Flying a False Flag: Advanced C2, Trust Conflicts, and Domain Takeover

Conference: BlackHat USA 2019



The presentation discusses offensive infrastructure in cybersecurity, focusing on cloud abuse and takeover. The speaker highlights the challenges that trust boundaries and dynamic assets pose in cloud environments.
  • Offensive infrastructure is a discipline that includes asset collection, traffic redirection, and stage segmentation.
  • Understanding offensive infrastructure is crucial for effective cybersecurity in cloud environments.
  • Cloud environments present challenges with trust boundaries and dynamic assets.
  • The speaker provides resources for further learning, including blogs and wikis.
  • The speaker also discusses a tool for tracking sample uploads and metadata extraction.
  • Cloud abuse and takeover are a major issue in cybersecurity, with trust boundary problems and challenges in scaling TLS.
  • Popular cloud domains include Amazon AWS, Akamai Dannette, and CloudFront.
  • The speaker emphasizes the need for better protocols and systems to handle the complexities of cloud environments.
The speaker describes a tool that packs data into a sample, uploads it, waits for the analysis to finish, and then pulls the data back. The technique is presented more for fun than for legitimate use, but it illustrates the challenges that dynamic assets create in cloud environments.


Command and Control (C2) is at the center of successful malware development. Given the importance of reliable C2 for stable malware, it is also a core focus for many defensive teams. What happens, though, when malware authors take advantage of shiny new cloud services, high-level layer-7 abstractions, large-scale takeover primitives, and third-party trust? Do domains, IPs, or servers still matter?

This talk will discuss the methodology, selection process, and challenges of modern C2. It will cover the details of recent HTTP/S advancements and tooling for new cloud service primitives such as SQS, AppSpot, S3, and CloudFront. We will demonstrate how trust can be abused for stealthy C2 techniques via internal mail servers, defensive platforms, and trusted domains. We will also cover the various options for domain takeover, and release tooling for exploiting domain takeover scenarios in Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP).

What flags do you trust?