Howdy everybody. Thank you for showing up. I know you're all pretty hung over and that you've managed to survive a couple days of Vegas. And that this is, you know, Saturday. Start off before we get into the actual subject, like actually talking about using ads and whatnot. Don't fire or sue me, the basic crap. Be responsible adults. Who am I? Does it really matter? So, all right, let's dive in.

So, a couple of caveats. First off, I'm operating under the assumption that the target, whoever I'm trying to detect, is going to be searching for the term, so that they will actually go into a search engine and they will, sorry, I'm not going to wobble, that they're going to go into a search engine and they're going to search for it. Second, I'm picking one particular ad network. In this case, I'm picking Google because Google indexes very quickly. I have a very short attention span. It plays out very nicely. So they're going to use that ad network. And then the ad will actually register as displayed to the target. So some ad blockers are going to block even the display of an ad to somebody, even registering on the back end, versus others will still appear to have that impression given. So I'm operating under the assumption that the ad blocker doesn't block the display from registering. So, spherical cows in a vacuum.

Back story. So, you know, you're a red team operator and your op is your baby. You've been really clever. You've put in tons and tons of effort. You feel like you've exploited, you know, the humans very well. You feel like you've written beautiful code. Maybe you're doing something really clever in terms of how you're going to get root in production. And all of a sudden, your implant is discovered. What are you going to do? You're not going to cry.

So the criteria for this were: it had to be indirect. So the notion that this had to be really easy, something that we could do just to spin up as part of the op. It had to be passive.
We didn't want to actively go and, like, cheat and go look at where the blue team was coming from and use any of that information. So apply it to any potential blue team effort. And of course, low effort. Going back to general laziness and short attention span. So what is that worth to all of us? To me, it's worth a lot. But at a certain point, I draw the line. So this is where the line is drawn. Let's catch lazy blue teamers.

This also stems from the idea of, previously, you used to be able to upload... like, everybody was like, "Oh, I found this weird hash. I'm going to upload the file to VirusTotal." And then all of the adversaries, all of the red teams, were like, "Hey, so we're not going to upload the actual implant. We're going to wait for someone else to upload it." And then you had adversaries that were able to then go search for their hash. They knew what the hash was. They wait for it to show up and appear in VirusTotal. And that means that somebody found it and somebody uploaded it. Biggest problem with that, of course, is you knew that they found it. You didn't know what they were going to do. But just having that fact is enough time to transition your infrastructure over. So whatever your latest infrastructure is, move it. Saves you time. Saves you money. And again, you don't have to do the op from scratch again.

And this is the fun part. Blue teams are burnt out. So the average SOC analyst really doesn't do something important nowadays. They're looking at false positive, false positive. And then, "Oh, look, it's a phishing email, somebody downloaded some commodity shit." So what we're going to try and do here is attack the human when they find something interesting. And we're going to look at the general life cycle here. So the SOC analyst is like, they're going to get the alert, something's going to happen. It's going to be, "Hey, weird file, maybe it's a reverse shell going somewhere strange. Like, oh, what is this?"
Because they're bored, this is what I'm banking on. Because they're bored, they're going to actually dive into this with a little bit more depth than what is traditional. So the alert won't tell them it's bad. It's just going to be like, something strange happened. So as part of that investigation, they're going to do more of that investigation than they normally would, which is where they're going to start making mistakes.

So, Target the Human. We all know everybody has internal tools. You have your internal sandbox. You have all of your internal indicator databases. You have all your vendor products. You're paying some cyber TM vendor to tell you everything's bad. But then eventually you end up going to public tools. So you take the hash, you throw it in the Google, and you're like, "Great, what does Hybrid Analysis say? Did anybody write a blog about this? Is anybody else talking about this hash?" And you need that information to kind of... you want to write your report when you send it up to the highest tier. You're like, "Hey, I'm amazing. I found out that this is really, in fact, not China. It's actually Russia pretending to be China." And you found that blog on Kaspersky. So sorry, I love all of them. I'm not being bitter. So it's really, you're just attacking that human desire, you know, someone who's really bored, someone who's diving into that investigation. They want to feel special. They want to be able to send all the information up to the next tier analyst or to the sophisticated resources, like, "Hey, I did all this work already. I found all of this." And if it's not in any other tools, they're going to have to rely on public sources. Cool.

