Microsoft Dev Tunnels as C2 Channel

9 August 2023

Background

This article provides an introduction to utilizing Microsoft's Dev Tunnels as a C2 (Command and Control) channel.

Setting up the dev tunnels

Begin by downloading the most recent version of the dev tunnels from Microsoft, available for both Linux and Windows versions. Upon successful download of the dev tunnels binary, execution is as follows:

To use the dev tunnels, you will have to sign in with your Azure Active Directory (AAD) or GitHub account. In my example, I'll authenticate using my GitHub account with the -g flag and utilize device code authentication with the -d flag.

Following this, a device code will be generated. Simply enter the provided device code link into your web browser to authenticate.

You can initiate the dev tunnels using the specified commands. Importantly, the --allow-anonymous flag allows anonymous clients to access your page.

./linux-x64-devtunnel create --allow-anonymous

Upon generating a tunnel ID, you can allocate a port to it, such as 443.

./linux-x64-devtunnel port create -p 443

After all configurations are in place, employ the following command to host the dev tunnels service:

./linux-x64-devtunnel host <tunnel id>

Bypass the Microsoft dev tunnels confirmation page

Upon attempting to access the dev tunnels link via a browser, you might encounter the following confirmation page.

A trick to enable your C2 to bypass this confirmation page is to ensure your C2 HTTP request does not contain Accept header or simply remove text/html from the Accept header.

Setting up C2 listener

With the dev tunnels active, proceed to integrate your preferred C2 on the same host machine. As an illustration, I'll be utilizing Brute Ratel for C2 and setting up the listener as below:

The Dev Tunnel is designed to forward all traffic to your localhost port. As such, it's important to ensure that your C2 listener binds to the localhost port.

Depending on the specific C2 in use, it might be necessary to establish an appropriate payload profile so that your shellcode will connect to the dev tunnels URL instead of localhost.

Once the listener is appropriately configured, use your loader of choice to run your shellcode. This will establish a C2 connection under the domaindevtunnels.ms.

Reference

PreviousExecution of Remote VBA Script in ExcelNextStage Your Payload in Atlassian Confluence

Last updated