SlideShare a Scribd company logo

Malware for Red Team

Download as PPTX, PDF
Satria Ady Pradana, profile picture
Satria Ady Pradana

The document discusses methodologies for designing malware focused on red-teaming practices, emphasizing the need for deep system knowledge and penetration skills. It outlines the importance of command and control infrastructure, modular design, and various communication methods for maintaining presence and executing commands within target networks. Various commands and dynamic configurations to enhance malware functionality and operational security standards are also detailed.

Technology
Related topics:
Cyber-Security Red Team
1 of 35
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
DESIGNING MALWARE FOR MODERN RED-TEAMING & TRADECRAFT ADVERSARY Satria Ady Pradana
WHO? Satria Ady Pradana • Cyber Security Consultant at Mitra Integrasi Informatika • Director of Curriculum at Archonlabs SSD • Penetration Tester, Red Team • Community Leader of Reversing.ID 20XX Pitch Deck 2 @xathrya xathrya xathrya_
BACKGROUND STORY
RED TEAMING • Originate from military practices. • Evaluate security posture by playing as aggressor. • Full-scope, multi-layered attack simulation designed to measure how well organization’s security controls can withstand attack from real-life adversaries.
REQUIREMENT 2021 PyCon ID (Security) 5 • Deep knowledge of systems (computer system, protocols, libraries, etc). • Ability to think outside the box. • Software development skills. • Penetration testing skills • Social engineering.
WHEN DOING RED TEAMING 2021 PyCon ID (Security) 6 • Long time engagement (1 – 3 months at minimum). • Penetrate as deep as possible, maintain persistence, pivoting, exfiltrate critical information. • It means you need a way to keep your presence in the network!
THE CYBER KILL CHAIN 2021 PyCon ID (Security) 7
WHY PYTHON? 2021 PyCon ID (Security) 8 • Simple and clean structure • Designed for rapid prototyping • Extensive library
WHERE TO START?
DESIGNING IMPLANT 2021 PyCon ID (Security) 10 • What is the purpose of the implant? • What success look like? • Which feature or capabilities we need?
DESIGNING IMPLANT 2021 PyCon ID (Security) 11 • Lightweight: can be dropped through macro-enabled office document. • Evasive: evade most common products without much adaptation • Functional: collect information about target environment to aid in further operations.
TERMS 20XX Pitch Deck 12 • Command and Control attacker-controlled infrastructure which maintain control over all agents or implants by send command and retrieve the result. Alternative name: C&C, C2 server • Implant agent, small program which executed on target. Alternative name: RAT, backdoor, beacon. • Loader specific code or executable which purpose is to load the payload (implant) or other loader.
TERMS 20XX Pitch Deck 13 • Redirectors Node or system which proxies all traffic from target network (implant) to C2 server, hiding the true location of the C2 server.
ROBUST INFRASTRUCTURE 2021 PyCon ID (Security) 14 Interactive (Tier 3) • General command, enumeration, scanning, data exfiltration, etc. • Has most interaction and at greatest risk of exposure. • Ready to abandon at any time. Multiple tiers
ROBUST INFRASTRUCTURE 2021 PyCon ID (Security) 15 Short Haul (Tier 2) • As a backup to reestablish interactive session. • Use covert communications that blend with target. • Slow callback times, i.e. 1 – 24 hours. Multiple tiers
ROBUST INFRASTRUCTURE 2021 PyCon ID (Security) 16 Long Haul (Tier 1) • Maintain long-term access into target’s network. • Same as short haul, but slower. Multiple tiers
2021 PyCon ID (Security) 17
MINIMUM REQUIREMENT 2021 PyCon ID (Security) 18 • Communication Channel • Modular Design • Dynamic Reconfigurable
PLANNING FOR OPERATION
MITRE ATT&CK 2021 PyCon ID (Security) 20 https://attack.mitre.org/
2021 PyCon ID (Security) 21 https://attack.mitre.org/groups/G0016/
2021 PyCon ID (Security) 22
DESIGN & IMPLEMENTATIO N
COMMUNICATION CHANNEL 2021 PyCon ID (Security) 24 • HTTP/HTTPS: masquerade as legitimate HTTP connections • DNS: • Hybrid: DNS for telemetry or callback, HTTP for data channel. • Pure DNS • SMB: chaining beacons • TCP: with proprietary protocols
CASE: HTTP 2021 PyCon ID (Security) 25 import requests url = GenerateURL() headers = GenerateHeaders() body = GenerateBody() res = requests.post(url, data=body, headers=headers) ProcessResponse(res) Message Type: • Callback • Command • Result • Dynamic URL and endpoint? • Unique ID • Payload, where? • Interval and jitter • Telemetry, health check
MODULAR DESIGN 2021 PyCon ID (Security) 26 • Adding new features/capabilities should not changes the core program. • Framework? • Implement feature as addon or plugins • Use builtin or Windows API? • Stages? Stageless?
CASE: COMMANDS 2021 PyCon ID (Security) 27 • GET • PUT • LIST • EXECUTE • LOAD • Module: credential harvesting, • CONFIGURE: key, channel, IP, port, host, endpoint
CASE: WMI COMMAND 2021 PyCon ID (Security) 28 • Windows Management Interface • Query system state (process, services, installed apps, bios, etc) • WQL (WMI Query Language) • Module: wmi • pip install wmi • Extending implant with WMI command
COMMAND: EXECUTE SHELLCODE 2021 PyCon ID (Security) 29 • Raw shellcode as payload • Why shellcode? • Run as separate thread • Allocate space on host process • Decrypt/decompress/decode shellcode to allocated space • Create new thread and start execution from allocated space • Clean up
COMMAND: DROP & EXECUTE BINARY 2021 PyCon ID (Security) 30 • Fetch executable from C2 server • Mostly tools: Rubeus, mimikatz, message relay • Store the executable temporary • What about DLL?
COMMAND: SHELL COMMAND 2021 PyCon ID (Security) 31 • Execute shell command • Atomic or session? Variations • os.command() • subprocess.run() • subprocess.Popen()
DYNAMIC RECONFIGURABLE 2021 PyCon ID (Security) 32 • Change settings/configurations at runtime. • IP address + endpoint • Message type • Profile • Should match with C2 server
PROTECTION 2021 PyCon ID (Security) 33 • Any tool deployed in target environment needs to adhere to the highest standard of operational security (opsec)
2021 PyCon ID (Security) 34
THANK YOU Satria Ady Pradana satria.pradana [at] mii.co.id @xathrya (telegram) 2021 PyCon ID (Security) 35

