Microsoft Dev Tunnels as C2 Channel
9 August 2023
Last updated
9 August 2023
Last updated
Background
This article provides an introduction to utilizing Microsoft's Dev Tunnels as a C2 (Command and Control) channel.
Begin by downloading the most recent version of the dev tunnels from Microsoft, available for both Linux and Windows versions. Upon successful download of the dev tunnels binary, execution is as follows:
To use the dev tunnels, you will have to sign in with your Azure Active Directory (AAD) or GitHub account. In my example, I'll authenticate using my GitHub account with the -g flag and utilize device code authentication with the -d flag.
Following this, a device code will be generated. Simply enter the provided device code link into your web browser to authenticate.
You can initiate the dev tunnels using the specified commands. Importantly, the --allow-anonymous flag allows anonymous clients to access your page.
./linux-x64-devtunnel create --allow-anonymous
Upon generating a tunnel ID, you can allocate a port to it, such as 443.
./linux-x64-devtunnel port create -p 443
After all configurations are in place, employ the following command to host the dev tunnels service:
./linux-x64-devtunnel host <tunnel id>
Upon attempting to access the dev tunnels link via a browser, you might encounter the following confirmation page.
A trick to enable your C2 to bypass this confirmation page is to ensure your C2 HTTP request does not contain Accept header or simply remove text/html from the Accept header.
With the dev tunnels active, proceed to integrate your preferred C2 on the same host machine. As an illustration, I'll be utilizing Brute Ratel for C2 and setting up the listener as below:
The Dev Tunnel is designed to forward all traffic to your localhost port. As such, it's important to ensure that your C2 listener binds to the localhost port.
Depending on the specific C2 in use, it might be necessary to establish an appropriate payload profile so that your shellcode will connect to the dev tunnels URL instead of localhost.
Once the listener is appropriately configured, use your loader of choice to run your shellcode. This will establish a C2 connection under the domaindevtunnels.ms.
