script:x509_ext_c2
Revisions compared: script:x509_ext_c2 [2018/02/08 22:55] – veera and script:x509_ext_c2 [2018/02/08 23:46] – [The Full Text Search FTS Document] veera
====== Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API ======

I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https://
In this technique the covert channel is built by stuffing chunks of data into X.509 Certificate Extensions, in this case the "

Detecting this is quite easy with Trisul as well as Bro IDS. This post highlights the different approaches taken.

===== The Full Text Search FTS Document =====

Trisul extracts metadata from network traffic and makes it available to LUA scripts. There are two //streams// your scripts can plug into:

  - the **Resource** stream:
  - the **FTS** stream: a complete text dump of the metadata. The DNS FTS stream would be a full dump of all DNS fields, much like the DIG format. Similarly for SSL Certificates,

You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine-grained events, Trisul provides a text document.

==== Analysing the sample PCAP in Trisul ====

The researchers have provided a [[https://

{{:

Next you have to write a small LUA script that plugs into the FTS Stream. Your script will then get a chance to process each certificate //out of the fast packet path//. The Trisul LUA API provides the [[https://

I just put together a quick [[https://
+ | |||
<code lua>
-- WHEN CALLED : a new FTS Document (X509 Cert) is seen
onnewfts

  -- capture the bytestring printed under "X509v3 Subject Key" in the FTS text
  local _,_,ski = fts:
  -- a normal Subject Key Identifier is short; anything over 32 characters is suspect
  if ski and ski:len() > 32 then
    T.count = T.count + 1
    -- convert the hex string to binary and dump it to a tmp file for later reassembly
    local hexski = ski:
    local outf = io.open("/
    outf:
    outf:
  end

end,
</code>
+ | |||
What the above code snippet does is:

  - Use a Regex to capture the bytestring in //X509v3 Subject Key//
  - If it is above 32 characters then we suspect something fishy; you can also generate an alert at this point using the ''
  - Open a tmp file, convert the hex to binary and dump the contents there.

If you place this script in the LUA folder ''/

{{:

==== Reassembling the Mimikatz payload ====

This is a bit of a fun task. The C2 technique uses about 70+ certificates to transfer a payload of 785KB. The big issue for us is that the certificates show up in different TCP flows. It is a lot easier to do the reassembly in NetworkMiner or Wireshark, but in live traffic analytics like Trisul the flows can go to different CPU/threads due to load balancing, and there are no hints in the packets themselves to order the payloads. The best option is to dump the chunks and then manually ''
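The detection steps listed above (regex on the certificate text dump, length check on the Subject Key Identifier, hex-to-binary dump of the chunk) and the reassembly problem described in this section, worked through in Python as an added example. This is not the page's Lua script and not Trisul code: it assumes an ''openssl x509 -text'' style layout for the extension rather than Trisul's FTS format, thresholds on the RFC 5280 hash length of 20 bytes instead of the page's 32 characters, and the certificates, flows and the stand-in "payload" are all constructed inline.

```python
"""Added example (not the page's or Trisul's code): flag X.509 certificates whose
Subject Key Identifier (SKI) extension is too long to be a key hash, dump the
carried bytes to chunk files, and sanity-check a candidate reassembly order.
All certificate text below is constructed for the example."""
import binascii
import os
import re
import tempfile

# The SKI extension as it appears in an `openssl x509 -text` style dump: a
# header line followed by colon-separated hex bytes (assumed layout).
SKI_RE = re.compile(
    r"X509v3 Subject Key Identifier:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)"
)

# RFC 5280 4.2.1.2 method (1) derives the SKI from a 160-bit SHA-1 hash, so a
# normal SKI is 20 bytes. A byte threshold is this example's assumption; the
# page's Lua script compares 32 characters of Trisul's FTS text instead.
NORMAL_SKI_LEN = 20


def extract_ski(cert_text):
    """Return the SKI bytes from a text dump, or None if the extension is absent."""
    m = SKI_RE.search(cert_text)
    if m is None:
        return None
    return binascii.unhexlify(m.group(1).replace(":", ""))


def is_suspicious(ski, max_len=NORMAL_SKI_LEN):
    """An SKI longer than a hash output cannot be a key identifier."""
    return ski is not None and len(ski) > max_len


def scan_documents(docs):
    """docs: iterable of (flow_id, cert_text). Returns [(flow_id, chunk_bytes)]."""
    findings = []
    for flow_id, text in docs:
        ski = extract_ski(text)
        if is_suspicious(ski):
            findings.append((flow_id, ski))
    return findings


def dump_chunks(findings, directory):
    """Write each flagged chunk to its own file, as the page's Lua script does."""
    paths = []
    for n, (flow_id, chunk) in enumerate(findings):
        path = os.path.join(directory, f"chunk-{n:03d}-{flow_id}.bin")
        with open(path, "wb") as f:
            f.write(chunk)
        paths.append(path)
    return paths


def looks_like_pe(blob):
    """A Windows PE image (the Mimikatz case) begins with the 'MZ' DOS header."""
    return blob[:2] == b"MZ"


def reassemble(chunks):
    """Concatenate chunks, moving the one carrying the 'MZ' header to the front
    because the flows give no ordering hint. The order of the remaining chunks
    still has to be chosen by hand, as the page notes."""
    head = [c for c in chunks if looks_like_pe(c)]
    rest = [c for c in chunks if not looks_like_pe(c)]
    return b"".join(head + rest)


# --- constructed sample data ----------------------------------------------
def _colon_hex(data):
    return ":".join(f"{b:02X}" for b in data)


def make_cert_text(ski):
    """Build a minimal text dump containing only the fields the detector needs."""
    return (
        "Certificate:\n"
        "    Data:\n"
        "        X509v3 extensions:\n"
        "            X509v3 Subject Key Identifier: \n"
        f"                {_colon_hex(ski)}\n"
        "            X509v3 Basic Constraints: \n"
        "                CA:TRUE\n"
    )


# Stand-in for a PE payload: a DOS header marker plus filler, 64 bytes in total.
PAYLOAD = (b"MZ\x90\x00" + b"constructed stand-in for a PE payload").ljust(64, b"\x00")
CHUNKS = [PAYLOAD[i:i + 32] for i in range(0, len(PAYLOAD), 32)]

# Three certificates seen on three flows: the carrier chunks arrive out of order
# and a benign certificate with a normal 20-byte SKI sits between them.
DOCS = [
    ("flowA", make_cert_text(CHUNKS[1])),
    ("flowB", make_cert_text(b"\xaa" * NORMAL_SKI_LEN)),
    ("flowC", make_cert_text(CHUNKS[0])),
]


def demo():
    findings = scan_documents(DOCS)
    paths = dump_chunks(findings, tempfile.mkdtemp(prefix="x509-chunks-"))
    as_seen = b"".join(chunk for _, chunk in findings)
    return {
        "flagged_flows": [flow for flow, _ in findings],
        "chunk_sizes": [os.path.getsize(p) for p in paths],
        "as_seen_is_pe": looks_like_pe(as_seen),
        "rebuilt": reassemble([chunk for _, chunk in findings]),
    }


if __name__ == "__main__":
    r = demo()
    print(r["flagged_flows"], r["as_seen_is_pe"], r["rebuilt"] == PAYLOAD)
```

The benign certificate on ''flowB'' is never flagged because its SKI is exactly hash-sized, while the two carrier certificates are written out as separate chunk files. Concatenating the chunks in the order they were observed does not yield a PE image; ''reassemble()'' only fixes the first chunk by its header, which is the one ordering cue a PE payload gives you for free, so with more than two chunks the rest of the order is still the manual step the page describes.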
+ | |||
+ | |||
===== More about the Trisul Lua API =====

The Trisul LUA API allows you to build your own real-time analytics tools on top of the Trisul platform. Note that Trisul is free to use forever, except that if you are using the Web Interface and Database backend, then only the most recent 3 days can be reported on.

The [[https://

script/x509_ext_c2.txt · Last modified: 2024/06/05 10:49 by thiyagu