DefCon 2019 proof of concept demonstrating how to use SaaS for CnC
Python
Latest commit: dbbfd92 (Aug 10, 2019) by rcanzanese: Merge pull request #1 from NetskopeOSS/doc_change_bug_fix ("README changes, minor bug fix, additional documentation")
| Name | Latest commit message | Commit time |
|---|---|---|
| saasy_boi | README changes, minor bug fix, additional documentation | Aug 10, 2019 |
| LICENSE | Initial version of saasy_boi | Aug 8, 2019 |
| README.md | README changes, minor bug fix, additional documentation | Aug 10, 2019 |
| requirements.txt | Initial version of saasy_boi | Aug 8, 2019 |

README.md

saas_cnc

This is a project for the Cloud Village at DefCon 27, demonstrating how easily attackers and malware authors can use SaaS and social media services as command-and-control (C2) channels.

This code is a proof of concept intended for research purposes only. It does not contain any payloads. It is not weaponized.

Design was in no small part influenced by:

We leverage the following apps/services:

Retrieving API keys

  • Github Gist
  • Pastebin

Command and Control

  • Slack
  • Twitter
  • Github

File Exfiltration

  • Slack
  • Imgur (images only)
  • Dropbox
  • File.io

saasy_boi offers file upload and download/execute functionality, reverse shell functionality, and can take and upload screenshots of the active screen.

The key design goal is to be robust to rotating API keys, to being banned from individual platforms, and to IDS/IPS. The weakness that can be exploited is that the initial fetching of API keys from Github and Pastebin requires those locations to be hard-coded, which gives defenders fixed indicators to block or alert on. There are some potential workarounds there (including maybe just hard-coding the API keys for Slack from the start!).

Note that this code works on my configuration of my machines, and even though I've successfully tested it on Mac, Linux (Ubuntu 18.04), and Windows, it may require some work to run in your particular environment. No guarantee of this code working or warranty of any kind is implied.

Again, this code is a proof of concept intended for research purposes only. It does not contain any payloads. It is not weaponized.
