akpyo.blogg.se

Slack online











In this integration, create and configure a Slack App that uses Slack’s APIs to deploy workflow actions, install the Slack App in your Slack workspace, and set up the Slack Web API connector. These sleep times can help our C2 fly under the radar, but will also impact the ability of the attack operator to execute rapidly depending on how aggressively the timeouts are configured. We’ve updated our integration with Slack to use the Slack Web API connector in Workspace ONE Intelligence workflows. In our PoC, we also configure a random sleep between 1m and 5m to further obfuscate our activity. Future versions may add additional encryption on top of SSL. Detecting this type of activity requires sophisticated network analysis capabilities, such as the ability to intercept and decrypt SSL messages. Our proof of concept (PoC) blends in with normal business activities such as user-to-user or user-to-group communications. In this post, we use this same technique to demonstrate how Slack can be used as a malicious C2 channel. Detecting or blocking this content is difficult since it is encrypted and transmitted over SSL to a legitimate website. In 2013, I wrote a blog post about using Twitter for Command and Control (C2) built for the Northeast Cyber Collegiate Defense Competition (CCDC). As network-based detection and prevention have advanced, it has become easier to mitigate IRC as a malicious command and control (C2) vector. The issue with IRC is that its primary port ran on 6667/TCP, often without any type of encryption. In the old days, it was common to see denial of service bots controlled and managed by Internet Relay Chat (IRC). MITRE ATT&CK™ includes a Web Services (T1102) technique that has been used by many different threat groups, including Carbanak and APT 37.
It’s a popular method to ensure constant communications between different internal groups within the organization. Attackers have started to take advantage of assumptions that administrators make about the security of these web services. Many organizations have also embraced cloud-based chat services like Slack, including our team at Praetorian.


Bots provide a powerful method to execute and handle tasks quickly in different environments.


Many organizations have shifted their operations to utilizing chat and bot software to improve the effectiveness of their DevOps teams.












