Last year and the year before, I spent a lot of time on a project called AutoPoC, which I presented at both BSides London last year and SecuriTay this year. At the end of my second talk, I said I might release the AutoPoC framework and Sandbox Spy, a project I was working on.
This short blog post explains what each tool does and gives an overview of how they are used and why I am releasing them. The backbone of both projects leverages Thinkst's CanaryTokens project; during the AutoPoC research, they were nice enough to give me access to their paid API. However, the open source version on GitHub will work just as well if you want to recreate your own instance of the project.
HoneyPoC and AutoPoC are two combined projects that were created to investigate how easy it is to poison different data feeds and whether there is integrity in parsing data and passing it to different parties.
The secondary objective was to identify what range of people run things directly from GitHub. The preliminary finding from the original HoneyPoC project was that folks will, it appeared, run anything blindly; but as I automated the project further, it became apparent that different geographic locations had a deeper interest in different types of CVEs and software vulnerabilities.
Therefore I am releasing the underlying framework that AutoPoC is built upon, so that defensive teams can learn how the binaries are structured, look at how a disinformation campaign may affect their internal landscape, and get a better understanding of how I automated misinformation with CVE proofs of concept.
Caveat/Disclaimer: While I'm releasing AutoPoC, the framework on its own is harmless, as it requires some prerequisites to build the automated backend; but the code it outputs is technically malware, so be careful what you do with it. It's for educational purposes etc., and I'm not liable if you use it for crime or other chaos.
The framework and its code can be found here: https://github.com/ZephrFish/AutoHoneyPoC
In addition to the framework, I also built a project called SandboxSpy, which is detailed below.
Initially an idea for profiling sandboxes, the code is written to read environment variables and send them back as a Base32 string over HTTP to an endpoint.
The project was born off the back of the data analysis performed for the AutoPoC project: each analysis platform that profiled and signatured the AutoPoC binaries produced a different type of analytics, which is what prompted a tool to profile the platforms themselves.
The primary goal is to understand if we're in a sandbox or not based on the path and domain/username.
The repo itself consists of two main components:
- SandBoxSpy.go - This is the main tool; there was an initial binary in the repository, but I've removed it and kept the Go source code for folks to read.
- decoder.go - Takes the Base32 string and decodes it; there is a compiled binary version that will simply decode Base32. Although there is nothing malicious in this binary, I still recommend you compile it yourself for peace of mind.
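The decoder side is the part a defender actually touches: when a beacon of the kind described above turns up in proxy or web-server logs, an analyst wants to spot the Base32 value and turn it back into fields. The following Go program is an added example written for this post, not SandboxSpy's own code; it assumes a hypothetical beacon layout of one `KEY=VALUE` pair per line, Base32-encoded with the standard alphabet and sent as a `d` query parameter, and the log lines it scans are constructed samples.

```go
package main

import (
	"bufio"
	"encoding/base32"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Beacon layout assumed by this example (NOT SandboxSpy's real wire format):
// one "KEY=VALUE" pair per line, Base32 (standard alphabet) encoded, carried
// in a "d" query parameter of an HTTP GET.

// base32Pattern matches the standard Base32 alphabet with optional '=' padding.
var base32Pattern = regexp.MustCompile(`^[A-Z2-7]+=*$`)

// LooksLikeBase32 is a cheap pre-filter for log triage: the value must use the
// standard alphabet and be a whole number of 8-character groups.
func LooksLikeBase32(s string) bool {
	return len(s) >= 8 && len(s)%8 == 0 && base32Pattern.MatchString(s)
}

// DecodeBeacon decodes a Base32 beacon into its KEY=VALUE fields.
// Any line without '=' is treated as malformed rather than silently dropped.
func DecodeBeacon(encoded string) (map[string]string, error) {
	raw, err := base32.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	fields := map[string]string{}
	for _, line := range strings.Split(string(raw), "\n") {
		if line == "" {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed field %q", line)
		}
		fields[k] = v
	}
	return fields, nil
}

// ExtractBeacons scans log lines of the form "<client> <method> <url>" and
// returns the decoded fields of every request whose "d" parameter is Base32.
// Lines that do not parse as a beacon are skipped; a value that passes the
// syntactic check but fails to decode is reported as an error.
func ExtractBeacons(logText string) ([]map[string]string, error) {
	var out []map[string]string
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		parts := strings.Fields(sc.Text())
		if len(parts) < 3 {
			continue
		}
		u, err := url.Parse(parts[2])
		if err != nil {
			continue
		}
		d := u.Query().Get("d")
		if !LooksLikeBase32(d) {
			continue
		}
		fields, err := DecodeBeacon(d)
		if err != nil {
			return nil, fmt.Errorf("line %q: %w", sc.Text(), err)
		}
		out = append(out, fields)
	}
	return out, sc.Err()
}

// SampleLog returns constructed proxy log lines. The beacon is encoded here
// from a constructed profile so the example runs offline; the other lines are noise.
func SampleLog() string {
	profile := "USERNAME=analyst\nUSERDOMAIN=LAB\nEXEPATH=C:\\Users\\analyst\\Downloads\\poc.exe\n"
	beacon := base32.StdEncoding.EncodeToString([]byte(profile))
	return strings.Join([]string{
		"10.0.0.5 GET http://example.invalid/index.html",
		"10.0.0.5 GET http://example.invalid/c?d=" + beacon,
		"10.0.0.7 GET http://example.invalid/c?d=notbase32",
	}, "\n")
}

func main() {
	beacons, err := ExtractBeacons(SampleLog())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for i, b := range beacons {
		fmt.Printf("beacon %d: %v\n", i+1, b)
	}
}
```

The syntactic pre-filter matters in practice: decoding every query value in a busy log is wasteful, and a padded, all-uppercase alphabet of exactly this shape is itself a reasonable hunting signature for this style of exfiltration, whatever field layout a given sample uses.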
Enjoy, folks; it's a project I created because I was bored one evening, and it grew arms and legs!