
Evading C2 Detection with Asymmetry

BSides Philly · 2018 · Published 2018-11

About this talk
Andrew Johnston and Anthony Morrow demonstrate techniques for command-and-control evasion by leveraging legitimate Windows tools and protocols to blend malicious traffic with normal business activity. The talk covers synchronous vs. asynchronous shells, PowerShell-based data exfiltration, and asymmetric communication channels that avoid traditional detection signatures. Defenders' countermeasures and the shift toward anomaly-based detection are also discussed.
Transcript

All right, welcome back everybody. Hope you guys got a nice lunch. We have Andrew and Anthony here to talk about C2 evasion, and, let's see, well, without further ado, please give a nice warm round of applause for Andrew and Anthony. All right, let's take this off.

Hi guys, thanks for coming. I'm really glad at the turnout, because I figured after lunch people would go and take naps or answer emails or something, so glad to see y'all come. Thank you. Today we're going to be talking a bit about evading C2 detection with asymmetry. My name is Andrew Johnston. My name is Anthony Morrow. And, yes, we'll pass back and forth. So during the day I work as a proactive cyber security consultant for Mandiant, so basically I break into a bunch of different networks. I also am a lead researcher at Fordham University, where I'm looking at using AI to fight terrorism online, and I am also a student at Fordham University, undergraduate, about to graduate, whoo.

I'm currently sleep-deprived, and I also do the research that he just mentioned, so I sort of manage this sort of AI development at the lab. He's sort of the brains of the operation, I'm kind of maybe the brawn, I don't really know what I'd be, but he tells me what to do and I do it, and it's a relationship that works out pretty well. So before we begin we have to give the standard disclaimers: if you want to use this information to commit crimes, that's on you, we're not advocating for that, and anything we say up here, that's our opinion, please don't hold it against Fordham or Mandiant or anyone else. And I'm not going to read that long blurb because there are way too many words, but essentially anything we talk about today, we're not telling stories from a specific client; this is more the amalgamation of our experience rather than a specific reference. So if you're a client of Mandiant, or if you're interested in becoming one, we're not calling anyone out, this is just what we've seen.

All right, so why are we here? Well, your malware is bad and you should feel bad. No, I'm kidding, but basically we're going to go over sort of what's currently out there, and what we have right now is, you know, your basic beginner malware that is convenient to use, but it's very noisy. So you're probably familiar with the standard techniques: if you're setting up a C2 server, you probably register a nice-sounding domain name, you probably go to one of the categorizers and try to get it in there. But this is really cat and mouse, and this is not a game we want to be playing, because for everything that we do as red teamers, the blue teamers are quick to pick up on it and come up with countermeasures. So wouldn't it be a lot nicer if we could make malware that just looks like normal activity? Sure.

So the first kind of shells, right, the early C2 servers, it's stuff like you see in Metasploit: it's bind shells, it's reverse shells. We call these synchronous, right, it's one long session, and they're nice because everything's really fast; if you send out a command you get the results as soon as it's done, and it's really easy to set up, there's a bunch of different support for them across different frameworks. But they're far from perfect. For starters you have this domain categorization problem, and you have to do a lot to make it look normal, but that becomes really hard, because the longer these sessions last the more they're going to raise some eyebrows on the blue team, right? If there's some workstation that's had a connection to a host for 27 hours, that's going to make someone say hmm, you know, why is that? And that's not a place where we want to be.

And the next step you can go from there is what you'd call asynchronous shells, like Empire and Cobalt Strike. They're less frequent connections over HTTP; you can sort of put them onto the host and you can have them send stuff back to you at a certain set amount of time, be that, what, five seconds, maybe an hour, maybe a day. It's slower, but the pros of that is that it ends up being less noisy. There's a lot less network traffic, for one, and you can also do things like limit the network traffic to times in which there is actual business going on; you don't want something sending something back at like 3:00. Yeah, like who's working at 3:00 a.m.? It seems pretty suspicious. Yeah, and these beacons are still not perfect. They are a lot better than what Metasploit will give you out of the box, but even if you have a good domain and it's categorized, it's still new, or at least newish, and if you're a defender, if you're really monitoring your network and trying to look for anomalous traffic, and all of a sudden you see a website that you've never seen before and there's 50 people who are all connecting to it almost six thousand times a day, which is about eight hours at, you know, checking in every five seconds, that's still very strange. That doesn't look quite like what a regular person is doing, and it leaves a lot of artifacts on the network, and it gives blue teamers a real head start in terms of figuring out what's going on.

