Callidus: leverage O365 services for establishing command & control communication channel

Callidus

The Latin word for “sneaky” is called “Callidus”. It is developed for learning and improving my knowledge about developing custom toolset in C# and learning how to leverage cloud services for the benefit of the user.

It is developed using .net core framework in C# language. Allows operators to leverage O365 services for establishing command & control communication channels. It usages Microsoft Graph APIs for communicating with O365 services.

Currently Supports :

• Outlook
• OneNote
• Microsoft Teams

Functions or Components and modules of Callidus

• Outlook – Outlook module has 2 sub-modules:
  • Server (OutlookC2) – used by the operator to send & read the output of the commands. It creates a draft message in the folder with the subject “Input” which will be read by the Implant. Once the command is sent it will wait for the Implant to reply with the output by creating another draft message with the subject “Output” which that server will keep polling. The output is then rendered in the console and the draft message with the subject “Output” will be deleted.
  • Implant (OutlookC2Client) – deployed on the target system which reads & executes the command on the system & sends back the output. It reads the draft message with the subject “Input” & executes the command written in the body. After the command is executed it will create a new draft message with the subject “Output”. The output is returned in the body of the message that is read by the Server.
• OneNote – OneNote module also has 2 sub-modules:
  • Server (OneNoteC2) – used by the operator to create a to-do list on the OneNote page that is read by the implant to execute the commands.
  • Implant (OneNoteC2Client) – deployed on the target system which reads & executes the command & write the output back to a OneNote page. It reads the to-do list with pending status and executes the commands. Once the command is executed the output is written below the to-do list & the status of the to-do list updated to “completed”.
• Microsoft Teams – Microsoft Teams has only 1 module:
  • Implant (TeamsC2) – deployed on the target system that reads & executes the command & reply with the output on the Teams channel. It reads the messages from the channel and checks the messages that don’t contain any reply message & executes the commands and sends the reply in the same message. There is a limitation on the message size on Microsoft teams of 28 kb.

Download && Use

Copyright (C) 2020 3xpl01tc0d3r