{"id":19864995,"url":"https://github.com/reveng007/sharpgmailc2","last_synced_at":"2025-04-09T13:07:52.138Z","repository":{"id":63176577,"uuid":"564179862","full_name":"reveng007/SharpGmailC2","owner":"reveng007","description":"Our Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol","archived":false,"fork":false,"pushed_at":"2022-12-27T01:45:46.000Z","size":20955,"stargazers_count":260,"open_issues_count":1,"forks_count":45,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-04-02T11:07:21.745Z","etag":null,"topics":["c2","gmail","hacking-tool","imap-client","implant","powershell","redteam","redteam-tools","redteaming","smtp-client"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/reveng007.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-11-10T06:48:15.000Z","updated_at":"2025-03-10T18:02:13.000Z","dependencies_parsed_at":"2023-01-31T02:16:02.607Z","dependency_job_id":null,"html_url":"https://github.com/reveng007/SharpGmailC2","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reveng007%2FSharpGmailC2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reveng007%2FSharpGmailC2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reveng007%2FSharpGmailC2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reveng007%2FSharpGmailC2/manifests","owner_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/owners/reveng007","download_url":"https://codeload.github.com/reveng007/SharpGmailC2/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248045232,"owners_count":21038553,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c2","gmail","hacking-tool","imap-client","implant","powershell","redteam","redteam-tools","redteaming","smtp-client"],"created_at":"2024-11-12T15:20:30.796Z","updated_at":"2025-04-09T13:07:52.104Z","avatar_url":"https://github.com/reveng007.png","language":"C#","readme":"# SharpGmailC2\n\nOur Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol\n\n### DISCLAIMER:\n\u003e This Project doesn't work against Windows Defender after _29th of November, 2022_. This tool is now signatured by MS Windows as `virtool:msil/ \"shgmailz.\" a!mtb`. However, I do have a plan to upgrade this project in the near future, to a newer version named, ***SharpGmailC2V2***\n\n---\n\u003e :no_entry_sign: [Disclaimer]: Use of this project is for **Educational/ Testing purposes only**. Using it on **unauthorised machines** is **strictly forbidden**. 
If somebody is found to use it for **illegal/ malicious intent**, the author of the repo will **not** be held responsible.\n---\n\n### Setup\n\nWhen setting up the intermediate sender and recipient Gmail account(s), enable `POP Download` and `IMAP Access` by following the steps in this [link](https://support.cloudhq.net/how-to-check-if-imap-is-enabled-in-gmail-or-google-apps-account/).\n\nOnce IMAP and POP are enabled, generate an App Password by following the steps in the article [here](https://support.google.com/accounts/answer/185833?hl=en). If the `App Password` setting is not visible in `Security`, enable 2FA verification for the Gmail account first.\n\nWhen compiling the code, update the lines that set `emailToAddress`, `password` and `emailToAddress`. The value for `password` should be set to the `App Password` generated in the previous step. Also, note that the values for `emailToAddress` and `emailToAddress` can be the same.\n\n### Used:\n\n1. `EAGetMail` library from Nuget Package Manager.\n2. `Costura` and `Costura Fody` from Nuget Package Manager, in order to bundle up all the dlls altogether. This actually bulked up my implant, but for this case, I don't think that will matter much as this implant is FUD till now :).\n\n### Precautions to be taken by Operator before Using Gmail as C2:\n\n1. Make sure the command sent via Gmail is in `Unread` mode (if not, mark it as Unread), as the implant scans the `Last/latest Unread` mail and checks whether it starts with \"`in:`\" or not. If it does start with \"`in:`\", the implant treats that text body as a legitimate command and marks that particular mail as `Read`, and this continues till the end.\n\nHere is the snippet:\n\n![latest_unreadMail](https://github.com/reveng007/SharpGmailC2/blob/main/img/latest_unreadMail.PNG)\n\n### C2 In-Action:\n\nhttps://user-images.githubusercontent.com/61424547/201413790-aa4c9948-d909-45d0-853e-2737e55ae4ef.mp4\n\n### Quick Scan:\n\n1. 
Using [@matterpreter](https://twitter.com/matterpreter)'s [DefenderCheck](https://github.com/matterpreter/DefenderCheck):\n\n![DefenderCheck](https://github.com/reveng007/SharpGmailC2/blob/main/img/DefenderCheck.PNG)\n\n2. Using [Antiscan.me](https://antiscan.me/):\n\n![AntiScan.me](https://github.com/reveng007/SharpGmailC2/blob/main/img/AntiScan.me.PNG)\n\n3. [Capa](https://github.com/mandiant/capa) Scan:\n\n![capa_scan](https://github.com/reveng007/SharpGmailC2/blob/main/img/capa_scan.PNG)\n\nIt seems like **capa** is not able to detect the capabilities of my Client implant at all. But it definitely creates suspicion, forcing the Malware Analyst to give the binary a second look.\n\n4. Wireshark Packet Capture:\n\n![smtp_capture](https://github.com/reveng007/SharpGmailC2/blob/main/img/smtp_capture.PNG)\n\nWe can see that the commands sent by the Operator via Gmail and the information that is exfiltrated/ sent out are all encrypted by Gmail's TLS encryption. On top of that, the IP address (marked) isn't suspicious at all; in other words, it is OPSEC safe.\n\n![ip_lookup](https://github.com/reveng007/SharpGmailC2/blob/main/img/ip_lookup.PNG)\n\n### Threat Detection\n\nSharpGmailC2 generates the following generic behaviour, which can help defenders detect `SharpGmailC2` or other processes that leverage Gmail mail protocols for Command and Control:\n\n* Anomalous increase in DNS calls to `imap.google.com` and network connections to other Google domains e.g. 
`1e100.net.`\n```\n# Monitor high network connections from a particular processID\nChannel=Microsoft-Windows-Sysmon\n(EventID=3 OR EventID=22)  (3=Network Connection, 22=DNS)\n(DestinationHostname=*.1e100.net OR QueryName=*.gmail.com)\n```\n\n* Invocation of `powershell` process from a binary process (`.dll` or `.exe`)\n```\nChannel=Microsoft-Windows-Sysmon\nEventID=1\nCommandLine=powershell.exe\n(ParentImage=*.exe OR ParentImage=*.dll)\n```\n\n### Honourable Mentions:\n- Got enlisted in the Golden Source of the C2 Matrix (just underneath SharpC2 by [@_RastaMouse](https://twitter.com/_RastaMouse) and [@_xpn_](https://twitter.com/_xpn_)): [google_Sheet](https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0).\n\n### \u003cins\u003eCredits\u003c/ins\u003e:\n\n1. Inspired by [NamedPipes](https://github.com/malcomvetter/NamedPipes) from [malcomvetter](https://www.linkedin.com/in/malcomvetter/).\n2. Much much much thanks to [@SoumyadeepBas12](https://twitter.com/SoumyadeepBas12) for helping me out with the proper code structure of this project! :smiley:\n\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freveng007%2Fsharpgmailc2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Freveng007%2Fsharpgmailc2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freveng007%2Fsharpgmailc2/lists"}