Blue/Red Team question: does anyone have an observed example of an someone using x509 certs as part of their offensive tactics, beyond data encryption that is?
Iโm putting together a talk on x509 certs and want to cover some historic examples of offensive usages in either red team or bad actor operations.
Please boost for distribution if possible
@ropman76 Thanks! The talk is gonna be about using mTLS as a C2 channel where the coms payload is embedded in x509 certs.
But I also wanted to give a bit of overview of other ways people have used x509 certs as part of their offensive tactics
Here is the link to my talk:
https://cyphercon.com/presentation/secret-handshake-a-mutual-tls-based-c2-communication-channel/
@turbo Classic example: Stuxnet used forged code-signing certificates, possibly via stolen private keys. Many other examples of bad code-signing certificates:
https://arstechnica.com/information-technology/2018/02/counterfeit-certificates-sold-online-make-digitally-signed-malware-a-snap/
https://arstechnica.com/information-technology/2022/11/state-sponsored-hackers-in-china-compromise-certificate-authority/
https://arstechnica.com/information-technology/2022/12/microsoft-digital-certificates-have-once-again-been-abused-to-sign-malware/
https://arstechnica.com/information-technology/2023/01/github-says-hackers-cloned-code-signing-certificates-in-breached-repository/
And then there are the hacks of DigiNotar and Comodo.
Oh yesโthe very first phishing attack I ever saw involve a real certificate for paypa1.com. Does that count?
turbo
Tony Ropson
Sharon Goldberg
Bill Woodcock
Steve Bellovin
Howard Chu @ Symas