Skip to content

Feat/safe t1902 covert channel responses #123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
saurabh-yergattikar wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Feat/safe t1902 covert channel responses #123

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1f7176d
feat(SAFE-T1901): add Outbound Webhook C2 technique
saurabh-yergattikar Nov 8, 2025
3492b4c
feat(SAFE-T1902): Add Covert Channel in Responses technique
saurabh-yergattikar Nov 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,10 +123,10 @@ The SAFE-MCP framework defines 14 tactics that align with the MITRE ATT&CK metho
| ATK-TA0009 | Collection | SAFE-T1803 | Database Dump | Use SQL tool to SELECT * from prod DB |
| ATK-TA0009 | Collection | SAFE-T1804 | API Data Harvest | Loop over customer REST endpoints via HTTP tool |
| ATK-TA0009 | Collection | SAFE-T1805 | Context Snapshot Capture | Query vector store embeddings wholesale |
| **ATK-TA0011** | **Command and Control** | SAFE-T1901 | Outbound Webhook C2 | LLM calls "http.post" to attacker URL with commands/results |
| ATK-TA0011 | Command and Control | SAFE-T1902 | Covert Channel in Responses | Encode data in whitespace or markdown links returned to chat |
| **ATK-TA0011** | **Command and Control** | [SAFE-T1901](/techniques/SAFE-T1901/README.md) | Outbound Webhook C2 | Abuse of outbound HTTP webhooks for command and control |
| ATK-TA0011 | Command and Control | [SAFE-T1902](/techniques/SAFE-T1902/README.md) | Covert Channel in Responses | Encode data in whitespace or markdown links returned to chat |
| ATK-TA0011 | Command and Control | SAFE-T1903 | Malicious Server Control Channel | Attacker operates rogue server; every tool call doubles as heartbeat |
| ATK-TA0011 | Command and Control | SAFE-T1904 | Chat-Based Backchannel | LLM embeds base64 blobs in normal answers that another bot decodes |
| ATK-TA0011 | Command and Control | [SAFE-T1904](/techniques/SAFE-T1904/README.md) | Chat-Based Backchannel | LLM embeds base64 blobs in normal answers that another bot decodes |
| **ATK-TA0010** | **Exfiltration** | SAFE-T1910 | Covert Channel Exfiltration | Data smuggling through tool parameters, error messages, or legitimate-appearing operations |
| ATK-TA0010 | Exfiltration | SAFE-T1911 | Parameter Exfiltration | Sneak secrets into unused JSON arg (note) |
| ATK-TA0010 | Exfiltration | SAFE-T1912 | Stego Response Exfil | Hide data in code blocks shown to user then copied elsewhere |
Expand Down
98 changes: 98 additions & 0 deletions techniques/SAFE-T1901/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
# SAFE-T1901 : Outbound Webhook C2

## Tactic
**Command and Control (ATK-TA0011)**

---

## Description
Outbound Webhook C2 is a technique where an adversary abuses legitimate outbound HTTP webhook mechanisms to establish covert command-and-control (C2) channels from a Model Context Protocol (MCP) environment.
Because MCP agents and tools routinely use HTTPS for integration with external services (Slack, GitHub, Jira, etc.), malicious webhook calls blend with normal traffic, making detection difficult.

This mirrors MITRE ATT&CK technique [T1567.004 – Exfiltration Over Webhook](https://attack.mitre.org/techniques/T1567/004/) and expands it to AI agent ecosystems.

---

## How It Works
1. **Initial Access** – Attacker gains code execution inside an MCP agent or server (e.g., through malicious tool registration or supply-chain package).
2. **Webhook Setup** – They embed an attacker-controlled URL (`https://discord.com/api/webhooks/...`, `https://hooks.slack.com/services/...`, or custom endpoint) in configuration or environment variables.
3. **Beaconing & Tasking** – The compromised component periodically issues small HTTPS POST requests to the webhook, sending status or encoded data and receiving instructions from the attacker’s channel.
4. **Command Execution / Exfiltration** – Responses from the webhook or attacker messages drive additional actions or data uploads.
5. **Persistence / Evasion** – Traffic appears as benign API usage; the attacker may rotate URLs or use trusted domains to avoid detection.

---

## Examples
- **Malicious packages** in npm and PyPI (2025 reports) that exfiltrated developer tokens to Discord webhooks under benign names like “post-install analytics.”
- **KurayStealer** and similar malware families use Slack and Discord webhooks as lightweight C2 channels to send logs and receive tasks.
- In an enterprise MCP setup, a backdoored tool could POST conversation summaries to a remote webhook every hour, evading firewall rules because HTTPS egress is permitted.

---

## Impact
| Property | Level | Explanation |
|-----------|-------|-------------|
| Confidentiality | **High** | Sensitive data or tokens can leave the organization undetected via legitimate HTTPS channels |
| Integrity | **Medium** | External commands may alter agent behavior or workflow outputs |
| Availability | **Low** | Usually stealthy and low-bandwidth; minor resource impact |

---

## Detection
**Network Indicators**
- Frequent small HTTPS POSTs to rare domains (e.g., `discord.com`, `webhook.site`, dynamic tunnels like `*.ngrok.io`) from MCP hosts not expected to communicate externally.
- Unusual SNI or TLS fingerprints in outbound connections.

**Host Indicators**
- Config files or .env entries containing webhook-like URLs.
- Tools or scripts embedding HTTP client calls without documented purpose.

**Example SIEM rule (pseudo-Sigma)**
```yaml
title: Outbound Webhook C2 Detection
logsource: network/proxy
detection:
selection:
url|contains:
- "discord.com/api/webhooks"
- "hooks.slack.com/services"
- "webhook.site"
- "ngrok.io"
method: POST
condition: selection
level: medium
```

---

## Mitigation
**Preventive**
1. Restrict egress from MCP agents to approved domains (HTTP allow-listing).
2. Proxy all outbound HTTP(S) traffic through a controlled gateway with inspection and rate limits.
3. Disallow hard-coded webhook URLs in code; require secret stores with rotation and audit trails.
4. Require manifest review for tools requesting network capabilities.
5. Implement signed or authenticated webhook payloads and mutual TLS for approved integrations.

**Detective**
1. Monitor and baseline outbound destinations per server.
2. Scan source repos and pipelines for webhook URL patterns.
3. Correlate proxy logs with MCP task timestamps to spot covert beaconing.

**Response**
- Block or revoke the malicious webhook URL, rotate tokens, and collect forensic logs.

---

## References
- MITRE ATT&CK – [T1567.004 Exfiltration Over Webhook](https://attack.mitre.org/techniques/T1567/004/)
- CISA Advisory on Webhook Exfiltration (2024)
- Invicti Research – *Securing Webhooks Against Abuse* (2023)
- HackerOne – *Webhook Security Best Practices* (2023)
- Reports on Malicious npm/PyPI Packages Exfiltrating to Discord (Oct 2025)
- KurayStealer Analysis – Use of Discord Webhooks as C2 (2023)

---

## MITRE ATT&CK Mapping
**ATT&CK Technique:** T1567.004 – Exfiltration Over Webhook
**ATT&CK Tactic:** Command and Control (TA0011)**
Loading