So the question becomes, what can we do better? Synchronous shells, these asynchronous products, this is kind of what's out there, and you really have to choose between the two, and so far there hasn't been a lot of discussion as to alternatives to these two models when it comes to building out a C2. Until now, that is. So we thought, this asynchrony that we just talked about, why don't we just replace that with what we like to call asymmetry? And we're going to explain that right now. So like we just said, the basic framework that we've been talking about, I mean we just said it, but again: the beacon asks, can I get a command from the C2 server? The C2 server says, yeah, here you go man, here's a command. And the beacon takes those results and sends it back to the same C2 server. And we see that as a sort of symmetrical setup: the beacon, we check in with the attacker, you provide the command, and you send the data off on the same source. Yeah, so this creates a problem, because you have to use this one channel so much. You have to jump through a lot of hoops just to make the network traffic look normal and make it blend in with the other day-to-day business activities, and if a blue teamer does decide to check out your C2 website, you've kind of lost at that point. These websites don't look normal, they don't have any of the affectations that a real legit site that a lot of people were using would have, so it's kind of game over the second someone decides to look into your server.

Okay, so we thought, if there's three different aspects of C2 communication, why don't we split those three things up? We could use different websites and different services to kind of disperse our traffic and make it look a lot more normal, and we call this asymmetry because it's no longer going back and forth; it's across a bunch of different places. And if we're going to do this, why not target the thing most users are going to be using, Windows PCs, if not all of them, and abuse that with this? So wouldn't it be cool if we could just use PowerShell, which is already built into all the machines? And for me, I am mostly of a software engineering background, you know, being able to use something that can even access things like the C# library for whatever you want to use is pretty powerful, and we're going to get into that a little bit later.

So before we jump into the next part we just have to say that we were asked not to mention specific services or websites that you could do this with, but instead we're just going to talk about general categories of websites and also give you some metrics and a framework for identifying new websites that we might not have thought of that can do these same things for you. So we're going to ask you to use your imagination a little bit, just that way we don't have to drop any brand names. So the first part of the C2 cycle is obtaining commands. This is by far the easiest to do in an asymmetric way; it's something that people are really doing anyway, right? It should be able to blend in with what an average person might do over the course of a workday. So what kind of things fit this profile?

Social media of course jumps to mind. Almost every site nowadays allows you to have a public profile and you can put just about whatever on it, and it would be perfectly consistent with normal user behavior just to have malware that goes and checks one of these social media sites and pulls down a post and uses that as its next command. And also thinking from a business environment, once again, a lot of these businesses use standard communication tools, IM, to communicate with colleagues and bosses and stuff like that, and that's also another factor that we can use for this type of implementation. You were even talking about the fact that it doesn't even need to be within just one business; some communication software can actually be federated. Yeah, so a lot of IM clients nowadays are federated, so although people see them as still internal messaging tools, you can actually connect them to the external world, and if you can send arbitrary messages to arbitrary people then it makes for a great C2 channel. And one of the other things we thought about is that it doesn't necessarily need to be social media. A lot of sites nowadays are encouraging user interaction and have comment sections, or they have dedicated forums that you can utilize and just use to make public posts that the C2, or the victim, can then grab. Yeah, it's pretty flexible.

So a bit more challenging is the beaconing and returning-data side, because you need a way to submit data to a website, and that's not too hard if you can use something like an API or a cookie, but the problem with that is it doesn't really scale well. Most of those things have rate limits, and if you start installing your malware across a dozen or more machines you're going to bump into that really quickly. And so you need to kind of look for sites where you can submit data without necessarily having to log in first. And one of the ideas we have, it's not exactly ideal, but what you could use is a unique string, for instance, and put that into a post, and if you can go through each post and identify that string, you know that that's your post; you can remove the rest of the noise that's within that website. Yeah, and so in terms of identifying good sites and services to use for beaconing or to exfiltrate data, just think about things that are already on the machine, things that the user is probably pre-authenticated to for you, so you could leverage those just to access already, because you don't have to deal with managing a session. So in terms of sites and services: paste sites, right? I'm sure we're all familiar with different sites where you can throw a little piece of code or something, you get a unique URL, and then you can send it to all of your friends. Well, oftentimes these sites let you search too, and so if you're putting in a unique string, right, something that really only you and the victims should know, you should be able to search through the new posts and pick out which ones are your data. Then again, we already mentioned the business-oriented IM applications that are used by nearly everybody in, you know, environments.

So you're probably wondering, is all this hard to do, right? We're talking about all these really cool ideas, but is it something that's actually possible? And you probably think too that it would be possible if we could put a whole bunch of software and tools on a system, but that's really noisy, right? Nobody wants to leave stuff on an endpoint. And so we're telling you that idea is wrong. And I have to admit, I actually just put this slide in the presentation because I loved that GIF and I was looking for an opportunity to use it. So yeah, I just really can't get enough of it. Memes really elevate the experience, we feel. Oh, absolutely.

