About RogueApps

The RogueApps project documents when Good Apps Go Rogue.

RogueApps are OIDC/OAuth 2.0 applications that, while not explicitly evil, are often abused and used maliciously. This repository documents the emerging attack surface of SaaS, OIDC, and OAuth 2.0 applications that help attackers during intrusions. If the application was not specifically created for evil purposes, but has been observed during identity compromises, it's a RogueApp.

This project aims to surface OIDC/OAuth 2.0 application tradecraft to aid defenders in detection, deterrence, and mitigation of application attacks in the SaaS world.

The repository for this project is open source and available here!

⚠ Disclaimer ⚠

This repository documents the tradecraft of OAuth applications and how they are used in attacks. It cannot take the place of a full investigation into any specific instance of an application to determine whether it is malicious. It should be used only as a reference and for education.

Acknowledgements

RogueApps was inspired by WTFBins, which is the excellent work of The Taggart Institute / Michael Taggart. Thank you to TTI/Taggart!

RogueApps was created by Matt Kiely, Principal Security Researcher at Huntress, and the Huntress Research Team.