Full Report
We blogged a little while back about the Snoopy demonstration given at 44Con London. A similar talk was given at ZaCon in South Africa. Whilst we’ve been promising a release for a while now, we wanted to make sure all the components were functioning as expected and easy to use. After an army of hundreds had tested it (ok, just a few), you may now obtain a copy of Snoopy from here. Below are some instructions on getting it running (check out the README file from the installer for additional info).
Analysis Summary
# Tool/Technique: Snoopy
## Overview
Snoopy is a distributed tracking, data interception, and profiling framework designed for use with Linux-based client devices (drones). It facilitates the collection of probe data from compromised or controlled clients and centralizes it for analysis, with integration capabilities for Maltego for graphical data exploration.
## Technical Details
- Type: Tool / Framework
- Platform: Linux (Ubuntu 12.04 LTS server component; client devices run Linux, with specific support mentioned for Nokia N900)
- Capabilities: Distributed data collection, data interception, client profiling, OpenVPN tunneling for client traffic routing, MySQL database for raw data storage, Web interface, and Maltego integration.
- First Seen: Public release information points to around December 2012 (based on the publication date of the article).
## MITRE ATT&CK Mapping
Snoopy appears to enable various post-compromise activities related to network traffic manipulation and command and control:
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (if communication uses standard web protocols beyond the management interface)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (collected data is uploaded to the server)
- **TA0004 - Privilege Escalation** (implied, as it requires installation/execution on client devices)
  - T1548.002 - Bypass User Account Control (likely, depending on initial access on the client)
*Note: Specific ATT&CK mappings are inferred based on the described functionality (e.g., routing traffic, centralized data collection) rather than explicit adversary use.*
## Functionality
### Core Capabilities
- **Distributed Data Collection:** Collects "probe data" from remote Linux client devices ("drones").
- **Data Aggregation:** Uploads collected data to the central Snoopy server component every 30 seconds.
- **Network Tunneling:** Routes all associated client internet traffic through the Snoopy reporting server using OpenVPN.
- **Data Storage:** Stores raw collected data in a designated MySQL database named 'snoopy'.
### Advanced Features
- **Configuration Packs:** Allows creation of custom installation packages for drone devices via configuration packs, deployable via setup scripts (`setup_linux.sh` or `setup_n900.sh`).
- **Maltego Integration:** Provides transform URLs and entities to integrate the collected data into Maltego for graphical analysis and exploration (via Maltego TDS).
- **Web Interface:** Features a web interface (port 5000) for viewing data and supports writing custom data exploration plugins.
## Indicators of Compromise
*Self-reported IoCs related to initial setup:*
- File Hashes: Not provided in the article.
- File Names: `install.sh` (Server installation script), `setup_linux.sh`, `setup_n900.sh` (Client setup scripts).
- Registry Keys: Not applicable (Linux/Nokia N900 focus).
- Network Indicators:
  - Management Interface: `http://yoursnoopyserver:5000/`
  - Maltego TDS endpoint dependency: `https://cetas.paterva.com/tds` (external dependency for transforms)
- Behavioral Indicators: Clients establish an OpenVPN tunnel to the server; client data uploads occur every 30 seconds.
## Associated Threat Actors
The tool appears to be an in-house or open-source framework developed by SensePost for penetration testing or security research purposes, demonstrated at conferences like 44Con and ZaCon. No mature threat actor groups are explicitly associated with its usage based on this text alone.
## Detection Methods
- **Signature-based detection:** Could target file hashes of the released components or specific unique strings within the configuration files/scripts.
- **Behavioral detection:** Monitor for OpenVPN tunnels initiated from client devices by executables in specific installation directories, and for periodic connections (every 30 seconds) from multiple endpoints to a single centralized server.
- **YARA rules:** Not provided.
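As an added illustration of the behavioral detection above (example code, not from the Snoopy project or the original post), the script below scans a constructed flow log for endpoints that connect to one server on a fixed ~30 s cadence and then groups the beaconing clients per server; the log format, thresholds and sample addresses are assumptions.

```python
# Added example (not from the Snoopy page or SensePost): flag endpoints whose
# connections to one server recur on a fixed ~30 s cadence (the drone upload
# pattern). Input is a constructed log: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>".
from collections import defaultdict
from statistics import median, pstdev
SAMPLE_FLOWS = """\
1354000000 10.0.0.11 203.0.113.5 5000
1354000030 10.0.0.11 203.0.113.5 5000
1354000060 10.0.0.11 203.0.113.5 5000
1354000091 10.0.0.11 203.0.113.5 5000
1354000005 10.0.0.12 203.0.113.5 5000
1354000035 10.0.0.12 203.0.113.5 5000
1354000065 10.0.0.12 203.0.113.5 5000
1354000096 10.0.0.12 203.0.113.5 5000
1354000003 10.0.0.20 198.51.100.7 443
1354000400 10.0.0.20 198.51.100.7 443
1354000407 10.0.0.20 198.51.100.7 443
1354001900 10.0.0.20 198.51.100.7 443
garbage line that should be skipped
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, port); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[3].isdigit():
            yield int(parts[0]), parts[1], parts[2], int(parts[3])

def find_beacons(flows, period=30.0, tol=0.15, min_hits=4):
    """Map (src, dst, port) -> median gap where gaps cluster tightly around `period`."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        # Regular cadence: median near the period and little jitter around it.
        if abs(med - period) <= period * tol and pstdev(gaps) <= period * tol:
            beacons[key] = med
    return beacons

def shared_servers(beacons, min_clients=2):
    """Group beaconing clients per server; many endpoints on one server is the pattern to escalate."""
    clients = defaultdict(set)
    for src, dst, port in beacons:
        clients[(dst, port)].add(src)
    return {k: sorted(v) for k, v in clients.items() if len(v) >= min_clients}
```

The irregular 10.0.0.20 connections are rejected by the jitter check, while the two drones reporting to 203.0.113.5:5000 are grouped as a shared collection server.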
## Mitigation Strategies
- **Prevention measures:** Strict control over installing third-party configuration scripts and executables on internal Linux endpoints.
- **Hardening recommendations:** Implement host-based intrusion detection/prevention systems on Linux endpoints. Restrict outbound VPN connections unless explicitly authorized and monitored. Ensure the MySQL database used by Snoopy is properly secured and segmented.
## Related Tools/Techniques
- **Maltego:** Used as the primary tool for graphical data visualization and analysis.
- **OpenVPN:** Used for network traffic routing and encapsulation.
- **Other Penetration Testing/Tracking Frameworks:** Tools combining C2, tracking, and data profiling (e.g., Metasploit, Cobalt Strike beacons, depending on scope).