
Attacking Microsoft Exchange: Fusing LightNeuron with Cobalt Strike - Leon Jacobs | BSides Cape Town

BSides Cape Town · 42:06 · 335 views · Published 2023-12
About this talk
Known for hacking many industries as well as developing their own custom tooling, the Russian-based threat actor known as Turla uses a stealthy Microsoft Exchange backdoor called LightNeuron. Using standard mail protocols, steganography and an unconventional mail rule engine (to name a few), in this talk I'll demonstrate a re-imagination of this complex backdoor while extending it to be used with Cobalt Strike. All this while asking: what does this mean for detection engineering?

Filmed at BSides Cape Town 2023. AV sponsored by BITM Cyber Security.
Transcript [en]

okay good afternoon I hope your lunch was great this is the last little stretch before you're going to fall asleep so hopefully this doesn't aggravate that um yeah thank you welcome to besides welcome to my talk I'm grateful you decided to listen to me go on about stuff I like uh hopefully I can show you how much I like this stuff uh so let's dive into it title my talk going to be attacking Microsoft Exchange uh fusing light neon with clobal strike all three of those things sound unfamiliar to you hopefully at the end of this talk you'll know what all three of them are in in painful detail um so I'll start off with a

little bit of detail uh a little bit about me going to say the word detail a lot my name is Leon Jacobs currently uh CTO for the sense post team at Orange cyber defense and I like hacking things and tools and security research and a whole bunch of stuff like that so I'm generally interested the moment things are breaking some of the talks I saw this morning already has me a little giddy uh that's that's the space I'm curious about so today uh I'm going to cover sort of three three main things but I'm going to do a lot of detailed in that there's the word detailed again uh I want to give some context first what

what is this all about why why are you here why am I telling you this then we're going to dive into a little bit of malware uh in a Thing Called light neuron don't worry if you don't know what that is yet I'm going to tell you uh and then thirdly a little bit of extra work that I did to extend that to include Cobalt strike in into light neuron and the way I'm going to do that primarily is with a diagram in fact there there going to be a lot of diagrams and I'm going to repeat itself a little bit cuz there's quite a few moving parts to this thing uh so if you

haven't seen a diagram yet don't worry there'll be there'll be many so we'll start off a little bit with uh with sort of this idea of of miter something you may have heard of before purple teams and finally the concept of a thread actor called turler now miter I guess in this community probably most known for the attack framework something you probably have heard of or continuously hear about uh you know your vendor or a tester or a blue team or attack attack everything but I don't know how many of you know it's actually a 9,000 person cor organization and they do a lot of things like a surprising amount of stuff in many different industries that that

we might not be familiar with but one of the things M does is this this thing that they do yearly called an attack evaluation uh and simply put they sort of go hey vendors we want to play play be a bad guy uh do you want to come and install your tooling on our playpl environments uh and see how well can detect these bad guys um they are known bad guys we we know how they work because we ask the threat intelligence Community before we do this hey what can you tell us about these bad guys right uh so the this call for threat intelligence initially is sort of a way to set them up to go let's do an attack

evaluation round and what you might see coming out of this are a bunch of tweets that vendors put out saying they've got 100% coverage and it becomes this measuring contest but in reality it's not that it's actually a little bit of a buyers guide if you're in the market for a security product a security tool you can go onto the attack evaluations results website and go and look at literally the dashboard what did the thing look like that they used to detect some sort of technique or something like that it's actually pretty cool once you don't look at Twitter anymore and dig into the detail this year they decided to go with a third actor called turla Russian based

you know I'm going to use all of these words but uh you know put all the buzzword in there they they fit the profile pretty well uh and and one part of tur what they did was they used a piece of Mal called light neuron and that's what we're going to focus on a little bit today so to summarize all of that this work comes from mit's Attack evaluations they did turer this year um and and part of the work that we do you know we like to do purple teaming so for us to emulate this red actor the the stuff that they've done we would engage with a with a client or a vendor in this case and we

would perform similar sort of attacks with uh with that client now the really important part is specific to turla like the light neuron malware there's no get clone light neuron and you now have access to the malware some of those thread actor uh some of the pieces of code that they use is like not not public knowledge you know you don't you don't download it from the internet so sometimes we have to innovate to try and emulate what some of those tdps would be this is going to be some of that work emulating that exchange specific back door which we're going to talk about now now one really important thing in knowing how these things work is we rely

on really smart people that we do research on those things they find this malware out in the wild they reverse engineer it they disassemble it sort of gives a really good idea on how these things function end to end sometimes uh for this talk this work for the AET security uh research team is genuinely amazing uh it tells you a ton of stuff around how turla operated and puts that into context with light neuron the thing that I'm going to tell you about today some of the things now I don't think you should spend 20 minutes reading the report I'm going to tell you some of the cool stuff uh a little bit about Tura

you know there after defense organizations government organizations defense contractors I highlighted 2014 there with ruag a Swiss defense company Aerospace defense company specifically uh but those are the sort of people that they were after in fact TLA in general is interested after secret information or sort of doing Espionage kind of kind of stuff uh which which is really interesting you know in terms of these people it's high-profile attacks it's not you know things that we can trug off it's actually quite quite impactful continue reading this report if my clicker works there we go um you also start learning a little bit that you know while they're they're sort of still around they've actually been around for a really long time there's

theories that sort of a Proto tur has existed only as the '90s some compromises that happened US US Agencies the second part that's really interesting is the use of light neuron which is is back door we're going to talk about today there's some evidence that suggests it exists from 2014 now think about it it's almost 10 10 years ago now it doesn't feel like 10 years ago but when you think about it next year that's been a while uh now today I'm going to do a lot of Microsoft Exchange specific things uh I'm not talking about the Unix version of this uh there's no proof that it exists however those that have reverse engineered the malware I found plenty of

references to other mtas that exist in uni systems going to show you Microsoft related one today but just keep it in the back of your head that this is not isolated to just Microsoft Exchange it's been targeting other potentially targeting other other male transports as well okay so that's a whole bunch of things about to and that's probably going to be the end of it the part we want to talk about is light neuron so what is light neuron is a little bit of a 101 it's a back door uh in this case something that's implemented via a Microsoft Exchange transport agent I'll show you what a transport agent is shortly but that's sort of the guts of

this thing uh its abilities again you know considering what TOA is after they can spy on male they can modify male influence male flow uh and and like really do some crafty things with uh with that and the second part that it sort of can do is to execute commands sounds rudimentary uh but it's really interesting to think you've got a command execution via an email coming in we'll unpack that a little bit one last important thing to keep in mind this is a back door so if you're thinking about a much larger attack chain this is not the beginning of it it's sort of towards the end of this actions on objective phase like by now a ton of things have

gone wrong I'm sorry to say but they've managed to infect exchange and install this door like that's that's a bad time but from a defense perspective you need to keep in mind there's probably a ton of things that have and could have gone off by this time by the time we get here so what you need to keep in mind is at this point someone's got significant access into a network they've managed to infect an exchange server and at this point they're now using the stealthy back door which which I'll show you now if you wanted to read a little bit more there two references from from M's website but okay to understand how this

back door works you won't be surprised when you to start with a user uh that user of course is how any security Story Goes will send an email uh and that email depending on where it goes it maybe goes to a large corporate will end up flowing through an exchange server and at its most basic function that email will get delivered to a mailbox right little bit of an email 101 now if it's my boss mailing me I probably never get a reply but sometimes people reply and the email will go the other way going back if you're in a bad uh if you're having a bad time there's light near on as part of the

conversation some bad people may have come along and actually infected your exchange server with the malware that we're going to talk about today and that changes the picture just slightly now like a user an attacker of course uh we'll also send an email but this time around instead of the mail potentially going directly to the mailbox it now goes to this transport agent which will unpack a little bit and now sort of two one of two choices can happen either the mail will get delivered directly into the mailbox or there's some other post processing that would occur there might be some instruction that needs to be executed because of this special email that the attacker sent at that point

optionally an email can go back to the attacker with some information console output from a command a file they may have downloaded or whatever the story might be and the bit you should start seeing Happening Here is all of this is just email up and down antp conversation happening to trans get these things going around so like I've said before we're going to focus specifically on this light neurons uh component I don't know a lot about exchange you might not think that but I really don't know uh but I've played around with transport agents a little bit and that's what I want to show you okay so what's a transport agent we're going to do a

little bit of a oneone on how transport agents fit into into the exchange world and its most simplistic way I can describe it it's sort of like a pluggable mechanism for you to extend Microsoft Exchange Believe It or Not security products could use transport agents if you have an anti- spam product that you install if you had on Prem exchange they could install a transport agent which now becomes part of the mail flow to prevent that email from entering a mailbox because it's spamming it applies for anti- maware those very annoying subjects that say external email don't click these links or physically modifying the body to say warning you know someone's probably trying to get your credit card info if

you reply to this thing if you were to install an exchange server and not do a lot of configuration and you ran the Powershell command L get transport agent it would return a list that would look something like this these would an example of default transport agents that exist by Design in Microsoft Exchange you'll see DLP related things anti- malware you know whatever the story might be so the key thing is like transport agents are a core and necessary feature of Microsoft exchange this it's not an optional thing that you that you that you can Implement it's a key design choice that Microsoft uses themselves all right so how does a transport agent work as far as mail flow

goes while we remember the user they'll send an incoming message when message comes in at some point with in Microsoft Exchange transport agents get invoked and there are three types of transport agents that can be invoked we get SMTP agents rooting agents and delivery agents the SMTP related agent as you potentially could imagine is at SMTP time a TCP connection occurs a male body needs to be downloaded from the mail server uh and at that point the sntp transport agent has done its job it then moves over to rooting agents where do I root Within exchange organization this message and finally that email needs to be delivered into a mailbox so it's not as simple as the mail insance exchange

and it just delivers there's a ton of processing that needs to happen in the middle that's not the end of it though uh we're going to focus as an SMTP receive agent specifically but with these agents there are events that you can listen on and this is almost the end of the hard part the events in sntp um agents the sntp receive agents uh are the ones that are really interesting if you wanted to implement your own own agent you with code can listen on some events and decide to make some choices on something based on these events there are many we're not going to go through the list of them but the one we're

really interested in over here is the on end of data event quite literally it means the SMTP conversation is now done the entire message has now been received by Microsoft Exchange I've got the headers I've got the body the attachment the entire thing the event fires on the end of all of that data so you have 100% guarantee that at this point within the Microsoft Exchange stack I've got a full message that I can work with Okay that's all you need to know about a transport agents believe it or not I was at this point myself where I realized cool I'm ready for this thing what's the best thing I can do next is Google some

documentation and I was hoping I'm going to find the three easy steps to build a transport agent the Microsoft documentation isn't great if you didn't catch the humor over there uh in fact uh I'll show you exactly what they show you they show you a little bit of context on what I just described little bit more verbose and probably technically more correct uh but the point is the same the part I want to know was the code I want to implement this transport agent so helpfully the documentation starts with import some libraries okay that's very simple there's a 20 minute story on how it's not the second step is cool just implement this thing called an SMTP

receive agent Factory uh and you need to resolve for create agent all right not sure what all these things are yet but we'll do that the third step which is in their words the easiest part is to now just implement it you know you have this on end of data event pass along some form of Handler and and we're done here uh and I must admit I was not happy at this point like this is not how did light neuron work if this is where they started uh and my attempt at asking chat GPT to draw an ow it sort of gave me a a double step one version of the how to draw an Al meme uh we're saying cool

here's the start here's the circle it's a little bit of code that you need to know and the rest of the I'll just just just draw it and the Microsoft documentation was exactly that for me you know I know now nothing is literally the state I'm M um there is a part to say how much I asked J GPT actually to do this but we'll leave that for later anyways get up code search later I started learning some actual information about how this works and we need to focus on that bit that the Microsoft documentation actually points us to believe it or not just without a lot of without a lot of real hints um the on

end of data you need pass it a class to know how to handle that thing the that's sorry not a class of function that function takes two arguments there's some sort of Event Source which you don't need to care about uh but then there's one property there the end of data event arguments which give you access to the mail body now you can ignore all of that code and just realize that in software over here we have a strongly typed uh structure that is an entire email message I can access the body the to the from headers if I so wish they attach M the whole thing and this is one of the key components of

implementing that transport agent in software if you're a developer when you get to this point you can kind of do what you want now you can add that annoying this sub this message is from outside you can add a yellow Banner you know do what you need to do um at this point okay I'm going to change gears now specifically why is this interesting for for a light neuron uh and when you read the thread intelligence report from from ID we sort of learned about two key components about light neuron the first this concept of the transport agent which we've had a light introduction to now and the second one is another one called the companion D it looks very

evil because it is uh but it's you know it's just called this companion um and and to understand how these two things believe it or not I'm going to show you another diagram they invokes at different places you know we're going to learn how male flow works again but because we now know how transport agents are involved uh we might be able to understand how these two components play together so believe it or not we've got an incoming message an email Emil that enters exchange uh and it might Traverse through one of these legitimate transport agents maybe it's a DLP thing so someone doesn't steal your data eventually the transport agent that we would have built I'm going to show you

that we've built uh might get triggered and some choices need to be made now a really really sneaky thing considering that turla like likes to steal data they've got their own homegrown rules engine that they've implemented this is not your outlook rules that you go messages from my boss is not important for today it's actually a backend transport agent rule uh rule engine that can do other things to the message and it's a programmatic access that they have to that which is pretty amazing the version I implemented uh it just sort of steals mail so there's a rule that goes is the from someone that I'm interested in yes or no if it is include my email

address to get a copy of that message if not just continue with the rest of the uh the rest of the mail flow don't don't do anything the second last part before we invoke companion DL here goes is there's some trigger in this message that needs me to know that this message shouldn't actually be delivered it mustn't go to an intended recipient or not uh you must go do something else uh if it shouldn't it'll just deliver normally as if nothing happened mail will flow normally here if there's nothing weird or something that should trigger the malware at all if it's not the case uh it will process some attachment which could be PDFs or JBS uh

and we're going to dive into the PDFs for a second because those are interesting uh and if it's a PDF that it knows what to do with it's going to load a dll off disk once the dll is loaded we'll dive into this it's going to process some form of instruction what you need to take away from this is there's quite a few steps and things that can happen before we get to the point where this companion DL is involved to give you a very quick snippet of what some of those male rules might look like uh this is from the the S thread intelligence report it's similarly how we implemented it uh there's a ton of crafty conditions you

can do here does the message have this body content is it something secret that I'm interested in automatically add me as a as a recipient are there links I want to swap out you know you could almost anything you can imagine and how I want to manipulate mail that you might trust initially uh can can happen with this rule engine and this is something that's remotely configurable okay I'm going to move on to the companion D because really that's where the meat of the stuff is now the companion DL effectively receives instructions from something externally uh and the instruction from the outside is something that's delivered via email now the way an instruction comes comes

in is not a message that has a subject line that says please run this command and send me the output uh they're trying to be a little bit sneaky about it uh and the way that happens if I wanted to run a command is it first obviously encrypts the command but then the second part it does it uses a steganography technique to embed that encrypted payload inside of a PDF or in a JPEG and a legitimate one one that you can view in an image viewer or your PDF viewer like you would uh so it would look something like that that combined effectively turns into this malicious PDF something that you can read it's not

an obviously bad message but there's a payload embedded that's also encrypted inside of it that is the attachment that needs to enter into exchange to then be read the payload extracted and the companion D does something with it but the inverse is true as well any responses that need to come back also get encrypted and embedded in a sort of image or a PDF on his way out back to the attacker to now see what's occurred in this case now if we take all of the stuff you know into context we take a step back a little bit the the mechanism and the little bits that we need to get this going is lo and behold we write a

little patent C2 of course it's really just something that can build those PDFs for you really fast uh and can send email up and down you send mail into an affected Exchange Server and one that has this transport agent running knows how to interpret those messages or not now for no lack of diagrams I'll do one last one uh which tries to emphasize a little bit of some of the root back you have an operat Ator there's an infected Exchange Server we've got transport agents that need to be processed but finally the infected transport agent is invoked that transport agent has some decisions it needs to make is the rules engine applicable yes or no and then do

what I need to do and is the companion DL involved yes or no the companion D is involved if the PDF has got an encrypted payload that's got a St using a stogy technique inside of it repeat myself often uh if needed uh and it needs to invoke companion D it would disc that mail so it's not obvious that mail flowed for someone which actually has an interesting side effect the email only needs to enter exchange it doesn't have to go to Leon at organization it can go to this is not a legitimate email uh but it'll get discarded before a bounce message or anything like that gets generated which is quite interesting okay if it must the companion DL is

loaded the PDF is unpacked to get the payload and if a reply needs to go back this is something I learned about exchange uh a well form. message file can be dropped in a folder and this is what uh turlo was doing in this case as well an exchange would just pick that message up and and and forward it along you know process the message for that matter if it needs to go out it will leave if it goes to an internal recipient it would so this is a lot of a Unix like thing okay someone suggest that I do Demos in PowerPoint so this is going to be fun uh but I want to show you two

videos uh the one's going to be what does the command execution look like uh and the second one is how can we steal email using uh this malware okay if it doesn't just play it doesn't just play now we do uh the bit we're going to look at over here just for some quick context I've got a lab of course on my laptop this is a exchange installation um I'm going to show you a little bit on how we can to install Light neuron and then we're going to send that email to get some code execution running so this is an example if we run that initial get transport agent command that um lists default

transport agents that exist with an exchange I haven't done anything yet here truthfully this is a snapshot shot that I kept reverting to uh I then run a small partial script this is something a thread actor would have done in some shape or form they're now infecting an exchange server having this transport Agent form part of it and we'll finally see light neuron pop up in our list of Transport agents now it can have a priority I obviously made it number one there but uh maybe a more sty seal implementation could be different I then run a small uh Python program that connects to an attacker controlled mailbox this mailbox is just really what I'm using to get mail in and out uh and

knows how to build those PDF documents finally there's a shell command option within the this little C2 that I can invoke a shell command which will embedd it within a PDF that the transport agent knows how to unpack and run here I'm logged into my attacker mailbox there'll be a draft message I'm going to be too slow to read this but you would see that it's just a normal well font message with an attachment that leaves uh and the reply comes back and it could look something like this it's a response message with a PDF that you can read I'm using the Outlook web access PD built-in PDF reader over here but when you go

back to our commander control the response for that command that we've written got extracted out of that PDF and at this point I have some command execution and that is again a legitimate SMTP conversation that occurred that had this PDF was this encrypted payload inside of it you get the gist of it okay now the second part which admittedly is probably more interesting uh is the male rules engine so um is this it no that's not it video is in PowerPoints uh we're going to look at the C2 over here uh and what we'll do is you know it's my implementation of this rules engine um you can remotely configure the rules and how they must

look uh that bar is madly annoying don't do this if you do a presentation there we go uh I can add a rule that says hey any mail that gets sent to Alice in this case I think forward her mail to Tucker uh to the attacker mailbox uh what will happen in this case that PDF transport mechanism sends a message to transport agent it goes hey cool I'll add a new rule so any mail in the future that needs to be changed now gets manipulated any responses um sorry and it would respond back with doing that the command I'm doing over here is just to confirm that the remote transport agent now has that rule applied it now knows that that

what must happen I'll Now log in using Outlook web access to just send an email uh as you would expect they um nothing different here the content of your mail might be different this is not a very secret message but nonetheless and I'm going to send that to Leon uh so nothing really weird here off you go and if I just double check in the send messages Leon is still the only recipient now what you'll see over here it behaves a lot like a BCC uh except except that's not what you've done the next thing I might do is if I log into the recipient mailbox I now just double checked I receed that message none of this is

weird this is still how exchange behaves it's very normal I see them message come in it's still only for Leon uh at least based on the guy uh but just to double check I'll look at the message headers I don't know why it renders awfully in exchange weback says but there you go uh and I'll just double check that is there any references to the attacker over here and again it's a lot like a BCC would behave you know you won't won't necessarily see the stuff except it's not so at this point we confirm cool the attacker is not part of this this message I didn't send it to attacker I sent it to Leon but the really cool

thing here is if I do log in as the attacker uh at that Point assuming I can just type faster we should see a copy of that message that I received and it still looks exactly the same way that Alice sent to Leon there's no modification it's exactly the same thing and that's because the transport agent triggered that rule going cool mail from Alice I would like a copy of it now you can imagine you know having an auto BCC that's not in your outlook Rules and Things gets a little complicated over here okay cool I'll save us a second on that demo now the no there you didn't get the second after all um okay so the detection stuff

here is actually really interesting honestly the answers here aren't great uh apart from the fact that I'm quite happy to hear exchange over time will probably just not be a thing anymore like maybe that is the answer over here don't don't care about this because it's maybe not that important anyways uh but I still think academically this is interesting um the first one is the you know when I look at how you know I've added myself as a recipient the demo that you just saw like what opportunities do I have to know that this has happened um a colleague of mine smarter than me told me about this PO shell command lit oh my goodness don't do videos in PowerPoint

um saying hey you can run this command get message tracking log for a message ID to get a trace of how a message flowed through exchange right the message ID I grabb from the test message that I sent and it would look something like this and that is a lot to read but if you dive into the detail a little bit you'll notice okay there's this one line entry that specifically talks about an agent that did something to a message uh and I infer that it's not clear to me I infer it by the fact that the recipients have now changed not I have added a recipient and the hint over here is you know that line of code you see at the

top is actually the implementation I'm adding a new two uh recipient to the message not a BCC a two now you know the hard question here is is the expectation then for for detecting this that I need to pull it message tracking log for every message and then infer yeah I don't really know what to what to tell you from that perspective so so that's really that's really tricky the second part and maybe more relevant to how Tura operated is what if I wanted to change how this message work uh the content of the message and maybe I just wanted to tamper with the subject uh because I can do that in code I can go

mail. message. subject equals something else I can run my get message tracking log command partial command L again and see what the results might be and and when we inspect the detail over here he sort of sits in this situation where there's no clear line that says an agent change the the um the subject uh in fact it's roughly around the SMTP component which I'm not too sure what that means that uh that tells you based on the message subject field changing that it's been changed but the body you know what if the body was changed what do you see there I don't know uh and I think this is a this is quite a tricky one parts of

why this kind of malware is probably not not a lot of fun to deal with anyways so as far as the full the full spectrum here goes from the purple teaming context and how Turla operated this is sort of like enough for us to implement and get a sense of you know when we do these kinds of attacks what opportunities for detection exist or which existing ones can be strengthened to to improve some of that detection but for me that wasn't enough uh Cobalt Strike is maybe now notorious C2 for many many reasons uh I I like gluing it to things and I thought to myself how can I glue Cobalt Strike into this into this

conversation is there is there something we can do over here to have it work via this back door and that's exactly what I uh what I set out to do now the way that's work that works going to do a quick command and control 101 it'll be very quick but um you need to understand that to know how LightNeuron would fit in now very basic command and control setup would be there'll be some sort of controlling server in this case Cobalt Strike and there'll be some sort of implant or a beacon or whatever and those two communicate over a C2 path very commonly in HTTP request I make a request to a server it tells me I must

do something I do it and I send the request back again uh but Cobalt Strike has a feature called External C2 which sort of gives you control over that C2 part so that you now introduce this new concept of a client and a controller and those are parts you can write outside of Cobalt Strike it's sort of a framework where you can interact programmatically with Cobalt Strike but also interact with a beacon programmatically and when I thought about this a little a little bit the part that I really want to change is that C2 path should turn now into email right this LightNeuron thing that I already have is already you know it's part of it I just need to glue

this in in fact then when I think even further I already have all the bits I need I've written a C2 part which replaces the controller and I've already got the transport agent which is the CLI to the beacon it's really just a little bit of plumbing to connect these two together so that they can relay frames between each other uh but to get that beacon running at first uh I'm going to show you how that staging process works as a way to sort of visualize how these mails will flow and where some of my problems might come in so to understand how a beacon would stage let's let's have a look at this at a high level uh

and this is a little bit of an unveiling when you read the External C2 documentation like how does this work this this diagram should hopefully help the first bit you need to do is you need to make a TCP connection to the Cobalt Strike server the External C2 listener that you would have started once you're connected you'll ask for some shellcode which is a defined protocol and how that works works and it will reply with that shellcode back and this is some shellcode I now have in my C2 and I'll plunk that into a PDF I email it off to my victim and the transport agent knows that this PDF and the way this frame

looks is something it contains a Cobalt Strike beacon and I need to need to spawn that for the defenders in the room you'll probably get excited over here there's a lot of opportunity uh in this step but finally that transport agent will spawn this beacon which will now come up and at that point we'll have a Windows named pipe open that we can connect to and interact with that beacon right and at this point we have this and this is my favorite slide this opportunity to have this frame relaying happening between Cobalt Strike and the beacon you know there's a lot of complexity in the middle but the way this protocol works is I have a frame

from Cobalt Strike I need to relay it doesn't matter how I'm using External C2 as a feature to get it to the other side send it into the beacon or whatever the response is I do the same mechanism to get it back it's genuinely really cool thing to to play with uh but unfortunately for me as cool as it is it definitely didn't work and I lost about 4 days of my life uh thinking I'm smarter than I than I actually am uh and to understand this problem I sort of uh got we need to take a little bit of a closer look at those frames the the specification tells that you just need to throw the frames around between the

C2 and the beacon you don't really need to know what's inside for the most part that's true uh but there's some detail in that now if we had to look at that staging process again what uh what would happen at a um at a socket level you would ask for shellcode Cobalt Strike will reply with a what I'm going to call a frame from here every time I mean a a frame it's going to be this communication between Cobalt Strike and a beacon a frame will come back from Cobalt Strike saying this is the length and this is the data and the very first frame as you can imagine if you asked for shellcode as a shellcode frame

contains that full body that shellcode gets shipped all the way back to an Exchange server or it could be another server you can remotely connect to a named pipe um and it gets staged and then what the the protocol tells you what the specification says once that beacon is up you connect to the named pipe and you read a metadata frame off it that first frame that comes off is a metadata frame and that response is a very small 132 bytes that 132 bytes using this very short email circuit gets sent back to Cobalt Strike that's the staging process complete at this point once we're staged we now start pinging and ponging between each other and if there's no instruction

ready for us to do anything with both sides will just reply with a one byte up and down that's it ping pong all day long uh that rhymed unexpectedly the uh more importantly this is not something that needs to happen in an interval you control the C2 channel you can control how fast that happens if it's once a day once a month once a week legitimately true for for some operations then uh that's something that you can control which is quite exciting okay now imagine all of that worked and you've used Cobalt Strike before you sort of get this beacon that checks in now roughly at this point you do a cartwheel and you ring a shell bell in the office

cuz clearly code execution just occurred uh and it's a bit of a euphoria uh and then depending on how long you've been doing this your first instinct would be to right click that beacon and interact and you just hit ls or some command you know you just want some output for the thing that you've done which obviously exactly what I did in my lab environment uh but the problem is and we're looking at the frames a little bit I would send that ls which now results in not a one-byte frame going to the beacon but a 48-byte frame cuz it's got an instruction for the beacon to do uh and it would reply with a one-byte

response now I don't know how big your whatever directory is but one byte's not enough to know what's going on uh I realized I don't have enough time but this was uh 4 days of pure pain ChatGPT is not great the uh yeah the only thing that worked over here was uh was turning into reading some more documentation and knowing what happened I'm resisting emotionally responding to the 4 days that I had trying to figure this out uh maybe not so well but anyways this is one line in there that talks about the third party client controller and it says when a new session is desired the third party controller connects to the External C2

server cool the little Python thing we have we connect to the External C2 server but then there's this line that if you don't read it properly you'll spend four days wasting your time says each connection to the External C2 server services one session okay the connection from the C2 server services one session now when you implement this in a very short period of time you're like cool I got my session I'm ready what you don't realize is they're also talking about the beacon in this case if you disconnect there's a new session and to help explain what I mean by this I'm going to introduce what I'm calling the single session problem I made this up um you've seen this uh PDF

that's got this gobbledygook inside of it that the transport agent knows how to do um and when an email comes in believe it or not there's a transport agent process that as a new child will finally kick off your transport agent so mail comes in there's this transport agent process it realizes there's this list of transport agents I need to invoke LightNeuron is one of them and LightNeuron will at some stage run a constructor it's C code there's a class that needs to be initialized a constructor is run then there's some logic it says cool this is a PDF it's got a nasty payload in it I know someone who knows who can

do something about that uh and it will invoke the companion and the companion gets initialized now there's sort of this tree that builds uh and the companion knows oh this is a Cobalt Strike frame it's pretty cool I've already got one up and going there's this named pipe that I'm aware of so I'm just going to connect to the named pipe the frame I got from Cobalt Strike I'm going to write on the pipe back into the beacon when I'm done with the writing I'm going to read whatever the response is dump that new PDF of mine in the spool folder and then a cleanup process starts companion DLL starts destructing and finally the transport agent that I have starts

destructing and the nuance here is that means my connection to my named pipe just got destroyed every time I come back a new message enters the system this process repeats itself the C2 specification says when you connect you need to read the metadata frame off first not write whatever you have and read whatever you got it's why when 48 bytes come in one byte comes out it's time for the pong there's nothing to do over here wow 4 days okay anyways the um what this meant there's a ton of ways I thought how can I solve this um uh and one of the ways that I figured I would do that is of course an excuse for

another proxy so I built this project called Beacon Pipe Frame Proxy it's a toy proxy the idea being I needed something to stay connected to that beacon the transport agent keeps dying now that I know that uh the beacon uh my proxy doesn't need to die but I need a mechanism to keep a client connected to the beacon while while allowing things that can come and go on the other end which is what this proxy tries to do so the tldr of this proxy is obviously more code than this but it starts a TCP socket listener it connects with a named pipe down to the beacon and has this very simple while loop that says a new TCP connection comes in using

the existing named pipe this is the most important thing to take from that write whatever you got and read whatever you got back at this point that session stays alive like the spec told us in the first place uh and we can now continue normally which means the way this whole thing is put together now actually introduces yet another step uh where we insert the frame proxy right in the middle over there the beacon is long lived the proxy is long lived we're not talking OPSEC considerations here that's up to you but um you know at this point the transport agent can come and go and destruct it's fine the communication will stay alive which means now when

that 48-byte ls comes in I don't get a one-byte reply uh I get a 676-byte response that I can actually do something with so I'm going to show you a demo of that uh which is again in PowerPoint good luck to me uh we'll look at the C2 over here there's going to be a few things going we're going to connect to Cobalt Strike we're going to spawn the beacon um so I'm going to talk you through that in this case over here I'm going to play you're looking at the C2 praying that that little bar goes away go away little bar uh we'll connect the the first command I issue here is the CS connect

which is just going to connect my little C2 controller to Cobalt Strike and this is using that External C2 protocol uh I'm making sure I have an External C2 listener which is what I have over here and I'll go ahead and issue that that connect uh instruction once that's ready uh with it connected I can now request uh some shellcode so silly command just to get something for a specific architecture uh which is 64-bit in this case and I'm going to use a create remote thread technique to spawn notepad and just inject a Cobalt Strike beacon inside of that thread what happens at this point is the code the shellcode got requested the PDF got built and it got

shipped off to Exchange in quite a quite a quick succession if we look at Exchange itself I need to look closer you'll see the the transport agent uh has a child process that spawns which is going to be that notepad at some stage the proxy will come up as well which is what I'm looking at over there uh the left was just some debug logging of the frames and the moment all of that stuff is up that initial metadata frame will come all the way back into Cobalt Strike and we have that initial beacon uh and this is now the cartwheel uh

[Applause] scenario uh with the proxy in place I now interact uh when I issue an ls for the contents of the C drive the response is not nothing which definitely hurt my soul uh it's uh a much larger response this just to show some of the the ping pongs that go up uh and finally we have that 600 plus byte response uh and something visually showing that it works if the video does its two second thing and there we go an interactive Cobalt Strike beacon over Exchange

[Applause] okay so in summary to fuse LightNeuron and Cobalt Strike you just need 10 quick things Cobalt Strike a Python C2 a dodgy email actually an attachment onto an email entering Exchange that will spawn a transport agent that would load the companion DLL that would read that PDF to see what's going on inside of it connect to my dodgy proxy and finally relay the frame back into Cobalt Strike and four days and 4 days absolutely that's what I wanted to show you thank you so much for for listening [Applause]
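The talk describes the External C2 channel purely in terms of frames: a length, then data, with a 132-byte metadata frame at staging, one-byte frames when nobody has anything to say, and larger frames (the 48-byte task, the 676-byte reply) when a command is actually serviced. For a detection engineer reconstructing what such a channel looks like once it has been pulled out of an attachment or a pipe capture, the following is an added example that is not code from the talk, from the speaker's C2, or from the frame proxy. It assumes the frame layout is a 4-byte little-endian length prefix followed by the data (my assumption about the External C2 specification, not something the talk states), constructs a sample stream with the sizes the talk mentions, splits it into frames while correctly holding back a trailing partial frame, and summarizes the traffic by frame class.

```python
"""Frame splitter and traffic summary for a length-prefixed C2 channel.

Added example, not code from the talk. The framing (4-byte little-endian
length, then data) is an assumption about the External C2 specification.
"""
import struct

# Assumed frame header: unsigned 32-bit little-endian length.
HEADER = struct.Struct("<I")

# Frame sizes as reported in the talk; used only to label frames.
METADATA_LEN = 132   # first frame read from a freshly staged beacon
IDLE_LEN = 1         # "nothing to do" ping/pong frame


def pack_frame(data: bytes) -> bytes:
    """Prefix `data` with its length (assumed External C2 framing)."""
    return HEADER.pack(len(data)) + data


def unpack_frames(stream: bytes):
    """Split `stream` into complete frames.

    Returns (frames, leftover). `leftover` holds a trailing partial frame
    so a caller reading from a socket or pipe can resume once more bytes
    arrive instead of mis-parsing the stream.
    """
    frames = []
    pos = 0
    while pos + HEADER.size <= len(stream):
        (length,) = HEADER.unpack_from(stream, pos)
        end = pos + HEADER.size + length
        if end > len(stream):
            break  # incomplete frame: keep it as leftover
        frames.append(stream[pos + HEADER.size:end])
        pos = end
    return frames, stream[pos:]


def classify(frame: bytes) -> str:
    """Label a frame by size, using the sizes the talk reports (heuristic)."""
    if len(frame) == IDLE_LEN:
        return "idle"
    if len(frame) == METADATA_LEN:
        return "metadata"
    return "task_or_output"


def summarize(stream: bytes) -> dict:
    """Count frames per class; a channel that is all 'idle' is just heartbeat."""
    frames, leftover = unpack_frames(stream)
    counts = {}
    for frame in frames:
        label = classify(frame)
        counts[label] = counts.get(label, 0) + 1
    return {"frames": len(frames), "leftover": len(leftover), "counts": counts}


def build_sample_stream() -> bytes:
    """Constructed sample: staging metadata, three idle pings, one 48-byte
    task, its 676-byte output, then a partial frame cut off mid-transfer."""
    stream = pack_frame(b"\x00" * METADATA_LEN)
    stream += pack_frame(b"\x00") * 3
    stream += pack_frame(b"T" * 48)
    stream += pack_frame(b"O" * 676)
    stream += HEADER.pack(5) + b"ab"  # only 2 of 5 announced bytes present
    return stream


if __name__ == "__main__":
    print(summarize(build_sample_stream()))
```

The partial-frame handling matters in practice: if a relay or a capture parser reads whatever bytes happen to be available and treats them as a whole frame, it will silently desynchronize and every later frame boundary is wrong, which is the same class of mistake the talk describes with a session that was torn down between messages.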