Okay, so here's an OPSEC implementation. Like I said before, PowerShell is already on pretty much every modern Windows installation, and it is our friend. Thank you, Microsoft. For instance, there's a cmdlet called Invoke-WebRequest, which is basically the equivalent to curl. It's not exactly the same, but you can make GET and POST requests with it, and the cool thing is that it will return you an HTML object that you can parse through, so whatever website you want to ping with that thing, when you get it back you can go through the HTML and find what you need pretty quickly, if you know how the site is structured. Yeah, you don't have to use an awful regex, at least not too much. The really cool cmdlet that we noticed is Send-MailMessage. I think it's an incredibly powerful tool, because you don't have to authenticate to it and you can even attach files from the command line. So all in one command you can not only send an email with a body to any old person, but you can also just point at files on the hard drive and they'll just automatically be attached. That would be a lot more difficult without a tool like that, but PowerShell just makes it really easy, and it really opens up email as a vector for data exfiltration. And also, it's not much in here, but if you needed a little bit more power, pun intended, like I said, you can hook into the C# library and get crazy if you want to. You can use your imagination; there's plenty of other things that we haven't mentioned on this slide that you could try using, you know, go crazy.

Yeah, so why PowerShell? We really make the argument for PowerShell from an OPSEC perspective, right? PowerShell is powerful, but so are many other things, but the nice thing about PowerShell is that you can really go fileless with it, and you've probably seen some techniques between using WMI and using the registry that you don't actually have to drop anything onto the system, and you can also set up events so that you're really only operating in business hours, and that just makes things nicer because you don't have to plant additional software in order to handle those kinds of aspects of it and make sure you stay clean.

So if you wrap all these things together, what exactly do we end up with? Well, we think you end up with something that's pretty nasty: you have fileless malware that uses built-in Windows tools that are across all sorts of business machines that you may be targeting, it uses standard protocols and only communicates during business hours, so there's nothing fishy going on there, you know, past office hours with things getting sent, and it uses common whitelisted websites that are also not going to look suspicious. Like, it's not going to say thisisalegitimatewebsite.com/ru; it's going to be something that, you know... I mean, this sounds a little bit different from your standard malware, I'd say. Yeah, there's no files; almost all of the indicators and almost all the things that a defender would commonly think of when they think of identifying malware or identifying an active breach, a lot of those are missing, and that's why we think that this is a really awesome technique.

So the question becomes, what can defenders do in order to counter something like that? And the answer is nothing. Red team has officially won, we can all go home, we're all just done for, and Nelson's laughing at you. But for real, the first thing that really has to be done is, if the business isn't doing it already, they really need to start decrypting SSL. And I know this isn't possible in all circumstances, and HSTS is just going to make that even harder, but it's still incredibly useful, and the more attackers start to leverage these non-conventional ways of getting commands in or exfiltrating data back, these aren't going to be on unencrypted channels, so if you don't have any ability to decrypt SSL then you're not going to be able to see a lot of what's going on, and it's going to make it really hard to identify.

And another thing you can do if you're an administrator: please, please disable PowerShell. I mean, he has more experience than I do, but the stories he's told me of the type of people who actually have access to PowerShell... I don't think a graphic designer is going to need PowerShell running on their computer. I mean, if they do, walk with God, I don't know how you even do that. But we realize this is much easier said than done; PowerShell can rear its ugly head in so many different ways, but even just making the attempt to try to lock it down goes a really long way. Yeah, I think I'd rather deal with the IT tickets of people demanding PowerShell than just leave it open for everybody and be open to these kinds of attacks.

So in terms of coming up with a really good solution to counter things like this, you kind of have to break out the stats textbook and start looking at anomalies from that perspective. You know, machine learning, exactly those words. So if you look at the network traffic over a typical day or a month or a year at your organization, you'll be able to get a pretty good understanding of what websites are visited and how often. So say a popular social media site is visited at least once a day by 15% of your total user base. This is something you can monitor and track over time, and if all of a sudden there's a tremendous spike in usage of this one site, that's something that could trigger an investigation, and that's kind of the way that defenders are going to have to think in order to counter these new channels that aren't using, or rather, they're using, common websites.