More Related Content

PPTX
Bypass Security Checking with Frida
Satria Ady Pradana
 
PDF
Silabus Training Reverse Engineering
Satria Ady Pradana
 
PPTX
Reverse Engineering: Protecting and Breaking the Software (Workshop)
Satria Ady Pradana
 
PPTX
Reverse Engineering: Protecting and Breaking the Software
Satria Ady Pradana
 
PPTX
(Training) Malware - To the Realm of Malicious Code
Satria Ady Pradana
 
PPTX
External to DA, the OS X Way
Stephan Borosh
 
PPTX
Path of Cyber Security
Satria Ady Pradana
 
PDF
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
Bypass Security Checking with Frida
Satria Ady Pradana
 
Silabus Training Reverse Engineering
Satria Ady Pradana
 
Reverse Engineering: Protecting and Breaking the Software (Workshop)
Satria Ady Pradana
 
Reverse Engineering: Protecting and Breaking the Software
Satria Ady Pradana
 
(Training) Malware - To the Realm of Malicious Code
Satria Ady Pradana
 
External to DA, the OS X Way
Stephan Borosh
 
Path of Cyber Security
Satria Ady Pradana
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 

What's hot (19)

PDF
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CanSecWest
 
PPTX
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
grecsl
 
PPTX
Hunting on the Cheap
EndgameInc
 
PDF
The Dark Side of PowerShell by George Dobrea
EC-Council
 
PDF
Pki 201 Key Management
NCC Group
 
PDF
CSW2017 chuanda ding_state of windows application security
CanSecWest
 
PPTX
Sticky Keys to the Kingdom
Dennis Maldonado
 
PDF
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
 
PDF
Common crypto attacks and secure implementations
Trupti Shiralkar, CISSP
 
PDF
Buffer Overflow Attacks
securityxploded
 
PDF
Defcon 22-tim-mcguffin-one-man-shop
Priyanka Aash
 
PPTX
Reversing malware analysis training part10 exploit development basics
Cysinfo Cyber Security Community
 
PPTX
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
FaithWestdorp
 
PDF
2012 S&P Paper Reading Session1
Chong-Kuan Chen
 
PDF
Zerotrusting serverless applications protecting microservices using secure d...
Trupti Shiralkar, CISSP
 
PDF
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
FFRI, Inc.
 
