Time
1 hour 41 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
Hey, guys, Welcome back to the Cybercult in Causton Saberi. This is under German name and today we're covering commanding control.
00:10
So we went through the cybercult chain. We did our Constance. We gathered as much information as possible. We moved on to organization where we created our payload using Amazon venom on. Then we moved on to delivery where we created a social engineering attack using a social. The social engineering took it.
00:28
And then we exploited the human weakness in our systems
00:32
and every company, every entity, every organization has
00:37
the human weakness vulnerability to exploited that. And then we moved on translation, and we installed our payload on the victim's machine. Now that the payload is on isn't sold on the victim machine, we need to start communicating with that on. That's when commanding control came in the picture.
00:57
So what we're trying to do
00:58
as we're trying to continue our target attack on communicate with the payload to get more information. So now my payload is inside the victim's machine or resume the victim machine.
01:11
You can imagine this as an extension off the victim's keyboard on the attack of sight so I can't run as a cz ah, command as a like I can scan the network. I can scan the
01:26
victims workstation, and that's the whole purpose off Commander Control. Continue my
01:30
operations.
01:32
So there's a number of ways to do that. Remote administration tool is one of them rat. There's a toco drat, and it's one of the most popular. The one we're using the Using MSF Council and interpreter is a very popular Ah.
01:48
Another popular example, however, is
01:52
and a lot of companies going through. This option is extremely difficult because they have good protection tools and good
02:00
security on their side. So hackers have to be creative. They came up with an idea to use IRS protocol on DS kind of chat with their, uh, basically pay loader that asset inside the network.
02:14
So what they're doing is they're using the political to chat with the payload and send the commands to it for the Palio Tarrant. However, not a lot of companies and organization news IRC protocols not up popular in the corporate world.
02:31
So it's a company has a good security operations center. They will easily discover something of communication going out of the environment using IRC protocol however, is there something that is not
02:46
really detected, or even if it was detected, a lot of people would assume it would be a legitimate collectivity and that a social media if a
02:57
machine within an environment is communicating with Twitter,
03:00
a lot of people would not assume that it is communicating with an adversity or an attacker.
03:07
And that's exactly what hacker did.
03:10
They created a Twitter account that would publish or tweet commands
03:15
that are then dread by the payload
03:21
on drawn within the victim's environment. That connectivity is through Twitter, so even if the payload wants to return something, it would write it. It will tweet it
03:31
on Twitter,
03:34
So this is one of the more creative ways of doing commanding controls.
03:38
But the idea here is to show you how creative
03:43
hackers and Attackers can get. So let's go back to our example.
03:49
We have our session here opened,
03:53
and what I want to do is
03:54
I want to see adoptions that I have. So, as I said, there's a lot of options
04:00
I can record. I can webcam chat list what comes if there's any hope come available,
04:06
I can run a kiss can and see what kind of things the person is writing.
04:14
Ah,
04:15
I can get a sinful and shut down the machine gun shell on the victim's side
04:21
and so on. So there's a lot of things that I can do here.
04:26
Some of them, such as hash Dump. I can get the hash dump of the contacts off the same database and then start cracking on my side, hoping to get the local admin password.
04:38
So
04:39
just to ensure collectivity, let's do this in four.
04:44
So I do have a collectivity with the understand machine, have the build information and so on.
04:49
But let's do a screenshot to ensure that I'm actually a running an actual machine and not just a
04:59
honeypot.
05:00
So we have we have the ski shop. Now
05:04
let's copy it on DDE.
05:10
Display it.
05:15
So that's ah, a screenshot of the victim's machine. And as you sure you remember, this was the last page that we went to.
05:24
Okay, so I can learn shell, and then I have
05:28
a connective ity
05:30
to the machine
05:33
shell coat so I can't on command prompt from ah, this machine on the machine on the other side.
05:42
Okay, so we're gonna get more into this in action on objectives. However,
05:47
to make sure that we covered command and control correctly, let's go through the through these post assessment questions. So what is the main purpose of the command and control face?
05:58
As I said, the Commander control phase main goal only purpose is to have connectivity to my asset inside the victim's network. This would give me,
06:09
ah, the opportunity, continue my operations and continued the attack
06:13
from my remote session.
06:16
Second question is, why do I need commanding control? Because
06:20
if I don't have commanding controls,
06:24
I would have to design design my Millward in a way that would go through everything that I want and send it back to education. I won't have the capability
06:34
to explore or extend my exploration so I can go and get one thing out and come back. And that's one thing. However, if I can get more information and as an attacker and expand my attack, that would be a lot better from the Attackers. Obviously, point of view.
06:51
Finally, direct access is a must to have a successful command and control.
06:58
As we discussed this, this is not really the case remember the Twitter account and the twitter. Ah
07:04
ah. And the tweet tweeting the command from the command and control centre to the payload inside the network. So connectivity between the payload on dhe the attacker is not necessary at all time. Hackers can get,
07:24
or hackers are more creative than just re. Ah, basically used one way of communicating with their assets inside the environment.
07:34
Okay, so in today's episode, we covered commanding control. And the next episode we move on to the last phase of the cybercult in we will cover
07:47
action on objectives.
07:49
See you then.

Up Next

Cybersecurity Kill Chain™

A practical take on Lockheed Martin Cyber Kill Chain™, The course simulates an example target attack following the 7 phases of the Cyber Kill Chain™.

Instructed By

Instructor Profile Image
Abdulrahman Alnaim
Security Operations Manager
Instructor