November 14, 2017
Covering arbitrary commands through legitimate traffic is a must for every red team engagement. The majority of the command and control tools are implementing a stealthy technique that it will allow red teams to hide their activities as data exfiltration is part of the goals.
David Kennedy developed a command and control tool called TrevorC2 that can be used to execute commands via legitimate HTTP traffic. The URL attribute on the trevorc2_server.py needs to be modified to a website of choice.
The implant (trevorc2_client.py or trevorc2_client.ps1) has a SITE_URL attribute. This needs to be changed with the IP address of the command and control server. When the command and control server file will run it will start to clone the website.
There are two implants to be used one based in python and one in PowerShell. From the moment that the implant will be executed a connection will be established with the command and control server.
Commands can be sent from the server to the clients:
The commands will be sent encrypted via HTTP/S protocol. TrevorC2 is using AES encryption with the following cipher. Encrypted commands will be inserted into the fake website inside the oldcss parameter:
The fake website will be hosted into the same system as the command and control server and it will look exactly as the original.
However examining the source code the oldcss parameter will contain the encrypted command.
By doing traffic inspection it is visible that the executed commands are covered through legitimate HTTP traffic.