PDF
Malware collection and analysis
Chong-Kuan Chen
 
PDF
Talk28oct14
mjos
 
PDF
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
NCCOMMS
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CanSecWest
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
grecsl
 
Hunting on the Cheap
EndgameInc
 
The Dark Side of PowerShell by George Dobrea
EC-Council
 
Pki 201 Key Management
NCC Group
 
CSW2017 chuanda ding_state of windows application security
CanSecWest
 
Sticky Keys to the Kingdom
Dennis Maldonado
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
 
Common crypto attacks and secure implementations
Trupti Shiralkar, CISSP
 
Buffer Overflow Attacks
securityxploded
 
Defcon 22-tim-mcguffin-one-man-shop
Priyanka Aash
 
Reversing malware analysis training part10 exploit development basics
Cysinfo Cyber Security Community
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
FaithWestdorp
 
2012 S&P Paper Reading Session1
Chong-Kuan Chen
 
Zerotrusting serverless applications protecting microservices using secure d...
Trupti Shiralkar, CISSP
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
FFRI, Inc.
 
Malware collection and analysis
Chong-Kuan Chen
 
Talk28oct14
mjos
 
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
NCCOMMS
 
Ad

Similar to Malware for Red Team (20)

PDF
Pursuing evasive custom command & control - GuideM
Mark Secretario
 
PPTX
Using hypervisor and container technology to increase datacenter security pos...
Tim Mackey
 
PPTX
Using hypervisor and container technology to increase datacenter security pos...
Black Duck by Synopsys
 
DOCX
Ankit Vakil (1)
Ankit Vakil
 
PPTX
Cloud Platform Symantec Meetup Nov 2014
Miguel Zuniga
 
PPTX
Stage 1 Tradecraft
matt806068
 
PPTX
HAVOC-Workshop-Slides.pptx
seed4mexyz
 
PDF
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
DevOps.com
 
PPTX
Fortinet sandboxing
Nick Straughan
 
PDF
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
PDF
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
Hacks in Taiwan (HITCON)
 
PDF
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
lior mazor
 
PPTX
Inria Tech Talk IoT - 28 Mars 2018
FrenchTechCentral
 
PPTX
Interop 2017 - Managing Containers in Production
Brian Gracely
 
PDF
Modern Post-Exploitation Strategies - 44CON 2012
44CON
 
PDF
[ITAS.VN]CxSuite Enterprise Edition
ITAS VIETNAM
 
PDF
Andy Kennedy - Scottish VMUG April 2016
Andy Kennedy
 
PPTX
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
PPTX
SUGCON EU 2023 - Secure Composable SaaS.pptx
Vasiliy Fomichev
 
PDF
GETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOL
Minh237839
 
Pursuing evasive custom command & control - GuideM
Mark Secretario
 
Using hypervisor and container technology to increase datacenter security pos...
Tim Mackey
 
Using hypervisor and container technology to increase datacenter security pos...
Black Duck by Synopsys
 
Ankit Vakil (1)
Ankit Vakil
 
Cloud Platform Symantec Meetup Nov 2014
Miguel Zuniga
 
Stage 1 Tradecraft
matt806068
 
HAVOC-Workshop-Slides.pptx
seed4mexyz
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
DevOps.com
 
Fortinet sandboxing
Nick Straughan
 
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
Hacks in Taiwan (HITCON)
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
lior mazor
 
Inria Tech Talk IoT - 28 Mars 2018
FrenchTechCentral
 
Interop 2017 - Managing Containers in Production
Brian Gracely
 
Modern Post-Exploitation Strategies - 44CON 2012
44CON
 
[ITAS.VN]CxSuite Enterprise Edition
ITAS VIETNAM
 
Andy Kennedy - Scottish VMUG April 2016
Andy Kennedy
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
Vasiliy Fomichev
 
GETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOL
Minh237839
 
Ad

More from Satria Ady Pradana (20)

PPTX
Down The Rabbit Hole, From Networker to Security Professional
Satria Ady Pradana
 
PPTX
MITM: Tales of Trust and Betrayal
Satria Ady Pradana
 
PPTX
Berkarir di Cyber Security
Satria Ady Pradana
 
PPTX
IOT Security FUN-damental
Satria Ady Pradana
 
PPTX
Python-Assisted Red-Teaming Operation
Satria Ady Pradana
 
PPTX
IoT Security - Preparing for the Worst
Satria Ady Pradana
 
PPTX
Practical Security - Modern Day Software
Satria Ady Pradana
 
PPTX
Firmware Reverse Engineering
Satria Ady Pradana
 
PPTX
Reverse Engineering: The Crash Course
Satria Ady Pradana
 
PPTX
The Offensive Python: Practical Python for Penetration Testing
Satria Ady Pradana
 
