Friday, May 9, 2025

New ‘BYOTB’ Attack Exploits Trusted Binaries to Evade Detection, Researchers Reveal


A recent cybersecurity presentation at BSides London 2024 has unveiled a sophisticated attack technique known as Bring Your Own Trusted Binary (BYOTB).

This method leverages legitimate, trusted binaries to evade detection by advanced security measures such as Endpoint Detection and Response (EDR) systems and firewalls.

The findings, presented by cybersecurity researcher David Kennedy of Jumpsec Labs, shed light on how attackers are increasingly exploiting trusted tools to conduct covert operations.


Exploiting Trusted Tools for Malicious Purposes

The BYOTB technique capitalizes on the inherent trust placed in legitimate binaries, such as Cloudflare’s cloudflared and OpenSSH utilities.

These binaries, often digitally signed and widely used for legitimate purposes, are repurposed by attackers to bypass security controls.

[Figure: BYOTB Attack – Windows Machine]

For instance, Kennedy demonstrated how the cloudflared binary can be used to tunnel SSH traffic over HTTPS (port 443), effectively bypassing network restrictions and evading detection by security tools like CrowdStrike EDR.

By employing commands such as cloudflared tunnel run --token YourTokenHere, attackers can establish encrypted tunnels that appear benign.

These tunnels can then be used for reverse port forwarding or SOCKS proxying, enabling attackers to exfiltrate data or maintain persistent access to compromised systems.

OpenSSH binaries were also highlighted as a means to establish remote access by deploying them alongside necessary dependencies like libcrypto.dll.

Advanced Techniques and OPSEC Considerations

Kennedy further elaborated on advanced techniques, including the use of Cloudflare’s WARP client as an alternative to traditional SSH tunneling.

This approach acts like a VPN, allowing attackers to access target networks without relying on SSH or Proxychains.

[Figure: BYOTB Attack – Proxychains connections]

Additionally, a “double tunnel” method was described, where attackers reroute traffic through multiple layers of tunnels to evade firewall rules that block specific ports.

Despite the effectiveness of these methods, Kennedy emphasized the importance of operational security (OPSEC) for attackers.

According to Jumpsec Labs, overloading trusted binaries with excessive traffic or failing to conceal their presence could trigger alerts, compromising the attack.

To mitigate the risks posed by BYOTB attacks, organizations must adopt proactive monitoring and detection strategies:

  • Process Telemetry: Monitor command-line arguments for suspicious keywords like “tunnel” or “access,” which may indicate misuse of binaries like cloudflared.
  • DNS Logging: Track queries to domains associated with tunneling tools (e.g., argotunnel.com) to identify potential abuse.
  • Firewall Rules: Restrict outbound traffic on non-essential ports and monitor for anomalies in port usage.
  • File Monitoring: Detect unauthorized downloads of trusted binaries from platforms like GitHub by verifying file hashes against approved lists.
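The four monitoring ideas above can be turned into a simple detection pass. The following is an added example written for this article, not code from Jumpsec Labs or from the presentation: it runs the process-telemetry, DNS, firewall and file-hash checks over constructed sample records. The log formats and field order, the `ESSENTIAL_PORTS` policy, the approved-hash list and every sample value (hostnames, IPs, ports, the `PLACEHOLDER_TOKEN` string) are assumptions made for the example; only `cloudflared`, the `tunnel`/`access` keywords and `argotunnel.com` come from the text.

```python
"""Added example (not from the article or Jumpsec Labs): a detection pass
implementing the four BYOTB monitoring ideas over constructed records."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Binaries the article names as candidates for BYOTB abuse.
TUNNEL_CAPABLE = {"cloudflared", "cloudflared.exe", "ssh", "ssh.exe"}
# Command-line keywords the article suggests watching for.
SUSPICIOUS_ARGS = re.compile(r"\b(tunnel|access)\b", re.IGNORECASE)
# Domains tied to tunnelling tools (argotunnel.com is named in the article).
TUNNEL_DOMAINS = ("argotunnel.com",)
# Outbound ports treated as essential: an assumed policy for this example.
ESSENTIAL_PORTS = {53, 80, 443}


@dataclass
class Alert:
    source: str   # which telemetry produced the alert
    reason: str
    record: str   # raw record kept for the analyst


def check_process(line: str) -> Optional[Alert]:
    """Process telemetry. Assumed format: '<ts> <host> <user> <image> <cmdline>'."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    image, cmdline = parts[3], parts[4]
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe in TUNNEL_CAPABLE and SUSPICIOUS_ARGS.search(cmdline):
        return Alert("process", f"{exe} launched with tunnelling argument", line)
    return None


def check_dns(line: str) -> Optional[Alert]:
    """DNS log. Assumed format: '<ts> <host> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    qname = parts[2].rstrip(".").lower()
    if any(qname == d or qname.endswith("." + d) for d in TUNNEL_DOMAINS):
        return Alert("dns", f"query for tunnelling domain {qname}", line)
    return None


def check_connection(line: str) -> Optional[Alert]:
    """Firewall log. Assumed format: '<ts> <host> <dst_ip> <dst_port>'.
    A tunnel carried over 443 passes this check unnoticed, which is why the
    process and DNS signals are needed alongside the port rule."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    port = int(parts[3])
    if port not in ESSENTIAL_PORTS:
        return Alert("firewall", f"outbound to non-essential port {port}", line)
    return None


def check_file(name: str, content: bytes, approved: dict) -> Optional[Alert]:
    """File monitoring: a tunnel-capable binary whose SHA-256 is not on the
    approved list is flagged. The approved list is an assumed input."""
    if name.lower() not in TUNNEL_CAPABLE:
        return None
    digest = hashlib.sha256(content).hexdigest()
    if digest not in approved.get(name.lower(), set()):
        return Alert("file", f"{name} sha256 {digest[:12]}... not approved", name)
    return None


def run_detections(process_log, dns_log, conn_log, files, approved):
    """Apply every check and return the alerts in telemetry order."""
    alerts = []
    for checker, records in ((check_process, process_log),
                             (check_dns, dns_log),
                             (check_connection, conn_log)):
        alerts.extend(a for a in map(checker, records) if a)
    for name, content in files:
        a = check_file(name, content, approved)
        if a:
            alerts.append(a)
    return alerts


# Constructed sample records for this example (not real telemetry).
SAMPLE_PROCESS = [
    "2025-05-09T10:01:00Z ws01 alice C:\\Windows\\System32\\notepad.exe notepad.exe notes.txt",
    "2025-05-09T10:02:00Z ws01 alice C:\\Users\\alice\\Downloads\\cloudflared.exe "
    "cloudflared.exe tunnel run --token PLACEHOLDER_TOKEN",
]
SAMPLE_DNS = [
    "2025-05-09T10:02:01Z ws01 update.example.com. A",
    "2025-05-09T10:02:02Z ws01 edge.argotunnel.com. A",
]
SAMPLE_CONN = [
    "2025-05-09T10:02:03Z ws01 198.51.100.7 443",
    "2025-05-09T10:02:04Z ws01 198.51.100.8 8443",
]
APPROVED_BUILD = b"approved cloudflared build (constructed bytes)"
APPROVED_HASHES = {"cloudflared.exe": {hashlib.sha256(APPROVED_BUILD).hexdigest()}}
SAMPLE_FILES = [("cloudflared.exe", b"unapproved build (constructed bytes)")]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_PROCESS, SAMPLE_DNS, SAMPLE_CONN,
                                SAMPLE_FILES, APPROVED_HASHES):
        print(f"[{alert.source}] {alert.reason}: {alert.record}")
```

Each check is deliberately narrow and noisy on its own; the value comes from correlating them by host and time window, which is how the tunnel-over-443 case that slips past the firewall rule still surfaces through the process and DNS signals.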

These measures, combined with regular updates to endpoint security solutions and employee awareness training, can help organizations defend against BYOTB tactics.

The rise of BYOTB attacks underscores the evolving tactics of threat actors who exploit trusted tools for malicious purposes.

By leveraging legitimate binaries, attackers can blend into normal network activity, making detection significantly more challenging.

As these techniques gain traction among cybercriminals, it is imperative for organizations to enhance their defensive capabilities and remain vigilant against emerging threats.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
