Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/reveng007/sharpgmailc2
Our Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol
c2 gmail hacking-tool imap-client implant powershell redteam redteam-tools redteaming smtp-client
Last synced: 5 days ago
- Host: GitHub
- URL: https://github.com/reveng007/sharpgmailc2
- Owner: reveng007
- License: mit
- Created: 2022-11-10T06:48:15.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2022-12-27T01:45:46.000Z (almost 2 years ago)
- Last Synced: 2024-12-05T03:25:40.478Z (18 days ago)
- Topics: c2, gmail, hacking-tool, imap-client, implant, powershell, redteam, redteam-tools, redteaming, smtp-client
- Language: C#
- Homepage:
- Size: 20 MB
- Stars: 258
- Watchers: 10
- Forks: 46
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# SharpGmailC2
Our Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol
### DISCLAIMER:
> This project doesn't work against Windows Defender after _29th of November, 2022_. Microsoft Defender now flags this tool as `virtool:msil/ "shgmailz." a!mtb`. However, I do plan to upgrade this project in the near future to a newer version named ***SharpGmailC2V2***.

---

> :no_entry_sign: [Disclaimer]: Use of this project is for **Educational/ Testing purposes only**. Using it on **unauthorised machines** is **strictly forbidden**. If somebody is found to use it for **illegal/ malicious intent**, the author of the repo will **not** be held responsible.

---

### Setup
When setting up the intermediate sender and recipient Gmail account(s), enable `POP Download` and `IMAP Access` by following the steps in this [link](https://support.cloudhq.net/how-to-check-if-imap-is-enabled-in-gmail-or-google-apps-account/).
Once IMAP and POP are enabled, generate an App Password by following the steps in the Google article [here](https://support.google.com/accounts/answer/185833?hl=en). If the `App Password` setting is not visible under `Security`, enable two-factor authentication (2FA) for the Gmail account first.
When compiling the code, update the lines that set `emailToAddress`, `password` and `emailToAddress`. The value for `password` must be the `App Password` generated in the previous step. Note that the values for `emailToAddress` and `emailToAddress` can be the same.
### Used:
1. `EAGetMail` library from Nuget Package Manager.
2. `Costura` and `Costura Fody` from Nuget Package Manager, in order to bundle all the DLLs together. This actually bulked up my implant, but in this case I don't think that matters much, as this implant is FUD till now :).

### Precautions to be taken by Operator before Using Gmail as C2:
1. Make sure the command sent via Gmail is in `Unread` mode (if not, mark it as unread), because the implant scans the `Last/latest Unread` mail and checks whether its body starts with "`in:`". If it does, the implant treats that text body as a legitimate command, marks that mail as `Read`, and continues this way until the end.
Here is the snippet:
![latest_unreadMail](https://github.com/reveng007/SharpGmailC2/blob/main/img/latest_unreadMail.PNG)
### C2 In-Action:
https://user-images.githubusercontent.com/61424547/201413790-aa4c9948-d909-45d0-853e-2737e55ae4ef.mp4
### Quick Scan:
1. Using [@matterpreter](https://twitter.com/matterpreter)'s [DefenderCheck](https://github.com/matterpreter/DefenderCheck):
![DefenderCheck](https://github.com/reveng007/SharpGmailC2/blob/main/img/DefenderCheck.PNG)
2. Using [Antiscan.me](https://antiscan.me/):
![AntiScan.me](https://github.com/reveng007/SharpGmailC2/blob/main/img/AntiScan.me.PNG)
3. [Capa](https://github.com/mandiant/capa) Scan:
![capa_scan](https://github.com/reveng007/SharpGmailC2/blob/main/img/capa_scan.PNG)
It seems that **capa** is not able to detect the capabilities of my client implant at all. That absence itself creates suspicion, though, and would prompt a malware analyst to give the binary a second look.
4. WireShark Packet Capture:
![smtp_capture](https://github.com/reveng007/SharpGmailC2/blob/main/img/smtp_capture.PNG)
We can see that the commands sent by the operator via Gmail and the information exfiltrated/ sent out are all protected by Gmail's TLS encryption. On top of that, the (marked) IP address isn't suspicious at all; in other words, it is OPSEC safe.
![ip_lookup](https://github.com/reveng007/SharpGmailC2/blob/main/img/ip_lookup.PNG)
### Threat Detection
SharpGmailC2 generates the following generic behaviour, which can assist defenders in detecting `SharpGmailC2` or other processes that leverage Gmail mail protocols for command and control:
* Anomalous increase in DNS queries for `imap.google.com` and network connections to other Google domains, e.g. `1e100.net.`
```
# Monitor high network connections from a particular processID
Channel=Microsoft-Windows-Sysmon
(EventID=3 OR EventID=22) (3=Network Connection, 22=DNS)
(DestinationHostname=*.1e100.net OR QueryName=*.gmail.com)
```

* Invocation of a `powershell` process from a binary process (`.dll` or `.exe`)
```
Channel=Microsoft-Windows-Sysmon
EventID=1
CommandLine=powershell.exe
(ParentImage=*.exe OR ParentImage=*.dll)
```
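To show how the two Sysmon-style queries in the Threat Detection section could be applied, here is an added Python example (not part of the SharpGmailC2 repository) that runs both rules over a handful of constructed Sysmon-style events and, going one step beyond the page, correlates them: a `powershell.exe` child is rated higher when its parent is also the process talking to Gmail. The implant path, process IDs and hostnames are made up.

```python
import fnmatch
from collections import Counter

# Constructed Sysmon-style events (not real telemetry). EventID 22 = DNS query,
# 3 = network connection, 1 = process creation; field names follow Sysmon's schema.
IMPLANT = r"C:\Users\bob\AppData\Local\Temp\updater.exe"  # hypothetical path
SAMPLE_EVENTS = [
    {"EventID": 22, "ProcessId": 4242, "Image": IMPLANT, "QueryName": "imap.gmail.com"},
    {"EventID": 22, "ProcessId": 4242, "Image": IMPLANT, "QueryName": "smtp.gmail.com"},
    {"EventID": 3, "ProcessId": 4242, "Image": IMPLANT, "DestinationHostname": "lhr48s29-in-f5.1e100.net"},
    {"EventID": 3, "ProcessId": 4242, "Image": IMPLANT, "DestinationHostname": "lhr48s29-in-f5.1e100.net"},
    {"EventID": 22, "ProcessId": 4242, "Image": IMPLANT, "QueryName": "imap.gmail.com"},
    {"EventID": 22, "ProcessId": 1337, "Image": r"C:\Program Files\Browser\browser.exe", "QueryName": "example.org"},
    {"EventID": 1, "ProcessId": 5151, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessId": 4242, "ParentImage": IMPLANT, "CommandLine": "powershell.exe -c Get-Process"},
]

GMAIL_EDGE_PATTERNS = ("*.gmail.com", "*.1e100.net")  # wildcards from the page's first query


def is_gmail_edge_event(event):
    """True for a DNS query (22) or network connection (3) to a Gmail/Google edge host."""
    field = "QueryName" if event["EventID"] == 22 else "DestinationHostname"
    name = (event.get(field) or "").lower().rstrip(".")  # tolerate trailing-dot FQDNs
    return any(fnmatch.fnmatch(name, p) for p in GMAIL_EDGE_PATTERNS)


def rule_gmail_traffic(events, threshold=3):
    """Rule 1: process IDs whose Gmail/1e100.net DNS+connection events reach the threshold."""
    counts = Counter(e["ProcessId"] for e in events
                     if e["EventID"] in (3, 22) and is_gmail_edge_event(e))
    return sorted(pid for pid, n in counts.items() if n >= threshold)


def rule_powershell_child(events):
    """Rule 2 as on the page: powershell.exe spawned by a .exe/.dll parent (noisy alone; see detect())."""
    hits = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("\\powershell.exe"):
            continue
        parent = e["ParentImage"].lower()
        if parent.endswith(".exe") or parent.endswith(".dll"):
            hits.append((e["ParentProcessId"], e["ProcessId"]))
    return hits


def detect(events, threshold=3):
    """Run both rules; rate a powershell child higher when its parent also talks to Gmail."""
    talkers = set(rule_gmail_traffic(events, threshold))
    alerts = [("gmail_traffic", pid) for pid in sorted(talkers)]
    for parent, child in rule_powershell_child(events):
        label = "powershell_from_gmail_talker" if parent in talkers else "powershell_child"
        alerts.append((label, parent, child))
    return alerts
```

On the sample data, pid 4242 accumulates five Gmail-edge events and is also the parent of the `powershell.exe` child, so `detect()` reports it under both labels.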
### Honourable Mentions:
- Got enlisted in the Golden Source of the C2 Matrix (just underneath SharpC2 by [@_RastaMouse](https://twitter.com/_RastaMouse) and [@_xpn_](https://twitter.com/_xpn_)): [google_Sheet](https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0).

### Credits:
1. Inspired by [NamedPipes](https://github.com/malcomvetter/NamedPipes) from [malcomvetter](https://www.linkedin.com/in/malcomvetter/).
2. Much much much thanks to [@SoumyadeepBas12](https://twitter.com/SoumyadeepBas12) for helping me out with the proper code structure of this project! :smiley: