Introduction to Callidus

Hello All,

Performing Red Team assessments is becoming more challenging day by day. In mature environments we see a lot of custom tool development, and the community keeps discovering new techniques to overcome various challenges.

While thinking about such challenges, I came up with the idea of creating a tool that leverages legitimate services to establish a command & control communication channel, since such services are likely to be whitelisted or less monitored because corporate environments depend on them.

This is not a new technique; we have already seen similar projects that leverage legitimate services for command & control communication channels, such as Slackor for Slack C2, DaaC2 for Discord C2, or domain fronting techniques.

In this post I will introduce a tool called "Callidus", which I created to learn and improve my knowledge of developing a custom toolset in C# and of leveraging cloud services for the benefit of the user. I will also provide an overview of how to set up the tool and walk you through the steps to configure and use it.

About Callidus

Callidus is the Latin word for "sneaky". The tool was developed in C# on the .NET Core framework and allows operators to leverage O365 services for establishing a command & control communication channel. It uses the Microsoft Graph APIs to communicate with the O365 services. The tool can be found on my github repo.

Currently supports:
  • Outlook
  • OneNote
  • Microsoft Teams

What is O365 ?

Office 365 (O365) is a cloud-based subscription to a suite of Office programs offered by Microsoft. Office 365 is an integrated experience of apps and services, designed to help you pursue your passion and grow your business.

Everything you need in one solution:
  • Comes with Office - Stay up to date on any device with the latest versions of Word, Excel, PowerPoint, and more.
  • Communicate more effectively - Get your team on the same page with group chat, online meetings, calling, and web conferencing.
  • Connect, plan and get work done - Work efficiently with email, calendar, contacts, tasks, and more together in one place.
  • Automate business process - Streamline, automate, and transform processes with rich forms, workflows, and custom mobile apps.
  • Customize your workspace - Add in the Microsoft apps and third-party services you use to keep the business moving forward.
  • Secure access to your business - Access sensitive information with user authentication and automated policy-based rules.
  • Protect your information - Secure business data on personal and company-owned devices.
  • Defend against cyber threats - Guard against unsafe attachments, suspicious links, and other malware.

What is Microsoft Graph ?

Microsoft Graph is a gateway to the data and intelligence in Microsoft 365. It provides a unified programmable model that you can use to access the tremendous amount of data in Office 365, Windows 10, and Enterprise Mobility + Security.

Microsoft Graph exposes REST APIs and client libraries to access data on the following Microsoft 365 services:
  • Office 365 services: Delve, Excel, Microsoft Bookings, Microsoft Teams, OneDrive, OneNote, Outlook/Exchange, Planner, and SharePoint
  • Enterprise Mobility and Security services: Advanced Threat Analytics, Advanced Threat Protection, Azure Active Directory, Identity Manager, and Intune
  • Windows 10 services: activities, devices, notifications
  • Dynamics 365 Business Central




Components and modules of Callidus
  • Outlook - The Outlook module has 2 sub modules:
    • Server (OutlookC2) - used by the operator to send commands and read their output. It creates a draft message in the folder with the subject "Input", which is read by the implant. Once the command is sent, the server waits for the implant to reply with the output in another draft message with the subject "Output", which the server keeps polling for. The output is then rendered in the console and the "Output" draft message is deleted.
    • Implant (OutlookC2Client) - deployed on the target system; it reads and executes the command on the system and sends back the output. It reads the draft message with the subject "Input" and executes the command written in the body. After the command is executed it creates a new draft message with the subject "Output" whose body carries the output, which is then read by the server.
  • OneNote - The OneNote module also has 2 sub modules:
    • Server (OneNoteC2) - used by the operator to create a to-do list on the OneNote page, which is read by the implant to execute the commands.
    • Implant (OneNoteC2Client) - deployed on the target system; it reads and executes the command and writes the output back to the OneNote page. It reads the to-do items with pending status and executes the commands. Once a command is executed, the output is written below the to-do list and the status of the to-do item is updated to "completed".
  • Microsoft Teams - Microsoft Teams has only 1 module:
    • Implant (TeamsC2) - deployed on the target system; it reads and executes the command and replies with the output on the Teams channel. It reads the messages from the channel, picks the messages that do not yet have a reply, executes the commands and posts the reply to the same message. There is a limitation on the message size in Microsoft Teams of 28 KB.


Pre-Requirements for Callidus

Before running Callidus complete the following prerequisites:
  • Create or use a valid Azure AD tenant - Set up a developer account, which is free, and use it for testing the various modules in Callidus. For creating the developer account follow the steps mentioned in the link. An existing account that has permission to register applications in Azure can be used as well.
  • Register application in Azure - Register one or more applications (depending on the operator who uses the tool) with any name and grant the permissions required to run the Callidus modules. Do the following steps to register an application in the Azure Portal:
    • Login to Azure Portal
    • Search for and select App registrations 
    • Click on New registration
    • Enter the application name
    • Select supported account types as "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".
    • Click on Register
  • Assign Permissions - Once the application is registered, assign the permissions that are required to run the various modules of Callidus. Two types of permissions exist:
    • Delegated - Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests and the app can act as the signed-in user when making calls to Microsoft Graph. Some delegated permissions can be consented by non-administrative users, but some higher-privileged permissions require administrator consent.
    • Application - Application permissions are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
    • Permissions required to run the various modules of Callidus (all permissions can be assigned to a single application, which is then used by all Callidus modules):
      • Outlook (Application permission):
        • Directory.Read.All
        • Directory.ReadWrite.All
        • Mail.ReadWrite
        • User.Read.All
        • User.ReadWrite.All
      • OneNote (Delegated permission):
        • Notes.Read
        • Notes.ReadWrite
        • Notes.Read.All
        • Notes.ReadWrite.All
      • Microsoft Teams (Delegated permission):
        • Group.Read.All
        • Group.ReadWrite.All
  • Modify the App.config file - Once the above steps are completed, modify the App.config file of each Callidus module. Each module has different requirements; below are the details:
    • Outlook - Below are the parameters required for OutlookC2 and OutlookC2Client to communicate with Outlook:
      • Instance - "https://login.microsoftonline.com/{0}"
      • Tenant - Found in the Azure Active Directory service or on the app registration page of any registered application. It is the unique identifier (GUID) of the Azure tenant.
      • ClientId - Each registered application has a unique identifier (GUID), also known as the application ID.
      • ClientSecret - The credential used by the application to access the Graph APIs. To create a ClientSecret follow the steps below:
        • Login to Azure Portal
        • Search for and select App registrations 
        • Click on the application registered in the steps above.
        • Go to Certificates & secrets
        • Click on New client secret
        • Enter any name in the Description field, set Expires to Never (the client secret will never expire) and click on Add.
        • Copy the Value and paste it as the ClientSecret value in the App.config file (Note: once you refresh or leave the page the Value field is masked and the value cannot be retrieved).
      • User - Specify the display name of the user that will be used for the communication, in whose mailbox a folder is created for crafting the draft messages.
      • FolderName - Create a folder in the user's mailbox and specify the name of that folder as the value.
    • OneNote - Below are the parameters required for OneNoteC2 and OneNoteC2Client to communicate with OneNote:
      • ClientId - Each registered application has a unique identifier (GUID), also known as the application ID.
      • UserName - Specify the email ID of the user that will be used for login and for updating the OneNote page.
      • Password - Specify the password of the user that will be used for login and for updating the OneNote page.
    • Microsoft Teams - Below are the parameters required for TeamsC2 to communicate with the Teams channel:
      • ClientId - Each registered application has a unique identifier (GUID), also known as the application ID.
      • GroupName - Specify the Group/Teams channel name.
      • UserName - Specify the email ID of the user that will be used for login and for sending the chat messages on the Teams channel.
      • Password - Specify the password of the user that will be used for login and for sending the chat messages on the Teams channel.
  • Build the application - Follow the steps below to build the application, or else view this post for publishing the application as a single binary.
    • Click on Build in Visual Studio
    • Click on Publish
    • Click on New Folder
    • Click on the edit icon near the Target Framework settings
    • Modify the Deployment Mode settings to "Self-Contained"
    • Select the Target Runtime to win-x64 or win-x86 depending on the target environment.
    • Expand the File Publish Options
    • Select the checkbox "Trim unused assemblies"

Demo

Outlook



OneNote



Microsoft Teams



Detection / Prevention
  • Monitor unknown processes accessing legitimate services.
  • Monitor calls to the graph.microsoft.com domain.
  • Monitor parent-child relationships of unknown processes.
  • Monitor execution of built-in system utilities such as cmd.exe, whoami and hostname, especially when spawned by an unknown process.
  • Implement AppLocker and Windows Defender Application Control.

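As an added example (not part of the original post or the Callidus project), the following Python script applies the first four checks above to constructed, simplified Sysmon-style events: it flags a process that is not a known Microsoft 365 client connecting to graph.microsoft.com, and then any cmd.exe/whoami/hostname execution whose parent is such a process. The allowlist of expected Graph clients, the event field names and the sample paths are assumptions; baseline them against your own telemetry.

```python
"""Added detection example (not part of Callidus): flag unknown processes that connect
to graph.microsoft.com and shell utilities they spawn. Events are constructed,
simplified Sysmon-style records in time order: id 3 = network connection, id 1 = process create."""

GRAPH_HOST = "graph.microsoft.com"
# Assumed allowlist of binaries expected to call the Graph API in a typical M365 estate;
# baseline it from your own environment before using it.
KNOWN_GRAPH_CLIENTS = {"outlook.exe", "onenote.exe", "teams.exe", "ms-teams.exe", "msedge.exe"}
# Built-in utilities the post lists as worth watching when spawned by an unknown process.
SHELL_UTILS = {"cmd.exe", "whoami.exe", "hostname.exe", "powershell.exe"}

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest": "graph.microsoft.com"},
    {"id": 3, "image": r"C:\Users\bob\AppData\Local\Temp\OutlookC2Client.exe",
     "dest": "graph.microsoft.com"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami",
     "parent": r"C:\Users\bob\AppData\Local\Temp\OutlookC2Client.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_graph_host(host):
    """Exact or subdomain match, so 'graph.microsoft.com.evil.example' does not match."""
    host = host.lower()
    return host == GRAPH_HOST or host.endswith("." + GRAPH_HOST)

def detect(events):
    """Return a list of (rule, subject, detail) alerts for events in time order."""
    alerts, suspects = [], set()  # suspects: unknown binaries seen talking to Graph
    for e in events:
        if e["id"] == 3 and is_graph_host(e["dest"]):
            if basename(e["image"]) not in KNOWN_GRAPH_CLIENTS:
                suspects.add(e["image"].lower())
                alerts.append(("unknown_graph_client", e["image"], e["dest"]))
        elif e["id"] == 1 and basename(e["image"]) in SHELL_UTILS:
            if e["parent"].lower() in suspects:
                alerts.append(("shell_spawned_by_graph_client", e["parent"], e["cmdline"]))
    return alerts

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject} -> {detail}")
```

Because Graph traffic is TLS, the destination host is best taken from Sysmon DNS query events (ID 22) or proxy logs rather than from the connection itself; the correlation logic stays the same.
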
Thanks for reading this post.

Special thanks to all my friends who helped / supported / motivated me for writing blogs. 🙏

Comments

  1. Informative blog. Thank you for sharing with us.
    AWS Online Training
  2. how about multiple client connections? Is it implemented here?
    Replies
    1. Currently multiple client connections are not implemented.
  3. This is an excellent topic to discuss because Microsoft 365 is so important for teamwork and productivity in today's business environment. And individuals looking for Microsoft 365 services should use Microsoft 365 Edmond OK plans, as their outcomes are superior.