Command and Control (C2) is at the center of successful malware development. Because reliable C2 is essential to stable malware, it is also a core focus for many defensive teams. What happens, though, when malware authors take advantage of shiny new cloud services, high-level layer-7 abstractions, large-scale takeover primitives, and third-party trust? Do domains, IPs, or servers still matter?
This talk will discuss the methodology, selection process, and challenges of modern C2. It will cover the details of recent HTTP/S advancements and tooling for new cloud service primitives such as SQS, AppSpot, S3, and CloudFront. We will demonstrate how trust can be abused for stealthy C2 techniques via internal mail servers, defensive platforms, and trusted domains. We will also cover the various options for domain takeover, and release tooling for exploiting domain takeover scenarios in Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP).
What flags do you trust?