2019-010-Zach_Ruble-building_a_better_cheaper_C2_infra

Shout-out to Thomas…

Tried to meetup while at SEA comic-con

Patreon

Log-MD

Hacker's Health - Ms. Roddie is at TROOPERS (Ms. Berlin?)

4 podcasts?

SpecterOps Training / workshopCon - https://www.workshopcon.com/events

Zach Ruble- @sendrublez

C2 infra using Public WebApps

TARCE - Teaching Assistant RCE(?) - they run your code every week, don't check for backdoors before running it...

C2 Basics

Local HTTPd server (bashfile)

Python scrapes web server

3 components

-Servers

-Communication channels

-Malware and client

-

3 Requirements of a C2

-victim receives commands

-Vic executes

-Send results back

Web server serving a static file

Malware on machine scraping site with python requests and executing it as commands.

Crontab @reboot

State change = change the text field

https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears-instagram-posts-to-control-malware/

https://uwbacm.com/

Long haul/short haul server

Long haul - regain persistence

Short haul - sends commands to victims

Slack as C2 - Blends in to the Env

Send and receive messages

Using Real Time Messaging API

https://3xpl01tc0d3r.blogspot.com/2018/06/how-to-use-slack-as-c2-sever.html

https://link.springer.com/chapter/10.1007/978-3-319-27137-8_24

https://glitch.com/

Https://github.com/bkup/SlackShell

Reddit as a C2

"Reddit Rising"

Glitch.com

Serverless platform

Using Google search results as

Would Google Algos see odd behavior of hundreds of hosts searching for the same thing?

Log file analysis?

How can we protect against this?

C2 News (If we go short) :

https://www.zdnet.com/article/outlaws-shellbot-infects-servers-for-monero-mining

Automating OSINT

https://twitter.com/jms_dot_py

http://www.automatingosint.com/blog/

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: [email protected]

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec