2. WHOAMI
● Part of “Sberbank of Russia” Red Team
● Wrote some articles for Xakep.ru and
PentestMag.com
● OSCP, SLAE
german.namestnikov@illegalbytes.com
https://t.me/r3turn0riented
4. WHY LEARN COMMUNICATION CHANNELS?
● We do adversary simulations and must test different techniques before
they are used against us
● A properly chosen communication channel beats IPS/IDS
● The communication channels topic is undeservedly neglected compared to
other areas
5. CLASSIC WAYS
Over Internet & Transport Layers
Connect to the C&C using “sockets” or “raw sockets”
Examples:
● reverse_tcp
● bind_tcp
● reverse_udp
● bind_udp
Over Application Layer
Connect to the C&C using HTTPS or other Application Layer protocols
Examples:
● reverse_http
● reverse_https
Over other well-known protocols
Hide malicious traffic inside DNS/ICMP/etc.
Examples:
● reverse_dns
● icmpsh
6. CLASSIC WAYS DISADVANTAGES
● Communications over Internet & Transport Layers
can be blocked & caught by FW & IPS
● Transfer of malicious data over Application Layer
can be detected and caught by FW, IPS and Protocol Inspection
● Hiding inside DNS/ICMP/other
is usually very noisy and may trigger an investigation
8. ADVANTAGES
● It is always nice when someone else maintains the infrastructure you need :)
● Allows malicious traffic to hide among the “white sheep”
● Increases the time between detection and successful investigation
Example
https://nakedsecurity.sophos.com/2017/01/25/potential-phantom-menace-found-on-twitter-a-star-wars-botnet/
9. DISADVANTAGES
● Requires multiple pre-registered accounts *
● Have to bypass the service's security measures (CAPTCHA, JS, etc.)
● If the data is publicly visible, this method requires implementing
steganography and/or encryption
* but not always: https://xakep.ru/2017/12/26/malware-cnc/
10. CLOUD AS A THIRD-PARTY SERVICE
Software as a Communication Channel for Malicious Operations
12. CLOUD AS A THIRD-PARTY SERVICE
Cloud communication channels let an attacker keep the advantages
of third-party communication layers while minimizing their disadvantages:
● Traffic keeps looking legitimate
● Hard to investigate
● No security measures (CAPTCHA, JS, etc.) standing in the way of automated operations: the service exposes a proper API
● Provide “private” data storage
13. EXAMPLE - EXTERNAL C2
Cobalt Strike External C2 allows third-party programs to act as a communication layer between Cobalt Strike and its Beacon payload
Description: https://www.cobaltstrike.com/downloads/externalc2spec.pdf
Amazon S3 Bucket: https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/
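What the third-party program in an External C2 setup actually has to do on the team-server side, as an added Python example (not the slides' code and not Cobalt Strike's): every frame is a 4-byte little-endian length followed by the data; the client sends its `arch`, `pipename` and `block` options as frames, then `go`, and receives the Beacon stage in reply; after that it just relays frames between the Beacon side and the team server. The team server here is a constructed stand-in on a socketpair that records the options, hands out a fake stage and echoes frames, so the example runs offline; the real counterpart is the External C2 listener on the team server, and the Beacon side would be a named pipe rather than the bytes passed directly into `relay_once`.

```python
import socket
import struct
import threading


def pack_frame(data: bytes) -> bytes:
    """External C2 frame: 4-byte little-endian length, then the data."""
    return struct.pack("<I", len(data)) + data


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def read_frame(sock: socket.socket) -> bytes:
    """Read one length-prefixed frame; raises ConnectionError on EOF."""
    (length,) = struct.unpack("<I", _recv_exact(sock, 4))
    return _recv_exact(sock, length)


def external_c2_handshake(ts: socket.socket, arch: str = "x86",
                          pipename: str = "cloudshell", block_ms: int = 100) -> bytes:
    """Send the option frames the spec defines, then 'go'; the reply is the Beacon stage."""
    for option in (f"arch={arch}", f"pipename={pipename}", f"block={block_ms}"):
        ts.sendall(pack_frame(option.encode()))
    ts.sendall(pack_frame(b"go"))
    return read_frame(ts)


def relay_once(ts: socket.socket, frame_from_beacon: bytes) -> bytes:
    """Forward one frame the Beacon produced (in reality read from its named pipe)
    and return the team server's reply frame, to be written back to the Beacon."""
    ts.sendall(pack_frame(frame_from_beacon))
    return read_frame(ts)


def _fake_team_server(sock: socket.socket, seen_options: list) -> None:
    """Constructed stand-in for the External C2 listener (not the real thing):
    records the options, returns a fake stage on 'go', then echoes frames."""
    while True:
        frame = read_frame(sock)
        if frame == b"go":
            break
        seen_options.append(frame.decode())
    sock.sendall(pack_frame(b"FAKE-STAGE"))
    try:
        while True:
            sock.sendall(pack_frame(b"TS:" + read_frame(sock)))
    except ConnectionError:
        pass
    finally:
        sock.close()


def run_demo() -> dict:
    """Handshake plus one relayed frame against the fake team server."""
    ts_side, client_side = socket.socketpair()
    seen = []
    server = threading.Thread(target=_fake_team_server, args=(ts_side, seen), daemon=True)
    server.start()
    stage = external_c2_handshake(client_side)
    reply = relay_once(client_side, b"beacon-metadata")
    client_side.close()
    server.join(timeout=5)
    return {"options": seen, "stage": stage, "reply": reply}


if __name__ == "__main__":
    print(run_demo())
```

The cloud-storage variant referenced above sits on top of exactly this loop: instead of a socket to the Beacon, the controller reads Beacon frames out of the storage service and writes the team server's replies back into it, which is the "additional layer" the next slide counts as a disadvantage.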
15. DISADVANTAGES
● Requires an additional layer between the Beacon and the third-party service, and
between that service and the team server
● Very few examples are available
● Very, very hard to purchase if you are outside the USA or Canada
17. WHAT IS IT?
An extendable platform for building remote access shells that use different cloud
services as the communication layer, written in C# and .NET
All code will be available here:
https://github.com/german-namestnikov/cloud-shell
18. C# & .NET
● A lot of APIs for different cloud services
● Lets us implement module support for our shell
● Makes AV evasion easy *
* but gives us huuuuuge binaries (with ILMerge or .NETZ) :(
21. RESULTS
● Fully-featured remote command shell working over the Google Drive service
● File transfer in both directions
● Multiple sessions support
● In-memory execution of PowerShell scripts
23. CLOUD SHELL TODO LIST
● Internal encryption for cloud communications
● Wrappers around other cloud services
● Advanced usage of cloud service features (sharing, versioning, etc.)