And we've given you the attacker's perspective and the defender's perspective, and what you end up with, as always, is the cat-and-mouse game. Attackers are always going to try to refine this implementation that we've just talked about, and we listed a few ways right here. For instance, if you have encrypted traffic you can try using English words in place of those letters. I mean, it'll look weird, but it won't get picked up immediately as something that's, well, it won't look like something that's entirely suspicious, at least not immediately. Yeah, as red teamers we can continue to look for new sites and services that we can use and abuse in these ways, and so it's not just a matter of blocking a particular website. This is a much more systemic issue that's going to require a more concerted defense effort, and defenders, unfortunately, are definitely on the harder side of this battle. They don't really have an option but to just constantly be aware of what's going on in their network and to really become a purple team member. Threat hunting is the new standard, and defenders need to be looking at these different things and exploring these different kinds of metrics in order to identify what threats their network might be posed. Likewise, I feel like defenders kind of have to accept that breaches will happen no matter how good you are, and what really makes the difference between a very successful breach, or a very damaging breach, and one that has minimal losses is a good IR plan. So you might not be able to counter every one of these threats, but if you have a process in place for who you call and how you handle these things, you can really minimize the loss from any one attack.

And yes, just to wrap it up, what are the key takeaways here? So the standard definition of a C2 right now is a bit rigorous, and we feel like if you do something like asymmetry you can sort of break up this definition to be a lot less detectable by sort of changing what it means to have a C2 server. And like we already mentioned, there's plenty of websites and services that you can use for this implementation, and not even just websites in general; like we said, pre-installed applications are sometimes very common across computers, and these can be used in place of the old C2 channels that we're used to. Yeah, and we just want to say that we're not advocating for an abandonment of the old ways. Obviously still a lot of attacks happen with a standard C2 model, and things like domain whitelisting are going to be useful for many years to come, so we're not saying abandon the old techniques, but rather just that they're insufficient for new malware and for the ways that attackers are going to be moving as we go on. So defenders, we can't emphasize this enough, really need to become threat hunters and become part of the purple team, and really, before there's a breach, do active inspections of what kind of activities people are doing and what normal looks like, because of course that's very hard for a large organization, but you need to have some sort of baseline to be able to understand these new attacks and be able to recognize when something goes wrong. And it's a lot harder done than said, or the other way around; it's actually very easy to say.

And hopefully coming soon to a GitHub near you. We ran into a speed bump with this talk: we were going to show you the nitty-gritty of our implementation for something like this, but unfortunately we weren't able to do that. Hmm, well, why are you looking at me? Yeah, yeah, it turns out my boss is not okay with me just releasing a whole bunch of malware without getting permission first. So we're working on it. We're saying please stay in touch, because we have a lot of cool things we want to share, and we think it's useful both to red teamers for future engagements as well as for blue teamers, just to kind of play around in their environment and to see what works. But unfortunately we can't talk about it today, but please follow us, and here's some information on how to contact us. First, sorry, I've got to plug the brand, man. So I work for Mandiant, which is the consulting arm of FireEye, and it really is a great company to work for, and just like pretty much everyone in this space, we're growing by leaps and bounds every single quarter. So if you're interested in being a hacker and being a proactive consultant, or doing incident response, or even working on some of our products like the FireEye Helix line, we're definitely hiring, and I'd be more than happy to talk to you either now or afterwards. I should be around for the better part of today, and if you have any questions too about the kind of stuff you would need to know or just what life is like, we'd be happy to answer that. Or also, we're both Fordham alums, so we are alumni and we would love to talk to you a bit about Fordham and the cyber security master's there. Okay, here's our contact info. So, questions, comments, complaints? Throw the sandwiches at us from lunch. Yeah, thank you.

Good question here. So I saw in one of the last slides there was mention of C2-less malware. Do you have any ideas of what kind of things you're thinking in that regard? Because I would assume that effectively everything has to communicate outbound in some capacity at some point for it to be worth it, other than, short of deleting data. Sure. So what we were talking about there in terms of C2-less is the idea of the stereotypical C2, right, a box spun up on a cloud hosting provider with a whitelisted domain name. That idea of a C2 isn't necessarily a given if you're using these asymmetric kinds of channels. So yes, if you're looking at it from a framework perspective there will always be something that's acting in place as the C2, that's receiving data, that's sending commands, but it might not just be one server, and it might not be something that the attacker necessarily controls. Any other questions?

So what if you monitor Invoke-WebRequest? Does that completely stop this, or do you have a way around that too? So Invoke-WebRequest is just one way that PowerShell can communicate with a host. It makes it very easy because it has a great interface, but there's a couple of different ways that you could connect to a web server with PowerShell. Also, I tend to hazard against suggesting blocking any one cmdlet, because oftentimes there's another way to invoke the same commands. Take for example IEX, right, Invoke-Expression; that is often the first stage of malware being executed. It's easy to block that one, but as soon as defenders started doing that, attackers just found different ways to call the same command line. Other questions?

