• Stars
    star
    1,498
  • Rank 31,328 (Top 0.7 %)
  • Language
    C++
  • License
    Other
  • Created about 5 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits.

C3

C3

Build C3 (MSVC)

Build C3 (Clang)

C3 (Custom Command and Control) is a tool that allows Red Teams to rapidly develop and utilise esoteric command and control channels (C2). It's a framework that extends other red team tooling, such as the commercial Cobalt Strike (CS) product via ExternalC2, which is supported at release. It allows the Red Team to concern themselves only with the C2 they want to implement; relying on the robustness of C3 and the CS tooling to take care of the rest. This efficiency and reliability enable Red Teams to operate safely in critical client environments (by assuring a professional level of stability and security); whilst allowing for safe experimentation and rapid deployment of customised Tactics, Techniques and Procedures (TTPs). Thus, empowering Red Teams to emulate and simulate an adaptive real-world attacker.

Usage

See this blog post for a detailed tutorial.

For contribution guide (how to develop a Channel tutorials), see this page.

Supported Channels

External Channels

Channel Name Contributor
Mattermost @mariuszbit
Asana @tvgdb2
GitHub @sunn_y_k
Dropbox @adm1nPanda
JIRA
Discord
GoogleDrive
Slack
EWS Tasks
OneDrive 365 Rest File
OneDrive 365 Rest Task

Internal Channels

Service Contributor
MSSQL @checkymander
UNC Share File
LDAP
Printer Jobs

Detection

Glossary

The most commonly used terms in C3:

  • Relays - stand-alone pieces of C3 Networks. They communicate using Interfaces. There are two types of Relays: Gate Relays (or Gateways) and Node Relays.
  • Gateway - a special Relay that controls one C3 Network. A C3 Network cannot operate without an operational Gateway. The Gateway is the bridge back to the attacker’s infrastructure from Node Relays. It's also responsible for communicating back to a third-party C2 server (such as Cobalt Strike’s Teamserver). Gateways should always be hosted within attacker-controlled infrastructure.
  • Node Relay - an executable to be launched on a compromised host. Node Relays communicate through Devices either between one another or back to the Gateway.
  • Interface - a high level name given to anything that facilitates the sending and receiving of data within a C3 network. They are always connected to some Relay and their purpose is to extend Relay's capability. Currently there are three types of Interfaces: Channels, Peripherals and Connectors.
  • Devices - common name for Channels and Peripherals. This abstraction is created to generalize Interfaces that are able to be used on Node Relays.
  • Channel - an Interface used to transport data between two Relays. Channels works in pairs and do not support the one-to-many transmission (see Negotiation Channels).
  • Negotiation Channel - a special Channel capable of establishing regular Channel connections with multiple Relays. The negotiation process is fully automatic. Negotiation Channels support only negotiation protocol and cannot be used in any other transmission.
  • Gateway Return Channel (GRC) - the configured Channel that a Relay will use to send data back to the Gateway. GRC may be a route through another Relay. The first Channel (initial) on a Node Relay is automatically set as GRC for that Node Relay.
  • C3 Minimal MTU - the minimal portion of data that every C3 Channel is required to be able to send. Currently C3 Minimal MTU is equal to 64 bytes. Unless a chunk shorter than 64 bytes contains a complete packet, receiver Relay ignores it and sender Relay tries and re-sends last portion of data.
  • Peripherals - a third-party implant of a command and control framework. Peripherals talk to their native controllers via a Controller. For example, Cobalt Strike’s SMB beacon.
  • Connectors - an integration with a third-party command and control framework. For instance the ‘External C2’ interface exposed by Cobalt Strike’s Teamserver through the externalc2_start command.
  • Binders - common name for Peripherals and Connectors.
  • Device ID - a dynamic ID that uniquely addresses one Device on a Relay.
  • Agent ID - a dynamic ID that uniquely addresses a Node Relay. Node Relays instantiated from the same executable will have different Agent IDs.
  • Build ID - a static ID that is built into every Relay. Stays unchanged over reboots.
  • Route ID - a pair of an Agent ID and a Device ID. Used to describe one "path" to a Node Relay (Node Relays might be reachable via many Routes).
  • Route - a "path" to a Node Relay. Every Relay keeps a table of all of their child Relays (and grandchildren, grand-grandchildren, and so on) along with Channel Device IDs used to reach that particular Relay (see Route ID). When a packet from the Gateway arrives to a Node Relay, routing table is used to choose appropriate Channel to send the packet through to the recipient.
  • Update Delay Jitter - delay between successive updates of an Interface (in case of Channels - calls to OnReceiveFromChannel method). Can be set to be randomized in provided range of time values.

