A proof of concept that demonstrates a method of sending/receiving data from .NET via a legitimate browser process of your choosing.
There are situations where a red teamer may want to have more control over the specific origin of their traffic on a system. Defensive tools such as JA3 and other EDR product components can identify known bad and contribute to building up a risk score based on the aspects of the web client being used to send data. I played around with JA3 and looked at the results for some of the typical web clients that are used. On the whole there was nothing too alarming, since lots of legitimate software uses the same methods. That said a JA3 hash of a client can contribute to a wider mechanism/set of metrics for filtering/determing a risk score for connections. Equally EDR products may look at the process responsible for sending traffic. I set out thinking of a way I can control which client sends data and where better to start than a legitimate web browser or in fact any of them.
What does this proof of concept do?
Demo showing DNS over HTTPS resolution via Internet Explorer:
Demo showing DNS over HTTPS resolution via Chrome:
- David Middlehurst - Twitter- @dtmsecurity