  • Stars: 256
  • Rank 158,533 (Top 4 %)
  • Language: C#
  • License: MIT License
  • Created almost 2 years ago
  • Updated almost 2 years ago

Repository Details

Our friendly Gmail acts as the server: the implant exfiltrates data via SMTP and reads commands from the C2 (Gmail) via the IMAP protocol.

SharpGmailC2


DISCLAIMER:

This project doesn't work against Windows Defender after 29th of November, 2022. The tool is now signatured by MS Windows as virtool:msil/shgmailz.a!mtb. However, I do plan to upgrade this project in the near future to a newer version named SharpGmailC2V2.


🚫 [Disclaimer]: Use of this project is for Educational/ Testing purposes only. Using it on unauthorised machines is strictly forbidden. If somebody is found to use it for illegal/ malicious intent, author of the repo will not be held responsible.


Setup

When setting up the intermediate sender and recipient Gmail account(s), enable POP Download and IMAP Access by following the steps in this link: https://support.cloudhq.net/how-to-check-if-imap-is-enabled-in-gmail-or-google-apps-account/

Once IMAP and POP are enabled, generate an App Password by following the steps in this article here. If the App Password setting is not visible under Security, enable 2FA verification for the Gmail account first.

When compiling the code, update the lines that set emailToAddress, password and emailToAddress. The value for password should be set to the App Password generated in the previous step. Note that the values for emailToAddress and emailToAddress can be the same.

Used:

  1. EAGetMail library from Nuget Package Manager.
  2. Costura and Costura Fody from Nuget Package Manager, in order to bundle up all the dlls altogether. This actually bulked up my implant, but for this case, I don't think that will matter much as this implant is FUD till now :).

Precautions to be taken by Operator before Using Gmail as C2:

  1. Make sure the command sent via Gmail is in Unread mode (if not, mark it as Unread), as the implant scans the latest unread mail and checks whether it starts with "in:" or not. If it does start with "in:", the implant treats that text body as a legitimate command and marks that mail as Read, and this continues till the end.

Here is the snippet:

latest_unreadMail

C2 In-Action:

GmailC2.mp4

Quick Scan:

  1. Using @matterpreter's DefenderCheck:

DefenderCheck

  2. Using Antiscan.me:

AntiScan.me

  3. Capa Scan:

capa_scan

It seems that capa is not able to detect the capabilities of my client implant at all. But the result definitely creates suspicion, forcing the malware analyst to give the binary a second look.

  4. Wireshark Packet Capture:

smtp_capture

We can see that the commands sent by the operator via Gmail and the information that is exfiltrated are all encrypted by Gmail's TLS encryption. On top of that, the IP address (marked) isn't suspicious at all, or in other words is OPSEC safe.

ip_lookup

Threat Detection

SharpGmailC2 generates the following generic behaviour, which can help defenders detect SharpGmailC2 or other processes that use Gmail mail protocols for command and control:

  • Anomalous increase in DNS calls to imap.google.com and network connections to other Google domains, e.g. 1e100.net.

        # Monitor high network connections from a particular process ID
        # EventID 3 = Network Connection, EventID 22 = DNS
        Channel=Microsoft-Windows-Sysmon
        (EventID=3 OR EventID=22)
        (DestinationHostname=*.1e100.net OR QueryName=*.gmail.com)

  • Invocation of a powershell process from a binary process (.dll or .exe).

        Channel=Microsoft-Windows-Sysmon
        EventID=1
        CommandLine=powershell.exe
        (ParentImage=*.exe OR ParentImage=*.dll)
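
The two behaviours above can be correlated per process rather than alerted on separately. The following is an added example, not code from the SharpGmailC2 project: it counts Sysmon DNS and network events to the page's host patterns per process and notes when the same process also spawned powershell.exe. The sample events, the allow-list of expected processes and the threshold are assumptions constructed for illustration.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Host patterns taken from the page's Sysmon query.
MAIL_HOST_PATTERNS = ("*.1e100.net", "*.gmail.com")
# Assumption: processes expected to reach Gmail on this host; tune per environment.
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed sample events using Sysmon field names (not real telemetry).
UPD = r"C:\Users\Public\updater.exe"
SAMPLE_EVENTS = [
    {"EventID": 22, "ProcessId": 4120, "Image": UPD, "QueryName": "imap.gmail.com"},
    {"EventID": 3, "ProcessId": 4120, "Image": UPD,
     "DestinationHostname": "host-a.1e100.net", "DestinationPort": 993},
    {"EventID": 22, "ProcessId": 4120, "Image": UPD, "QueryName": "smtp.gmail.com"},
    {"EventID": 1, "ProcessId": 5300, "ParentProcessId": 4120, "ParentImage": UPD,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "ProcessId": 900, "DestinationHostname": "host-b.1e100.net",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 22, "ProcessId": 777, "Image": r"C:\Tools\backup.exe",
     "QueryName": "smtp.gmail.com"},
]

def leaf(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events, threshold=3):
    """Return {(pid, image): [reasons]} for processes over the mail-host threshold."""
    mail_hits, ps_parents = Counter(), set()
    for ev in events:
        image = leaf(ev.get("Image", ""))
        if ev["EventID"] in (3, 22):  # 3 = network connection, 22 = DNS query
            host = (ev.get("DestinationHostname") or ev.get("QueryName") or "").lower()
            if image not in EXPECTED_IMAGES and any(
                    fnmatchcase(host, p) for p in MAIL_HOST_PATTERNS):
                mail_hits[(ev["ProcessId"], image)] += 1
        elif ev["EventID"] == 1 and image == "powershell.exe":  # process creation
            ps_parents.add((ev["ParentProcessId"], leaf(ev.get("ParentImage", ""))))
    findings = {}
    for key, count in mail_hits.items():
        if count >= threshold:
            reasons = [f"{count} Gmail/1e100 DNS or network events"]
            if key in ps_parents:
                reasons.append("spawned powershell.exe")
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for (pid, image), reasons in detect(SAMPLE_EVENTS).items():
        print(pid, image, "; ".join(reasons))
```

Browsers and mail clients on the allow-list are skipped, and a process with a single lookup stays below the threshold, which keeps the rule from firing on ordinary Gmail use.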

Honourable Mentions:

Credits:

  1. Inspired by NamedPipes from malcomvetter.
  2. Much much much thanks to @SoumyadeepBas12 for helping me out with the proper code structure of this project! 😃
