2. $whoami
Justin Warner - @sixdub
■ Computer Science grad from USAF Academy & former USAF Cyber Guy
■ Former: Red Team Lead w/ Adaptive Threat Div
■ Current: Principal Security Engineer at ICEBRG
■ Co-founder of PowerShell Empire and contributor on numerous open-source projects
■ BlackHat USA Instructor in 2015 & 2016
3. $whoami
Jon Perez (JP)
■ Army Veteran and part-time grad student
■ Former: Army Cyber Ops Specialist
■ Current: Security Research Engineer at IronNet Cybersecurity
■ First time conference presenter (be kind)
■ True tinkerer who spends his free time diving head first into malware and malicious network flows
4. Disclaimer
■ We are not data scientists
■ We are not mathematicians
■ We are not all-knowing
■ We are amateurs/n00bs
■ We have not seen your networks
• Although we have seen many like it
■ We are not the first people to research these techniques
7. Methods of Infrastructure
■ Utilize paid services
• Digital Ocean, AWS, Azure, etc
■ Utilize bare metal
• Buy dedicated servers around the world
■ Utilize previously compromised infrastructure
• Hack people to hack other people
■ Utilize 3rd parties
• Utilize techniques to bend traffic in “legitimate” ways
8. Break… It… Down
“Accepted Risk” of allowing various services
■ Organizations are constantly fighting the battle of risk vs reward
• Workplace culture and satisfaction
■ Do the technical controls match policy rules?
■ Some services are considered productive vs traditional social media
Let me illustrate this for you…
9. When Did This Become Okay?
[Figure: CTO / CIO / CISO / Network Security Team]
10. Break… It… Down...
“3rd Party C2”
■ The use of neutral services as a means of C2
• Uses API or programmatic interaction
■ Useful throughout the kill chain
11. Put It Together
“Social media and storage services are a must for my standard users and marketing team”
(Reward > Risk) ∴ Adversaries Abuse Services
13. Case Study #1: APT 29 & Twitter+Github+Stego
[Diagram labels: git.io/vHegd, #viper098, exfil.ps1]
14. Case Study #2: Icoscript Malware & Yahoo Mail
[Diagram: decrypts “script” from .ico file → IE COM object → Yahoo Mail account; checks inbox for commands; sends email w/ exfil; uses script to command fake user interaction. Encoded strings shown in the figure: djiwdE@FHU, #DJwd3i2jdi3, 2dm23idm3i2]
15. Case Study #3: CloudAtlas & CloudMe
[Diagram: WebDAV connection to webdav.cloudme.com/<Username>/CloudDrive; implant activities; encrypted C2 & exfil; victim folders]
16. Case Study #4: Random Phish & Google Forms
[Diagram, steps 1-3: system survey w/ WMI (Win32_Processor, Win32_OperatingSystem) and environment variables USERNAME, COMPUTERNAME, USERDOMAIN]
18. What is Adversary Emulation?
■ A type of red teaming that focuses on emulating a specific adversary
• Utilize intel to model the adversary
• Highly realistic tools
• Attempt to behave as they have before
• Works against networks and products
■ Some weaknesses to this approach
• Risk of handcuffing the red team
• Easy to study tools, hard to emulate tactics/techniques (lack of real intel)
19. Existing Tools
■ Surprise… we are not the only ones doing this:
• GCat - Shell over Gmail
• Empire 2.0 - Able to do custom C2 modules including 3rd party apps
• DropSmack - C2 over Dropbox sync folder
• Instegogram - C2 over Instagram with stego
■ We are using our POCs to prove a point
• Not weaponized
• More time should be spent with realistic IOAs (known unknowns) rather than threat data feeds
20. “You: Justin/Jon… I can stop your POCs… I block PowerShell!
Me: Can you block all C exes? How about legit signed C++ exes? How about .dll files? How about py2exe? Can you do so without impacting business? If so, we should talk.
I know you can defeat my POCs.”
28. “I can’t possibly capture that amount of data…”
“How will we be able to parse and process the data quick enough?”
“I don’t even know where all of my endpoints are, let alone am I able to collect from them”
“All I end up with is a giant collection of telemetry, what is that useful for… what do we go look for?”
“99/100 times, I spend hours looking at false positives”
I didn’t say this was easy…
29. If User Can Do It, So Can APT
I didn’t say this was easy…
31. What You Need To Find Evil
■ Wide swath of data with a statistically significant sample size
• Ongoing collection is helpful
■ Collaborative data is helpful (host/net)
• Hunting is easier with a full picture
• SSL termination might give more info but… privacy
■ Ability to rapidly ingest, parse, and analyze data to present relevant information
33. Examples of Data Sources (Not All Inclusive)
■ Network
• PCAP / SPAN off of core switch and egress
• DNS logs or passive DNS
• NetFlow
• Proxy logs
• Internal Threat Intel (Sandbox Detonation)
■ Endpoint (eventing is best)
• Process listing events
• Network connection events
• DNS lookup events
• Service add/removal events
• Program install / uninstall events
34. Data Enrichment Sources
■ Data helps you draw a picture but does not turn it into a movie
• Enriching the data makes it significantly more useful
■ Any question you would normally ask about an indicator… someone else has probably thought of it! (Enrich)
• REST APIs
• Free sources of info
• Internal info
■ If not, try to calculate or look up the information yourself (correlate / contextualize)
35. Indicator of Compromise (IOC) vs Attack (IOA)
■ IOC - Evidence or artifact on a computer that indicates that the system/network has been compromised [breached]
• Has been focused on data, aka IP address, hash, C2 domain, etc
■ IOA - Series of actions or events that indicates malicious action is ongoing
• Usually chains together data points into an analytic that indicates progression in the kill chain
36. Endpoint Based: Binary Signature Heuristics w/DNS
■ Signature hygiene has significantly increased through the years
■ Should unsigned code be reaching out to the internet? Can we detect on it?
37. Network Based: Timestamp Analysis & Beaconing
■ Assuming you have an analytic to determine periodicity
■ Establish a baseline for nodes in the environment
38. Network Based: API Token & Host Pairing
■ SSL termination is a risk/reward tradeoff
• Let's just assume you do SSL termination and collect metadata or PCAP
39. Endpoint Based: Network & Process Correlation
■ Next-Gen EDR “X” usually has eventing capability (or you can use event logs)
• ETW is a great built-in capability for defensive teams to collect eventing data from the environment!
Should powershell.exe be reaching out to the Dropbox API?
42. Wrapping Up
■ Threat actors are creative and will find ways to use your weaknesses
■ 3rd party services make for quick and easy C2 or exfiltration vectors
■ Detecting the use of 3rd party services for C2 is difficult
• Requires foundational network collection
• Attacker activity will often come in a series of behaviors to create a pattern
• Need to look for anomalous activity
43. THANKS!
Feel free to reach out with questions
or share ideas…
justin@sixdub.net
johnny.nohandle@gmail.com
Off to the beach…
44. CREDITS
Case Study 1: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
Case Study 2: https://www.virusbulletin.com/virusbulletin/2014/08/icoscript-using-webmail-control-malware
Case Study 3: https://threatpost.com/red-october-attackers-return-with-cloudatlas-apt-campaign/109806/
Case Study 4: @JohnLaTwC (and the real authors)
Slide Template: slidecarnival.com