DeepSec 2023 Talk: Introducing CS2BR – Teaching Badgers New Tricks – Moritz Thomas & Patrick Eisenschmidt
Staying under the radar and remaining undetected is one of our priorities during Red Teaming assessments. After all, we’re simulating real threat actors and want to reach our objectives without raising any suspicion. This becomes a more and more challenging task as new defences are implemented, requiring us to add new tools and techniques to our tool belt. Occasionally, though, there is a new technique that brings a broad set of features and doesn’t leave countless traces. This talk is about one such technique: beacon object files (BOFs)!
BOFs aren’t exactly the new hot stuff; as a matter of fact, they’ve been around for more than two years now. In those two years, a de-facto BOF standard has been adopted by many C2 frameworks out there. But what happens when your C2 doesn’t support it? Will you need to fall back to other, potentially less safe, alternative techniques?
That’s a problem we faced and decided to solve when we worked with Brute Ratel C4, which doesn’t support Cobalt Strike’s de-facto BOF standard API. In this talk, we’ll dig deep into the COFF format, show how the Cobalt Strike de-facto standard is incompatible with Brute Ratel’s, and how we established full compatibility between the two. A tool that automates this task and a blog post series about it will be released to accompany the talk.
We asked Moritz and Patrick a few more questions about their talk.
Please tell us the top 5 facts about your talk.
I’d like to start by saying that we structure the talk in a way so that everyone interested in cybersecurity will be able to follow along – we’ll cover some basics about offensive command & control (C2) infrastructure and drill down into specifics later down the road. This way, the talk is accessible not only to experts in the field but also to newbies. Then we also briefly discuss the evolution of offensive tooling and how we ended up at the complex state of C2 infrastructure as we know it today. It’s not going to be a history lesson, but it will provide some insights into the need for today’s tools’ complexity and challenges. You’ll also get to know some C2 infrastructure solutions over the course of this talk. Namely, we’re comparing some aspects of the popular Cobalt Strike and Brute Ratel C4 software solutions. That’s not all there is to the talk though: we are also going to get knees-deep into some rather low-level aspects of beacon object files (BOFs) and how they are loaded & executed at runtime. As you can see, this talk is going to be a fair mix of high and low-level topics. Of course, we’ll also introduce & demo the namesake of our talk, CS2BR, which allows us to port Cobalt Strike BOFs so they’re compatible with Brute Ratel C4.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I think there are two answers to this question. Firstly, there’s how the work on the tool, CS2BR, came about in the first place: sometime earlier this year, Patrick told me he was considering using Brute Ratel C4 on an assessment but realised he couldn’t run his standard arsenal of BOFs. He asked me if I could look into the issue – and thus my journey down the rabbit hole began. Over the course of a couple of weeks I worked on this for some days here and there, studying the documentation of both Cobalt Strike and Brute Ratel C4, compiling and testing BOFs, and identifying various issues in the way each of them handles BOFs and how those aren’t compatible. By the end of this journey I had developed a fairly reliable tool, and I have a few things to say about both the journey and the tool itself. And that’s the second answer to the question: there were some lessons learned for me on this journey that I’d like to share. Furthermore, I’d like to share how this was a rocky project with quite some challenges and an open end.
Why do you think this is an important topic?
Today, red teamers operate in very complex environments which are incredibly hard (and virtually impossible) to navigate and operate in without solid tooling. Our talk and the tool we developed show how we faced a situation where we couldn’t use said tooling anymore and had to find a workable solution. Not only can this exact solution come in handy for people in cybersecurity who are facing the same problem, but the general approach we followed and the challenges we encountered might also be relevant to neighbouring topics.
Is there something you want everybody to know – some good advice for our readers maybe? (Except for “come to my talk”)
Obviously: come to my talk! 🙂 Besides that I’d like to emphasize that we’re doing our best to make this talk accessible to everyone in cybersecurity – I’m convinced that there will be takeaways for everyone!
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
That’s a tough one! Developments in offensive infrastructure solutions have been incredibly rapid in recent years, with new techniques being implemented by various C2 developers as they become publicly available. Both the commercial and open source C2 solutions bring impressive features and capabilities to the table. I’m afraid it’s hard to predict where this development is heading without consulting the good ol’ crystal ball.
Widening the scope a bit from C2 solutions to red teaming in general, I definitely see AI (and LLMs in particular) playing an ever-increasing role in red team engagements. Right now they’re widely used to generate content (e.g. for phishing), but I wouldn’t be particularly surprised if we get support from some AI assistant in C2 solutions in the coming years.
Moritz is a senior red team security consultant at NVISO ARES (Adversarial Risk Emulation & Simulation). He focuses on research & development in red teaming to support, enhance and extend the team’s capabilities in red team engagements of all sorts. Before joining the offensive security community, Moritz worked on a voluntary basis as a technical malware analyst for a well-known internet forum, with a focus on evading detections and building custom exploits. When he isn’t infiltrating networks or exfiltrating data, he is usually knee-deep in research and development, dissecting binaries and developing new tools.
Patrick is working as a Red Team Lead at NVISO ARES (Adversarial Risk Emulation & Simulation) and coordinates exposure activities. Additionally, he also likes to get his hands dirty with creating sophisticated spear phishing campaigns and improving the Red Team’s life by maintaining open-source methodology and tooling.