Red teams often struggle with interactive C2 in monitored networks. Low-and-slow channels are stealthy but insufficient for high-bandwidth tasks like SOCKS proxying, pivoting, or hidden VNC. Our research solves this by using real-time collaboration protocols—specifically, whitelisted media servers from services like Zoom—to create short-term, high-speed C2 channels that blend into normal enterprise traffic.
We introduce TURNt, an open-source tool that automates covert traffic routing via commonly trusted TURN servers. Since many enterprises whitelist these conferencing IPs and exempt them from TLS inspection, TURNt sessions look just like a legitimate Zoom meeting. Operators can maintain a persistent, stealthy channel while periodically activating higher-bandwidth interactivity for time-sensitive operations.
This talk will show how to set up these “ghost calls,” discuss the trade-offs and detection challenges, and explore defensive countermeasures. Attendees will learn how to integrate short-term, real-time C2 into existing red team workflows—and how to identify and mitigate this emerging threat.
unc1739
inesmontani
techseoconnect
codingconduct
paigeccino
427marketing
rasagy
lara
bethany
emna__ayadi
nonsquared
andyhume
ks91
