Lead Whois Bryce Kunz @TweekFawkes DHS NSA Cloud

  4. Last-Gen

  5. The Network Malware

  6. The Goal Malware C2

  7. Blocks: - IP Addresses - Ports Firewall 123.123.123.123 80/TCP -

    Execute Commands Malware Firewall Connect Back

  8. Layers Any IoT Web Service: - Serverless Services - AWS

    Lambda, etc... - MQTTS, etc... IP Address Port 1.1.1.1 443

  9. Web Proxy Blocks: - Domain Names - BlackList - Reputation

    Based - Attacker’s Buy Good Rep Domains bad.guy.com - Execute Commands Connect Back Malware Web Proxy

  10. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port 1.1.1.1 443 Domain name example.com

  11. IPS Blocks: - Signatures (e.g. strings) - Previously Known Bad

    “root#” - Execute Commands Connect Back Malware IPS

  12. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP <msg>c2</msg> Domain name example.com

  13. Malware Analysis Blocks: - Files (in Transit) - Runs Files

    in Sandbox bad.guy.com - Execute Commands Connect Back Malware AMP

  14. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP Files Domain name example.com

  15. Transaction Logging Enables: - Logging of Traffic MetaData - Aggregation

    of MetaData (e.g. into Splunk) - Anomalies (e.g. rare Certificates) “root#” - Execute Commands Connect Back Malware BroIDS

  16. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com

  17. TLS/SSL Decryption Enables: - Inspection of TLS/SSL Traffic - Ability

    to inspect encrypted traffic “root#” - Execute Commands Connect Back Malware Web Proxy

  18. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com

  19. Next-Gen

  20. Next-Gen Firewalls Features: - Application Awareness - Allow Only web-browsing

    bad.guy.com - Execute Commands Connect Back Malware Next-Gen Firewall

  21. MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 msfconsole - Execute Commands

    Connect Back Windows Target Next-Gen Firewall

  22. MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 Denied! msfconsole - Execute

    Commands Connect Back Windows Target Next-Gen Firewall

  23. Koadic w/ RegSvr Stager Koadic 0x8 - Execute Commands Connect

    Back Windows Target Next-Gen Firewall

  24. Koadic w/ RegSvr Stager Denied!

  25. Koadic Koadic 0x8 - Execute Commands Connect Back Windows Target

    Next-Gen Firewall

  26. Koadic Next-Gen Firewall Bypassed! Allowed!

  27. Empire Empire v2.1 - Execute Commands Connect Back Windows Target

    Next-Gen Firewall

  28. Empire Denied! Empire v2.1 - Execute Commands Connect Back Windows

    Target Next-Gen Firewall

  29. Empire

  30. Empire Defaults

  31. “not” Empire Mod

  32. Empire With Modified URIs - /totes/not/bad.php Empire v2.1 - Execute

    Commands Connect Back Windows Target Next-Gen Firewall

  33. With Modified URIs - /totes/not/bad.php Allowed! Empire Next-Gen Firewall Bypassed!

  34. Pupy Out of the box... pupy - Execute Commands Connect

    Back Windows Target Next-Gen Firewall

  35. Allowed! Pupy Next-Gen Firewall Bypassed!

  36. WebDavC2 Out of the box... WebDavC2 - Execute Commands Connect

    Back Windows Target Next-Gen Firewall

  37. Allowed! WebDavC2 Next-Gen Firewall Bypassed!

  38. OverAll Next-Gen Rating: Next-Gen Firewall Bypassed! Meterpreter Koadic Empire Pupy

    50% ? WebDav2

  39. Crazy C2 #1

  40. TwitterSphere ...

  41. Survey Says! ...

  42. Breakdown c2 via Twitter (so meta!)

  43. Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego=

  44. Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego= Base64 Encoded

  45. CyberChef

  46. Decode Base64 Decoded: cmd=powershell -nop -noni -w 1 -c Write-Host

    looooooolz

  47. Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz cmd=

    -> c2 protocol

  48. C2 Logic if command == “cmd=”: (execute the command)

  49. Multiple Commands if command == “cmd=”: (execute the command) elif

    command == “download=”: (download a file)

  50. Sleep if command == “cmd=”: (execute the command) elif command

    == “download=”: (download a file) else: (sleep...)

