BUILD YOUR OWN CLOUD SHELL
German Namestnikov
WHOAMI
● Part of “Sberbank of Russia” Red Team
● Wrote some articles for Xakep.ru and PentestMag.com
● OSCP, SLAE
german.namestnikov@illegalbytes.com
https://t.me/r3turn0riented
MOTIVATION
Approaches to build communications between malware and C&C
WHY LEARN COMMUNICATION CHANNELS?
● We do adversary simulations and must test different techniques before they are used against us
● A properly chosen communication channel beats IPS/IDS
● Compared to other areas, the topic of communication channels is unfairly neglected
CLASSIC WAYS
Over Internet & Transport Layers
Connect with C&C using “sockets” or “raw sockets”
Examples:
● reverse_tcp
● bind_tcp
● reverse_udp
● bind_udp

Over Application Layer
Connect with C&C using HTTPS or other Application Layer protocols
Examples:
● reverse_http
● reverse_https

Over other well-known protocols
Hide malicious traffic inside DNS/ICMP/etc.
Examples:
● reverse_dns
● icmpsh
CLASSIC WAYS DISADVANTAGES
● Communications over the Internet & Transport Layers can be blocked and caught by firewalls and IPS
● Transfer of malicious data over the Application Layer can be detected and caught by firewalls, IPS and protocol inspection
● Hiding inside DNS/ICMP/other protocols is usually very noisy and may trigger an investigation
THIRD-PARTY SERVICES
Using Twitter, Facebook and other services to build a communication channel between malware and C&C
ADVANTAGES
● It is always nice when someone else maintains the infrastructure for you :)
● Hides malicious traffic among the “white sheep”
● Increases the time between detection and a successful investigation
Example
https://nakedsecurity.sophos.com/2017/01/25/potential-phantom-menace-found-on-twitter-a-star-wars-botnet/
DISADVANTAGES
● Requires multiple pre-registered accounts *
● Service security measures (Captcha, JS, etc.) have to be bypassed
● If the data is publicly visible, this method also requires steganography and/or cryptography
* but not always: https://xakep.ru/2017/12/26/malware-cnc/
CLOUD AS A THIRD-PARTY SERVICE
Software as a Communication Channel for Malicious Operations
CLOUDS… SO DIFFERENT!
CLOUD AS A THIRD-PARTY SERVICE
Cloud communication channels let an attacker keep the advantages of third-party communication layers while minimizing the disadvantages:
● Traffic keeps looking legitimate
● Hard to investigate
● No service-side security measures (Captcha, JS challenges) stand in the way of API operations
● Provide “private” data storage
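The advantages above ("traffic keeps looking legitimate", "hard to investigate") describe what the channel hides; what it cannot hide cheaply is its timing and the process that generates it, because a cloud-backed shell must poll the service for new commands. The script below, added here as an example and not code from the talk or the cloud-shell project, scores each (client, process, host) stream in a proxy or EDR log by how periodic its requests are and raises an alert when a regular poller to a cloud API host is a process outside the expected set. The log format (`<epoch> <client> <process> <host> <method> <path> <status>`), the sample lines, the host list, the process allowlist and the thresholds are all constructed assumptions for this example.

```python
"""Flag regular polling of a cloud-storage API from an unexpected process.

Added example, not code from the talk. The log format, host list and process
allowlist are constructed for this example:
"<epoch> <client> <process> <host> <method> <path> <status>".
"""
import re
import statistics
from collections import defaultdict

# Assumed lists for this example; derive them from your own environment in practice.
CLOUD_API_HOSTS = {"www.googleapis.com", "graph.microsoft.com", "api.dropboxapi.com"}
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "googledrivefs.exe", "onedrive.exe"}

# Constructed sample: a browser making bursty, human-paced Drive calls, and an
# unfamiliar process listing the Drive file tree every ~30 seconds.
SAMPLE_LOG = """\
1700000000 10.0.0.5 chrome.exe www.googleapis.com GET /drive/v3/files 200
1700000047 10.0.0.5 chrome.exe www.googleapis.com GET /drive/v3/files 200
1700000190 10.0.0.5 chrome.exe www.googleapis.com POST /upload/drive/v3/files 200
1700000211 10.0.0.5 chrome.exe www.googleapis.com GET /drive/v3/files 200
1700000900 10.0.0.5 chrome.exe www.googleapis.com GET /drive/v3/files 200
1700000000 10.0.0.9 report_viewer.exe www.googleapis.com GET /drive/v3/files 200
1700000030 10.0.0.9 report_viewer.exe www.googleapis.com GET /drive/v3/files 200
1700000061 10.0.0.9 report_viewer.exe www.googleapis.com GET /drive/v3/files 200
1700000090 10.0.0.9 report_viewer.exe www.googleapis.com GET /drive/v3/files 200
1700000120 10.0.0.9 report_viewer.exe www.googleapis.com GET /drive/v3/files 200
1700000151 10.0.0.9 report_viewer.exe www.googleapis.com GET /drive/v3/files 200
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Return (timestamp, client, process, host) tuples for well-formed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, proc, host = m.group(1, 2, 3, 4)
            records.append((int(ts), client, proc.lower(), host.lower()))
    return records


def analyze(records, min_requests=5, max_cv=0.15):
    """Score each (client, process, host) stream.

    Periodicity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: a polling loop with a fixed sleep has a CV near zero,
    human browsing does not. An alert needs a periodic stream to a cloud API host
    from a process outside the allowlist. Thresholds are assumptions for this example.
    """
    streams = defaultdict(list)
    for ts, client, proc, host in records:
        streams[(client, proc, host)].append(ts)
    results = {}
    for key, times in streams.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        cv = statistics.pstdev(gaps) / mean_gap if len(gaps) >= 2 and mean_gap > 0 else float("inf")
        periodic = len(times) >= min_requests and cv <= max_cv
        unexpected = key[1] not in EXPECTED_PROCESSES
        results[key] = {
            "requests": len(times),
            "mean_gap_s": round(mean_gap, 1),
            "cv": round(cv, 3),
            "periodic": periodic,
            "unexpected_process": unexpected,
            "alert": periodic and unexpected and key[2] in CLOUD_API_HOSTS,
        }
    return results


if __name__ == "__main__":
    for (client, proc, host), r in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{'ALERT' if r['alert'] else 'ok':<5} {client} {proc} -> {host}: "
              f"{r['requests']} requests, mean gap {r['mean_gap_s']}s, cv {r['cv']}")
```

On the sample, the browser's gaps (47 s, 143 s, 21 s, 689 s) give a CV above 1 and no alert, while the unfamiliar process polls at 29 to 31 second gaps, a CV of about 0.025, and is flagged. Jittered sleeps raise the CV, so in practice the threshold is a trade-off against false positives from legitimate sync clients, which is why the process allowlist is part of the decision rather than timing alone.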
EXAMPLE - EXTERNAL C2
Cobalt Strike External C2 allows third-party programs to act as a communication layer between Cobalt Strike and its Beacon payload
Description: https://www.cobaltstrike.com/downloads/externalc2spec.pdf
Amazon S3 Bucket: https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/
EXTERNAL C2 FLOW
DISADVANTAGES
● Requires an additional layer between the beacon and the third-party service, and between that service and the team server
● Very few examples are available
● Very, very hard to purchase if you are outside the USA or Canada
CLOUD SHELL
Build your own cloud shell (finally!)
WHAT IS IT?
An extendable platform, built with C# and .NET, for building remote-access shells that use different cloud services as the communication layer
All code will be available here:
https://github.com/german-namestnikov/cloud-shell
C# & .NET
● Many APIs for different cloud services
● Lets us implement module support for our shell
● Makes AV evasion easy
* and gives us huuuuuge binaries (with ILMerge or .NETZ) :(
BASIC ARCHITECTURE
GOOGLE DRIVE SHELL
As an example of what you can implement with Cloud Shell
RESULTS
● Fully-featured remote command shell available via the Google Drive service
● File transfer in both directions
● Multiple-session support
● In-memory execution of PowerShell scripts
DEMO
CLOUD SHELL TODO LIST
● Internal encryption for Cloud Communications
● Wrappers around other Cloud Services
● Advanced usage of Cloud Services features (sharing, versioning, etc.)
Thanks!
Questions?
https://github.com/german-namestnikov/cloud-shell
german.namestnikov@illegalbytes.com