06-27, 12:15–13:15 (Europe/Vienna), Mittlerer Saal (Track 1)
Using Beacon Object Files (BOFs) to execute external post-exploitation capabilities from a C2 agent has been a staple technique in offensive security for years now. These self-contained programs are great for one-off tasks, such as gaining situational awareness, elevating privileges or dumping credentials. Recently, BOFs have received a powerful upgrade that allows them to be executed in the background, enabling long-running real-time monitoring functionality. This talk shows how the Conquest framework supports async BOFs and how they can benefit modern red teaming.
In last year's talk, I introduced Conquest, a command and control framework written in Nim. Since then, the project has been under heavy development and has seen countless new features, fixes and improvements. One of the most substantial changes was the addition of a Python module system, which allows red teamers and penetration testers to turn their favourite BOFs into Conquest commands. This drastically decreases the amount of functionality that has to be included in the base agent, because post-exploitation capabilities can simply be executed as external BOFs.
However, regular BOF loading is boring. There are countless open-source implementations and it is a feature of almost every C2 framework on the market. On the other hand, the number of frameworks that support asynchronous BOFs can almost be counted on one hand. In fact, Conquest is one of the few C2s that features stable async object file execution even while the agent's memory is obfuscated or encrypted, something that until now has been exclusive to commercial tooling.
This talk goes beyond proof-of-concepts by also featuring novel use-cases for async BOFs that benefit real engagements.
- TGT Monitoring
- KeePass Abuse
- Clipboard Monitoring
- ...
Jakob is a penetration tester and security professional from Austria. He is particularly passionate about offensive security, including network penetration testing and Windows malware development. By day he works in an internal penetration testing team, conducting and leading engagements, while at night he works on Conquest, a malleable and modular C2 framework written in Nim, or practices lock-picking.