Over the past few years, I have been organizing, participating in, and frequently writing software for CCDC red teams. This year, as I’ve been starting to dust off the code, spin up VMs and test things to see if they still work, it seems my last-ditch covert channel for control and data exfiltration is no longer working. This method was one of my favorites, and to my knowledge was never found by the blue teams…
More advanced solutions, rather than establishing a connection in or out, use a legitimate third party service you can both send data to and read data from as a dead drop site. Dead drop style C2 is more complex, since you must encode and encapsulate your data to fit the medium; there is normally no inherent direction of data flow, just posted or not. Data blobs will almost certainly be read multiple times, out of order, and by every client that is using this C2 method. As a result, you must largely implement your own addressing, sequencing and tagging, and de-duplication for this to be more than a toy proof of concept.
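To make the reassembly problem in that paragraph concrete, here is an added example (my own, not code from the original post) that models the shared medium as an in-memory list: every reader sees every post, some posts are duplicated, and the order is shuffled. The tag format (channel, message sequence number, chunk index, chunk count), the `SharedStore`, `fragment` and `Reassembler` names, and the sample messages are all assumptions of this example. The point for a defender is the shape this forces on the traffic: opaque, identically structured blobs that are polled repeatedly and re-read in full, which is exactly the pattern that stands out in logs for the service being used as the drop.

```python
"""
Added example (not from the original post): an in-memory model of an
unordered, duplicating shared store, and the addressing, sequencing and
de-duplication a reader needs to turn its blobs back into whole messages.
The store is a plain list so the example runs offline; the tag format
and all names are this example's own assumptions.
"""
import json
import random
from dataclasses import dataclass, field


@dataclass
class SharedStore:
    """Stands in for the third-party dead drop: posts are appended, and
    every reader sees every post, possibly several times and in any order."""
    posts: list = field(default_factory=list)

    def post(self, blob: str) -> None:
        self.posts.append(blob)

    def read_all(self, rng: random.Random) -> list:
        # Model the two failure modes the text describes: duplicates and shuffling.
        seen = self.posts + rng.sample(self.posts, k=min(3, len(self.posts)))
        rng.shuffle(seen)
        return seen


def fragment(channel: str, seq: int, payload: bytes, size: int = 8) -> list:
    """Split a payload into tagged chunks: (channel, message seq, chunk index, total)."""
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)] or [b""]
    return [
        json.dumps({"ch": channel, "seq": seq, "idx": i, "n": len(chunks),
                    "data": c.hex()})
        for i, c in enumerate(chunks)
    ]


class Reassembler:
    """Collects blobs addressed to one channel, ignores duplicates and foreign
    posts, and yields each message once, in sequence order, when complete."""

    def __init__(self, channel: str):
        self.channel = channel
        self.partial = {}       # seq -> {chunk idx: bytes}
        self.totals = {}        # seq -> expected chunk count
        self.delivered = set()  # seq numbers already handed to the caller
        self.next_seq = 0

    def ingest(self, blobs: list) -> list:
        for blob in blobs:
            try:
                tag = json.loads(blob)
            except json.JSONDecodeError:
                continue  # unrelated post on the shared medium
            if tag.get("ch") != self.channel or tag["seq"] in self.delivered:
                continue  # not addressed to us, or a duplicate of a finished message
            self.partial.setdefault(tag["seq"], {})[tag["idx"]] = bytes.fromhex(tag["data"])
            self.totals[tag["seq"]] = tag["n"]
        return self._drain()

    def _drain(self) -> list:
        out = []
        while (self.next_seq in self.partial
               and len(self.partial[self.next_seq]) == self.totals[self.next_seq]):
            chunks = self.partial.pop(self.next_seq)
            total = self.totals.pop(self.next_seq)
            out.append(b"".join(chunks[i] for i in range(total)))
            self.delivered.add(self.next_seq)
            self.next_seq += 1
        return out


def demo(seed: int = 1) -> list:
    """Post three constructed messages plus unrelated noise, then poll twice."""
    rng = random.Random(seed)
    store = SharedStore()
    msgs = [b"first message", b"second, longer message body", b"third"]
    for seq, m in enumerate(msgs):
        for blob in fragment("alpha", seq, m):
            store.post(blob)
    store.post("noise from another user of the service")
    r = Reassembler("alpha")
    got = r.ingest(store.read_all(rng))
    got += r.ingest(store.read_all(rng))  # second poll re-reads everything; nothing repeats
    return got


if __name__ == "__main__":
    print(demo())
```

Run it and the three messages come out once each and in order, even though the reader saw every chunk at least once more than it was posted and in shuffled order. Dropping any of the three pieces of bookkeeping (the channel tag, the sequence number, or the delivered set) breaks the result, which is the paragraph's claim about what separates a toy from a usable channel.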