During the first months of this year, Sander joined our ‘Software Security & Assessments’ team as an intern and worked on writing Custom Beacon Object Files for the Cobalt Strike C2 framework.
Below you can find out how it all went!
Who are you?
My name is Sander, @cerbersec on Twitter. I’m a student of information management & cybersecurity at Thomas More and I’ve had the opportunity to do an 8-week internship in NVISO’s Red Team.
How did you discover NVISO?
NVISO co-organizes the Cyber Security Challenge Belgium and there I noticed they had open internship positions for IoT projects. I’ve always been passionate about offensive security and red teaming. Needless to say, I was pleasantly surprised when NVISO offered an internship position in a red team where I’d be working on research for new tooling.
What was it like to be an intern at NVISO?
With the ongoing COVID-19 pandemic, the internship would be fully remote. This meant that meeting colleagues would be slightly more difficult, and the entire internship required a high degree of autonomy. Regardless, I felt very welcome from the start. I had a kick-off meeting with my mentors where I could ask any questions I had and received a nudge in the right direction to get me started.
The overall atmosphere was very pleasant and light-hearted, they encouraged me to ask questions, but also made sure I did my own research first. I learned a lot just from sharing and discussing potentially interesting topics and techniques we came across, not all of them necessarily pertaining to my internship topic. Working with like-minded people really motivated me to push myself.
As my project developed over time, I got the opportunity to present my work during lunch to colleagues from different teams and even from different countries! NVISO regularly organizes Brown Bag sessions during lunch for anybody to attend. During these sessions an NVISO expert presents their insights into a currently hot topic. As an intern, I also got the opportunity to present my own project during lunch. My presentation was met with great feedback and opened up a discussion on the presented techniques, their strengths and possible shortcomings.
On my final day I had a chance to see the office and meet my mentors and colleagues in person. NVISO has a shared open space and after a tour of the office and some quick work, we went for lunch together, which gave me a chance to get to know my mentors in real life and share my experience as an intern. To finish the day, I demoed my project and discussed my findings.
What was your internship project?
When I first met my mentors Jonas and Jean-François, they came up with a variety of topics that would directly contribute to the daily operations of the different red teams. This allowed me to choose topics I’d like to work on which would be in line with my skills, experience, and interests. Little did I know I picked one of the toughest of them all.
I’ve always had a secret love for coding and recently ventured into malware analysis, which turned out to be a great stepping stone towards writing malware. For 8 weeks I would be working on custom process injection techniques and investigate alternative methods to exfiltrate C2 traffic since Domain Fronting is no longer a viable option (at least not “legitimately” via Azure).
My main task consisted of writing custom Beacon Object Files (BOFs) for the Cobalt Strike C2 framework, to perform process injection and bypass Endpoint Detection and Response (EDR) and Anti-Virus (AV) products by using direct syscalls. As my secondary task, I researched different protocols and techniques like DNS over HTTPS (DoH), Domain Borrowing and Software as a Service (SaaS) for exfiltrating C2 traffic.
Working with the Windows Native API was definitely a challenge at first, as there is very limited documentation available, debugging code that is not fully compiled into an executable is a challenge on its own, and the use of undocumented functions requires a lot of trial and error to get right. I wrote most of my code in C, which took some time to relearn as I only had limited experience with the language before I started. During development it quickly became apparent that relying on documentation alone wasn’t going to get me the results I needed, so I had to break out a debugger and dive into the assembly instructions to figure out where things were going wrong.
As a result, I was able to provide BOFs making use of various injection techniques and ported the recently disclosed Domain Borrowing technique to CobaltStrike (https://github.com/Cerbersec/DomainBorrowingC2).
What is your conclusion?
Overall, I had a great time and got to know some very cool people. I got to explore the highly technical concepts behind malware and at the same time translate this into an easily understandable format so a less technical audience could still understand my work. I’m excited to keep developing these skills and hopefully return for a second internship very soon.