
Excellent, welcome. Thank you all for joining us today. This is Maor Bin, I'm sure I said that incorrectly; he can fix it here in a little bit. His presentation today is "Google Apps Script Kill Chain". Before we get going here, I want you all to remember that these videos are all being recorded and they will be available on YouTube. That means if your cell phone goes off, everybody on the internet will then know that you are the one whose cell phone went off in the presentation, so please don't be that person.

I definitely want to thank our sponsors. I'm gonna pull up my cheat sheet here: Varis Pright, Pro Tippity, Tenable, Amazon and The Source of Knowledge are all our major sponsors for this, and without them we could not put this conference on. So thank you all, thank you sponsors very much, and thank you all for being here.

When and if you have questions for this speaker during the presentation or after, please signal me; I'll be standing in the back of the room. You want to have this microphone in your hand; the reason for that is, again, these are being recorded, so someone is going to want to hear your question. Other than that, there is a website, sched.org; come get me later if you want to leave feedback for this presenter, and please do if you have anything you'd like to say. It helps everybody to have more feedback from the audience. So without further ado, have at it.
Hi everyone, thank you for coming. Well, I'll start with a short intro about myself. As this guy mentioned, my name is Maor Bin. I work at Proofpoint as a research lead. I come from a background of Win32 low-level development; I also used to do some reverse engineering for mobile apps and mobile native code. For the last year I'm working on, like, we're doing research on SaaS applications, especially in Google, including some vulnerability disclosure. So we're gonna talk about Google Apps Script and we're gonna present it as, like, a kill chain sort of thing. I don't have a slide on the kill chain itself because I was like, yeah, this is BSides, right, everybody knows what a kill chain is, so that's fine. We'll try to go over the steps. We'll start with an introduction to Google Apps Script, for those of you who are not familiar with that, and after that we'll try to get a bit more malicious and see some examples. I will be switching screens all the time, because I have the slides over here and I will do live demos all the time. So let's start.

Yeah, so as I said, a short overview of Google Apps Script. I don't know how much you are familiar with this service. Like, not much? Okay, okay, I love it, I love it. So how many of you are familiar with the concept of third-party applications? Okay, okay, better. So Google Apps Scripts are in the same family as third-party applications. If I'm a cloud service, or just a cloud provider or something like that, and I want people to develop services that expose what I'm offering, they expose an API, and I as a developer can use that API and use their services. Google Apps Scripts actually do the same, just with some limitations compared to the regular API; we'll try to cover what the difference is and stuff like that.

So if we're speaking about Google Apps Script, it's basically JavaScript, and it's being executed within Google's backend. It's not running on my backend like a third-party application or stuff like that; it's just executed as part of the Google cloud service or backend or whatever you want to call it. And it lets you use some services that are very neat, I think. Like GmailApp lets you send emails and do stuff within your Gmail; it lets you do stuff within your Drive, like DriveApp, Google Drive, and I'm sure everyone here is using Google Drive. And you can do other stuff as well, like connecting to an API or querying another API for the service or stuff like that; it lets you do that as well. So you can automate all your actions. If I were a sysadmin maintaining a Google account, I definitely would be using it, because it's the best way to maintain an account, in my opinion of course.

So we have different types. We have the standalone script, which is basically a file that just, you know, sits in your Google Drive. We have the bound script, which is like, if you think about Microsoft macros, okay, so it's basically bound to a document, bound to a Google Sheet, bound to a form or something like that. And we have another interesting concept, which is the web app. So let's see an example. Alright, so you probably see the example services. We have the Gmail example, which is very simple code, I think, not very complicated, that just goes over your Gmail account; okay, like in my demo it just prints the attachments that are within my emails. We have a simple DriveApp example, okay, which uses DriveApp, and I'm searching in files, okay, and looking for a string, like which document was created on this date and contains the title "hello world". And we have a query to the API, some web API that I found online, the Yahoo API. So I guess now that you see it you're probably thinking, yeah, this is strong, I can definitely use that. During this talk I will be going malicious and will try to see some more examples. This is the legit usage of Google Apps Script, but during this talk we will try abusing it, okay, like trying to scale up campaigns and trying to do some more interesting stuff.

So let's see a quick example of how to run this thing. Okay, so this is the script editor. When you create a file, and I'll show you how to do that in a bit, you just put your code inside; you can create other files as well, and you just run whatever method you want to execute. So if you try to run it, it will be asking for permissions. If I allow this, you see the usage; if not, it stops. So let's review the permissions, and we can see that it asks for reading emails, doing some stuff in your Drive and querying external links. Okay, that's cool, because that's what it does, right? So let's allow it, let's allow it, and that makes it clear: if I allow it, now it's just being executed. You can see I'm printing some logs here, so you can just go to the logs and see, yeah, no logs, because I have no emails, but let's try this one. Yeah, so it just grabs the API and you can see the response of the Yahoo API. Okay, now the interesting thing here is that you've seen that this script was asking for permission. So if we go to my permissions in my account, like the connected apps in my account, we can see the script, what's its name, "example services", right? Yes, so let's refresh this page and you can see it right over here. So this is it, this is basically it.

So this is, as I mentioned, legit usage of Google Apps Script. And if we want to create a script, it is also very, very simple, so let me give an example for that as well. You just go into your Google Drive account and create a new file, and you go Google Apps Script. This one is a standalone script, okay, because it stands by itself, okay, very simple. So you can just write your code here and do whatever necessary, like GmailApp, okay, and do stuff like that. Yeah, so that's the standalone script; you can change its name or whatever.

Let's see an example of a bound script. If I open a Google Sheet, okay, so as I mentioned this is like Microsoft macros, okay, but it doesn't really affect the binary, because there is no binary; we're talking about cloud. If I download this file I won't see a binary difference. I mean, believe me, I checked it, because I was like, yeah, this would be cool if we could do something like put some malicious stuff inside the binary, yeah, but I couldn't find it. So it's just connected, just like a virtual link within your cloud provider. So let's see how to do that. We created a new file, a new sheet, and we go to Tools and open the script editor, and the script editor will be open and we'll see it takes us to the same place; we can write our code right here. The interesting thing about these bound scripts is that you can't access them like a regular file. If the standalone script is lying within your Google Drive, this one, I mean, you can't find it; you can just access it from this sheet, nothing more. So yeah, the same concept here; of course you write your code, the stuff you'd like to register for, malicious stuff, whatever you want.

And the last type is the web app, okay. And the web app is like, you know, you just create an actual web application, like a real web application, and they provide you a link that you can access from anywhere, and you can create your own HTML and do a real web application within it. And the interesting stuff that we'll see, like in this example, this is a static HTML page, okay, it's not doing anything. If we continue a few slides more we'll see an example of self-executing JavaScript that I can use for phishing attacks and stuff like that. And we can see another interesting concept: this web app is using my cloud permissions, so if I'm accessing this link I would be able to get some information, with permissions of course, of the cloud user that accesses this link. So in order to get this link you just have to deploy a web app, like, yeah, new, and as you see you can choose who is gonna execute this app, so it could be me or the user that is accessing it, okay, and that part is really interesting; we'll see why in a few moments. And you can choose who can access it, if it's public or not, okay. So you're getting this new address and you can go and try to access this link and you see this status, okay, which is exactly the HTML that we just created. Okay, so yeah, let's continue.

Yeah, so I'm sure you all understand that this is a very, very powerful tool, as well for IT admins that maintain Google accounts as for attackers, right? You can now think about some usage, how to abuse this kind of thing. So as I said, I don't have a slide of the steps of the kill chain, but I'll try to go over it with you. So the first step is infiltration, right? How do we do infiltration? So as I said, standalone scripts and bound scripts are just files, right? So what can I do? I can just share it, share it with everyone, right? So yeah, that's basically it, we just share it. And the web app, as you'll see, it's a link, right? So I can send it by email, by instant messages, by any other thing that you might think of. Okay, so yeah, that's basically it. And for those of you who are not familiar with how to share a file or how to do stuff like that, it's really, really easy; it's like coming to this file and pressing Share and you choose whoever you want to share it with, okay, really easy. And we just saw an example of getting web app links; I won't go one more time over that, we'll just continue to the next step.

Yeah, so if you want to use Google Apps Scripts in order to get data out of the organization, we can do stuff like auto-forwarding emails and posting to an external URL, and as well use it as a C&C server. Think about that, it's very simple: you just create some random Google account, you create a web app, okay, and start using it as a C&C server. I mean, this is a very powerful tool, right? I wanted to show you some example about it, but I think I have a more interesting example that I want to show, so I'll just talk really short about the Carbanak campaign that we've seen in the wild, which was using Google Apps Script as a C&C server; they also used Google Forms, if you're familiar with that concept, as their C&C server. So yeah, you can imagine it's a very, very powerful tool for attackers, and we've seen it in the wild. So yeah, that's for the exfiltration part.

Now I want to show you some innovative phishing method that we were thinking about in my research. We'll try to do it real quick because we don't have much time. So this is my CV, okay, and if I open it we'll see an encrypted document, right, because I don't want, I want to have my CV and the document is being decrypted down there; the document is being downloaded. So let's check the file. What is this file, right? So before downloading, what was the name? Yeah, I do a lot of stuff with this file, you know. So this is it, and if you go real quick to VirusTotal, I have it right here. [Applause] We'll see, yeah, wow, basically it's a malicious file, as you can tell. So as you already guessed, I was using a Google script in order to create this phishing method, and this is, as you can guess by now, a bound script. Let's examine this script and see what it does. So we'll go to the script editor again, and yeah, this is not the very interesting part; let's just look at the HTML, and we're just seeing that I'm creating an element and providing a download link. And at first I was thinking, yeah, I'm gonna set up a server and connect it to my server and do stuff like that, and then I just realized, why not use Google Drive, right? Yeah, so that's what I'm doing here: I'm just putting the file within Google Drive, and no antivirus, nothing, they don't run it, so why not use it, right?

So yeah, the thing about this method is, if I want to share it, it won't exactly work as expected. And why is that? Because Google will actually block Google scripts if I take a shareable link. If I do something like that, go right here and try to get a shareable link, and copy this link and send it to one of my friends, it won't work now, because they block it. So we can share files, like scale up this campaign, using Google Apps Script itself. We'll just create a script, and this is the file ID within Google, and we'll just share it with Mr. Brahn; that's exactly what it describes, okay. Let's give it permission to do that, okay, allow, and we're about to see that. Okay, I have it, right, yeah, a new email right here, opening Docs, and this is our file, and we're seeing that downloaded file again. So that's basically the main example that I wanted to show. We don't have much time, so we'll jump right into the mitigation; if someone has a question... we don't have time for the propagation, but let's continue real quick to the mitigation part, because I think that's very important, even though it probably won't be very effective.

So for the self-execution of JavaScript, we might want to use endpoint security, although as you all know it has its limitations, right? So yeah, that's about it, try to use it. And if not, just try to be aware of what you guys do with third-party apps; try to review the script permissions, really understand what it does, what it's gonna do to your account, what it's gonna use and stuff like that. So you want to review the script scopes, its permissions, and if you installed it and you find out it's malicious, you probably want to revoke it using this link. And there are also CASB solutions that prevent or do stuff like that. So yeah, that would be it.

I think that we don't have time for questions, I fear. You can find the speaker in the conference and ask him everything you want to know. Thank you very much for your presentation. [Applause]
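The scope review the speaker recommends as a mitigation can be partly automated against a project's appsscript.json manifest. The following is an added example written for this page, not code from the talk or from Google; it relies on the documented manifest keys oauthScopes and webapp (executeAs / access) and the documented scope URLs, and the two sample manifests are constructed for illustration.

```javascript
// Added example, not code from the talk: audit an Apps Script manifest
// (appsscript.json) for the OAuth scopes and web-app deployment settings discussed.
// Scope URLs and manifest keys are the documented Apps Script values;
// both sample manifests are constructed for illustration.

const SCOPE_RISK = {
  'https://mail.google.com/': 'full mailbox access (read, send, delete)',
  'https://www.googleapis.com/auth/gmail.readonly': 'reads all mail and attachments',
  'https://www.googleapis.com/auth/gmail.settings.sharing': 'can add auto-forwarding addresses',
  'https://www.googleapis.com/auth/drive': 'full Drive access (read, share, delete files)',
  'https://www.googleapis.com/auth/script.external_request': 'UrlFetchApp: can post data to external URLs',
};
const MAIL_SCOPES = ['https://mail.google.com/', 'https://www.googleapis.com/auth/gmail.readonly'];
const EGRESS_SCOPE = 'https://www.googleapis.com/auth/script.external_request';

// Returns human-readable findings for one manifest; an empty array means nothing was flagged.
function auditManifest(manifestJson) {
  const m = JSON.parse(manifestJson);
  const scopes = m.oauthScopes || [];
  const findings = [];
  for (const s of scopes) {
    if (SCOPE_RISK[s]) findings.push(`scope ${s}: ${SCOPE_RISK[s]}`);
  }
  // Mail access plus external requests is the exfiltration path the talk describes.
  if (scopes.some(s => MAIL_SCOPES.includes(s)) && scopes.includes(EGRESS_SCOPE)) {
    findings.push('combination: mail access + external requests (mail exfiltration possible)');
  }
  // A web app that runs as the visiting user and is reachable by anyone:
  // every visitor who clicks Allow lends the script their own permissions.
  const w = m.webapp;
  if (w && w.executeAs === 'USER_ACCESSING' && /^ANYONE/.test(w.access || '')) {
    findings.push(`webapp: executeAs=${w.executeAs}, access=${w.access}`);
  }
  return findings;
}

// Constructed sample combining the risky settings mentioned in the talk.
const SUSPICIOUS_MANIFEST = JSON.stringify({
  oauthScopes: ['https://www.googleapis.com/auth/gmail.readonly',
                'https://www.googleapis.com/auth/drive',
                'https://www.googleapis.com/auth/script.external_request'],
  webapp: { executeAs: 'USER_ACCESSING', access: 'ANYONE_ANONYMOUS' },
});
// Constructed sample: a bound script that only touches its own spreadsheet.
const BENIGN_MANIFEST = JSON.stringify({
  oauthScopes: ['https://www.googleapis.com/auth/spreadsheets.currentonly'],
});

auditManifest(SUSPICIOUS_MANIFEST).forEach(f => console.log('FLAG', f));
```

The same check can be pointed at the scopes shown in the authorization prompt of an already-installed script, since that prompt lists the same oauthScopes.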