  51. Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz powershell

    -> exe

  52. No Profile cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz

    -nop -> no profile

  53. Non Interactive cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz

    -noni -> non interactive

  54. Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz

    -w 1 -> non interactive

  55. Ps Command cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz

    -c Write-Host looooooolz

  56. Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz

    -c Write-Host looooooolz

  57. Design c2 via Twitter (so meta!) Twitter Operations 3) Execute

    Commands 2) Read Tweet 1) Post Tweet Target Next-Gen Firewall

  58. Open Source GitHub: Twittor Invoke-TwitterBot (needs update; uses deprecated api)

  59. Espionage Equivalent C2 via the Plurk Social Network (Chinese Version

    of Twitter?) “Elirks” Malware

  60. Crazy C2 #2

  61. Design c2 via Gmail Gmail Gdog - Execute Commands 2)

    Read Em ail 1) Post Email Gdog Next-Gen Firewall

  62. Open Source GitHub: Gdog Gcat (older version, no longer maintained

    )

  63. Espionage C2 via the Gmail Gcat (Older version) used by

    allegedly Russian cyber threat actors

  64. Crazy C2 #3

  65. TwitterSphere ...

  66. Survey Says! ...

  67. Espionage C2 via Instagram Allegedly Russian cyber threat actors

  68. c2 via Instagram Design Instagram Operator - Execute Commands Read

    Com m ent Post Comment Malware Next-Gen Firewall LP Bit.Ly/.... Evil.com 302

  69. So Many Options

  70. Very Well Known Options So Bored! - TCP -> Back

    Orifice, everything... - UDP -> Donald D…, everything... - HTTP -> everything... - HTTPS -> everything.... - DNS -> DnsCat2, many... - Domain Fronting -> latest trend, many….

  71. Matrix Of The Known Interesting Any IoT Web Service: -

    Serverless Services - AWS Lambda, etc... - MQTTS, etc... IoT Web Service Read / W rite Malware Next-Gen Firewall

  72. Trends: APIs/REST Anything Web with an API/REST: - Slack ->

    “SlackShell” - Discord -> “Dyper” - Telegram -> “RATAttack” Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall

  73. Trends: Web* Anything Web with a Twist: - WebDav ->

    “WebDavC2” - WebSockets -> “ZombieWeb” - QUIC, HTTP/2 -> “H1-QUIC”, etc... Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall

  74. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com

  75. The New New

  76. C2 Over... - AWS Lambda, Google Cloud Functions, etc… -

    Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers Serverless Prediction #1

  77. Exfil Over... - IFTTT, Zapier, Cloud Elements, etc… - Wash

    Connections through 3rd party web services… (less focus than tor) - Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers WebHooks Prediction #2

  78. IoT Prediction #3 C2 Over... - APIs, MQTTS, SQS, etc…

    - Blend in with Comms to Web Services & Message Queues

  79. Conclusion

  80. Conclusion Trusted Web Services… - are currently being (ab)used for

    c2 - And will increasingly be (ab)used for c2 to bypass security devices

  81. Conclusion We need next-gen network technologies that will…. - Parse

    and Log web services/api/rest requests - Retrospective Analysis, etc… - Send to Central Logging Systems (e.g. splunk)

  82. Conclusion Once parsed and logged, we need systems to... -

    Analyze requests for anomalies (ML?) - Who sends base64 messages over twitter other than a bot?

  83. March 16th Sandy, Utah BSidesSLC Bryce Kunz @TweekFawkes s2.fyi NSA

    Cloud

  84. End Bryce Kunz @TweekFawkes