BUILD YOUR OWN
CLOUD SHELL
German Namestnikov
1
WHOAMI
● Part of “Sberbank of Russia” Red Team
● Wrote some articles for Xakep.ru and
PentestMag.com
● OSCP, SLAE
german.namestnikov@illegalbytes.com
https://t.me/r3turn0riented
2
MOTIVATION
Approaches to build communications between malware and C&C
3
WHY LEARN COMMUNICATION CHANNELS?
● We do adversary simulations and must test different techniques before
they are used against us
● A properly chosen communication channel beats IPS/IDS
● The topic of communication channels is undeservedly neglected compared to
other areas
4
CLASSIC WAYS
Over Internet & Transport Layers
Connect with C&C using “sockets” or “raw sockets”
Examples:
● reverse_tcp
● bind_tcp
● reverse_udp
● bind_udp
Over Application Layer
Connect with C&C using HTTPS or other Application Layer protocols
Examples:
● reverse_http
● reverse_https
Over other well-known protocols
Hide malicious traffic inside DNS/ICMP/etc.
Examples:
● reverse_dns
● icmpsh
5
CLASSIC WAYS DISADVANTAGES
● Communications over Internet & Transport Layers
can be blocked and caught by FW & IPS
● Transfer of malicious data over the Application Layer
can be detected and caught by FW, IPS and Protocol Inspection
● Hiding inside DNS/ICMP/other
is usually very noisy and may trigger an investigation
6
THIRD-PARTY SERVICES
Using Twitter, Facebook and other services to build a communication
channel between malware and C&C
7
ADVANTAGES
● It is always nice when someone else maintains your needs :)
● Lets malicious traffic hide among the “white sheep”
● Increases the time between detection and successful investigation
Example
https://nakedsecurity.sophos.com/2017/01/25/potential-phantom-menace-found-on-twitter-a-star-wars-botnet/
8
DISADVANTAGES
● Requires multiple pre-registered accounts *
● Requires bypassing service security measures (captcha, JS, etc.)
● If the data is publicly visible, this method needs steganography
and/or cryptography
* but not always: https://xakep.ru/2017/12/26/malware-cnc/
9
CLOUD AS A THIRD-PARTY SERVICE
Software as a Communication Channel for Malicious Operations
10
CLOUDS… SO DIFFERENT!
11
CLOUD AS A THIRD-PARTY SERVICE
Cloud communication channels let malefactors maximize the advantages
of third-party communication layers and minimize the disadvantages:
● Traffic keeps looking legitimate
● Hard to investigate
● No service security measures (captcha, JS checks) standing in the way of operations
● Provide “private” data storage
12
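The defender's counterpart to the slide above: because the destination itself looks legitimate, a blue team cannot block cloud-storage API hosts outright, and instead looks for the one property an implant polling a shared drive cannot easily hide, a fixed request cadence from a single client to a single host. The following is an added example, not code from the talk or from the cloud-shell project; the proxy log lines are constructed, the host list and the thresholds (at least six requests, coefficient of variation of the inter-request gaps at most 0.2) are assumptions chosen for illustration.

```python
"""Beacon-cadence check over proxy logs for cloud-storage API hosts (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Legitimate clients talk to these hosts all day, so presence alone proves nothing;
# the signal is a near-constant polling interval from one client. (Assumed list.)
CLOUD_STORAGE_HOSTS = {
    "www.googleapis.com",      # Google Drive REST API
    "drive.google.com",
    "s3.amazonaws.com",        # Amazon S3
    "graph.microsoft.com",     # OneDrive via Microsoft Graph
    "content.dropboxapi.com",  # Dropbox
}

# Constructed proxy log. Format: "<ISO time> <client> <host> <method> <path> <bytes>"
# 10.1.2.3 polls the Drive file list every 30 s (implant-like cadence);
# 10.1.2.7 is a human-driven client with irregular gaps and an upload;
# 10.1.2.9 is regular but not talking to a cloud-storage host.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.1.2.3 www.googleapis.com GET /drive/v3/files 612
2024-05-01T10:00:30 10.1.2.3 www.googleapis.com GET /drive/v3/files 612
2024-05-01T10:01:00 10.1.2.3 www.googleapis.com GET /drive/v3/files 614
2024-05-01T10:01:30 10.1.2.3 www.googleapis.com GET /drive/v3/files 612
2024-05-01T10:02:00 10.1.2.3 www.googleapis.com GET /drive/v3/files 612
2024-05-01T10:02:30 10.1.2.3 www.googleapis.com GET /drive/v3/files 613
2024-05-01T10:00:05 10.1.2.7 www.googleapis.com GET /drive/v3/files 9031
2024-05-01T10:07:41 10.1.2.7 www.googleapis.com POST /upload/drive/v3/files 204811
2024-05-01T10:21:03 10.1.2.7 www.googleapis.com GET /drive/v3/files/abc 4120
2024-05-01T10:54:19 10.1.2.7 www.googleapis.com GET /drive/v3/files 9102
2024-05-01T10:00:10 10.1.2.9 example.org GET /index.html 1200
2024-05-01T10:00:40 10.1.2.9 example.org GET /index.html 1200
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, _path, _size = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def cadence_score(times):
    """Return (mean gap in seconds, coefficient of variation of the gaps),
    or None when there are too few requests to judge a cadence."""
    if len(times) < 4:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beaconing(text, max_cv=0.2, min_requests=6):
    """Flag (client, host) pairs that poll a cloud-storage host at a steady interval.
    Returns a list of (client, host, mean_gap_seconds, cv) tuples."""
    hits = []
    for (client, host), times in parse_log(text).items():
        if host not in CLOUD_STORAGE_HOSTS or len(times) < min_requests:
            continue
        score = cadence_score(times)
        if score is not None and score[1] <= max_cv:
            hits.append((client, host, round(score[0], 1), round(score[1], 3)))
    return hits


if __name__ == "__main__":
    for client, host, gap, cv in find_beaconing(SAMPLE_LOG):
        print(f"steady polling: {client} -> {host} every {gap}s (cv={cv})")
```

A cadence check on its own is cheap to defeat with sleep jitter, so in practice it is one signal among several: pair it with a baseline of which processes on a host normally talk to which storage APIs, and with volume profiling, since a shell channel shows small, frequent reads and writes rather than the bursty transfers of a sync client.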
EXAMPLE - EXTERNAL C2
Cobalt Strike External C2
allows third-party programs to act as a communication layer between Cobalt Strike and its
Beacon payload
Description
https://www.cobaltstrike.com/downloads/externalc2spec.pdf
Amazon S3 Bucket
https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/
13
EXTERNAL C2 FLOW
14
DISADVANTAGES
● Requires an additional layer between the beacon and the third-party service, and
between this service and the team server
● Very few examples are available
● Very, very hard to purchase if you are outside the USA or Canada
15
CLOUD SHELL
Build your own cloud shell (finally!)
16
WHAT IS IT?
An extensible platform, built with C# and .NET, for building remote access shells
that use different cloud services as the communication layer
All code will be available here:
https://github.com/german-namestnikov/cloud-shell
17
C# & .NET
● A lot of APIs for different cloud services
● Lets us implement module support for our shell
● Makes AV evasion easy *
* but gives us huuuuuge binaries (with ILMerge or .NETZ) :(
18
BASIC ARCHITECTURE
19
GOOGLE DRIVE SHELL
As an example of what you can implement with Cloud Shell
20
RESULTS
● Fully-featured remote command shell available via the Google Drive service
● File transfer in both directions
● Support for multiple sessions
● In-memory execution of PowerShell scripts
21
DEMO
22
CLOUD SHELL TODO LIST
● Internal encryption for Cloud Communications
● Wrappers around other Cloud Services
● Advanced usage of Cloud Services features (sharing, versioning, etc.)
23
Thanks!
Questions?
https://github.com/german-namestnikov/cloud-shell
german.namestnikov@illegalbytes.com
24