security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4c32f9d7c8f00f68acd9ea8cf623b073251932cb
atomic-red-team/Mac/Command_and_Control/Custom_Command_and_Control_Protocol.md
T
Alexander Hogue 1cdbdc51bf Move scripts to Payloads directory
2018-02-27 14:24:06 +11:00

1.6 KiB
Raw Blame History

Custom Command and Control Protocol

MITRE ATT&CK Technique: T1146

Communication over Bitbucket Snippets

The use of a legitimate service as transport is a common technique to evade detection by masquerading as the legitimate service.

Below are instructions to run a script to simulate traffic from a malware implant that communicates via a custom protocol implemented in Bitbucket Snippets.

The malware itself isn't included, just the traffic simulation.

Installation

Step 1: Create a new Bitbucket account

We recommend using a fresh account for this so as not to pollute the snippets of your existing account.

https://bitbucket.org/account/signup/

Step 2: Include its credentials in auth.json

In the directory Payloads/Custom_Command_and_Control_Protocol_Bitbucket_Snippets:

cp auth.json.template auth.json

Edit auth.json to include the username, email, and password of the Bitbucket account. auth.json should not be added to version control.

Step 3: Install dependencies

pip install -r requirements.txt

Usage

To simulate the network traffic, run:

python replay.py

You will need to be using Python 3.

This will make requests to bitbucket.org urls, recorded from an interactive session with the malware. The session recording of the malware is available to view and modify at traffic_history.json

Reference in New Issue View Git Blame Copy Permalink