So next up, what if I know when somebody searches for something, right? This is pretty basic. Like, this is the advertising goal. Advertising is all about targeting someone based on how they're using the service, based on what they're searching for, based on what they want. So it gives us the power to dive into keywords.
We can do demographic information. We can also say, "Hey, I know that they're going to be..." you know, hackers are going to be interested in security. So you can even target it down a lot further. That's literally by design. But the really cool part here about advertising, which is something that we as the general public don't see very often, is all the tools on the back end to help companies and individuals fine tune their advertising.

So this is the basic idea here. So highlighted in the red square is, in Google, this is the impression. So the impression is going to appear every time a particular ad is shown to someone. It goes back to the caveat that it has to actually register as an impression for this to work. So what we're going to be looking for here is, like, when that impression is shown, that means someone searched for it. And if you choose the exact string match, it's like, yes, someone had to have searched for it for that impression to happen. And of course, over on the right, if somebody chooses to search for your AdWord while they're logged into their Google account, you get a ton of really scary information. So if you really wanted to have some fun afterwards, if you got this to work, you could really target them almost directly, because if you're a red teamer and you're looking at which particular target, you probably know who's on their seats or you probably know who's going to be running this up anyways. Cool.

So, fun part. Is it possible? Obviously, yes. More caveats. So this is something that was a huge pain in the ass, which is there are advertising limitations. Really makes sense. So thinking about it from Google's perspective, to take out an AdWord, there needs to be search volume. There have to be people searching for it before you can take out that AdWord. Now, a bunch of you people in the audience who are ethically ambiguous, pretty easy to bypass that one.
But that is still one limitation that some people will not be able to bypass to use this technique. And lastly, there need to be search results. So if you're going to throw a hash in there, there need to be blogs coming back. And that's really... it just needs to be indexed by Google in this case. Easy to do. You can throw it in comment fields. You can spin up a Google Site. You can write your own blog and host it on WordPress, anything you want, just to get it indexed so that there's search results when someone searches for it.

And of course, there's the OPSEC considerations. So to actually sign up for AdWords, you have to enter in all of this easily spoofable information. And on top of that, then the pages have to be indexed, which is actually a huge consideration, going back to the initial point of we wanted this to be really low effort. We wanted it to be passive and indirect. So if you have to expose yourself additionally by creating all of these blogs, again, you're going up against someone who you're assuming is bored and will dive into all of those blogs that you write. So every blog that you write just to generate that search result, get it indexed, is going to result in potentially more exposure to whoever is looking for you. So they're going to maybe be able to dig. So you just have to be really careful if you do that. Cool.

Let's do it. So what type of ad? I kind of talked about it briefly, but Google has a bunch of really awesome ad types. If you want to do a keyword search on a Google search, you can do broad, you can do phrase, and you can do exact. For this, we're doing a very simple... we're doing an exact match on a hash, but you can also do display and video ads. So you can target people all across the entire spectrum, if you want to get really, really picky, if you want to work with probably someone who's a marketing major or focuses in advertising.
And then for the bid strategy on this, like, for those of you who don't know how Google AdWords works, you actually have to bid to get your ad displayed. And your bid is based on how much you're willing to pay per click. For this technique, it's super easy to get your ad displayed, because theoretically no one else should be taking out an AdWord for your hash, because you're the only one who knows it exists. So you can bid, you know, five cents, whatever it is. It's no big deal.

