.. /Expose

Expose is an open-source tool, also offered as a subscription service, that exposes local services and applications over the internet. Insiders as well as threat actors can use it to perform a variety of malicious tasks. The tool requires an authentication token, but a free token can be obtained from the website.

Paths:

Resources:

Acknowledgements:

Detections:

Install

  1. Download and install the expose binary on the local system as a PHAR archive.

    curl https://github.com/beyondcode/expose/raw/master/builds/expose -L --output expose

    Use case: Downloading the expose binary to be executed on the local machine.
    Privileges required: User
    Operating systems: Windows, Mac, Linux
  2. Download and install the expose binary on the local system via composer.

    composer global require beyondcode/expose

    Use case: Downloading the expose binary to be executed on the local machine via composer.
    Privileges required: User
    Operating systems: Windows, Mac, Linux

Access

  1. Initiate access by providing the expose token.

    expose token <token>

    Use case: Authenticating the session via the expose token.
    Privileges required: User
    Operating systems: Windows, Mac, Linux
  2. Set up the default server via expose to connect to the nearest expose server.

    expose default-server ap-1

    Use case: Connecting to the nearest expose server for better bandwidth and connection stability.
    Privileges required: User
    Operating systems: Windows, Mac, Linux
  3. This can be used by threat actors to connect to the nearest expose server.

    expose share http://localhost:<LOCAL PORT> --server=<server>

    Use case: Connecting to the nearest expose server in specific regions.
    Privileges required: User
    Operating systems: Windows, Mac, Linux

Exfiltration

  1. Expose a local server or service over the internet so that it is reachable via expose domains.

    expose share http://localhost:<LOCAL PORT>

    Use case: Exposing the services running on localhost over the internet via expose tunnel domains.
    Privileges required: User
    Operating systems: Windows, Mac, Linux

Download

  1. This can be used by threat actors to host malicious software/binaries on their local system and have them exposed via expose tunnels to be downloaded onto the compromised system.

    expose share http://localhost:<LOCAL PORT>

    Use case: Threat actors hosting malicious binaries and using the links to download them onto the compromised system.
    Privileges required: User
    Operating systems: Windows, Mac, Linux

Phishing

  1. This can be used by threat actors to host phishing sites locally and expose them via expose tunnels to compromise users.

    expose share http://localhost:<LOCAL PORT>

    Use case: Hosting phishing sites locally and exposing them over expose tunnels to compromise users.
    Privileges required: User
    Operating systems: Windows, Mac, Linux
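
The install and runtime commands listed above leave recognizable process command lines. The following is an added example (not part of the original page or the Expose project) that matches them in process-creation telemetry; the rule names, the sample events and the assumption that the binary keeps the name "expose" or "expose.phar" are all illustrative.

```python
import re

# Install-time indicators: the two install commands listed on this page.
INSTALL_RULES = {
    "expose_phar_download": re.compile(
        r"github\.com/beyondcode/expose/raw/\S*builds/expose", re.I),
    "expose_composer_install": re.compile(
        r"\bcomposer\b.*\brequire\b.*\bbeyondcode/expose\b", re.I),
}
# Runtime indicators: `expose token|default-server|share <arg>`.
# Assumption: the binary keeps the name "expose" (or "expose.phar").
EXPOSE_CLI = re.compile(
    r"(?:^|[\s/\\])expose(?:\.phar)?\s+(token|default-server|share)\s+(\S+)", re.I)

def classify(cmdline):
    """Return (rule, detail) pairs for one process command line."""
    hits = [(name, "") for name, rx in INSTALL_RULES.items() if rx.search(cmdline)]
    m = EXPOSE_CLI.search(cmdline)
    if m:
        sub, arg = m.group(1).lower(), m.group(2)
        # Never copy the auth token into alert text.
        detail = "<redacted>" if sub == "token" else arg
        hits.append(("expose_" + sub.replace("-", "_"), detail))
    return hits

def scan(events):
    """events: iterable of (host, user, cmdline); returns a list of alerts."""
    return [{"host": h, "user": u, "rule": r, "detail": d}
            for h, u, c in events for r, d in classify(c)]

# Constructed process-creation events for illustration (not real telemetry).
SAMPLE_EVENTS = [
    ("ws01", "alice", "curl https://github.com/beyondcode/expose/raw/master/builds/expose -L --output expose"),
    ("ws01", "alice", "php ./expose token EXAMPLE-TOKEN"),
    ("ws01", "alice", "php ./expose default-server ap-1"),
    ("ws01", "alice", "php ./expose share http://localhost:8000 --server=ap-1"),
    ("ws02", "bob", "composer global require beyondcode/expose"),
    ("ws02", "bob", "docker run --expose 8080 nginx"),  # benign look-alike
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

A renamed binary will not match the runtime pattern, so pair command-line matching with network telemetry for the tunnel endpoints in use.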