License

BSD 3-Clause License

Copyright (c) 2019-2020, F-Secure Copyright (c) 2018-2019, MWR Infosecurity All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

More Repositories

1

drozer

The Leading Security Assessment Framework for Android.
Python
3,894
star
2

chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
Rust
2,713
star
3

needle

The iOS Security Testing Framework
Python
1,331
star
4

doublepulsar-detection-script

A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.
Python
1,008
star
5

awspx

A graph-based tool for visualizing effective access and resource relationships in AWS environments.
Python
913
star
6

python-exe-unpacker

A helper script for unpacking and decompiling EXEs compiled from python code.
Python
751
star
7

leonidas

Automated Attack Simulation in the Cloud, complete with detection use cases.
Jupyter Notebook
446
star
8

android-keystore-audit

JavaScript
385
star
9

physmem2profit

Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
C#
364
star
10

Jandroid

Python
323
star
11

CallStackSpoofer

A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)
C++
294
star
12

bitlocker-spi-toolkit

Tools for decoding TPM SPI transaction and extracting the BitLocker key from them.
Python
271
star
13

captcha22

CAPTCHA22 is a toolset for building, and training, CAPTCHA cracking models using neural networks.
Python
243
star
14

doublepulsar-c2-traffic-decryptor

A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
Python
224
star
15

snake

snake - a malware storage zoo
Shell
205
star
16

Jamf-Attack-Toolkit

Suite of tools to facilitate attacks against the Jamf macOS management platform.
Python
172
star
17

IAMSpy

Python
169
star
18

damn-vulnerable-llm-agent

Python
169
star
19

LinuxCatScale

Incident Response collection and processing scripts with automated reporting scripts
Shell
165
star
20

IceKube

Python
161
star
21

peas

PEAS is a Python 2 library and command line application for running commands on an ActiveSync server e.g. Microsoft Exchange.
Python
152
star
22

ppid-spoofing

Scripts for performing and detecting parent PID spoofing
PowerShell
127
star
23

detectree

Data visualization for blue teams
Svelte
123
star
24

GarbageMan

GarbageMan is a set of tools for analyzing .NET binaries through heap analysis.
C++
113
star
25

drozer-agent

The Android Agent for the Mercury Security Assessment Framework.
Java
111
star
26

doublepulsar-usermode-injector

A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
C
104
star
27

TickTock

C++
102
star
28

ModuleStomping

https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
C++
87
star
29

dotnet-gargoyle

A spiritual .NET equivalent to the Gargoyle memory scanning evasion technique
C#
50
star
30

cloud-wiki

A public cloud security knowledgebase - https://www.secwiki.cloud/
CSS
48
star
31

AMSIDetection

AMSI detection PoC
C#
29
star
32

tau-engine

A document tagging library
Rust
29
star
33

radare2-scripts

A collection of useful radare2 scripts!
Python
25
star
34

CVE-2021-25374_Samsung-Account-Access

This script can be used to gain access to a victim's Samsung Account if they have a specific version of Samsung Members installed on their Samsung Device, and if the victim's device is from the US or Korea region.
Python
22
star
35

ESFang

ESF modular ingestion tool for development and research.
Objective-C
18
star
36

macOSTriageCollectionScript

A triage data collection script for macOS
Shell
17
star
37

lazarus-sigma-rules

17
star
38

RemotePSpy

RemotePSpy provides live monitoring of remote PowerShell sessions, which is particularly useful for older (pre-5.0) versions of PowerShell which do not have comprehensive logging facilities built in.
Python
17
star
39

FLAIR

F-Secure Lightweight Acqusition for Incident Response (FLAIR)
Batchfile
16
star
40

mongo-rs

A higher-level wrapper on top of the official bson & mongodb crates.
Rust
15
star
41

llm-vulnerable-recruitment-app

An example vulnerable app that integrates an LLM
Python
12
star
42

volatility-plugins

Python
11
star
43

FixerUpper

A Burp extension to enable modification of FIX messages when relayed from MitM_Relay
Python
11
star
44

snake-core

snake-core - the real snake
Python
11
star
45

jdiesel

jdiesel fuels the drozer
Java
10
star
46

deject

Memory dump and Sample analysis tool
Python
8
star
47

memory-carving-scripts

Scripts for extracting useful information from infected memory dumps
PowerShell
7
star
48

shadowhammer

Tools related to 'shadowhammer' attack, https://securelist.com/operation-shadowhammer/89992
Python
7
star
49

keywe-tooling

Tools that can be used to interact with the KeyWe Smart Lock device.
Python
6
star
50

datamate

Python
6
star
51

usb-ninja-detection-poc

USB Ninja Detection PoC
C++
5
star
52

iocs

YARA
5
star
53

snake-scales

snake-scales - the default repository of snake scales
Python
4
star
54

dreamer

Easier cloud infrastructure with Terraform and Ansible
Python
4
star
55

snake-skin

snake-skin - the web ui for snake
Svelte
2
star
56

boops-boops-android-agent

Java
1
star
57

snake-tail

snake-tail - the command line ui for snake
Python
1
star
58

slide-decks

1
star