Other possibility, so this is the really fun part, is I'm using hashes because hashes are easy. I can guarantee that's unique, but you can use all sorts of other references. So if you want to attack and see if someone was actually reversing your malware, you can take your handle and take out an AdWord for it. No one else should be Googling for your handle unless they found it in, you know, you stick it in the strings of the file. So someone read the strings on your implant and that's how they're looking for your handle. It gives you, like, the value of knowing that someone is reversing your malware, the value of knowing that exactly, like, they ran strings on my file or they've decompiled and they're actually doing something mean, that value is priceless for a lot of people, depending upon your target. Same goes, like, you can do email address, have a really unique file name, and then, you know, a bunch of random miscellaneous phrases, so like pick your favorite battle from Lord of the Rings or something really, really obscure from literature. Throw that in as a reference in your file and see if people are Googling for it. The one problem, though, with this is, it's like, what the goal of the campaign is. So if you're trying to catch that someone's reversing your file, these options are really good.
However, if you just want to see if, hey, someone found my file and they may be spinning up an investigation, they may be going after my infrastructure, you want to keep it as simple as possible. So really, my recommendation is to keep it with a file hash. Everybody's going to take an MD5, they're going to take the MD5 or the SHA and they're going to throw it in the Google. Not a guarantee, but it's more likely that they're going to do that than actually reverse your file and dig and find your email address, find your handle, find all of those things. So keep it unique, keep it simple. It's my recommendation. I made this mistake as part of this: don't ever use generic terms, don't try and put in complex ideas. And also, the last part is domains and IPs. So almost everybody on a blue team is going to be using some other tool that will be able to dig into domains and IPs better than throwing it into Google. So that's just something to be aware of, if you really want, like, you're trying to get really high fidelity results and you're trying to get it so that if somebody searches for it, you're going to get that alert that they did. Cool.

So for this example, because I love lawyers and lawyers love me, I'm not going to be doing it for a custom file. I'm going to be doing it for just some ransomware that has already generated a lot of traffic. So already passed that ethically ambiguous point. The traffic's already been generated, and this is kind of, you know, something interesting I learned is all of the AV companies take out ads, they do the exact same thing. So if Google were to combat this technique, they're going to say, "Great, you can't take out ads for hashes," but all of the AVs are already taking out ads for hashes after something hits. So it's really going to be a hard game to combat something like this.
So the ad that I did was just a really huge bid, so I was bidding like $5 per click, so I got displayed all the time, and then the campaign was a maximize clicks. So I'm trying to drive all that revenue by driving people to my site. So here it is. It actually works. It's a miracle. So up at the top, all I did was, my ad is a simple Google Site, and I said... so Google also looks at ads very carefully because they've been dealing with a lot of malware in ads. So what you're trying to do is you're trying to demonstrate that the ad you've created is going to be relevant for the particular audience that you're targeting. So in this case I pretend to be a malware blog about weird file hashes and it's just a Google Site. It shows up when someone searches for it. That's awesome. But this is what the SOC analyst or someone on the blue team would see. This is what you would see.

So this is where the actual valuable information is. Obviously Google has these fancy colors and pretty graphs, if you actually want to log in and use your mouse, you can see. It also has this beautiful API. So you can grab the report. You can just set up a Python script. It pulls down the report every hour, and all you're looking for is that column right there. That column is going to change from zero to one. When it does, you can automatically switch your infrastructure over. So it works really nicely to just automate a way of having to deal with a blue team recon actually coming after you.

And then there is one other annoying caveat with Google, is that it's AdWords, so it's designed for marketing people. It's not going to be a real-time alert. They claim in their documentation it's three hours. During my testing it wasn't ever that long, but at the same time it's not going to be a real-time alert. So someone's not going to search for it and then five minutes later you're going to see it. It's going to be probably a couple of hours, and then that's how you know that someone's been searching for it.
But it works, but there's a ton of practical considerations to take into account. So if you're a team of one, is it really worth going into all of this effort to target a blue team that you already know is overworked and completely underwater and bored out of their mind? Really the most applicable use case of this is someone who can spend millions of dollars. Someone who has a staff of several thousand that can go out and generate that traffic for you in advance, and also someone who's going to be burning a 0day. So if you're burning a 0day, it's really, really important that you know that you've been detected. Like, that all of a sudden becomes really valuable. If you're just, you know, if you send out a phishing email and it's like, it's just generic, if you're running Empire or something like that, that being burned, like, it's a pain to set up again and spin up from scratch, but it's not going to be the death of an entire op. It's not going to actually have any serious implications. But if you're dropping like three or four 0days and you end up with that getting burned, then all of a sudden it's like, "Oh great, we lost millions of dollars," or however much time it took to find those 0days. So having any kind of visibility into how quickly you've been found out is amazing.

