Introduction

Command and Control, commonly referred to as C2 or C&C, is the set of tools and protocols adversaries use to control compromised machines and operate them remotely.

There are plenty of options to choose from when it comes to C2 tooling.

  • Havoc
  • Sliver
  • Cobalt Strike
  • Empire
  • Brute Ratel
  • Mythic

However, they may not always have built-in features for your tailored needs, and they leave more room for detection when defense evasion is a concern (it most probably should be).

Doomed is my personal attempt to fulfill those tailored needs while understanding how every piece of functionality operates. This allows for operating stealthily and avoiding the signatures and artifacts of common tools, while also learning about numerous topics along the way.

Current State

The tool’s back-end is written in Python 3 with Flask and SQLite.

Currently, Doomed has the following features implemented:

  • Keylogging
  • Asynchronous OS command execution
  • Data exfiltration
  • Screenshot taking

It has a Windows implant written in C, which does most of the heavy lifting on the victim machine while exfiltrating the intended data.

Below is an example of how the interface reacts to some operations.

It currently has the ability to list victims and their details, as well as receive and export keystrokes from the keylogging feature.

One can note that, although it already “works” at this initial stage, it barely has its basic functionality in place.

Intended Features

With enough time, the idea is to make Doomed a simple yet reliable tool. For that, a few foundational features are yet to be implemented.

  • Built-in AMSI bypass for PowerShell instrumentation
  • Exfiltration of common/pre-defined data
  • Credential dumping
  • Built-in UAC bypass(es)
  • Public implant, intended to be written in C#
  • … and much more!

Initially, the idea is to conduct all research and development privately, releasing crucial features only once they are mature enough. Different implants are also planned: a personal version that will stay closed-source (the one written in C and showcased above) and a public version written in C# that should be released together with the alpha version.

This is due to the nature of defense evasion: releasing everything would mean I could no longer use it in real assessments, as it would probably be “burned” by then.

Closing Thoughts

Although there are already plenty of such tools available, writing your own from scratch offers a myriad of benefits.

Currently, DoomedC2 is still in the early stages of development and will remain “closed-source” until it reaches a certain maturity level.