Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » Script » Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API
Trace: Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API
script:x509_ext_c2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
script:x509_ext_c2 [2024/06/05 10:40] – old revision restored (2018/02/09 00:01) thiyaguscript:x509_ext_c2 [2024/10/08 12:59] (current) thiyagu
Line 1: Line 1:
 ====== Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API ====== ====== Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API ======
  
-I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https://www.darkreading.com/attacks-breaches/abusing-x509-digital-certificates-for-covert-data-exchange/d/d-id/1330984?_mc=sm_dr&hootPostID=a10970e131beaf9b5a7ac86b0564b114))  and the original link on the //Fidelis Blog Whats missing is in front of us// ((Fidelis Security Blog https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities)) and also on the //Network Miner blog Examining a X.509 Covert Channel// (( Network Miner blog post https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities )) I'd also like to mention the author [[https://twitter.com/sysopfb|Jason Reaves]]+I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https://www.darkreading.com/attacks-breaches/abusing-x509-digital-certificates-for-covert-data-exchange/d/d-id/1330984?_mc=sm_dr&hootPostID=a10970e131beaf9b5a7ac86b0564b114))  and the original link on the Fidelis Blog Whats missing is in front of us and also on the Network Miner blog Examining a X.509 Covert Channel I'd also like to mention the author [[https://twitter.com/sysopfb|Jason Reaves]]
  
 In this technique the covert channel is built by stuffing chunks of data into  X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes.  However this is not used in certificate validation and it appears current commercial network defenses are not checking if this contains a valid value.  The C2 POC uses a large number of certificates with SKI values of 10,000 bytes !  In this technique the covert channel is built by stuffing chunks of data into  X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes.  However this is not used in certificate validation and it appears current commercial network defenses are not checking if this contains a valid value.  The C2 POC uses a large number of certificates with SKI values of 10,000 bytes ! 
Line 18: Line 18:
 ==== Analysing the sample PCAP in Trisul ==== ==== Analysing the sample PCAP in Trisul ====
  
-The researchers have provided a [[https://github.com/fideliscyber/x509|sample PCAP file containing a POC]] of the channel  GitHub page of POC https://github.com/fideliscyber/x509)). If you import the PCAP file into Trisul using ''trisulctl_probe importpcap mimikatz_sent.pcap'' and navigate to SSL Certs FTS and then search for Key" you can see the certificates in full text format. This is shown below.+If you import the PCAP file into Trisul using ''trisulctl_probe importpcap mimikatz_sent.pcap'' and navigate to SSL Certs FTS and then search for Key" you can see the certificates in full text format. This is shown below.
  
  
script/x509_ext_c2.1717564258.txt.gz · Last modified: 2024/06/05 10:40 by thiyagu