Calling Home, Get Your Callbacks Through RBI

Following a brief introduction to the technology, we share our firsthand experiences with RBI solutions and the techniques the SpecterOps team has employed to establish command and control to systems that proxy traffic through RBI products, broken down into three segments: Payload Ingress, C2 Egress, and RBI Bypass.
There are three types of browser isolation in use today: client-side browser isolation, on-premises browser isolation, and RBI (remote browser isolation). As these names imply, client-side isolation virtualizes the browsing on the local host, on-premises isolation runs within the organization, and RBI virtualizes the web sessions in the cloud.
One of the primary concerns you should have as an offensive professional is the profound impact RBI will likely have on your C2 traffic.
They may offer a link where a user can do that, but an organization usually has a proxy configured to send ALL web traffic through RBI. This means your stealthy HTTPS C2 traffic is sent through the same virtualized host process as everything else, and the server responses to your agents end up rendered as an inert stream.
As you can probably imagine, trying to figure out why your C2 traffic is not returning when an organization uses RBI can be very frustrating.
When delivering payloads to clients through RBI solutions, these solutions' sandboxing and scanning capabilities present significant hurdles that must be overcome to achieve code execution in your target environment.
Utilizing standard techniques such as prime factorization, thread sleep checks, executing environment checks/guardrails like enumerating processors in a system, string obfuscation, string building, non-terminating conditional-based loops, and logic structures relying on user input will help you get through the RBI scanning process.
Some RBI solutions may only allow a user to view the file contents in the browser, or allow the user to download a sanitized version of the file from which the product removes macros, JavaScript, or any other content the vendor deems suspicious, leaving the user with an inert download. Other RBI solutions are set to a fail-closed state that blocks the download of a file if it cannot scan it.
We then check out Cloudflare logs and confirm that the RBI is isolating our C2 traffic.
Like the ingress section, while some talking points may not be new, we will cover them to better explain how RBI products affect C2 traffic when deployed in a target environment.
Based on our experience with RBI, our first recommendation when crafting C2 traffic intended to egress an RBI solution with HTTP traffic is to omit any POST requests.
The type of header you use can change how the RBI solution responds to your C2 traffic and may allow you to get out without much trouble.
Not all RBI solutions will block this, but many will block web traffic with user agents that do not match approved web browsers or do not meet a minimum sufficient version of a browser.
Passing the C2 traffic in a cookie is not a new way of doing business, but it can be a great technique to get through RBI. Some RBI solutions virtualize and stream the web page content but transparently pass the cookie header to the other end of the channel for usability since many sites require cookie functionality.
As with any C2 channel, your redirector setup will significantly impact how RBI solutions react to your traffic.
Ensure you have valid TLS certificates, as RBI products often block unencrypted HTTP traffic.
This can be accomplished in a couple of different ways depending on the capabilities and configuration of the RBI implementation, using either DNS C2 or Third-Party C2.

DNS C2

Many RBI solutions only monitor HTTP/HTTPS traffic by default and either require explicitly configuring DNS monitoring or lack that capability altogether.

Third-Party C2

When establishing new HTTP/S communication channels through RBI solutions, new domains and IP connections will be subject to inspection.
Lastly, you should try to move to a GET-POST HTTP C2 channel if the RBI solution will let it through.
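Seen from the inspecting proxy's side, the three egress conditions the post describes (a user agent that must match an approved browser at a minimum version, a cookie header that some products pass through untouched, and plaintext HTTP that is often blocked) reduce to a small policy check over each proxied request. The following Python is an added example written for this page, not code from the original post or from any RBI vendor; the browser version thresholds, the cookie length and entropy thresholds, and the sample request records are all constructed assumptions.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Approved browsers and minimum major versions: assumed values for the example,
# not any vendor's defaults.
MIN_BROWSER_VERSION = {"Chrome": 110, "Firefox": 115}
UA_VERSION_RE = re.compile(r"(Chrome|Firefox)/(\d+)")

def shannon_entropy(text):
    """Bits per character of the observed symbol distribution in text."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values()) if total else 0.0

def browser_allowed(user_agent):
    """True only if the UA names an approved browser at or above its minimum version."""
    match = UA_VERSION_RE.search(user_agent)
    return bool(match) and int(match.group(2)) >= MIN_BROWSER_VERSION[match.group(1)]

def cookie_suspicious(cookie, max_len=1024, min_len=256, entropy_bits=5.0):
    """Flag Cookie headers far larger or far more random than ordinary session cookies."""
    return len(cookie) > max_len or (len(cookie) > min_len and shannon_entropy(cookie) > entropy_bits)

def evaluate(req):
    """Return the list of policy findings for one proxied request record."""
    findings = []
    if req["scheme"] != "https":
        findings.append("plaintext_http")
    if not browser_allowed(req["user_agent"]):
        findings.append("unapproved_user_agent")
    if cookie_suspicious(req["cookie"]):
        findings.append("suspicious_cookie")
    return findings

# Constructed sample records, not captured traffic. The last one carries a
# deterministic high-entropy blob standing in for data tunnelled in a cookie.
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"
BLOB = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))).decode()
SAMPLE_REQUESTS = [
    {"scheme": "https", "user_agent": CHROME_UA, "cookie": "sessionid=abc123; theme=dark"},
    {"scheme": "http", "user_agent": CHROME_UA, "cookie": ""},
    {"scheme": "https", "user_agent": "python-requests/2.31.0", "cookie": ""},
    {"scheme": "https", "user_agent": CHROME_UA.replace("Chrome/120", "Chrome/88"), "cookie": ""},
    {"scheme": "https", "user_agent": CHROME_UA, "cookie": "data=" + BLOB},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["scheme"], req["user_agent"][:40], evaluate(req) or "clean")
```

Only the first record passes cleanly; the others each trip exactly one of the three checks, which is the behaviour an operator would see as traffic silently failing to return.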
Calling Home, Get Your Callbacks Through RBI was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.


This Cyber News was published on securityboulevard.com. Publication date: Thu, 18 Jan 2024 00:13:09 +0000

