Creative Command and Control: It Reads, It Writes, It C2s.pdf

No.: 981769 | PDF | 43 pages | 2.20 MB


It reads, it writes, it C2s
Creative C2 channels.

whoami
Ignatius Michael
Proactive security lead at DeepCove cybersecurity (by day)
OWASP Toronto co-organizer
Part-time lecturer at Seneca College
Hobbyist LLM prompter (by night)

Background
Easier way to mask C2 traffic during an operation

Turla APTs Britney Spears Instagram Comment Section
Turla hackers (RUSSIA) creatively used Instagram comments for Command and Control (C2) operations
The malware used a Firefox extension to monitor Instagram comments for hidden C2 instructions

APT-29 (CozyBear) - Reddit

T1583.006: Acquire Infrastructure: Web Services
MITRE ATT&CK: "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls."

Refreshers: C2
Command and Control - Refers to a system used by attackers to remotely control compromised devices or networks.
Common C2 frameworks: HAVOC, SLIVER, Empire
Communication usually through well-known protocols or use custom ports.

Refreshers: Domain fronting
A technique used to disguise the true destination of internet traffic by routing it through a front domain, typically hosted by a content delivery network (CDN), making it appear as if the traffic is intended for a legitimate site while covertly connecting to a different server.
Step 1: DNS Resolution
Step 2: Connection
Step 3: HTTP Request
Step 4: CDN Handling
Step 5: C2 Server Responds

Observations
Domain trusting is not effective
Gap in currently offered solutions
Easy implementation

Creative Command and Control channels
What is it? Leveraging legitimate services with good domain reputation to mask your C2 activities
How to pick the right channels to front your activity
Can it read?
Can it write?
Does it have pre-built API integrations or librari
