SANSFIRE 2024: SANS@Mic - Implant, Phone Home

  • Thursday, 18 Jul 2024 7:15PM EDT (18 Jul 2024 23:15 UTC)
  • Speakers: Jonathan Reiter, Kevin Ott

This presentation examines the use of the Windows HTTP libraries WinInet and WinHTTP for building red team malware tooling. After an overview of both libraries, we highlight their central roles in Windows networked applications, particularly in covert operations and data exfiltration scenarios. The client-focused WinInet API and the server-oriented WinHTTP API are examined for their suitability in maintaining stealthy communications with command and control servers. A practical beaconing example in C++ demonstrates each library's functionality in simulated red team scenarios. The session concludes with a case study on certificate pinning, essential for bypassing network security measures and enhancing the stealthiness of malware communications. Attendees will leave with a thorough understanding of how to choose and implement the right HTTP library to improve the effectiveness and discretion of their malware initiatives.

SANS@Night