
Not my server C2: Using trusted sources for C2

BSides SATX · 2020 · 49:23 · 113 views · Published 2020-08

Category: Technical
Team: Red
Style: Talk

About this talk

Title: Not my server C2: Using trusted sources for C2
Presenter: Brandon Helms
Track: In The Weeds
Time: 1600
Event: BSides San Antonio 2020, July 11th, San Antonio, Texas

Abstract: I am not saying security is perfect but it is getting better. This requires offensive personnel to find crafty ways to gain remote communications to their clients. Instead of using your untrusted infrastructure, why not use trusted infrastructure approved by your target (**cough Slack)?

Speaker Bio: Brandon Helms currently serves as Rendition Infosec's Chief Operations Officer and has dedicated most of his career to leading some of the most advanced cyber operations for both the DoD and private sector. Brandon was a Chief Petty Officer in the U.S. Navy where he ran IT and security operations for fast-attack submarines. Afterward, Brandon transitioned into an operator and technical director for the DoD. After his military career, Brandon entered the private sector as a Business Information Security Officer supporting the defense of numerous Nation States and Fortune 100 companies. Today, Brandon focuses most of his attention around exploit development, malware reversing, and training the next generation of cybersecurity professionals. When Brandon is not working, you can find him chillaxin with his daughter in San Antonio or on a mountain somewhere snowboarding.

Transcript [en]

Okay, hey, thanks everybody. So this talk is Not My C2, or Not My Server C2: Using Trusted Sources for C2. So what that really means is, over the course of the last 15 years we've all built our own RATs, our own payloads. We've all had our own infrastructure, our own C2 architecture, and it kind of evolves, because at the end of the day it's that cat-and-mouse game of the attacker versus the defender. So this talk is just more focused around how me and my team have evolved and how we've started using SaaS as our primary target for C2, and then it also goes through how we talk about different types of payloads that we use for our engagements.

So with that, my name is Brandon Helms. I'm currently an engineering manager of security for a company called Remitly. I'm ex-Navy, some three-letter agencies, prior exploit developer, and then first and foremost I am a gymnastics dad. Got an awesome daughter who loves gymnastics, so I don't get to spend 18 hours on a computer anymore. That being said, if you ever want to follow me on my GitHub or on my WordPress, go for it. I have a Twitter handle as well. My partner, who couldn't be here right now, his name is Daniel Gordon. He contributes a lot to the open source community. He's an Air Force master sergeant, and him and his family, they're trying to be the next Partridge family.

So what are we talking about today? We're gonna talk about the C2 evolution. I think everybody pretty much knows it, so we're just gonna kind of hit on some of the highlights: the pros and cons, how we evolve. And then we're gonna go straight into the stages of payloads. I think a common misconception is that you have to load the first stage and then it always has to load the second stage, and I think in practice, when you get into more of the advanced scenarios, there's a time and place for each stage, and understanding what's in that stage and why you shoot that stage is really critical, because at the end of the day, if you end up writing your own, we'll say, C2 malware payloads, you don't want them to get burnt, because then you spend more time trying to figure out what signatures got baked in so you can remove them. Afterwards we're going to go to what is actually needed to build a C2, so we're going to go over the basics, and then we're going to move into the "why attack SaaS." I think it makes sense for most people, but we're gonna talk more granular about the reasons we chose to and why it's
becoming easier and easier for us to pivot through that. And then we're gonna shift into that mindset of, okay, we're no longer hackers but we're defenders, so how do we actually defend against these networks when an attacker comes in? And then we'll throw a pretty demo in there of a prototype tool that we wrote.

So, C2 evolution. Basically command and control is what this means, so any time you shoot a RAT, a remote administration tool, to a target. This could be Meterpreter, I think that's what most people are familiar with; this could be Beacon; this could be some of those IRC RATs; this could even go back to being like Poison Ivy, right? There's a common principle of a server-client relationship, and we want to be the server, because we don't want to have to log into each client to be able to interact with them. We want to be able to have the client run some application and then it directs its communications back to us, and then for us to be able to task it through our server interface.

So when we start talking about the history, we're going to skip a bunch of spots. This history has evolved a lot, but I want to talk about some of the big ones. The first one is IRC, so Internet Relay Chat. Why was this so awesome? Because you didn't really have to worry about the comms mechanism. You also didn't have to worry about the server piece of it, because you just logged into EFnet or DALnet or Rizon or some of the other ones out there that were commonly used, and then you just built your RAT to be able to speak directly to IRC. So the pros were the protocol was already there, the server was already ready to go, so you didn't have to worry about standing up your own infrastructure. The cons revolved around, like, IRC in the early days was fully unencrypted, so people could clearly see what you were doing, and most companies don't use IRC, so it's really easy to create network signatures in there to say, hey, check for a port 6666 through 6669, check for these domains, right? And so blacklists were easy to configure, so that way it stopped a lot of this. I'm not gonna say it stopped it all, and I can't believe that I'm still saying this, but I still see IRC traffic across a few networks that I've investigated over the years.

Then we move into COTS, so commercial off the shelf. I think this is what we're most confident with right now, because this really opened up our eyes to full capabilities. So we started talking about like Meterpreter, Poison Ivy, Beacon; we start
talking about Empire, right? The commonality with all of these is they're highly configurable, and while they don't have a GUI such as IRC, they do come with their own frameworks that you can operate in. So from that standpoint they're already built, you just have to take and deploy. The benefits here, right: you don't have to know how to code, these are very easy to set up, they're highly configurable, you can go out TCP 443 or any port you care about, right? It just depends; as long as your server is listening and the client can connect, you're good to go. The cons: most of these are heavy, right? If you look at a lot of the C2s that are being set up right now, being deployed right now, they want to come with every feature in the house. This means that they become easier to signature. So that being said, we want to kind of find that sweet spot, which is, how do I get the capabilities of some of these COTS tools, but how do I get them in a way that's not going to be signaturable as easy?

We're going to talk about SaaS in a minute, but before that, one thing I want to bring in is the social media aspect. I would say this is probably a big initiative about six, seven years ago, to where we said, hey, let's try to route C2 traffic through Facebook, Twitter, pick a social media thing out there, and I think there was a lot of interest, but it never really took off. And I think a lot of the reasons it never really took off in like a first-class fashion focused around the fact that corporations at that time, or companies at that time, they already blocked social media for the most part. I know now in 2020 it seems to be a common standard, but it's still a very easy mechanism for them to detect, if they decide they want to detect it.
So that takes us to the SaaS piece. So when we start talking about SaaS, we're talking about services, right? So this is where somebody else has a service, I subscribe to it, and they give me access to it. My favorite ones here are Slack and Microsoft Teams, the O365 suite, the Atlassian suite if you use Jira or Confluence, and then GitHub. The benefits about creating C2s through these environments is they already have trusted networking paths, and we'll talk more about that, so that makes it harder to detect, right? But that being said, the cons are there's still not a lot of tools out there right now. Like, you can create profiles in Beacon that can mimic it, but there's really nothing out there that says, hey, use Slack and it works, use Discord and it works. I know we're going to talk about one or two that's out there, but overall it still seems to be limited.

So when we started building this, myself and Daniel, we had this great thought process of, hey, how do I get through this environment that we're working in? And one of the environments that we were working in was a MacBook environment. They blocked everything other than business applications, but one business application that everybody ran was Slack. So that being said, we said, how can we get stuff out? And from my side of the house, we ended up building a basic C2. It was in Python, it interacted with some of the APIs for Slack, and then it gave us exactly what we needed and provided a lot of value to the client, to show that, hey, there are multiple ways we can get out of your network. Once we finished that, we decided to put this presentation together, and as we started doing our research we found out that Coalfire has an application called Slacker. It's a Go application that runs on top of Slack as well. So that being said, if you want to see a full-fledged, out-of-the-box, works-great one, Slacker is a great one. Another one that I haven't really invested too much in but I've heard about recently is the daac2, and it seems to have the same capabilities.

So before we start talking more about SaaS, I want to go through our stages of the payloads, because this is one of the areas that I feel that, as an exploit developer or as an attacker, we kind of skim over. We just assume staged or stageless, and we assume that there's no intermediate zones, right? So when we start talking about stages, let's go straight to stage zero. This is an environment where I have no
situational awareness of what the environment has, such as I'm phishing and I'm throwing at a company. I don't know what endpoint security they have, what network-based security they have. All I know is I just want them to execute, and I hope they have Windows or Mac or whatever my payload's built for. So in these scenarios you want to throw something as lightweight as possible, because if it gets caught, it's going to get shipped up to the cloud, it's going to be processed, and then you don't want to have to go rewriting these complex algorithms to be able to do something more complex. So when I look for a stage 0, what I'm really looking for is, can I get something that I can run commands on, that typically can interact with the operating system. This would be my directory listings, my IP configurations, delete files; it'd be great if I could upload or download files. And then we'll talk about a little bit more, like secret sauce, that we might want to bake into this. But with all our stage zeros, we should expect that AVs will ingest these, that they will get signatured, and that we might have to rewrite them. So as long as you're okay that you might have to rebuild a stage zero, everything's fine.

This moves us into the stage one realm. The main difference between a stage one and stage zero is a stage one typically works really well with that stage two. So that stage one is something that you should be able to deploy on a target where you have high confidence of what it is, but you're not quite certain that that's definitely it. It's probably going to reside on disk, so it's going to get sucked up to the cloud. Most stage ones, the end result is to get the stage two up there. But that being said, you don't always need to go in there. If the stage one has a capability to run commands, that should be good enough, and then you don't have to risk your super cool, expensive tool that you just built.

This takes us to the stage two, right? This is our heavy hitter. This is the one that has the keyloggers baked in, the screen recording, the Mimikatz, the capture traffic, the traffic shaping, like all those really awesome things that you wanted to build; that should be in your stage two. Thumb rules here: the stage two should never touch disk, right? You should try to keep it in memory where possible. You should never put it on a target that you haven't already vetted, to say that, hey, this isn't gonna get caught, right? So essentially how it would work from an engagement is: I throw my stage one, I've gained access to the target, that stage one has a capability to load the stage two directly in its current memory space, and whenever I feel like I'm in a safe environment and I've done my surveys, I made sure that I know what EDR solution, I made sure that nothing's gonna flag or pop it, then I'll load that stage two in that process space, and now I have my full tool suite. In the event that I've done my recon and I can't load that stage two, then my goal is to figure out how can I disable whatever that EDR or AV solution is so that my stage two would run. So once again, the big part: stage zero, expect to get caught. Stage one, if it gets caught, that sucks, but my main goal would be to survey to be able to upload my stage two, and then the stage two should never get caught.

So this takes us to what is actually needed to build a C2. So when we think about it, it kind of breaks down to a few things, and if you talk to anybody who's built any kind of RAT, they'll tell you, they'll say, hey, first I gotta choose a language, and then it always typically goes to their preference. A lot of this has to do with, hey, do I want this to work on multiple operating systems? Hey, do I want super easy
functionality? Is this just a prototype? The next piece is how do I want the network piece to be handled. A lot of times they just say, hey, let me implement just regular sockets and then we'll exchange data that way. But we're starting to get more sophisticated with our different malleable C2 profiles, with stuff like Beacon, or moving towards the SaaS or the social media route and posting to trusted sites, right? The next piece is the ability to execute tasking. What I mean by that is the ability just to run commands and be able to grab files, and then be able to make an educated decision of what next steps should be, right? And then we want to be able to interact with that data or play with that data, so we want to be able to send it back to us, we want to be able to send data to it, right? The last thing I want to say is, optionally, if you build a C2, if you build a stage zero, stage one, please, please, please bake in the ability to load a higher stage directly in memory, or load anything directly in memory. That way it just minimizes the risk, and when it comes to looking at memory-based security, there's been very few products out there that I've seen that will do a good enough job that it scares us to continue forward.

So, considerations around the programming language, right? I see a lot of applications these days using PowerShell, C#, and .NET. These are great, they're easy to learn, they're easy to work with. The problem here is Microsoft over the last few years has done a really great job of putting great mitigations in place. I don't know if you've tried to do like an Invoke-WebRequest in PowerShell now on a script that could potentially be malicious; it just stops you. It's like, you can't even disable me, I'm just gonna pull it, right? And they're taking more and more approaches to be able to audit. But at the same time, from a reverser standpoint, these scripts and C# files are easy to decompile, and so therefore you can see the source code, so therefore all that hard work you put in, a lot of it just gets thrown out the door.

So the next one's Golang. I'm seeing Golang jump up pretty high these days, mainly because it's cross-compatible and people seem to be very well adapted to being able to use Go language, right? It's easier to learn, it seems to be the new hotness. The problem with this is, for the cross-compatibility, it has to bake all its stuff inside of itself, so you're seeing these files blow up. This isn't a problem for the most part, but if you're in an environment that doesn't have any Go applications, it's really easy to see what application was built based off Go and then just put flags in there around that.

And then the last one before we get into ours is scripting, right? I see scripting more for the prototypes, and I know PowerShell is still a scripting language, but like this is more like the Python, Perls. These typically aren't used to gain the initial access; these are used when you got onto a machine through some unique access and now you're just trying to get that shell. This now takes us to old glory, or the C/C++ style of the house, right? These tend to be the hardest to code, but they're also the hardest to reverse, but at the same time they're also the hardest to detect, because most applications that are running on Windows environments, at least, are going to be C/C++ compiled. Also we can get really small with our file size.

The next consideration we should think about is that network protocol. So we talked about this a little high level, but for our kind of situation we wanted to make something that would bypass security in general. When I say bypass, not so much that it will bypass their defenses, but it'll bypass their
implicit trust. And by implicit trust, I mean like when people get SaaS in their environment, they typically say, hey, there's great security around this application, we'll have some auditing. But what they typically do is, to minimize business friction, they'll whitelist these applications, because the last thing you want to do is, if the company uses Slack or Microsoft Teams or GitHub in their environment, you don't want your security rules to accidentally stop any of that traffic, because now you get a business outage or you get friction with your developers. And so typically what will happen is they'll just whitelist that traffic and say, oh yeah, anything that goes to slack.com is just good. So what we do as attackers is we piggyback off that logic.

So when you're thinking about the network protocols, just keep that in mind. If you decide that you want to go with HTTP or some other protocol, then just keep in mind: do you want to blend in with the traffic, or do you want to try to hide? So basically, if I hide in plain sight, I'm going to try to use common protocols that are already in the environment. The DNS works great, the HTTP. If you say, hey, I just want to be sophisticated, then you might use custom encryption or something that doesn't blend in, to bypass the protocol analyzers.

For the executing tasks, right, a lot of AVs I'm seeing are starting to monitor whenever we hook directly into the command prompt. A lot of EDRs out there will be able to say, like, hey, I detected a cmd /c and some command. So when you're doing executing tasking, try to get as granular as you need. Like, if you need to do a directory listing, can you find a native command in that programming language that will list the contents of the directory without you having to touch command prompt or PowerShell? The next one is downloading and uploading files, same kind of concept, and then the ability to delete and modify files, right? So when we're executing tasking, typically if you get on a Windows machine, just in a command prompt you're not gonna have the ability to download or upload unless you're in something like PowerShell, so you might have to get fancy in this realm, and maybe you have to configure your client to be able to do that. And then when it comes to being able to run the OS-native commands, such as ipconfigs, typically every programming language that I've worked with has some native function to it.

This brings into the next question of, should I bake my code in, or should I reference the libraries that are already on the system? This is really up to you. If you want to make your application smaller in size, then try to reference anything that the operating system already has. That being said, this is going to make cross-compatibility a pain in the butt. So it's up to you: how big do you want your initial application to be? The bigger it is, typically the easier it is to signature; the smaller it is, typically the more you're gonna have to reach out to the operating system libraries. And that was one of the decisions that we actually had to make when we made ours. So the final thing to
consider is loading that higher stage. For ours, we ended up using something called sRDI, or shellcode reflective DLL injection. And so basically what that means is we have one special function that could be signatured, but from our assessment it's going to be hard to package. Basically we said we want the ability to be able to load a file or a DLL into my current memory space, pass it an ordinary export, and just have it execute in the current context, and then we chose sRDI. We got this from SilentBreak Security; they have great write-ups, we'll share it afterwards. But by having that functionality, it now means that when you go to try to detect our application, you now have to fight with other applications that are making those same exact calls, and that was our goal.

So now back to SaaS, right? So software as a service is a software licensing delivery model in which software is licensed on a subscription basis and is centrally hosted. All that means is OPP, other people's property, that you're renting or you're subletting from them, such as Office 365, Salesforce, GitHub, Jira, Slack. You probably have hundreds more in your environments; maybe not hundreds, but at least a lot more in your environments. The only reason I picked out these is because each of these had ways that we found we could interact with their APIs to be able to create the same functionality we did with our Slack bot. So while our prototype is in Slack, the concept of this is you can do it with anything, as long as you find the right APIs and as long as it's natively baked in, and that should create a great flow that's hard to detect. We already talked about this, but basically, if you're already going through a trusted flow, that means basically the network security is thrown out the door, meaning that now you're only fighting with the host-based security. So our favorite part is, if you already have ways out of your network to stuff like Microsoft Teams, then if I piggyback off of it, I no longer have to worry about, did my traffic get out. Also, their certificates will also be valid, they'll already have encrypted sessions, so you're just riding over all of that, making your life super easy.

Also, what I'm loving now is developers love when you bake stuff into their application, so what they try to do is they now document their APIs extremely well. They love giving examples, they love going to Stack Overflow giving you references. So by doing this, other developers integrate their apps with that SaaS product, and then as attackers we integrate our application with their product. It's glorious. So I put some links up here, and we didn't want to post all of these, because once again this is all about prototypes and we didn't want to create like four different RATs out there. But Salesforce has a great documented API. If you use their Live Agent REST monitor chat, you could essentially grab messages out of a chat log, send messages to that chat log, upload files to that chat log, and download files to that chat log. So if I can do that, then I can just refactor my client on my machine to be able to take that same logic and be able to download, execute, and task. The next one's GitHub, right? Have you ever thought about just taking a PR, right, or taking a comment on an issue, and be able to do the same type of communications, especially if it's in a private repo, because then nobody else is going to know? Slack, we just go to api.slack.com. Slack, you did a great job of documenting your API; love it, love it, love it. And then one of the lesser knowns that people don't really investigate too much into is Atlassian, or the Jira and Confluence, and I like going after this because I go to a lot of environments where they have Atlassian Cloud, or they have Jira Server on their on-prem, or their Confluence on-prem, so our traffic seems just to blend in really well. But I chose all these because all of these had some kind of chat feature or some kind of comment feature, and if you have that chat feature, that means you have client-server relations going back and forth, and if you have an API to be able to scrape that, then you can make a C2 riding over those comms too.

So this moves into the defensive side, because you never want to give a problem without some kind of solution. And unfortunately I'm not going to give a great solution, but I'm going to talk about things that we could try, but it's high friction to an environment. So from a networking standpoint, right, you're already blending in. This is more of a culture change that needs to happen,
which is we don't need to implicitly trust our SaaS applications out there. I don't need to put a whitelist that says, hey, anything that goes to Microsoft Teams is just good to go, I'm not going to monitor it, there's an audit log if I ever need to go to it. If you ever go to those audit logs, those audit logs don't get down to the granular comms between users for somebody else's server. Typically the best you can get is the logs for your current server. So that being said, let's create a little bit of friction and put a little bit more on our plate from a networking perspective, and let's just try to analyze it. If you want to get really fancy, you can do the SSL stripping in the middle, then you could try to break apart each packet, you could try to say, hey, this is going to our channel, this is going to somebody else's. I think if we go down that route, theoretically it would work, but I think from an implementation standpoint it would be an epic failure. But that being said, we could reach out to some of these vendors and say, hey, how can you protect us from X? And then this is where they could say, hey, let's look for short-lived Slack channels or short-lived Slack groups, and other monitoring places to put in place. Long story short, from a networking perspective it's tough and it's taxing.

This basically means that I'm not fighting the network, I'm only fighting the host. So if we focus with our application on making system calls that most calls make, and be able to control encryption from the host to whatever our server is, it's gonna really make it hard to be detected. Also, with the ability now for everybody to just compile their own application, you're going to be getting different hashes, so you're going to really be at the whim of how well your antivirus product's going to be able to do at heuristics. And then just a rule of thumb: the lighter weight the payload, theoretically the harder it is to signature.

So let's introduce Yet Another Slack C2 Bot. So when we went to the design table for this, we said, hey, what do we want? We want lightweight; we said we wanted it to be 80K. Yeah, we failed on that one, by the way, really hard. Turns out just the JSON implementation took us up to like 200K. But we did say let's make it as small as possible. Then we said, hey, let's minimize functionality so that it blends in with the system, and then we said, hey, can we go one step further, and can we add the ability that, if we're safe, can we load something else into our process space, such as another DLL? And then finally, when we got all that done, we said, hey, can we make sure that our RAT speaks Southern? So we'll see more of that in a minute. So let me try to kick to the demo right now. We're going to go live, because we had to refactor code very last minute.
Cool, so what you see here is, my top screen is my Windows workstation, and then my bottom screen is a Slack channel I set up. If you've ever tried to set up Slack, it's super easy. You go to slack.com and it's like, enter your workspace, and you can go, create me a new workspace. It's like, cool, what do you want it to be called? Tell me your favorite things. And then it creates you a Slack workspace, and the next thing you know, within a matter of minutes you have a Slack workspace. Then what you need to do is you need to go in and build an app. I know this sounds daunting, but it's really easy. All you have to do is either give it webhooks, or you can give it... I'm drawing a mind blank on what they call it. Oh, you give it an OAuth session, and then by giving the OAuth session you assign permissions to it. So for this one we need a read/write of chat history, we need the ability to create channels, and then we needed the ability to upload and download files. So we gave it those permissions, we said attach it to this Slack work group, or workspace, and then within five minutes we had a C2 up and running with a 99.999 SLA, because Slack loves that. So now all I have to do is worry about infecting people.

So in this scenario, we got on a box through RDP or something. We have our DLL here; right now it's called cpp.dll. So all we did was we said, hey, let's just rundll32 this, so we're rundll32 and then we're just gonna call export one. Oops. When we run it, we instantly see we get a notification into our Slack C2. What we did was we said, hey, we wanted to create a unique identifier, and then we said, well, do we want that unique identifier to be the same every time we go to a computer? And we said no, we might have multiple sessions, we want to be able to identify them differently. So if I run it again, you should see I get another unique ID. What you're seeing is a heartbeat. We have this in our debug mode because it just lets us know that we haven't died and we can interact with it. So the next thing I want to do is I want to be able to speak Southern to it, because I'm from south Georgia and my friend Daniel is from southern Mississippi, and we don't speak proper English for the most part. So we say "hey" and whatever our ID is, and then we put a comma, because that's grammatically correct, and I could be like "whoami". Oop, if I spell that correctly. I love live demos. If I do it correctly it should respond back, and it's like, cool, I'm desktop-blah-blah, brandon, blah blah blah. Then I could say, let me pull up my list of commands that we have. I can say "talk every one minute", because you're being really loud,
and they should grab that and then it shouldn't talk to me for another minute the last piece of this is i can keep running commands all day long i can tell it to shut down i could be i can then say hey y'all i want to say we get it like this and then i can say uh i can run that same who am i again and then everybody to respond back

Oh, I love it, the demo fell. Let me kill this payload real quick. We have "gtfo" if it wants to leave, so it's like, hey, I'm out of here. That will be like a little pig and play a banjo; that will be whenever it elevates the system. So we're using the standard library for most of this. We basically tried to statically bake everything into it, and then it just got, I think it was up to like 700-800K, and so we made the design decision to try to use the native Windows system calls in there, and so by doing that we had to import those libraries, but it took us down to about 215K.

So the last piece I want to show is, right, it's really hard to signature this, because right now we're doing nothing outside of what most systems do, or most applications do. They'll do a directory listing, sure, not a problem. They'll do an ipconfig. They'll talk to their server; in this case we're talking to Slack. Yes, one of the arguments here is, well, I can just implement a whitelisting thing that says only this application can talk to Slack. If you ever try to implement whitelisting or blacklisting from a network perspective, or even from an application perspective, in an enterprise environment, it doesn't work out too well. It tends to be somebody's sole job,

and then next thing you know, two years later you have like 80,000 blocks that you just don't even recognize. So the last piece I'm going to do on here is show you that we can now load other stuff in here. So let me kill this one; we're going to start from scratch. Cool, we're going to launch it again. This time I use the SilentBreak sRDI implementation on their GitHub. Once again I'll share the link to our GitHub, but also, if you read the README you'll see all this. But what we're going to do essentially is we're going to say, hey, let's load this, let's then take another DLL, which is going to just be the same

library, and then load it inside of ourselves without touching disk, in our current process space. So it's running right now. Before this I was able to upload a file; let me scroll up. Oh, here it is, you can see I have a file here called cpp.bmp. So Daniel said, hey, let's make sure that when we upload it into our process space that it looks like something, and let's make it look like a bitmap image. And the best part about this is, if you look at the struct for a bitmap, it basically has like these five characters and then everything else is dynamic, because it's changed over time.

Nice. But that being said, so what we do is we take any payload, we upload it to Slack, so here you see cpp.bmp, and then we just say, hey, run this, with the ID, and then the next time it calls back it will grab that file, it will upload it to its current process space and then execute. And then from a memory forensics standpoint, if they try to scrape that area, then hopefully they see that the magic header comes back as a BMP and then they just brush us aside. So let's try this right now. So if I get this right, grab and execute, I should be able to say...

And live demos are going to be glorious, because now I get to figure out if we have any bugs in this right now. Oh well, I love this. I didn't have the right permissions set up. So this is telling me I have a missing scope, which is I need files:read. So, do I have time? Yep, I still have 24 minutes, so let me show you how easy it is to fix your application. Love live demos.

Oh, and I love felt sights.

Okay, so we can go in here. We were nice enough to add debug stuff in here, so you can just go in here and see what we're missing. So we can go into... where is it...

Add... oh, there we go.

We can now go into our permissions here. So we can say... I believe it's this one.

Nope. Permissions, there it is. You go into Permissions; it said I need a files:read, so I can just go down here and say add OAuth files:read. If everything works, then reinstall app. We're going to go in here, C2 testing, everything's working, so I should be able to run that same exact command again. And that's also another good feature here: you can just say, hey everybody, just do this over and over. Awesome, it was nice enough to be like, yeah, I can do that, and as you can see we now have a new ID here showing that it loaded itself into its current process space. Cool. I ran through that really fast; let me kick it to questions for anybody.
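The cpp.bmp trick in the demo counts on a scanner stopping at the magic bytes. What follows is an added example, not code from the talk or the speakers' repository: a triage check that asks whether the rest of a "BM"-tagged blob agrees with its own header, then measures the entropy of the region the header calls pixel data. All sample blobs are constructed here.

```python
import math
import struct
from typing import List

FILE_HDR = "<2sIHHI"        # BITMAPFILEHEADER: magic, bfSize, reserved, reserved, bfOffBits
INFO_HDR = "<IiiHHIIiiII"   # BITMAPINFOHEADER (40 bytes)
HEADER_LEN = 14 + 40

def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def inspect_bmp(data: bytes) -> List[str]:
    """Return findings where the blob contradicts its own BMP header; [] if it is plausible."""
    if len(data) < HEADER_LEN or data[:2] != b"BM":
        return ["not a BMP: missing magic or truncated header"]
    _magic, bf_size, _r1, _r2, off_bits = struct.unpack_from(FILE_HDR, data, 0)
    bi_size, width, height, _planes, bpp, compression = struct.unpack_from(INFO_HDR, data, 14)[:6]
    findings = []
    body_ok = HEADER_LEN <= off_bits < len(data)
    if bf_size != len(data):
        findings.append(f"bfSize {bf_size} != actual length {len(data)}")
    if not body_ok:
        findings.append(f"bfOffBits {off_bits} does not point inside the file")
    if bi_size not in (40, 108, 124):
        findings.append(f"biSize {bi_size} is not a known DIB header size")
    if bpp not in (1, 4, 8, 16, 24, 32):
        findings.append(f"biBitCount {bpp} is not a valid depth")
    elif compression == 0 and width > 0 and height != 0:
        stride = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
        expected = stride * abs(height)
        body = len(data) - off_bits if body_ok else 0
        if body != expected:
            findings.append(f"pixel area is {body} bytes, header implies {expected}")
    ent = shannon_entropy(data[off_bits:] if body_ok else data[HEADER_LEN:])
    if ent > 7.9:   # heuristic: uncompressed pixel data rarely looks this random
        findings.append(f"pixel area entropy {ent:.2f} bits/byte, looks packed or encrypted")
    return findings

def make_bmp(width: int, height: int, pixels: bytes) -> bytes:
    # Wrap already row-padded 24-bpp pixel rows in a self-consistent BMP header
    info = struct.pack(INFO_HDR, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return struct.pack(FILE_HDR, b"BM", HEADER_LEN + len(pixels), 0, 0, HEADER_LEN) + info + pixels

# Constructed samples: a real 2x2 image, a blob with only the magic prepended, and a blob
# whose header was sized to fit the payload (21 px * 3 B padded to 64 B per row, 32 rows).
GENUINE = make_bmp(2, 2, bytes([255, 0, 0, 0, 255, 0, 0, 0]) * 2)
PAYLOAD = bytes(range(256)) * 8                     # stands in for an opaque 2048-byte blob
NAIVE_DISGUISE = b"BM" + b"\x00" * 12 + PAYLOAD
CAREFUL_DISGUISE = make_bmp(21, 32, PAYLOAD)
```

The second disguise passes every structural check, which is why a memory triage should weigh the entropy of the region and which process wrote it, not the magic bytes alone.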

Hey Brandon, there's a couple questions for you in the question windows, and if you can see those I can read them out to you if you like. Yeah, can you please read them out? I'm running into screen real estate issues. Definitely. So the first one for you is: so everything you've done so far, can it apply to on-prem and cloud solutions as well? Yes, so we wrote it for cloud solutions. I was trying to find a place that had Slack Enterprise; turns out it costs a lot of money just to validate it, but based off the API it sounds like it would work. My one hesitation here is if you decide

to go after an enterprise-based solution, with Slack in particular, would be that you might want to already be internally inside their network already. One of the big caveats here was the fact that you already knew that the traffic could get out. Also, I've got a couple more here for you. This one's about the upgrading from stage zero to stage one and if you actually get the SaaS app to leverage it, so would you simply just steal credentials for the SaaS? Would I steal? No, so no. So what we did with all our SaaS stuff, right, is if I go to Slack and I stand up my own Slack workspace,

it's still going to use api.slack.com to do all the communications, and so the legitimate company's workspace is also going to go through slack.com. So from that standpoint I don't have to use their workspace; I can stand up my own, and from a network side of the house it's all going through the same endpoints. It's the actual data inside the packet that has to be validated to see which way to route it. Does that help?

I'll wait for Grayson to reply with that. He actually had another question as well: how do you get them to run this bot from the start, would you use a phish? So yeah, this goes back to our stage zero side of the house, which is absolutely. We built this because, first off, if you signature this, at least from our initial assessment you're going to be blocking a lot of legitimate apps, especially if you have a lot of developers in your environment that interact with Slack. So yes, my initial thing would be I would shoot it through a phish of some sort, but at the end of the day, when we started talking about

attacking a computer from a remote connection, like, you have two pieces: you have the actual exploit and then the payload. So the exploit is going to be whatever it takes to get you on the box; this would just be the payload piece, which executes once you get on that box. And for this one I do believe we have it where it requires export one. I think if you load it outside of a rundll you can call DllMain, or it can just run through DllMain. All right, we got a couple for you in the Discord as well. What I got here for you is: how difficult would this be to

implement on Teams, or for Teams? Yeah, so we have one going right now, and I don't want to share right now, but it will be probably in the next month and a half, because Microsoft was nice enough to release their beta API for it, and so we're working through that right now. Awesome. Yeah, for you Fred, like, please, I'll share the GitHub link in here, and then I think we cut a release which has one that works, to this channel, but if not we'll put a release up there just for people that don't feel like compiling. Awesome, I thought your smile there when you started answering that question... so, good stuff.

You're sneaky. Grayson came back with another one: with everything that's going on with COVID and working from home, have you submitted this to the C2 Matrix, or how are you going to proceed with this setup you got going on? So once again, this was just a prototype. We've written a few other prototypes, but none of them with documentation. I'm a really bad developer when it comes to documenting, and so is my partner Daniel. So the only reason we released this is to help get the creative wheels rolling for people, because I want them to understand you don't have to use Slack, right? There's so many SaaS products out

there. It's all about that creative thinking of how can you get past that environment. But that being said, we have taken this and given it to the Slack engineers, or at least one of my friends who was a Slack engineer, and so they have a sample of this and they said that they're working on mitigations for it as well.

Sweet, thank you. I don't see any other questions coming through on Discord or anything here. Just anybody else, if you have any questions, I'll give you a couple minutes to type them in. If you have any closing remarks or anything, Brandon, go ahead while I wait for one. Yeah, absolutely. So this talk was supposed to be a little bit different, to the point that we were able to go a little bit more technical, and especially with the Microsoft Teams, because I'm a big fan of going after Teams. But what we ended up doing here was keeping it high level, and I really just wanted people to get the critical thinking piece out of it, because I don't

want to see another Slack C2. I want to see the next SaaS C2 that nobody's thinking about. Now, how can I get out through Salesforce, right? Because every company seems to have Salesforce, or every company seems to have developers that contribute to GitHub, and so those are what interests me more, and I think it's going to be even harder to stop those. Let's see. "Are the devs coming for..." So I don't want to speak for Daniel, because I don't want to put... actually, I want to put a lot of work on his plate. So what I will tell you is we have a private branch that has

a higher version than what we released today. What happened was we're breaking out a module, so when you write this you'll be able to supplement your comms, so you'll be able to say, hey whatever, switch to Jira, or hey whatever, switch to LinkedIn, or hey whatever, switch to GitHub. Right now it's in rough beta, and right now we're just trying to get a bounce between Teams and Slack, and the reason we did that was you don't necessarily know when you're shooting a stage zero what they have on their environment, but it would be great if you shot Slack and then you realize they're using Teams and you just be like,

hey, use Teams, and it pulls the Teams configuration for your server and then it migrates. At the same time, from a counter-detection perspective, it would be great that if the network couldn't reach out to your Slack thing then it automatically tried the second or third one. So yeah, I will say that Daniel has that on his to-do plate and has been beating his head against the wall, but we are making slow progress. C2 via Gmail, Twitter? Yeah, so I stay away from the social medias, primarily because most companies... I think we're getting closer to them just being like, cool, you can do social media, but a lot of companies, especially DoD, they block a

lot of these sites that are social media related, but the one thing they can't block is what their business is using to get their business functions accomplished. Yes, absolutely, there have been a lot of challenges through the Teams and O365 API just in general, so we're making slower than average progress, but we are making progress; we just need to get it stable, more reliable. But so the benefit here, I would like to go... I see the O365 logs. So the way we have it is you would stand up your own O365 instance, not somebody else's, so their logs wouldn't show any of your traffic, but you would still be hitting that Microsoft endpoint.

Docker Hub? I haven't thought about Docker Hub. Oh, that would be sick. Yeah, Fred, no, that would be awesome, please. We have it open, and once we get that next module in we're trying to make it YAML-configurable; it'd be great to see some PRs for that.

And if those are following, there's people typing in the Discord chat, so we're just letting them type questions. Yeah, so Susanna just said, like, so using your own instance as an invisible go-to for an endpoint for O365, that's the angle? Yes, and you can get trials, you can get quick stand-ups, so it's extremely low cost, and then they handle everything from the availability to the server piece of it as well, and then once again that security engineer can't really view those logs because it's not theirs. See, Cactus is typing.

Cactus said the on-box user that you are hit will have already signed on to Teams. Yeah, but it kind of goes back, Cactus, to the fact that we don't want to use their Teams instance or their GitHub instance, because their security team can use it or can put monitoring around it. We want to use our own instance, but what benefits us is, because of how the APIs work with Microsoft and Slack, primarily Slack, and GitHub, is they go to api.slack.com and then the actual routing of the information is all handled in the actual packet, in the data section of the POST. So therefore I can route it to yours, I

can route it to mine, but if I route it to mine I control everything. If I route it to yours, now I'm going to be at the whim of, first off, I have to have access to your instance; secondly, you can now have an audit trail. Does that clarify?

You have another question in the questions for the regular chat, and that one's about, again, getting the first foothold into the SaaS product and how you obtain that first foothold. Yeah, so what I would do is, the SaaS product in general would be more, once I got on the box, surveying what SaaS products the company's already talking to. So I don't need their SaaS product; I just need to know what SaaS product they're talking to, and then I stand up my own instance of that SaaS product. Such as, if you go to Atlassian you can stand up an instance pretty cheap; I think it's free now for like up to 10 users. If you go to

GitHub, you can stand up your own GitHub for free, and if you know that that company's talking to their GitHub, then you can talk to your GitHub in your own instance, and so they've already probably whitelisted GitHub, so you just route your traffic through GitHub. You would have your client interact with GitHub's API, and then you would just log in to wherever it's at and start tasking commands to it, which would typically, if I was going to build a GitHub one, which we are, it's going to be through issues and comments on the issues. Well, Cactus, you can always hit me on my Twitter; I will also get Daniel's Twitter out

here as well. And then anybody who wants to have follow-on conversations on this, I will hit the... I don't know how much time we have left for the conference in general, but I'll hit the breakout room for a little bit. And then at the same time, if you have any questions, comments, if you want to dig through our code and ask us why we chose to do what we did, we'll explain. You'll see that some of the stuff we wrote ourselves and some of it we referenced the calls, and it was all based off size trade-offs.