PPTX
From Reversing to Exploitation: Android Application Security in Essence
Satria Ady Pradana
 
PPTX
Android Security: Art of Exploitation
Satria Ady Pradana
 
PPTX
Malware: To The Realm of Malicious Code (Training)
Satria Ady Pradana
 
PPTX
Memory Forensic: Investigating Memory Artefact (Workshop)
Satria Ady Pradana
 
PPTX
Memory Forensic: Investigating Memory Artefact
Satria Ady Pradana
 
PPTX
Another Side of Hacking
Satria Ady Pradana
 
PPTX
Automatic Malware Analysis & Repository
Satria Ady Pradana
 
PPTX
Web Security Jumpstart
Satria Ady Pradana
 
PPTX
DracOs Forensic Flavor - Workshop
Satria Ady Pradana
 
PPTX
DracOs Forensic Flavor
Satria Ady Pradana
 
Down The Rabbit Hole, From Networker to Security Professional
Satria Ady Pradana
 
MITM: Tales of Trust and Betrayal
Satria Ady Pradana
 
Berkarir di Cyber Security
Satria Ady Pradana
 
IOT Security FUN-damental
Satria Ady Pradana
 
Python-Assisted Red-Teaming Operation
Satria Ady Pradana
 
IoT Security - Preparing for the Worst
Satria Ady Pradana
 
Practical Security - Modern Day Software
Satria Ady Pradana
 
Firmware Reverse Engineering
Satria Ady Pradana
 
Reverse Engineering: The Crash Course
Satria Ady Pradana
 
The Offensive Python: Practical Python for Penetration Testing
Satria Ady Pradana
 
From Reversing to Exploitation: Android Application Security in Essence
Satria Ady Pradana
 
Android Security: Art of Exploitation
Satria Ady Pradana
 
Malware: To The Realm of Malicious Code (Training)
Satria Ady Pradana
 
Memory Forensic: Investigating Memory Artefact (Workshop)
Satria Ady Pradana
 
Memory Forensic: Investigating Memory Artefact
Satria Ady Pradana
 
Another Side of Hacking
Satria Ady Pradana
 
Automatic Malware Analysis & Repository
Satria Ady Pradana
 
Web Security Jumpstart
Satria Ady Pradana
 
DracOs Forensic Flavor - Workshop
Satria Ady Pradana
 
DracOs Forensic Flavor
Satria Ady Pradana
 

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Teaching material agriculture food technology
LiaRayya
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Spectroscopy.pptx food analysis technology
nawahassan45
 

