YoVDO

AWS GuardDuty - Post-DNS Era Covert Channel For C&C

Offered By: Hack In The Box Security Conference via YouTube

Course Description

Overview

Explore advanced covert communication techniques for malware in this Hack In The Box Security Conference talk. Delve into the evolution of DNS tunneling and its detection by Network Intrusion Detection Systems (NIDS). Learn how malware can maintain stealthy communication channels by leveraging cloud services and Content Delivery Networks (CDNs). Discover a robust Command and Control (C&C) method using attacker-owned S3 buckets to evade AWS GuardDuty detection. Examine various AWS services that can be exploited for covert C&C and data exfiltration. Gain insights into mitigation strategies and common pitfalls to avoid when using public cloud services like AWS. Benefit from the speaker's extensive programming background and previous conference experiences to understand cutting-edge cybersecurity threats and defenses.

Syllabus

Introduction
Agenda
Timeline
DNS Tunneling
DNS Over HTTPS
Network-Based Ideas
Host-Based Ideas
SIM
Cloud services
Preparation
How it establishes
Three possible outcomes
AWS GuardDuty
What do we need
Embed the access key
Set up the C&C server
Attacker's S3 Bucket
Common Flaws


Taught by

Hack In The Box Security Conference