And of course, OPSEC. I touched on this before, but I can't emphasize this enough, is, like, you have to expose quite a bit of information to whoever is researching it, but also then to Google.
So if you're not careful about how you're registering this, if you're a very sophisticated actor and you're taking out an ad, so, like, you spin up a campaign, you take out only one ad for one particular hash, Google can dive into that data and say, "Hey, you took out one ad for one particular thing, that's really suspicious." And even after, like, eventually you're going to get discovered, everything's going to get publicized, Google can go back and say, "All right, great, I know all this information." They can see all of your logins, they can see every time you ran the API and pulled down that report. So you're really exposing a lot of OPSEC, and it's definitely something you need to take into consideration if you're going to be a sophisticated actor and if you're really, like, if you really want to use this in the wild.

But this is really the exciting part for me, is the next steps. So keyword matching on a Google search is probably going to be phased out within the next 12 months, just based on how quickly they continue to change the ad tech. Just between when I submitted this talk in April and what I'm presenting today, Google has changed their back end algorithm at least three times that I've noticed, and it's ridiculously annoying because there's no way to understand how the false negatives are going to change. So with this technique, if someone searches for the hash and they get the ad displayed to them, it's pretty much a guarantee that you know that they found your hash. But what you don't know is if someone doesn't... if someone searches for the hash and the ad doesn't display. There are plenty of times when Google, and you just tweak that algorithm a little bit, "Great, so we're not going to show that ad to the first 50 people that search for that term," and they'll never tell you. So you don't know when the ad is not being shown. So there's no guarantee that it will actually work in every single case. It's just, all you know is that if someone searches for it and the ad is shown to them, then it
will actually be useful and valuable to you. But of course there's also the extension of this into email, and that's the really exciting part. So all of the blue team communities, they have their secret squirrel groups that are basically distribution lists. Everybody is using a third party email provider, and if one of those third party email providers is not as sophisticated as Google... so Google no longer lets you, like, look at the email bodies. So if someone is not that sophisticated, I'm not going to rat on any companies here, but there's a couple of them out there that will allow you to take out an ad for a keyword match on a body. Doing the same thing with hashes on the email, keyword match in a body, would allow you to know if someone is talking about your file in a closed group. That's arguably much more useful to you, because that means that someone who isn't, like... most of us try not to put things in the Google, but we will share suspicious files, suspicious IPs in closed communities that we perceive to be safe. So this is a really good indicator for people who think that they're more sophisticated and they could be spinning up a working group against you. Great, you know, it's great early warning to move your infrastructure.

And of course there's always going to be third party apps. So of course we all read about Google, who was still allowing developers to read email. You can always just go ask all of the people on a threat intel team at your target to install a third party plug-in and they'll do it. Probably one of them will, and you can read all their emails.

And of course, why do you care? I think we all know why we care, is that advertising is everywhere. We actually should pay attention to how our data is being stored, but also we should think about how we can use it. The barrier to entry into online marketing and advertising is continually getting lower. This entire presentation could have been done simply just by clicking buttons and reading online documentation. There was no actual
technical barrier to use advertising for the benefit of the community and for the benefit of security. So that's what's pretty awesome about how the ad world, the advertising world, is changing. Like, we get to take advantage of big companies trying to make money, and let's use it to our advantage. Thank you very much.