Release of AutoPoC and SandboxSpy
Last year and the year before, I spent a lot of time on a project called AutoPoC, which I presented at both BSides London last year and SecuriTay this year. At the end of my second talk, I said I might release the AutoPoC framework and SandboxSpy, a project I was working on.
This short blog post explains what each tool does and overviews the use/reason for the release. The backbone of both projects leverages Thinkst's CanaryTokens project. During the AutoPoC research they were nice enough to give me access to their paid API; however, the open-source version on GitHub will work just as well if you want to recreate your own instance of the project.
HoneyPoC and AutoPoC are two combined projects that were created to investigate how easy it is to poison different data feeds and whether there is integrity in parsing data and passing it to different parties.
The secondary objective was to identify what range of people run things directly from GitHub. The preliminary finding from the original HoneyPoC project was that, it appeared, folks will run anything blindly; but as I automated the project further, it became apparent that different geographic locations had a deeper interest in different types of CVEs and software vulnerabilities.
Therefore, I am releasing the underlying framework that AutoPoC is built upon so that defensive teams can learn from how the binaries are structured, look at how a disinformation campaign may affect their internal landscape, and get a better understanding of how I automated misinformation with CVE proofs of concept.
Caveat/Disclaimer: While I'm releasing AutoPoC, the framework on its own is harmless, as it requires some prerequisites to build the automated backend, but the output code is technically malware, so be careful what you do with it; it's for educational purposes etc., and I'm not liable if you use it for crime or other chaos.
The framework and its code can be found here: https://github.com/ZephrFish/AutoHoneyPoC
In addition to the framework, I also built a project called SandboxSpy, which is detailed below.
Initially an idea to profile sandboxes, the code is written to collect environment variables and send them back, encoded as a Base32 string, over HTTP to an endpoint.
The project was born off the back of the data analysis performed on the AutoPoC results. Different types of analytics were observed on each analysis platform that profiled and signatured the AutoPoC binaries.
The primary goal is to understand whether we're in a sandbox or not, based on the path and the domain/username.
https://github.com/ZephrFish/SandboxSpy
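To make the mechanism above concrete from the receiving side, here is an added example (my code, not SandboxSpy's, and not taken from the repo) of what the endpoint operator sees: it Base32-encodes the three fields the post names (path, domain, username), decodes such a token back out of an HTTP access-log line, and groups the reporting source addresses by identical (domain, username) environment, which is the kind of analytics that lets you tell an analysis platform apart from a real user. The `|`-separated field layout, the `/beacon/<token>` URL shape and the log lines are all constructed assumptions for this example; the actual wire format is whatever the repo implements.

```python
import base64
import re
from urllib.parse import urlsplit

# Fields the post says a SandboxSpy-style beacon is built from (constructed layout:
# joined with '|' before encoding; the real project's layout may differ).
FIELDS = ("path", "domain", "username")


def encode_beacon(fields: dict) -> str:
    """Join the fields and Base32-encode them, stripping '=' padding so the
    token can sit in a URL path (or a DNS label) without escaping."""
    raw = "|".join(fields.get(k, "") for k in FIELDS).encode("utf-8")
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def decode_beacon(token: str) -> dict:
    """Reverse of encode_beacon. Raises ValueError (binascii.Error is a subclass)
    on anything that is not a well-formed beacon, so callers can skip junk."""
    token = token.upper()
    token += "=" * (-len(token) % 8)          # restore the padding we stripped
    raw = base64.b32decode(token).decode("utf-8")
    parts = raw.split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count in beacon")
    return dict(zip(FIELDS, parts))


# Common-log-format request line; only the request path matters here.
LOG_RE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "GET (?P<uri>\S+) HTTP/1\.[01]"'
)


def parse_log_line(line: str):
    """Return {'src', 'ts', 'path', 'domain', 'username'} for a beacon hit,
    or None for any request that does not carry a decodable token."""
    m = LOG_RE.match(line)
    if not m:
        return None
    token = urlsplit(m.group("uri")).path.rsplit("/", 1)[-1]
    try:
        fields = decode_beacon(token)
    except ValueError:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"), **fields}


def profile(lines):
    """Group reporting sources by (domain, username). Many distinct sources
    reporting the very same environment is the signature of an automated
    analysis platform rather than a person who ran the binary once."""
    seen = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        seen.setdefault((rec["domain"], rec["username"]), set()).add(rec["src"])
    return seen


# Constructed sample data: two hits from the same generic environment, one from a
# distinct one, plus an unrelated request that must be ignored.
SAMPLE_BEACONS = [
    ("10.0.0.5", {"path": r"C:\Users\analyst\Desktop\poc.exe", "domain": "WORKGROUP", "username": "analyst"}),
    ("10.0.0.6", {"path": r"C:\Users\analyst\Desktop\poc.exe", "domain": "WORKGROUP", "username": "analyst"}),
    ("10.0.0.7", {"path": r"D:\tools\poc.exe", "domain": "CORP", "username": "jbloggs"}),
]
SAMPLE_LOG = [
    f'{src} - - [01/Jan/2023:12:00:00 +0000] "GET /beacon/{encode_beacon(f)} HTTP/1.1" 200 2'
    for src, f in SAMPLE_BEACONS
] + ['10.0.0.8 - - [01/Jan/2023:12:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0']

if __name__ == "__main__":
    for env, sources in profile(SAMPLE_LOG).items():
        print(f"{env}: {len(sources)} source(s) -> {sorted(sources)}")
```

Running it on your own endpoint's access log replaces `SAMPLE_LOG` with the real lines; the grouping is deliberately naive (exact match on domain and username) so the heuristic stays visible and easy to adjust.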
The repo itself consists of two main factors:
Enjoy folks, it's a project I created because I was bored one evening and it grew arms and legs!