How Red Team Does Accounting: Using Google Sheets for C2
One thing I love about being a professional offensive security engineer and red teamer is seeing all the creative ways other red team, pentest, and security researchers bend commonly used software into OffSec tools. For example, seeing others abusing bitsadmin on Windows or curl on OS X to download payloads, BigFix to deploy beacons instead of patches, or using the Jenkins script console for remote code execution rather than build automation. For this reason, I’d like to share how easy it is to use python, Google Cloud Platform, and Google Sheets to set up a quick, Internet facing, difficult to block, and encrypted channel C2 like tool. So let’s dive in!
Here is how to setup a basic python script for Command & Control that checks a Google Sheet for commands to execute, executes the commands on the host, and then writes the results back to the spreadsheet with a timestamp. I am making this script available in Github for demonstration purposes to help the community.
- Python3 installed and a visual editor like VIM
- A free Google account and a blank Google Sheet
- Google Cloud Platform access to create a Service Account and key
BONUS: For item #3 if you happen to be on a red team operation in a GCP environment then there’s a good chance you’ll find a service account key laying around like other passwords and keys. If the Google Sheet API is already enabled, then you’re in business. There’s so much you can do with valid GCP tokens when you find one. If you’re not familiar with leveraging GCP cloud accounts and tokens during red team operations then I highly recommend checking out a great article by Madhav Bhatt https://desi-jarvis.medium.com/compromised-endpoint-to-compromised-gcp-gone-in-60-seconds-3229cc185863
Setup Steps (Part I — Google Cloud Platform):
The first step is to create a service account, key, and download the key. It doesn’t need to have any admin or special permissions. The service account will be added to our Google sheet as a user with editor rights. This is necessary for reading commands from the worksheet and writing output and timestamp back to your C2 spreadsheet. While you can have as many service accounts for various C2 sheets as you like, you only have to have one if you choose.
- Navigate to your GCP cloud console -> IAM -> Service Accounts -> Create Service Account -> Provide a name for the service account -> Provide a description for the service account -> Click Done
2. Next click on the three dots under the actions column to select “manage keys”.
3. Click “Add Key”
4. Click “Create New Key” and select the json format.
5. The .json key file will be downloaded to your computer. Remember the file name and location where you saved it.
6. Last, but not least, it is important to enable Google Sheets API in your GCP console. Simply search for “Google Sheets API” in the console, select, and enable the API using the button.
7 . If you forget to do this step then you will receive permission denied first time your run the c2sheet.py script. You will receive a unique link to enable it. You only need to enable it once and for all.
Now that we have the service account and key, we can set up our Google sheet.
Part II — Setup the Google Spreadsheet
- If you haven’t already, log into the Google account you will use and navigate in a web browser to a https://sheets.google.com
- Once you are logged in simply create a blank worksheet.
3. Name the new Google spreadsheet however you wish. It may be helpful to use a naming scheme with the target host. However, the title of the spreadsheet won’t affect the functionality of the C2 via spreadsheet and multiple hosts could pull commands from one sheet. This could also be really handy for pulling down and running a full-feature C2 payload on multiple hosts at once.
4. Next, you will need to open and find or grep the “client_email address” string in the service account json key you downloaded during the setup of the service account. It should look similar to an email address and probably ends with gserviceaccount.com
5. Open your Google sheet and use the share button to add your service account’s client email address as you would any other account or email address and set the permission to “EDITOR”.
6. Unselect the option to notify since the service account doesn’t need to be notified and the automatic email will bounce anyway. Click to share it with your service account.
7. Next capture the unique key for your Google sheet. This is found in the URL address between https://docs.google.com/spreadsheets/d/KEY/edit#gid
8. It’s not required, but I find it useful to have the following columns on the first row of the C2 spreadsheet.
- A1 — “C2 Command”
- A2 — “Command Output”
- A3 — “Timestamp”
Finally, we just need to setup our python3 script to call the correct Google sheet. The script knows how to do this by adding the key value from the spreadsheet URL and having the service account json credentials file.
Part III — Modify C2 python script
- You can grab the python3 script by cloning my Github repo https://github.com/BojackThePillager/C2viaGsheet
2. There are a few python requirements so be sure to run “pip3 install -r requirements.txt” otherwise you’ll need to manually install the python required modules such as gspread.
3. Next open the c2sheet.py script in VIM or another text editor.
4. Add the spreadsheet’s unique key from earlier to this line “sh = gc.open_by_key(’SHEET_KEY_GOES_HERE’)”
5. Add the path and filename for service account json key file for “gc = gspread.service_account(filename=‘<’SERVICE_ACCOUNT_KEY_FILE_GOES_HERE’)”
6. Save and close c2sheet.py
Now it’s time to test our cool C2 over Google sheet communication to run commands on the target where C2sheet.py and the service account json file is stored.
Part IV — Testing the C2
- To test that everything works simply enter the command “pwd” in A2 of your Google spreadsheet
- Run the c2sheet.py script by executing the command “python3 c2sheet.py”
- The script should run, fetch the command from the spreadsheet, execute the command, add the command output to the appropriate column/line, and add the timestamp.
That’s all that’s needed. It’s that simple.
Of course, there are obvious OPSEC considerations with having the keys stored in the script or on disk that you’d want to consider and possibly adapt. There are much more sophisticated and feature-rich C2 tools available, but this demonstrates how a few lines of python code, the Google Cloud Platform, and the convenience of free SaaS software can be used for Offensive Security purposes in creative ways.
Cheers and happy red teaming!