script:x509_ext_c2, comparison of two revisions:
Old: 2018/02/08 23:51 by veera (section "Analysing the sample PCAP in Trisul")
New: 2018/02/08 23:53 by veera (section "Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API")
Line 3: Line 3:
 I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https://www.darkreading.com/attacks-breaches/abusing-x509-digital-certificates-for-covert-data-exchange/d/d-id/1330984?_mc=sm_dr&hootPostID=a10970e131beaf9b5a7ac86b0564b114))  and the original link on the //Fidelis Blog Whats missing is in front of us// ((Fidelis Security Blog https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities)) and also on the //Network Miner blog Examining a X.509 Covert Channel// (( Network Miner blog post https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities )) I'd also like to mention the author [[https://twitter.com/sysopfb|Jason Reaves]] I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https://www.darkreading.com/attacks-breaches/abusing-x509-digital-certificates-for-covert-data-exchange/d/d-id/1330984?_mc=sm_dr&hootPostID=a10970e131beaf9b5a7ac86b0564b114))  and the original link on the //Fidelis Blog Whats missing is in front of us// ((Fidelis Security Blog https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities)) and also on the //Network Miner blog Examining a X.509 Covert Channel// (( Network Miner blog post https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities )) I'd also like to mention the author [[https://twitter.com/sysopfb|Jason Reaves]]
  
-In this technique the covert channel is built by stuffing chunks of data into  X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes.  However this is not used in certificate validation and it appears from the researchers that the network defenses are not checking if this contains a valid value.  The C2 POC uses a large number of certificates with SKI values of 10,000 bytes ! +In this technique the covert channel is built by stuffing chunks of data into  X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes.  However this is not used in certificate validation and it appears current commercial network defenses are not checking if this contains a valid value.  The C2 POC uses a large number of certificates with SKI values of 10,000 bytes ! 
  
 Detecting this is quite easy with Trisul as well as Bro IDS. This post highlights the different approaches taken. Detecting this is quite easy with Trisul as well as Bro IDS. This post highlights the different approaches taken.
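Review bot: The edited sentence in this hunk drops the attribution and broadens the claim. The old text said "it appears from the researchers that the network defenses are not checking"; the new text asserts "it appears current commercial network defenses are not checking" as the page's own finding, which the post has not demonstrated. Suggest keeping the source: "the researchers report that current commercial network defenses are not checking if this contains a valid value". Two smaller points on the same line: "This is usually a hash of 20 bytes" would be more useful to the reader if it said why (the SKI is conventionally the 20-byte SHA-1 of the subject public key, but the extension is just an OCTET STRING with no length limit and is not cryptographically checked), since that is exactly why an SKI length check is the detection hook the following paragraph promises; and "10,000 bytes !" should lose the space before the exclamation mark. In the unchanged context, "Whats missing" should read "What's missing", and the third footnote labelled "Network Miner blog post" repeats the Fidelis URL rather than a Network Miner link, so the reference should be checked.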
script/x509_ext_c2.txt · Last modified: 2024/06/05 10:49 by thiyagu