Segnaliamo ai lettori di Cybertrends una interessante lista di Open Source C2 Post-Exploitation Frameworks di un ricercatore di PenTestIT

  1. APfellAPfell is a cross-platform, OPSEC aware, red teaming, post-exploitation C2 framework built with python3, docker, docker-compose, and a web browser UI. It is designed to provide a collaborative and user friendly interface for operators, managers, and reporting on Mac OS and Linux based operating systems. It includes support for multiple C2 profiles, multiple payload types, JavaScript for Automation(JXA) exclusive to Mac OS, and an interesting Chrome extension payload. APfell maps to my favourite MITRE ATT&CK framework as well. Interestingly, the C2 framework finds inspiration from well known malware families such as PlugX, Flame, etc. Check out APfell version 1.2.
  2. CovenantCovenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive.NET tradecraft easier, and serve as a collaborative command and control platform for red-teamers. What sets this apart from other C2 Post-Exploitation Frameworks is that it supports .NET Core – which is multi-platform. Hence, Covenant can run natively on Linux, MacOS, and Windows platforms! Additionally, Covenant has docker support, allowing it to run within a container on any system that has docker installed. It consists of three components – Covenant (server-side component), Elite (client-side component) and Grunt (implant). Check out Covenant v0.3.
  3. Faction C2: The Faction C2 framework focuses on operational security, flexibility & teamwork. Its API focused design provides the foundation for secure communications across any transport method via well documented REST and Socket.IO APIs, to any agent that can speak its language. Currently Faction supports only .NET payloads and modules. Marauder is an example .NET agent for the Faction C2 Framework. However you can easily create your own agent as well. Faction was designed with redirects in mind in the form of Transport Servers. These sit between Faction and your agent and handle masking your communications. This C2 post-exploitation framework has a role based access control system and data can be queried using SQL queries! Check out Faction C2 and Marauder.
  4. iBombshell: iBombShell is a dynamic, open source tool that allows post-exploitation functionalities via a shell or a prompt on systems that support Powershell. Supported features are loaded dynamically in-memory avoiding any hard drive writes, whenever they are needed from a repository. I blogged about this C2 post-exploitation framework here. Get the latest iBombshell version here.
  5. Koadic: Koadic is an open source, post-exploitation rat aka remote access trojan that uses the Windows Script Host; via the COM interface, for most of it’s operations. Since it uses VBScript/JScript you can expect it to work on all Microsoft Windows operating systems from Windows 2000 onwards as it has inbuilt support. I covered it in a blog titled – Koadic: An Advanced Windows JScript/VBScript RAT. Give Koadic a run here.
  6. Merlin: Merlin is a cross-platform post-exploitation HTTP/2 C2 server

    & agent written in Golang. It helps you to evade network detection during a penetration test/red team exercise by using a protocol that existing tools aren’t equipped to understand or inspect. Both the Merlin Server and Agent can easily be compiled to run on a multitude of operating systems to include Windows, Linux, Mac OS, Solaris, FreeBSD, ARM, MIPS, or Android. Latest versions of Merlin support features such as Shellcode execution and Shellcode Reflective DLL Injection (sRDI). Get Merlin v0.7.0.

  7. PoshC2: PoshC2 is a proxy aware C2 framework that utilizes Powershell and/or equivalent (System.Management.Automation.dll) to aid penetration testers with red teaming, post-exploitation and lateral movement. Powershell was chosen as the base implant language as it provides all of the functionality and rich features without needing to introduce multiple third party libraries to the framework. In addition to the Powershell implant, PoshC2 also has a basic dropper written purely in Python that can be used for command and control over Unix based systems such as Mac OS or Ubuntu. Get PoshC2 v4.8.
  8. Silver: This is one of the more recent C2 post-exploitation frameworks. Sliver is a cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. Implants support features such as dynamic code generation, compile-time obfuscation, process injection, anti-forensics, Windows process migration and Windows user token manipulation. Get Silver v0.0.6-alpha.
  9. SILENTTRINITY: It is an asynchronous post-exploitation agent powered by Python, IronPython, C# and .NET’s DLR. SILENTTRINITY introduces a somewhat new Red Team approach called as BYOI (Bring Your Own Interpreter). Currently the implant only supports C2 over HTTP 1.1. Get SILENTTRINITY.
  10. TrevorC2: TrevorC2 is a client/server model for masking command and control through a normally browsable website. Detection becomes much harder as time intervals are different and does not use POST requests for data exfiltration and it supports Windows, MacOS, and Linux. Get TrevorC2 1.0.


Visit Us