
Abusing 3rd-Party Services For Command And Control



Presentation on theme: "Abusing 3rd-Party Services For Command And Control"— Presentation transcript:

1 Abusing 3rd-Party Services For Command And Control
Vince Trune

2 Vince Trune - @Truneski
whoami
Vince Trune
Electronics Engineer from Jomo Kenyatta University of Agriculture and Technology.
Red-Teamer and Freelance Penetration Tester.
First time AfricaHackon conference presenter (be nice).
More into Threat Emulation and Replication.

3 About
This talk is about how attackers can abuse trusted 3rd-party services and file sharing services to your detriment and their profit.

4 Intro
3rd-party services include social media sites like Twitter and Facebook, and file sharing sites like Dropbox and Google Docs.

5 3rd Party Advantages
Social media services are now a necessity for any marketing team and PR team, and by extension the technical teams.
File sharing sites are free, easy to use, extremely fast and can be used in conjunction with social media sites.
Traffic to them is almost always whitelisted and unmonitored in most organizations.

6 Why Do This Talk
Already being used by Advanced Persistent Threats (APTs) in the wild.
Gives a technical edge to our Red-Team ops (offense fuels defense).
More fun and a tremendous learning experience.

7 Advanced Persistent Threats

8 Attacker Infrastructure
Paid cloud services: DigitalOcean, AWS, Azure, etc.
Utilize previously compromised infrastructure: hack people to hack other people.
Utilize 3rd-party services and file sharing sites.
Utilize techniques to bend traffic in "legitimate" ways.

9 Real World Case Studies

10 Dropbox: Operation BugDrop
Targeted Ukraine on a grand scale.
Prime motivation for the early release of Invoke-DBC2.
Dropbox used for data exfiltration and for storing C2 plugins.

11 GitHub: Winnti Gang
GitHub used for command & control.
Financially motivated and engaged in active cyber-espionage.
Mostly uses the PlugX RAT for its attacks.

12 Twitter: APT29
Uses Twitter to control their malware (Hammertoss).
Stego over GitHub for data exfiltration.
Probably Russian state-sponsored.

13 Current Tools
GCat - Shell over Gmail
Empire - Able to do custom C2 modules including 3rd-party apps
DropSmack - C2 over Dropbox sync folder
Instegogram - C2 over Instagram with stego
DropboxC2 - C2 over Dropbox
Invoke-DBC2 - C2 over PowerShell and Dropbox

14 Threat Emulation & Replication: My Approach
Adversary Emulation Features
Uses the API for all interaction with the C2 services.
AES-128 for encryption of communications.
PowerShell for client-side (victim) code: runs in memory, powerful, and scales widely.

15 Limitations
Hard to model and truly emulate the adversarial tactics and techniques.
Requires considerable skill for a small Red Team.
Our proofs of concept are easily defeated.

16 Demos

17 Defend The Land
Invest in your security team.
Endpoint based: binary signature heuristics (AV).
Network baseline: timestamp analysis & beaconing.
Establish a baseline for nodes in the environment.
Network & process correlation & event logging: should PowerShell be calling out to Twitter's API?

18 Data Sources to Consider
Network:
PCAP / SPAN off of the core switch and egress
DNS logs or passive DNS
Netflow
Proxy logs
Internal threat intel (sandbox detonation)
Endpoint (eventing is best):
Process listing events
Network connection events
DNS lookup events
Service add/removal events
Program install/uninstall events
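The two defensive ideas on slides 17 and 18 (timestamp analysis of beaconing from proxy logs, and correlating which process opened a connection to a 3rd-party service) can be tried on sample data. The following is an added example written for this transcript, not code from the talk or from Invoke-DBC2. It assumes a simplified proxy log line of "epoch source_host destination bytes" and an endpoint network-connection event of "epoch host process destination"; the log lines, the watched service hostnames and the list of scripting hosts are all constructed for illustration.

```python
"""Beaconing detection and process/network correlation over constructed logs.

Added example, not part of the original talk. Assumes a simplified proxy log
format '<epoch> <src_host> <dest_host> <bytes>' and endpoint connection events
'<epoch> <host> <process> <dest_host>'. All sample data below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: WS01 polls api.twitter.com roughly every 60 seconds,
# WS02 browses normally and touches the same API once.
PROXY_LOG = """\
1700000000 WS01 api.twitter.com 812
1700000061 WS01 api.twitter.com 790
1700000119 WS01 api.twitter.com 805
1700000180 WS01 api.twitter.com 799
1700000241 WS01 api.twitter.com 811
1700000300 WS01 api.twitter.com 803
1700000005 WS02 www.example.com 15023
1700000420 WS02 www.example.com 3311
1700003100 WS02 api.twitter.com 2200
1700009999 WS02 www.example.com 901
"""

# Constructed endpoint network-connection events (process name + destination)
ENDPOINT_EVENTS = """\
1700000000 WS01 powershell.exe api.twitter.com
1700000061 WS01 powershell.exe api.twitter.com
1700003100 WS02 chrome.exe api.twitter.com
1700000005 WS02 chrome.exe www.example.com
"""

# Assumed watchlist of 3rd-party service endpoints the talk discusses as C2 channels
WATCHED_SERVICES = {"api.twitter.com", "api.dropboxapi.com", "api.github.com", "smtp.gmail.com"}
# Assumed list of scripting hosts that normally have no business talking to them directly
SUSPICIOUS_PROCESSES = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}


def parse_proxy_log(text):
    """Group proxy log timestamps by (source, destination), sorted by time."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, _bytes = line.split()
        series[(src, dest)].append(int(ts))
    for key in series:
        series[key].sort()
    return series


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; near 0 means a fixed period.

    Returns None when there are too few hits to judge regularity.
    """
    if len(timestamps) < 4:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(proxy_text, max_cv=0.15, min_hits=4):
    """Flag (src, dest) pairs with enough hits and a near-constant period."""
    hits = []
    for (src, dest), ts in parse_proxy_log(proxy_text).items():
        cv = beacon_score(ts)
        if cv is not None and len(ts) >= min_hits and cv <= max_cv:
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            hits.append({"src": src, "dest": dest,
                         "period_s": round(mean(gaps)), "cv": round(cv, 3)})
    return hits


def correlate_processes(endpoint_text):
    """Flag scripting hosts connecting to watched 3rd-party services (deduplicated)."""
    findings = []
    for line in endpoint_text.splitlines():
        if not line.strip():
            continue
        _ts, host, proc, dest = line.split()
        if dest in WATCHED_SERVICES and proc.lower() in SUSPICIOUS_PROCESSES:
            finding = {"host": host, "process": proc, "dest": dest}
            if finding not in findings:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for b in find_beacons(PROXY_LOG):
        print("beacon candidate:", b)
    for f in correlate_processes(ENDPOINT_EVENTS):
        print("scripting host to watched service:", f)
```

On the constructed data this reports WS01 beaconing to api.twitter.com with a 60 second period and a coefficient of variation near 0.02, and separately reports that powershell.exe on WS01 is the process behind those connections, while WS02's single browser visit to the same API is not flagged by either check. A real deployment would feed the same two functions from proxy logs and endpoint eventing, and would tune max_cv and min_hits against the baseline the slides recommend establishing first.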

19 Conclusion
APTs are creative and will find ways to use your weaknesses.
3rd-party services make for quick and easy C2 or exfiltration vectors.
Detecting the use of 3rd-party services for C2 is difficult and requires foundational network collection.
Attacker activity will often come in a series of behaviors that create a pattern; you need to look for anomalous activity.

20

21 References

22 Questions

