"New" way to bypass stateful firewalls

Discussion in 'other security issues & news' started by Gullible Jones, Oct 22, 2016.

    Gullible Jones (Registered Member)
    This was presented during DefCon 22, back in 2014, but I only just found it tonight... Here is the presentation as a PDF:

    https://www.defcon.org/images/defcon-22/dc-22-presentations/Balazs/DEFCON-22-Zoltan-Balazs-Bypass-firewalls-application-whitelists-in-20-seconds-UPDATED.pdf

    The binary-dropping bit is pretty old news; apparently AppLocker is not much better than SRP, and comes with obvious bypasses for some stupid reason. Hurray for running arbitrary binaries from Office macros without Windows noticing.

    Anyway, the macro/binary drop is a nice kludge...

    The more interesting thing IMO - in a "Why didn't I think of that?" way - is the firewall bypass. It works like this:

    1. Note what destination ports the target's hardware firewall allows for outbound traffic.

    2. Have the backdoor communicate back to you on one of the allowed ports, but with the source port for the packets set to something you can recognize.

    3. Use the firewall on your end to redirect those packets to the SSH port or whatever, based on their source port.

    This requires root/admin access on the compromised machine, otherwise it can't craft packets with specific source ports. (Although I do wonder how applicable that is on Windows, since it tends to give limited users more power than e.g. Linux does.)

    For the takeaway points, I'll just refer you all to the PDF (under "Lessons learned for the blue team"). Though I'm not sure about using an NGFW. Proxies like Squid are rather limited from what I've seen - they might be an improvement on outbound stateful firewalls, but I'm not sure they're a significant one. (And you still have to open ports to let through encrypted or non-HTTP traffic!)

    Anyway, this may be something to keep in mind, if outbound packet filtering is part of your setup.

    ...

    On a less paranoid note, I wonder if anyone has tried something like this for SSH, or other remote access connections.

    e.g.

    ssh client -> iptables on client changes source port -> internet -> iptables on server accepts only from that source port -> log in

    Obviously not as good as public key auth, but might be useful for certain things.
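The bypass described above depends on the implant picking its own source port so the far end can recognise it, and that choice is visible on the host or at the egress firewall. The following is an added detection example, not code from the post or from the DefCon presentation: it parses iptables-style LOG lines (the sample lines are constructed, RFC 5737 addresses) and flags outbound flows whose source port falls outside the OS ephemeral range, or whose exact source port is reused again and again against the same destination. The ephemeral range is a parameter because it differs by OS (the Linux default is 32768-60999; Windows uses 49152-65535), and the reuse threshold is an assumed value that would need tuning against a real log volume.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed iptables LOG output for outbound traffic (not captured from a real host).
# The SPT=1337 flow mimics a connect-back that fixes its source port on an allowed
# destination port (443); the others are ordinary ephemeral-port connections.
SAMPLE_LOG = """\
Oct 22 22:01:03 host kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=50122 DPT=443 SYN
Oct 22 22:01:04 host kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=50123 DPT=443 SYN
Oct 22 22:01:09 host kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=1337 DPT=443 SYN
Oct 22 22:02:09 host kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=1337 DPT=443 SYN
Oct 22 22:03:09 host kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=1337 DPT=443 SYN
Oct 22 22:03:30 host kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 LEN=60 PROTO=TCP SPT=40000 DPT=80 SYN
Oct 22 22:04:30 host kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 LEN=60 PROTO=TCP SPT=40000 DPT=80 SYN
"""

LINUX_EPHEMERAL = (32768, 60999)    # net.ipv4.ip_local_port_range default
WINDOWS_EPHEMERAL = (49152, 65535)  # Windows dynamic port range default

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


@dataclass
class Finding:
    src: str
    spt: int
    dst: str
    dpt: int
    count: int                      # how many log lines shared this exact 4-tuple
    reasons: list = field(default_factory=list)


def parse_log_line(line):
    """Return (src, spt, dst, dpt) for an outbound TCP/UDP LOG line, else None.

    Only lines with a non-empty OUT= interface are outbound; everything else
    (inbound, forwarded with no egress, malformed) is ignored.
    """
    fields = dict(KV_RE.findall(line))
    if not fields.get("OUT") or fields.get("PROTO") not in ("TCP", "UDP"):
        return None
    try:
        return (fields["SRC"], int(fields["SPT"]), fields["DST"], int(fields["DPT"]))
    except (KeyError, ValueError):
        return None


def find_suspicious_source_ports(lines, ephemeral=LINUX_EPHEMERAL, reuse_threshold=3):
    """Flag outbound flows that pick a non-ephemeral source port or reuse one repeatedly.

    A normal client lets the OS assign a source port from the ephemeral range,
    so the same fixed port recurring against one destination, or a port below
    that range, is the signature of an implant choosing its own source port.
    reuse_threshold is an assumed value; legitimate port reuse does happen over
    long windows, so a real deployment would scope counts to a time window.
    """
    lo, hi = ephemeral
    flows = Counter(rec for rec in map(parse_log_line, lines) if rec is not None)
    findings = []
    for (src, spt, dst, dpt), n in flows.items():
        reasons = []
        if not lo <= spt <= hi:
            reasons.append("non_ephemeral_source_port")
        if n >= reuse_threshold:
            reasons.append("repeated_source_port")
        if reasons:
            findings.append(Finding(src, spt, dst, dpt, n, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_source_ports(SAMPLE_LOG.splitlines()):
        print(f"{f.src}:{f.spt} -> {f.dst}:{f.dpt} x{f.count}  {', '.join(f.reasons)}")
```

Run against the constructed sample with the Linux range, only the SPT=1337 flow is reported (out of range and seen three times); with the Windows range the SPT=40000 flow is reported too, which is the point of keeping the range a parameter: the same rule misfires if the wrong OS baseline is assumed. The check catches the deliberate-source-port trick but not a connect-back that simply uses the allowed port with a normal ephemeral source port, so it complements, rather than replaces, egress proxying and application control.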