Mac/Command_and_Control/Custom_Command_and_Control_Protocol.md

# Custom Command and Control Protocol

MITRE ATT&CK Technique: [T1146](https://attack.mitre.org/wiki/Technique/T1094)

## Communication over Bitbucket Snippets
The use of a legitimate service as transport is a common technique to evade detection by masquerading as the legitimate service.

Below are instructions to run a script to simulate traffic from a malware implant that communicates via a custom protocol implemented in [Bitbucket Snippets](https://confluence.atlassian.com/bitbucket/snippets-719095082.html).

The malware itself isn't included, just the traffic simulation.

### Installation

#### Step 1: Create a new Bitbucket account

We recommend using a fresh account for this so as not to pollute the snippets of your existing account.

https://bitbucket.org/account/signup/

#### Step 2: Include its credentials in `auth.json`
In the directory [Payloads/Custom_Command_and_Control_Protocol_Bitbucket_Snippets](Payloads/Custom_Command_and_Control_Protocol_Bitbucket_Snippets):

```
cp auth.json.template auth.json
```

Edit `auth.json` to include the username, email, and password of the Bitbucket account. `auth.json` should not be added to version control.

### Step 3: Install dependencies
```
pip install -r requirements.txt
```

### Usage
To simulate the network traffic, run:
```
python replay.py
```

You will need to be using Python 3.

This will make requests to `bitbucket.org` urls, recorded from an interactive session with the malware.
The session recording of the malware is available to view and modify at [traffic_history.json](bitbucket_protocol/traffic_history.json)
Add Custom C2 Protocol - Bitbucket Snippets 2018-02-22 13:47:47 +11:00			`# Custom Command and Control Protocol`

			`MITRE ATT&CK Technique: [T1146](https://attack.mitre.org/wiki/Technique/T1094)`

			`## Communication over Bitbucket Snippets`
			`The use of a legitimate service as transport is a common technique to evade detection by masquerading as the legitimate service.`

			`Below are instructions to run a script to simulate traffic from a malware implant that communicates via a custom protocol implemented in [Bitbucket Snippets](https://confluence.atlassian.com/bitbucket/snippets-719095082.html).`

			`The malware itself isn't included, just the traffic simulation.`

			`### Installation`

			`#### Step 1: Create a new Bitbucket account`

			`We recommend using a fresh account for this so as not to pollute the snippets of your existing account.`

			`https://bitbucket.org/account/signup/`

			#### Step 2: Include its credentials in `auth.json`
Move scripts to Payloads directory 2018-02-27 14:23:41 +11:00			`In the directory [Payloads/Custom_Command_and_Control_Protocol_Bitbucket_Snippets](Payloads/Custom_Command_and_Control_Protocol_Bitbucket_Snippets):`
Add Custom C2 Protocol - Bitbucket Snippets 2018-02-22 13:47:47 +11:00
			```
			`cp auth.json.template auth.json`
			```
Move scripts to Payloads directory 2018-02-27 14:23:41 +11:00
Add Custom C2 Protocol - Bitbucket Snippets 2018-02-22 13:47:47 +11:00			Edit `auth.json` to include the username, email, and password of the Bitbucket account. `auth.json` should not be added to version control.

			`### Step 3: Install dependencies`
			```
			`pip install -r requirements.txt`
			```

			`### Usage`
			`To simulate the network traffic, run:`
			```
			`python replay.py`
			```

			`You will need to be using Python 3.`

			This will make requests to `bitbucket.org` urls, recorded from an interactive session with the malware.
			`The session recording of the malware is available to view and modify at [traffic_history.json](bitbucket_protocol/traffic_history.json)`