Flying a False Flag: Advanced C2, Trust Conflicts, and Domain Takeover

Presented at Black Hat USA 2019, Aug. 7, 2019, 4 p.m. (50 minutes)

Command and Control (C2) is at the center of successful malware development. Given the importance of reliable C2 for stable malware, it is also a core focus for many defensive teams. What happens though, when malware authors take advantage of shiny new cloud services, high level layer 7 abstractions, large-scale takeover primitives, and 3rd party trust? Do domains, IPs, or servers still matter?

This talk will discuss the methodology, selection process, and challenges of modern C2. It will cover the details of recent HTTP/S advancements and tooling for new cloud service primitives such as SQS, AppSpot, S3, and CloudFront. We will demonstrate how trust can be abused for stealthy C2 techniques via internal mail servers, defensive platforms, and trusted domains. We will also cover the various options for domain takeover, and release tooling for exploiting domain takeover scenarios in Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP).

What flags do you trust?


Presenters:

  • Nick Landers - Technical Lead, Silent Break Security
    Nick Landers is the Technical Lead at Silent Break Security. His work involves security consulting, red team operations, malware development, and offensive research. He has authored and presented the "Dark Side Ops" course series for over 3 years at Black Hat and other conferences. Internally, he develops tooling, evasions, and strategies for offensive operations.

Links:

Similar Presentations: