I'm a Hacker Get Me Out of Here! Breaking Network Segregation Using Esoteric Command & Control Channels

Conference:  BlackHat USA 2021

2021-08-05

Summary

The talk explores the use of esoteric internal command and control channels for lateral movement and for breaking out of heavily segregated environments. The speaker demonstrates novel techniques for C2 using VMs through vCenter and Guest Additions, arbitrary network printers and print jobs, Remote Desktop mapped drives and file shares, and LDAP attributes. The talk is aimed at both red and blue teamers: the former learn how to identify and exploit these channels, while the latter are challenged to reconsider their assumptions about network boundaries and about the technologies that may offer a means for actors to progress unimpeded into sensitive network zones.

  • Esoteric internal command and control channels can be weaponized for lateral movement and for breaking out of heavily segregated environments
  • Novel techniques for C2 include using VMs through vCenter and Guest Additions, arbitrary network printers and print jobs, Remote Desktop mapped drives and file shares, and LDAP attributes
  • Red teamers can learn how to identify and exploit these channels, while blue teamers are challenged to reconsider their assumptions about network boundaries and about the technologies that may offer a means for actors to progress unimpeded into sensitive network zones

The speaker introduces a lab environment with two workstations within a single domain, virtualized assets on an ESXi server managed by vCenter, and the C3 command and control framework. The lab environment is used to demonstrate the techniques for breaking network segregation using esoteric command and control channels. The speaker explains that any arbitrary service can serve as a command and control channel if the operator can read from, write to, and delete from it. The speaker also highlights the limitations of the techniques, such as the need for valid credentials and guest operations privileges within vCenter to interact with the guest OS, and the need for the target VM to have VMware Tools installed.

Abstract

This talk will explore the weaponization of esoteric internal command and control (C2) channels and their use for lateral movement. James, an attack simulation consultant with F-Secure Consulting, will demonstrate some novel and reimagined techniques for breaking out of heavily segregated environments. In particular, the following will be explored, along with the tools that James has developed to make these usable operationally:

  • C2 into VMs through vCenter and Guest Additions
  • C2 using arbitrary network printers and print jobs
  • C2 over Remote Desktop mapped drives and file shares
  • C2 using LDAP attributes

For the red teamers, James will share how to identify and exploit these channels, and the OpSec considerations behind each. He will also share the tools that he's developed to interface with popular C2 frameworks such as Cobalt Strike and C3, providing operators with a seamless C2 experience.

For the blue teamers, James will explore the detection artifacts created when using these tools, and will present use cases to consider implementing. He will also challenge defenders' assumptions about how sophisticated actors may operate within segregated environments, and how commonly accepted boundary systems and technologies may offer a means for actors to progress unimpeded into organizations' most sensitive network zones.
