Talking to implants

C2 request

First, let's clearly define what we expect to send to and receive from implants. Operators typically issue commands to their implants, and some of those commands carry large, unstructured payloads such as binary files. Since JSON cannot carry raw bytes, every argument is base64-encoded. We therefore defined a simple request message from the C2 server like so:

{
	"agent_id": "",
	"request_id": "",
	"opcode": 0,
	"args": ["base64(bytes)"]
}

agent_id: Unique identifier for the agent / implant.

request_id: Unique identifier for the request-reply exchange. The implant echoes it back so the server can match a response to the request that produced it.

opcode: An integer code that tells the implant which operation to perform.

args: The arguments to the operation, each a base64-encoded byte string.

Implant response

We defined a response like so:

{
	"agent_id": "string",
	"request_id": "string",
	"responses": [
		{
			"status": 0,
			"dest": 0,
			"name": "string",
			"data": "base64(bytes)"
		}
	]
}

responses: An array of responses to the initial request; a single request may produce several.

status: The status of the operation: 0 for success, 1 for failure.

dest: What the server should do with this response: save it to a file (0) or print it to the console (1).

name: If the data is to be saved to a file, the file's name on the server. The implant supplies this value, so the server should treat it as untrusted and strip any directory component before writing.

data: The response payload, base64-encoded. When status is 1 it carries the error message instead.
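The full request-reply exchange, as an added Python example that is not part of the original page or the project's own code. It covers both the request format above and the response format: the server builds a request with base64-encoded args, the implant executes the opcode and answers with status/dest/name/data, and the server correlates the reply by request_id and routes each response to the console or to a file. The opcode numbers (OP_ECHO, OP_UPLOAD), the loot directory and the sample payloads are assumptions for the example; the page defines the message shape but no opcode table.

```python
from __future__ import annotations

import base64
import json
import os
import tempfile
import uuid

# Opcode table assumed for this example (the page defines none).
OP_ECHO = 1    # return args[0] to the operator console
OP_UPLOAD = 2  # return args[0] as a file, named by args[1]

STATUS_OK, STATUS_ERR = 0, 1
DEST_FILE, DEST_CONSOLE = 0, 1


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def unb64(text: str) -> bytes:
    # validate=True rejects junk instead of silently dropping it
    return base64.b64decode(text, validate=True)


def build_request(agent_id: str, opcode: int, args: list[bytes]) -> str:
    """Server side: serialize a request; every arg is raw bytes, base64-encoded."""
    msg = {
        "agent_id": agent_id,
        "request_id": str(uuid.uuid4()),
        "opcode": opcode,
        "args": [b64(a) for a in args],
    }
    return json.dumps(msg)


def implant_handle(raw: str) -> str:
    """Implant side: decode the request, run the opcode, build the response."""
    req = json.loads(raw)
    responses = []
    try:
        args = [unb64(a) for a in req["args"]]
        if req["opcode"] == OP_ECHO:
            responses.append({"status": STATUS_OK, "dest": DEST_CONSOLE,
                              "name": "", "data": b64(args[0])})
        elif req["opcode"] == OP_UPLOAD:
            responses.append({"status": STATUS_OK, "dest": DEST_FILE,
                              "name": args[1].decode(), "data": b64(args[0])})
        else:
            raise ValueError(f"unknown opcode {req['opcode']}")
    except Exception as exc:
        # any failure becomes a status=1 response whose data is the error text
        responses.append({"status": STATUS_ERR, "dest": DEST_CONSOLE,
                          "name": "", "data": b64(str(exc).encode())})
    return json.dumps({"agent_id": req["agent_id"],
                       "request_id": req["request_id"],
                       "responses": responses})


def server_process(request_raw: str, response_raw: str, loot_dir: str) -> list[tuple[str, str]]:
    """Server side: check the reply matches the outstanding request, then route
    each response by dest. Returns (kind, detail) pairs, kind in console/file/error."""
    req = json.loads(request_raw)
    resp = json.loads(response_raw)
    if resp["agent_id"] != req["agent_id"] or resp["request_id"] != req["request_id"]:
        raise ValueError("response does not match outstanding request")
    out = []
    for r in resp["responses"]:
        data = unb64(r["data"])
        if r["status"] == STATUS_ERR:
            out.append(("error", data.decode(errors="replace")))
        elif r["dest"] == DEST_CONSOLE:
            out.append(("console", data.decode(errors="replace")))
        elif r["dest"] == DEST_FILE:
            # "name" is chosen by the implant: keep only the basename so a hostile
            # or confused implant cannot make the server write outside loot_dir
            safe = os.path.basename(r["name"])
            if safe in ("", ".", ".."):
                safe = "unnamed"
            path = os.path.join(loot_dir, safe)
            with open(path, "wb") as f:
                f.write(data)
            out.append(("file", path))
        else:
            out.append(("error", f"unknown dest {r['dest']}"))
    return out


def run_demo() -> list[tuple[str, str]]:
    """Three constructed exchanges: console echo, file exfil with a traversal
    attempt in the name, and an unknown opcode that yields a status=1 error."""
    loot = tempfile.mkdtemp(prefix="loot-")
    results = []
    req = build_request("agent-01", OP_ECHO, [b"hello implant"])
    results += server_process(req, implant_handle(req), loot)
    blob = bytes(range(256))  # constructed binary payload
    req = build_request("agent-01", OP_UPLOAD, [blob, b"../../etc/cron.d/evil"])
    results += server_process(req, implant_handle(req), loot)
    req = build_request("agent-01", 99, [])
    results += server_process(req, implant_handle(req), loot)
    return results


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"[{kind}] {detail}")
```

Running the script prints the echoed text, the path the blob was written to under the loot directory (with the ../ prefix stripped), and the error produced by the unknown opcode. The request_id check is what lets the server discard a stale or replayed reply rather than acting on it.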
