.. /Tmate
Star

Tmate.io provides a simple binary to expose local terminal via tmate.io domains. These domains are accessible over the internet. Providing opportunity for insiders to expose local system, exfiltrate data, create backdoors via SSH etc.

Paths:

Downloaded/Installed version of tmate, which gets executed anywhere on the system.

Resources:

https://dfir.ch/posts/tmate_as_a_backdoor/

Acknowledgements:

Kamran Saifullah (@deFr0ggy)

Detections:

Domain: *.tmate.io
Domain: https://tmate.io/t/*
Command: Execution of the binary and/or with arguments.

Access

This will generate instant tmate tunnel which is accessible via web browser as well as via SSH client. Insider threat or external threat actor can used this for accessing and monitoring the terminals using the read-only tunnel links.
```
tmate
```
Use case
Accessing the terminal via web browser or ssh remotely.

Privileges required
User

Operating systems
Mac, Linux

Exfiltration

This will generate instant tmate tunnel which is accessible via web browser as well as via SSH client. Insider threat or external threat actor can used this for data exfiltration.
```
tmate
```
Use case
Exposing file system over the internet.

Privileges required
User

Operating systems
Mac, Linux

Shell Access

This will generate instant tmate tunnel which is accessible via web browser as well as via SSH client. Insider threat or external threat actor can used this for backdoor as `-F` will foreground the current process.
```
tmate -F
```
Use case
Maintaning access via Web or via SSH.

Privileges required
User

Operating systems
Mac, Linux