
Cloud Chatter: Defending Against Cloud C2 by Dagmawi Mulugeta

BSides London 2023 · 41:13 · Published 2023-05

Thank you everyone for showing up. I know it's kind of a busy season with the Christmas stuff, so I appreciate everyone making the time to come to this talk. We do have something very exciting prepared for you today, so I hope everyone has a little bit they take away with them so that they can make their environments that much more secure. With that being said, I'll get started. My name is Dagmawi Mulugeta, I'm a threat researcher at Netskope Threat Labs, and today we're going to be talking about a specific attack technique that we refer to as cloud C2.

I typically try to have an outline so that people have an idea of where we're at and what's to come. We're going to start by introducing what cloud C2 is, what we mean by this crazy, wacky term, and we'll talk about how that's different from traditional C2. Then we'll take an offensive look into things, and we do this by doing a deep dive into how you can simulate this in your environment and see what the controls you have in place are willing to detect. Then we'll take a defensive look into things and see why certain detection methods might have a challenge detecting this technique, and then we'll move on to how you can actually try to detect this using a new set of behavior signals; that'll be the takeaway section. Finally, we'll conclude everything by reviewing the key takeaways from all this.

So let's get started. What is cloud C2? Before we get into cloud C2, let's talk a little bit about what command and control is, for that maybe one person in here that doesn't know this. It's a stage in the cyber kill chain. The cyber kill chain is a set of steps an attacker uses when they compromise a target system. It typically starts with doing some reconnaissance; they then use the information they've gathered from recon to find a weakness that they'll generate a payload against, deliver that payload, this payload will exploit the weakness they found during the recon phase, and then that will install a particular piece of malware that'll phone back home and poll for additional commands. So this network communication of polling for additional commands is what we refer to as command and control. Traditionally this has been done over mediums like HTTPS and DNS directly to the attacker-controlled server, and if you wanted to simulate this you could do it with Cobalt Strike and PowerShell Empire. So that's a quick crash course into what command and control is.

So what is cloud command and control? Traditionally, what attackers do is set up their own servers, their own domains, their own IP addresses, their own infrastructure to pull these commands back and forth, and you can see this in the top right, where a compromised device is going to reach out to the attacker-controlled infrastructure to poll for commands. This has been tough to detect, but I know the security community has done a pretty good job of using threat intelligence feeds to identify this attacker-owned infrastructure and block communication to it. So what attackers have started to do more of recently (this is actually not new, but we've seen a large uptick recently) is abusing cloud applications as a medium for command and control. They're using things like Dropbox folders, Google Drive and Slack channels to send these commands back and forth. Why would they want to do this? Firstly, it's a very minimal setup, the same reason why most of us want to use these. It's very cost efficient; most of these apps have a free tier, so you can quickly get set up and get going for free. And it's that much tougher to detect: almost everyone has a Google account, and with it Google Drive, so if you want to blend into existing traffic, using one of these apps makes it that much more enticing as an attacker.

So how often does this happen in the real world? This is a little bit of a noisy slide, so I apologize for that, but what I wanted to show are the malware samples and the cloud apps they've abused for command and control. You can see BoxCaon, NimbleMamba and Crutch abused Dropbox; Graphite and BLUELIGHT abused OneDrive; Aclip abused Slack; we've seen GitHub abused, Google Drive abused, Twitter, Tumblr, Blogspot, Google Docs, Google Scripts, Pastebin, OneHub, Telegram. All these apps have been abused for command and control, and this is actually a very select list; a much more detailed list can be found on MITRE's page as well. You can see that there's really no cloud app that's immune to this. It's not just one cloud app's problem; an attacker can use any cloud app for command and control, and they have.

So that's a very quick crash course into cloud C2 and how it's happening. Let's now take a closer look at how you can simulate this in your corporate environments and take an offensive look into things. We're going to look at three tools primarily here: Empire, C3 and Covenant. Some of you might already know these tools. And we're going to take a look at two apps in particular, Dropbox and Slack; these are the apps that are generally more popular with attackers, and with individuals in corporate environments as well, so we wanted to start by looking at those. For each of these apps, we're going to talk about what the cloud app is meant to do, why an attacker might prefer this cloud app, then go over one real-world example of an abuse of this cloud app, and then, for the bulk of this exercise, we're going to go through a detailed walkthrough of how you can simulate this in your red team engagement or penetration test assessment. Finally, we'll briefly take a look under the hood at how this cloud app is actually being abused for command and control.

So, the tools. We used a lot of tools in this research, but the three primary ones are Empire, Covenant and C3. Empire is a PowerShell and Python 3 post-exploitation framework; it's open source, maintained by BC Security. It's a really cool tool, quick to get set up and get going, and it's a Linux-based tool. Covenant, on the other hand, is Windows-based; it's a .NET C2 framework, it's also open source, and it's also a great tool to play around with. The third tool we're going to use is Custom Command and Control (C3). This might not be as popular as the other ones, but it's actually really, really useful to test cloud C2 specifically, because it provides a vast variety of mediums to send your commands through, and it integrates with Cobalt Strike and Covenant, so it doesn't really worry about the command execution and interpretation bit; it offloads that onto Cobalt Strike and Covenant and just provides a vast variety of these mediums you can use. It's also maintained by F-Secure Labs. All three of these tools I highly recommend to get set up and get going.

So let's start the deep dive with Dropbox. Dropbox is a cloud storage app, and like most cloud storage apps you've seen, they tend to be abused by uploading, downloading and deleting encrypted and encoded files. This cloud app actually provides a very flexible app development interface, and you can get set up quite quickly, and as a bonus for the attacker, it exists as both an enterprise and a personal cloud. So if you're going after a company that may be an enterprise-level customer of Dropbox, as an attacker you're that much more enticed to use this app for command and control.

Going over one real-world example of abuse: MoleRATs. This threat actor was found abusing Dropbox for command and control earlier this year. Now, this threat actor is known for being stealthy, and they've used this technique before, using cloud apps, but what was interesting in this case was that they were using multiple accounts for communication. You can see an attack flow here where a malicious Office document gets downloaded, that executes a PowerShell command, that downloads a .NET backdoor that was reaching out to the attacker via multiple Dropbox accounts. They were separating responsibilities out through these accounts: they were using one for command and control, another for file exfiltration, and a different one for backup C2. They were doing this for resilience, so if one of these accounts gets burned, they have other ways of communicating with the compromised machines.

So how can you simulate this? You can do this using a variety of open source tools: DropboxC2, C3, Empire. We're going to use Empire here, but that's somewhat arbitrary; you can really do this with any of the other tools. We're going to follow a four-step process: we're going to create the account, set up the Empire listener with the access token from the account, generate the payload and deliver that directly to the victim. Now, normally with this step, what you'd want to do is maybe simulate a phishing campaign that a victim will fall for, and it'll download a malicious Office document, and then this is the next-stage payload; but for the sake of brevity we're just going to directly compromise that machine, just simulate a compromise and go from there. Once we have everything set up, we're going to interact with the compromised device by tunneling commands through the Dropbox account. So the full attack flow will look like the following: the Empire server is going to upload commands to Dropbox, the malicious process, or the agent, on the victim is going to pull those commands down, execute them and upload the results back to Dropbox, and then the Empire console is going to pull that down.

First things first, we're going to create the attacker-controlled Dropbox with the access token. We signed up for Dropbox here, we've created an app, named it "Empire C2", and we're going to give it full read and write permissions to this account. This is free; it took maybe three minutes to do this. Then we're going to set up the Empire listener. We've downloaded and installed Empire, we've configured a Dropbox listener here with all these configurations, and we're going to pass it the API token from the previous step. If we've configured everything correctly, when we type execute you can see that the Dropbox listener has successfully started. What this does in our account is the following: it's going to go in and create this Empire folder (it doesn't have to be "Empire", you can change this, we just stuck with the default name) and then three subfolders underneath it: results, staging and taskings. So you can see it's laying the foundation here for the communication that's about to happen.

Then we're going to generate a payload and deliver that directly to the victim. On the attacker side we set the listener to Dropbox, create this Windows batch file, copy that to the victim and run it. You should see this PowerShell process start up, and then on the attacker side you'll see an agent check in. This will have details like the agent ID, the language it's running as, which is PowerShell, the IP address, the username, the process, the process ID, the delay and jitter, the last time it was seen, and most importantly here, the medium it's communicating through, which is Dropbox.

So let's see a quick demo for this. Looks like this works. OK, so this is on the victim side. You can see we have this batch file; we're going to run it as administrator, because why not, and you can see this PowerShell process start up. Then on the attacker console, it just takes a few seconds to get fully set up, but you can see this agent has checked in. It is a multi-stage deployment, so you do need to wait a few more seconds for it to get fully set up; that's why these are blank, it just needs one more second. So you see now we have all those details we saw in the previous slide, and we're going to go ahead and interact with this. We're going to ask it to run two commands: whoami and a list of the processes that are running. While this does take a second to fully propagate, we can go ahead and look at the Dropbox account to see what that communication looks like. You can see it's sending these commands back and forth through these text files, and the name of these files is the name of the agent; that's how it's managing its bookkeeping internally. If you go back to the attacker console, it does take a while to get pushed out, but that happened quickly, so you see a list of the processes here: the process, the process ID, the username, etc. If we take a look at the victim side, we're going to look at this tool called Fiddler. Fiddler is a debugging proxy we've used to look at the communication going outbound. If you take a look at what's happening from this PowerShell process, you can see it's trying to grab details around this file, and if we try to see what the contents of that file are when it tries to download it, you see that the data is kind of gibberish: it's encrypted, encoded, you can't make sense of it at this stage, at least in the middle.

So we just looked at how this communication is happening. We saw it was through these text files that were being uploaded and downloaded; we've tried to look at the content of one of these text files and we can't really make sense of it, and that's because it's encrypted. You can look at the routine and the code that's actually doing that as well. I know that was kind of quick, but let's quickly summarize what we just saw for Dropbox: it's a cloud storage app that's abused by uploading, downloading and deleting these encrypted files. If you wanted to simulate this, you can, using DropboxC2, C3 or Empire, and depending on the sophistication level you're trying to model, you can do a few different things. If you're trying to model a not very sophisticated threat actor, you could use the default configs; if you want to model a sophisticated threat actor, customize the configs a little bit; and if you want to model a very sophisticated threat, you could do what we saw in the example, which is use multiple accounts to send commands back and forth so the responsibilities are segregated.

So let's do one more deep dive, with Slack. I think most people are familiar with it, but in case you're not, it's a collaboration app, and it's useful for sending messages internally within an org. Attackers tend to abuse this by creating channels, sending messages, or reading and writing to messages, so replying to messages. This also exists as an enterprise and a personal cloud, which further enables an attacker to want to use this. Going over one real-world example: this malware sample, Aclip, was abusing Slack for C2, I think a year ago now, and it was targeting an airline to steal reservation data. You can see the attack flow on the right side, and what was interesting about this is they were using different channels for communication. They were using Slack's features to make their lives easier as well: they're using one channel to send system information upon compromise, a different channel for sending commands back and forth, and then a third one to send the results of these commands, as well as any files that might have been requested. So they're really getting the most from this subscription from Slack.

If we do the same thing we did with Dropbox, we can simulate this with Slackor, SlackC2bot or SlackShell. We just used C3 and Covenant, because they have a very detailed set of steps that we could use. Again we're going to use a four-step process: we're going to sign up for the account, set up C3 and Covenant with the Slack account that we set up, then generate a payload and move that to the victim machine, and then interact with the compromised device by communicating through Slack. First things first, we sign up for the Slack account and create a set of application credentials that we want to use, then we use these credentials to set up C3 and Covenant. You can see C3 has this nice graphical interface that you could use. We're going to set up a Slack channel, we're going to give it the token or the credentials that we created, and if we set up everything correctly you should see a graph like the one on the bottom right, where you have the gateway and that's communicating out through that channel. One thing to note if you do this: C3 and Covenant are two different repos, so we had some issues integrating them; that commit hash worked the best for us, so we wanted to make a note of it if you do end up going through this exercise. What this does, similar to how we saw that Empire directory being created in Dropbox, is create a Slack channel for us to use. So the C3 channel gets created and we see the C3 bot join that Slack channel; it's setting the groundwork for that communication.

What we're going to do at this point is generate this payload that has a Slack token; it's all auto-generated. We're going to download this payload, which is called a relay in C3, copy that relay over to our victim machine and run it as admin. Once we have it fully set up, you can see on the right side this is going to create the whole topology, where you have the gateway communicating through channels to the victim machine on the right side, and we have Covenant set up with the whole thing, so we can run commands like whoami and get the current directory, and that'll flow through Slack all the way to the victim, get executed, and then come back to the gateway and show up on our console. If we take a look at a quick video of this, we can request the processes here, and you can see the request getting written out to the Slack channel; the victim's going to download all that stuff and delete it, and then upload the results here, and then the attacker is going to download and delete it and show it in their console. If we just take a look at that one more time, since that was kind of quick: we ask for a list of the processes here from the attacker side, and then in the Slack channel that request gets written out really quickly. It's encrypted, encoded, you can't really make sense of it here, and then the results get written back, it's deleted, and it shows up in the attacker console.

Again, that was very quick, but just to summarize everything we talked about: Slack is a collaboration app that's abused by sending commands through Slack channels. If you wanted to simulate a threat actor doing this, you could do this using tools like C3 and Covenant, and depending on the sophistication level you want to model, you could do a few different things for this as well.

So let's talk about the fun stuff: defenses. What can you do to defend against this? But before yo
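As an added example, not part of the talk or of any tool it describes: a small Python beaconing check that reads constructed proxy log lines (modelled on what the Fiddler view showed, a PowerShell process polling the Dropbox content API for small files at a fixed delay with jitter) and flags non-browser processes calling a cloud API host on a regular cadence. The log format, the host list, the browser list and the thresholds are all assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the talk): timestamp, process, method, host/path, bytes.
# The powershell.exe entries mimic an agent polling Dropbox every ~5 s with a little jitter;
# the chrome.exe entries mimic an interactive user session that should not be flagged.
SAMPLE_LOG = """\
2023-05-01T10:00:00 powershell.exe POST content.dropboxapi.com/2/files/download 812
2023-05-01T10:00:05 powershell.exe POST content.dropboxapi.com/2/files/download 812
2023-05-01T10:00:11 powershell.exe POST content.dropboxapi.com/2/files/upload 1420
2023-05-01T10:00:16 powershell.exe POST content.dropboxapi.com/2/files/download 812
2023-05-01T10:00:21 powershell.exe POST content.dropboxapi.com/2/files/download 812
2023-05-01T10:00:27 powershell.exe POST content.dropboxapi.com/2/files/download 812
2023-05-01T10:00:02 chrome.exe GET www.dropbox.com/home 53211
2023-05-01T10:03:40 chrome.exe POST content.dropboxapi.com/2/files/upload 2048000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
# Assumed API hosts for the two apps discussed in the talk; extend for your environment.
CLOUD_API_HOSTS = {"content.dropboxapi.com", "api.dropboxapi.com", "slack.com"}
# Assumed allow-list of processes expected to talk to these hosts interactively.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, proc, _method, url, size = m.groups()
        host = url.split("/", 1)[0]
        events.append({"ts": datetime.fromisoformat(ts), "proc": proc,
                       "host": host, "bytes": int(size)})
    return events


def find_beacons(events, min_hits=5, max_jitter=0.5):
    """Flag (process, host) pairs with many regularly spaced calls to a cloud API host
    from a non-browser process. Regularity is measured as the coefficient of variation
    of the inter-request gaps; a low value means a fixed polling delay plus small jitter."""
    by_key = defaultdict(list)
    for e in events:
        if e["host"] in CLOUD_API_HOSTS and e["proc"].lower() not in BROWSERS:
            by_key[(e["proc"], e["host"])].append(e["ts"])
    findings = []
    for (proc, host), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_jitter:
            findings.append({"process": proc, "host": host,
                             "hits": len(stamps), "mean_gap_s": round(mean, 1)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f)
```

Tune min_hits and max_jitter to the polling delay and jitter the agents in your own simulation use; a long delay with high jitter will need a longer observation window.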