Malware for Red Team

  • 2. WHO? Satria Ady Pradana • Cyber Security Consultant at Mitra Integrasi Informatika • Director of Curriculum at Archonlabs SSD • Penetration Tester, Red Team • Community Leader of Reversing.ID 20XX Pitch Deck 2 @xathrya xathrya xathrya_
  • 4. RED TEAMING • Originate from military practices. • Evaluate security posture by playing as aggressor. • Full-scope, multi-layered attack simulation designed to measure how well organization’s security controls can withstand attack from real-life adversaries.
  • 5. REQUIREMENT 2021 PyCon ID (Security) 5 • Deep knowledge of systems (computer system, protocols, libraries, etc). • Ability to think outside the box. • Software development skills. • Penetration testing skills • Social engineering.
  • 6. WHEN DOING RED TEAMING 2021 PyCon ID (Security) 6 • Long time engagement (1 – 3 months at minimum). • Penetrate as deep as possible, maintain persistence, pivoting, exfiltrate critical information. • It means you need a way to keep your presence in the network!
  • 7. THE CYBER KILL CHAIN 2021 PyCon ID (Security) 7
  • 8. WHY PYTHON? 2021 PyCon ID (Security) 8 • Simple and clean structure • Designed for rapid prototyping • Extensive library
  • 10. DESIGNING IMPLANT 2021 PyCon ID (Security) 10 • What is the purpose of the implant? • What success look like? • Which feature or capabilities we need?
  • 11. DESIGNING IMPLANT 2021 PyCon ID (Security) 11 • Lightweight: can be dropped through macro-enabled office document. • Evasive: evade most common products without much adaptation • Functional: collect information about target environment to aid in further operations.
  • 12. TERMS 20XX Pitch Deck 12 • Command and Control attacker-controlled infrastructure which maintain control over all agents or implants by send command and retrieve the result. Alternative name: C&C, C2 server • Implant agent, small program which executed on target. Alternative name: RAT, backdoor, beacon. • Loader specific code or executable which purpose is to load the payload (implant) or other loader.
  • 13. TERMS 20XX Pitch Deck 13 • Redirectors Node or system which proxies all traffic from target network (implant) to C2 server, hiding the true location of the C2 server.
  • 14. ROBUST INFRASTRUCTURE 2021 PyCon ID (Security) 14 Interactive (Tier 3) • General command, enumeration, scanning, data exfiltration, etc. • Has most interaction and at greatest risk of exposure. • Ready to abandon at any time. Multiple tiers
  • 15. ROBUST INFRASTRUCTURE 2021 PyCon ID (Security) 15 Short Haul (Tier 2) • As a backup to reestablish interactive session. • Use covert communications that blend with target. • Slow callback times, i.e. 1 – 24 hours. Multiple tiers
  • 16. ROBUST INFRASTRUCTURE 2021 PyCon ID (Security) 16 Long Haul (Tier 1) • Maintain long-term access into target’s network. • Same as short haul, but slower. Multiple tiers
  • 17. 2021 PyCon ID (Security) 17
  • 18. MINIMUM REQUIREMENT 2021 PyCon ID (Security) 18 • Communication Channel • Modular Design • Dynamic Reconfigurable
  • 20. MITRE ATT&CK 2021 PyCon ID (Security) 20 https://attack.mitre.org/
  • 21. 2021 PyCon ID (Security) 21 https://attack.mitre.org/groups/G0016/
  • 22. 2021 PyCon ID (Security) 22
  • 24. COMMUNICATION CHANNEL 2021 PyCon ID (Security) 24 • HTTP/HTTPS: masquerade as legitimate HTTP connections • DNS: • Hybrid: DNS for telemetry or callback, HTTP for data channel. • Pure DNS • SMB: chaining beacons • TCP: with proprietary protocols
  • 25. CASE: HTTP 2021 PyCon ID (Security) 25 import requests url = GenerateURL() headers = GenerateHeaders() body = GenerateBody() res = requests.post(url, data=body, headers=headers) ProcessResponse(res) Message Type: • Callback • Command • Result • Dynamic URL and endpoint? • Unique ID • Payload, where? • Interval and jitter • Telemetry, health check
  • 26. MODULAR DESIGN 2021 PyCon ID (Security) 26 • Adding new features/capabilities should not changes the core program. • Framework? • Implement feature as addon or plugins • Use builtin or Windows API? • Stages? Stageless?
  • 27. CASE: COMMANDS 2021 PyCon ID (Security) 27 • GET • PUT • LIST • EXECUTE • LOAD • Module: credential harvesting, • CONFIGURE: key, channel, IP, port, host, endpoint
  • 28. CASE: WMI COMMAND 2021 PyCon ID (Security) 28 • Windows Management Interface • Query system state (process, services, installed apps, bios, etc) • WQL (WMI Query Language) • Module: wmi • pip install wmi • Extending implant with WMI command
  • 29. COMMAND: EXECUTE SHELLCODE 2021 PyCon ID (Security) 29 • Raw shellcode as payload • Why shellcode? • Run as separate thread • Allocate space on host process • Decrypt/decompress/decode shellcode to allocated space • Create new thread and start execution from allocated space • Clean up
  • 30. COMMAND: DROP & EXECUTE BINARY 2021 PyCon ID (Security) 30 • Fetch executable from C2 server • Mostly tools: Rubeus, mimikatz, message relay • Store the executable temporary • What about DLL?
  • 31. COMMAND: SHELL COMMAND 2021 PyCon ID (Security) 31 • Execute shell command • Atomic or session? Variations • os.command() • subprocess.run() • subprocess.Popen()
  • 32. DYNAMIC RECONFIGURABLE 2021 PyCon ID (Security) 32 • Change settings/configurations at runtime. • IP address + endpoint • Message type • Profile • Should match with C2 server
  • 33. PROTECTION 2021 PyCon ID (Security) 33 • Any tool deployed in target environment needs to adhere to the highest standard of operational security (opsec)
  • 34. 2021 PyCon ID (Security) 34
  • 35. THANK YOU Satria Ady Pradana satria.pradana [at] mii.co.id @xathrya (telegram) 2021 PyCon ID (Security) 35