I just want to ask you, I saw beaconless on there, and maybe it's kind of what you were referring to. Can you get a little more detail about when you say beaconless? I know you did touch on it, but when I think of beaconless, right, you think of like a client calling out, you know, asking for something to do, right? Mm-hmm. Okay, so yeah, well, we were seeing beaconing to something, right, that you're going to do every couple of seconds with a jitter applied to them, and you're just, you know, you're logging into some website and you're looking for something, and that's not necessarily what's going to happen, right? Especially if one of the things that we've been thinking about is really limiting our malware to the point of really just being a toehold most of the time, so it doesn't actually need to go get any additional commands, because it has everything that we want it to do already built into it, and that's oftentimes much more effective than having to put on a much more encompassing malware that has more features and might accidentally use some software hooks that could then get picked up by different endpoint solutions. Okay, so you talk about kind of pre-packaging it, so you have a very specific goal in mind, you infect a host internally, and then there's no more real communication between you and them; they just kind of know what they're doing and they send the information outbound. Absolutely, yeah. One of the things that we were working on was the idea of using these in conjunction with a toehold malware, so it's just on there. What we see a lot of red teamers do is, every computer they're interested in, they just put a beacon on it, and that becomes very noisy. So combining something that's more of like a toehold, and you can just get whatever data, whether it be Mimikatz or something like that, off of the system, and then you have something on there should you want to escalate up to something like a full beacon session, but it's not necessarily doing anything in the meanwhile; it's just waiting to be activated. So beaconless in that sense. Okay, so I'm just rounding it back out. So say you did want to escalate, or do more on there, or turn it into a full-blown beacon; if it's not communicating out, then how would you enable that? Sure. So it could be as simple as, assuming that you still had code execution within the environment, you can use WMI remotely, right, you could change a system parameter or something which could then invoke the rest of the malware to go and download a full beacon from a different place. So I guess if you want to be very precise, you could consider a beacon to be something internal to the system, right, checking a system setting or checking a registry key. But we always see beacons as something that's going across the network, so that's an assumption that defenders really can't make, we feel. Okay, any other questions, guys?

Are you seeing a lot of malware in the wild that's using these techniques? So the closest thing we've seen is, yeah, there's actually a paper on it by FireEye. It's called HAMMERTOSS. It was attributed, I believe, to Russian actors, and it used social media as a C2, and that was kind of the impetus for this, as we thought, wow, how can we extend something like that? What's the future, right? If we know that attackers are already looking at these third-party services as ways to deliver malware or to stage things, what's going to be next? And we thought that this kind of asymmetric model is what we're seeing a shift to. But yeah, this is still very much early and we haven't seen a lot of examples of this yet. Other questions, guys?

So I'm just wondering what, if any, thoughts you had on the strengths and advantages of this approach versus maybe something like domain fronting for communication. Sure. So yeah, domain fronting is definitely a hot topic now, and I've used it with some mixed success, but ultimately, oftentimes it can be defeated by SSL decryption, right, because you're going to look at something being connected to a host and there's a different Host header. It's definitely harder to do and maybe not practical in all circumstances, but I feel like it is recognizable. Not to mention, I feel like a lot of common targets that people use when they're doing domain fronting, from my understanding, don't particularly like being used in this way, and they're certainly looking to kind of stop that. Not to mention there's also problems I've seen with caching; even if you turn caching off on these different fronting setups, sometimes bad things still happen, and it's not a very consistent channel. And just to add to that, because I'm kind of familiar with this area, Palo Alto, in one of their new OS releases, if you do SSL/TLS decryption, does have the ability to detect domain fronting. Yeah.

So I imagine you're testing these techniques live, but you're also testing the statistical approaches for detecting them. Give us a sense of what levels of success you're getting on the detection side. I'm sorry, can you repeat that? So you mentioned that you're working on some machine learning, AI-based approaches to detecting this. Can you give us a sense of what levels of success you're seeing in detecting this sort of C2 traffic? So we definitely both love making models and we're exploring a lot of things in this area, but we don't really have anything yet, especially in terms of a final product or a final model. So yeah, although I anticipate, because our research is in a similar area in terms of machine learning, I imagine that you are going to have a real problem; any time you're doing anomaly detection with machine learning it becomes a real class imbalance problem. So yeah, we're far from suggesting that a solution like that is easy, but we just saw that basic anomaly detection using a normal distribution, some p-values, is something that is possible if you have a good SIEM, some good logs. Thank you. Any more questions, guys? No? All right, everybody, please give Anthony and Andrew a hand. Thank you, guys.