Detecting Blue Team Recon With Ads

Video in TIB AV-Portal: Detecting Blue Team Recon With Ads

Formal Metadata

Alternative Title: Detecting Blue Team Research Through Targeted Ads
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata
When my implant gets discovered, how will I know? Did the implant stop responding for some benign reason, or is the IR team responding? With any luck they'll upload the sample somewhere public so I can find it, but what if I can find out if they start looking for specific bread crumbs in public data sources? At some point, without any internal data, all blue teams turn to OSINT, which puts their searches within view of the advertising industry. In this talk I will detail how I was able to use online advertising to detect when a blue team is hot on my trail.
Howdy everybody, thank you for showing up. I know you're all pretty hungover and that you've managed to survive a couple of days of Vegas and that this is, you know, Saturday. Starting off, before we get into the actual subject, like actually talking about using ads and whatnot: don't fire, assuming the basic crap, be responsible adults. Who am I? Does it really matter? So all right, let's dive in.

So a couple of caveats first off. I'm operating under the assumption that the target, whoever I'm trying to detect, is going to be searching for the term, so that they're actually going to a search engine and they're going to go into a search and they're going to search for it. Second, I'm picking one particular ad network; in this case I'm picking Google, because Google indexes very quickly. I have a very short attention span; it plays with that very nicely. So they're gonna use that ad network, and then the ad will actually register as displayed to the target. Some ad blockers are going to block even the display of an ad to somebody from registering on the back end, versus others will still appear to have that impression given, so I'm operating under the assumption that the ad blocker doesn't block the display from registering. So, spherical cows in a vacuum.

Our back story: so, you know, you're a Red Team operator and your op is your baby. You've been really clever; you've put in tons and tons of effort; you feel like you've exploited, you know, the humans very well; you feel like you've written beautiful code; maybe you're doing something really clever in terms of how you're going to get root in production. And all of a sudden your implant gets discovered. What do you do? You're gonna cry.

So the criteria for this were: it had to be indirect, so the notion that this had to be really easy, something that we could just spin up as part of the op. It had to be passive; we didn't want to actively go and, like, cheat and go look at where the blue team was coming from and use any of that information. It had to apply to any potential blue team effort. And of course low effort, going back to general laziness and short attention span. So what is that worth to all of us? To me it's worth a lot, but at a certain point I draw the line, so this is where the line's drawn: let's catch lazy blue teamers.

This also stems from the idea of previously you used to be able to upload... like everybody was like, oh, I found this weird hash, I'm going to upload the file to VirusTotal, and then all of the adversaries, all of the red teams were like, hey, so we're not going to upload the actual implant, we're gonna wait for someone else to upload it. And then you had adversaries that were able to go then search for their hash: they knew what the hash was, they'd wait for it to show up and appear in VirusTotal, and that means that somebody found it and somebody uploaded it. The biggest problem with that, of course, is, like, you knew that they found it, you didn't know what they were going to do. But just having that fact is enough time to transition your infrastructure over, so whatever your latest infrastructure is, move it. It saves you time, saves you money, and again you don't do the op from scratch again.
And this is the fun part: blue teams are burnt out. So the average SOC analyst really doesn't do something important nowadays; they're looking at false positive, false positive, and then, oh look, it's a phishing email, somebody downloaded some commodity. So what we're gonna try and do here is attack the human when they find something interesting.

We're going to look at the general life cycle here. So the SOC analyst, they're gonna get the alert, something's gonna happen, it's gonna be, hey, weird file, maybe it's a reverse shell going somewhere strange, like, oh, what is this? Because they're bored. This is what I'm banking on: because they're bored, they're gonna actually dive into this with a little bit more depth than what is traditional. So the alert won't tell them it's bad; it's just gonna be like, something strange is happening. So as part of that investigation they're going to do more of that investigation than they normally would, which is where they're gonna start making mistakes.

So, target the human. We all know everybody has internal tools: you have your internal sandbox, you have all of your internal indicator databases, you have all your vendor products, you're paying some cyber (TM) vendor to tell you everything's bad. But then eventually you end up going to public tools. So you take the hash, you throw it into Google, you're like, great, what does Hybrid Analysis say, did anybody write a blog about this, is anybody else talking about this hash? And you need that information to kind of, you know, you want to write your report when you send it up to the highest tier, like, hey, I'm amazing, I found out that this is really in fact not China, it's actually Russia pretending to be China, and you found that blog on Kaspersky. Sorry, I love all of them, I'm not being bitter. So it's really, you're just attacking that human desire: someone who's really bored, someone who's diving into that investigation, they want to feel special, they want to be able to send all the information up to the next tier analyst or to the sophisticated researcher, be like, hey, I did all this work already, I found all this. And if it's not in any other tools, they're going to have to rely on public sources. Cool.

So next up: what if I know when somebody searches for something, right? This is pretty basic, like, this is the advertising goal. Advertising is all about targeting someone based on how they're using the service, based on what they're searching for, based on what they want. So it gives us the power to dive into the keywords, we can do demographic information, we can also say, hey, I know that they're gonna be, you know, hackers and interested in security, so you can even target it down a lot farther. That's literally by design. But the really cool part here about advertising, which is something that we as the general public don't see very often, is all the tools on the back end to help companies and individuals fine-tune their advertising. So this is the basic idea here.

Highlighted in the red square, in Google, is the impression. So the impression is going to appear every time a particular ad is shown to someone. Goes back to the caveat: it has to actually register as an impression for this to work. So what we're gonna be looking for here is, when that impression is shown, that means someone's searched for it, and if you choose the exact string match, like, yes, someone had to have searched for it for that impression to happen. And of course, over on the right, if somebody chooses to search for your ad word while they're logged into their Google account, you get a ton of really scary information. So if you really want to have some fun afterwards, if you got this to work, you could really target them almost directly, because if you're a red teamer and you're looking at which particular target, you probably know who's on there, the CISO, you probably know who's gonna be running this up anyways. Cool, so, fun part:
Is it possible? Obviously yes. More caveats. So this is something that was a huge pain in the ass, which is there are advertising limitations. It really makes sense: thinking about it from Google's perspective, to take out an ad word there needs to be search volume, there have to be people searching for it before you can take out that ad word. Now, for a bunch of you people in the audience who are ethically... it's pretty easy to bypass that one, but that is still one limitation that some people will not be able to bypass to use this technique. And lastly, there needs to be search results, so if you're going to throw the hash in there, there need to be blogs coming back; it just needs to be indexed by Google, in this case. Easy to do: you can throw it in comment fields, you can spin up a Google Site, you can write your own blog and host it on WordPress, anything you want, just to get it indexed so that there are search results when someone searches for it.

And of course there's the OPSEC considerations. So to actually sign up for AdWords you have to enter in all this easily sweepable information, and on top of that the pages have to be indexed, which is actually a huge consideration going back to the initial point: if we wanted this to be really low effort, we want it to be passive and indirect. So if you have to expose yourself additionally by creating all these blogs, again, you're going up against someone who you're assuming is bored and will dive into all those blogs that you write. So every blog that you write just to generate that search result, get it indexed, is going to result in potentially more exposure to whoever is looking for you, so they're gonna maybe be able to dig. You have to be really careful if you do that. Cool, let's do it.

So what type of ad? I kind of talked about this briefly, but Google has a bunch of really awesome ad types. If you want to do a keyword search on a Google search you can do broad, you can do phrase, and you can do exact. For this we're doing a very simple... we're doing an exact match on a hash. But you can also do display and video ads, so you can target people all across the entire spectrum if you wanted to get really, really picky; you'd want to work with probably someone who's a marketing major or focuses on advertising. And then for the bid strategy on this, like, for those of you who don't know how Google AdWords works, you actually have to bid to get your ad displayed, and your bid is based on how much you're willing to pay per click. For this technique it's super easy to get your ad displayed, because theoretically no one else should be taking out an ad word for your hash, because you're the only one who knows it exists. So you can bid, you know, five cents, whatever it is, it's no big deal.

Other possibilities. So this is the really fun part: I'm using hashes because hashes are easy; I can guarantee that's unique. But you can use all sorts of other references. So if you want to attack and see if someone was actually reversing your malware, you can take your handle and take out an ad word for it. No one else should be googling for your handle unless they found it in, you know, you stick it in the strings of the file, so someone read the strings on your implant and that's how they're looking for your handle. It gives you, like, the value of knowing that someone is reversing your malware, the value of knowing that, exactly, like, they ran strings on my file or they've decompiled it and they're actually doing something mean. Like, that value is priceless for a lot of people, depending upon your target. Same goes, like, you can do an email address, have a really unique file name, and then, you know, a bunch of random miscellaneous phrases, so, like, pick your favorite battle from Lord of the Rings or something really, really obscure from literature, throw that in as a reference in your file and see if people are googling for it. The one problem though with this is, if you're trying to say what the goal of the campaign is: so if you're trying to catch that someone's reversing your file, these options are really good. However, if you just want to see if, hey, someone found my file and they may be spinning up an investigation, they may be going after my infrastructure, you want to keep it as simple as possible. So really my recommendation is to keep it with a file hash. Everybody is gonna take an MD5; they're gonna take the MD5 or the SHA-1, they're gonna throw it into Google. Not a guarantee, but it's more likely that they're gonna do that than actually reverse your file and dig and find your email address, find your handle, find all of those things. So keep it unique, keep it simple, is my recommendation. I made this mistake as part of this: don't ever use generic terms, don't try and put in complex ideas. And also, the last part, is domains and IPs. So almost everybody on a blue team is going to be using some other tool that will be able to dig into domains and IPs better than throwing it into Google, so that's just something to be aware of if you really want, like, you're trying to get really high fidelity results and you're trying to get it so that if somebody searches for it, you're going to get that alert that they did. Cool, so for this example:
Because I love lawyers and lawyers love me, I'm not going to be doing it for a custom file; I'm going to be doing it for just some ransomware that has already generated a lot of traffic, so I already passed that ethically ambiguous point, the traffic's already been generated. And this is kind of, you know, something interesting I learned: all of the AV companies take out ads; they do the exact same thing. So if Google were to combat this technique, they're gonna say, great, you can't take out ads for hashes, but all of the AVs are already taking out ads for hashes after something hits, so it's really gonna be a hard game to combat something like this. So the ad that I did was just a really huge bid, so I was bidding like five dollars per click, so I got displayed all the time, and then the campaign was a maximize clicks, so I'm trying to drive all that revenue by driving people to my site. So there it is, it actually works.

It's a miracle. So up at the top, all I did was, my ad is a simple Google Site, and I said... so Google also looks at ads very carefully, because they've been dealing with a lot of malware and ads, so what you're trying to do is you're trying to demonstrate that the ad you've created is going to be relevant for the particular audience that you're targeting. So in this case I pretend to be a malware blog about weird file hashes, and it's just a Google Site; it shows up when someone searches for it, it's awesome. But this is what the SOC analyst or someone on the blue team would see; this is what you would see.

This is where the actual valuable information is. Obviously Google has these fancy colors and pretty graphs; you know, if you actually wanted to log in and use your mouse you can see. But it also has this beautiful API, so you can grab the report, you can just set up a Python script, it pulls down the report every hour, and all you're looking for is that column right there. That column is gonna change from 0 to 1; when it does, you can automatically switch your infrastructure over. So it works really nicely to just automate away having to deal with, like, blue team recon actually coming after you. And then there is one other annoying caveat with Google, which is that it's AdWords, so it's designed for marketing people; it's not going to be a real-time alert. They claim in their documentation it's 3 hours; during my testing it wasn't ever that long, but at the same time it's not going to be a real-time alert, so someone's not going to search for it and then 5 minutes later you're gonna see it. It's gonna be probably a couple of hours, and then that's how you know that someone's been searching for it. But it works.

But there's a ton of practical considerations to take into account. So if you're a team of one, is it really worth going into all of this effort to target a blue team that you already know is overworked, completely underwater and bored out of their mind? Really the most applicable use case of this is someone who can spend millions of dollars, someone who has a staff of several thousand that can go out and generate that traffic for you in advance, and also someone who's gonna be burning an 0day. So if you're burning an 0day it's really, really important that you know that you've been detected; like, that all of a sudden becomes really valuable. If you're just, you know, if you've sent out a phishing email and it's just generic, you're running Empire or something like that, then being burned, like, it's a pain to set up again and spin up from scratch, but it's not going to be something that's the death of an entire op; it's not going to actually have any serious implications. But if you're dropping like three or four 0days and you end up with that getting burned, that all of a sudden is like, oh great, we lost millions of dollars, or however much time it took to find those 0days. So having any kind of visibility into how quickly you've been found out is amazing. And of course OPSEC: I touched on this before, but I can't emphasize this enough. Like, you have to expose quite a bit of information to whoever is researching it, but also then to Google. So if you're not careful about how you're registering this, if you're a very sophisticated actor and you're taking out an ad, so, like, you spin up a campaign, you take out only one ad for one particular hash, Google can dive into that data and say, hey, you took out one ad for one particular thing, that's really suspicious. And even after, like, eventually you're gonna get discovered, everything is gonna get publicized, Google can go back and say, all right, great, I know all this information; they can see all of your logins, they can see every time you ran the API and pulled down that report. So you're really exposing a lot of OPSEC, and it's definitely something you need to take into consideration if you're going to be a sophisticated actor and if you really want to use this in the wild. But this is really the
exciting part for me is the next steps. So keyword matching on a Google search is probably going to be phased out within the next 12 months, just based on how quickly they continue to change the ad tech. Just between when I submitted this talk in April and when I'm presenting today, Google has changed their back-end algorithm at least three times that I've noticed, and it's ridiculously annoying because there's no way to understand how the false negatives are going to change. So with this technique, if someone searches for the hash and they get the ad displayed to them, it's pretty much a guarantee that, you know, they found your hash. But what you don't know is if someone searches for the hash and the ad doesn't display. There are plenty of times when Google will just tweak that algorithm a little bit: great, so we're not gonna show that ad to the first 50 people that search for that term, and they'll never tell you. So you don't know when the ad is not being shown, so there's no guarantee that it will actually work in every single case. All you know is that if someone searches for it and the ad is shown to them, then it will actually be useful and valuable to you.

But of course there's also the extension of this into email, and that's the really exciting part. So all of the blue team communities, they have their secret squirrel groups that are basically distribution lists; everybody is using a third-party email provider, and if one of those third-party email providers is not as sophisticated... cool, so Google no longer lets you, like, look at the email bodies, so if someone is not that sophisticated... I'm not gonna rat on any companies here, but there's a couple of them out there that would allow you to take out an ad for a keyword match on a body. Doing the same thing with hashes on the email keyword match in a body would allow you to know if someone is talking about your file in a closed group. That's arguably much more useful to you, because that means that's someone who isn't... like, most of us try not to put things into Google, but we will share suspicious files, suspicious IPs in closed communities that we perceive to be safe. So this is a really good indicator for people who think that they're more sophisticated, and they could be spinning up a working group against you. Great, you know, it's great early warning to move your infrastructure. And of course there's always going to be third-party apps, so of course we all read about Google, who was still allowing developers to read email. You can always just go ask all the people in the threat intel team at your target to install a third-party plug-in and they'll do it; probably one of them will, and you can read all their emails.

And of course, why do you care? I think we all know why we care: advertising is everywhere. We actually should pay attention to how our data is being stored, but also we should think about how we can use it. The barrier to entry into online marketing and advertising is continually getting lower. This entire presentation could have been done simply just by clicking buttons and reading online documentation; there was no actual technical barrier to use advertising for the benefit of the community and for the benefit of security. So that's what's pretty awesome about how the ad world, the AdWords... yeah, the advertising world is changing. Like, we get to take advantage of big companies trying to make money, and let's use it to our advantage.

Thank you very much. [Applause]
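The defensive side of the talk's point, as an added example that is not part of the presentation: the searches that trigger the speaker's exact-match ad pass through the blue team's own web proxy first, so a SOC can flag an analyst who pastes a raw hash, IP or e-mail address into a public search engine before the query reaches an ad network. The Squid-style log layout, the search-engine host list and the sample log lines are constructed assumptions for this example.

```python
"""Flag analyst searches that leak indicators to public search engines.

Constructed example: the talk shows that an exact-match ad on a file hash
fires as soon as a defender pastes that hash into Google. The proxy log is
where a blue team can see its own leaks, well before the ad report does.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Public search engines whose query lives in the 'q' parameter (assumption).
SEARCH_HOSTS = ("www.google.com", "www.bing.com", "duckduckgo.com")

# Indicator shapes a SOC analyst is likely to paste verbatim.
INDICATOR_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
}

# Squid-style access log: timestamp, client, status, URL (constructed layout).
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<url>\S+)$")

# Constructed sample lines: one MD5, one harmless query, one IP, one lookup
# against an internal tool (should not fire), one quoted e-mail address.
SAMPLE_LOG = """\
1560000000.123 10.1.2.3 200 https://www.google.com/search?q=d41d8cd98f00b204e9800998ecf8427e
1560000001.456 10.1.2.3 200 https://www.google.com/search?q=how+to+parse+squid+logs
1560000002.789 10.1.2.4 200 https://duckduckgo.com/?q=198.51.100.7
1560000003.012 10.1.2.5 200 https://intranet.example/search?q=d41d8cd98f00b204e9800998ecf8427e
1560000004.345 10.1.2.6 200 https://www.bing.com/search?q=%22attacker%40example.net%22
"""


def classify(query: str):
    """Return the indicator type a search query looks like, or None."""
    q = query.strip().strip("\"'")  # analysts often wrap the value in quotes
    for name, pattern in INDICATOR_PATTERNS.items():
        if pattern.match(q):
            return name
    return None


def leaked_indicators(log_text: str):
    """Return (client, host, indicator_type, query) for every search that exposes an IOC."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a well-formed access log line
        parts = urlsplit(m.group("url"))
        if parts.hostname not in SEARCH_HOSTS:
            continue  # internal tooling is where these lookups belong
        # parse_qs percent-decodes the value and turns '+' into a space
        for q in parse_qs(parts.query).get("q", []):
            kind = classify(q)
            if kind:
                findings.append((m.group("client"), parts.hostname, kind, q.strip("\"'")))
    return findings


if __name__ == "__main__":
    for client, host, kind, query in leaked_indicators(SAMPLE_LOG):
        print(f"{client} searched {host} for a {kind}: {query}")
```

Run against live proxy logs this check fires immediately, ahead of the hours-long reporting delay the speaker describes, so the team can treat the indicator as burned and keep further lookups on internal tooling.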