2025-07-11 14:06:11 +02:00

C2 Command & Control Framework

Overview

This is a pet project designed for learning and experimentation with Command & Control (C2) frameworks. It features a secure C2 server written in Go and a Windows-based agent written in C (with the help of AI). The project focuses on encrypted communication, task execution, and stealthy operations.

⚠️ Disclaimer: This project is for educational purposes only. Unauthorized deployment or usage is strictly prohibited.

Features

🔹 Server & Client (Go)

  • Secure communication using mTLS
  • Authentication for operators
  • Agent management
  • Task management
  • Tab-completion
  • Dynamic payload generation

🔹 Beacon (Go) Stage 0

  • VM and sandbox detection
  • DNS communication channel

🔹 Agent (C) Stage 1

  • Small footprint achieved with modularity and SSL library for embedded devices
  • TCP and mTLS communication channels with round robin logic
  • Task execution:
    • Execute CMD or PowerShell commands
    • Download files/directories from target, upload files
    • System info collection
    • Keylogger
    • Auto persistence
    • Change connection interval, start-up delay
    • Execute EXE and DLL files (currently from disk) and in-memory shellcode
    • Cleanup and self deletion

Setup

🔹 Server & Client (Tested only on Linux)

Quickstart on localhost for testing using scripts:

  1. Install dependencies:
    sudo apt install golang mingw-w64 make xxd openssl
    
  2. Generate TLS certificates using provided script:
    bash generate_certs.sh
    
  3. Start server on localhost:
    bash start_server.sh
    
  4. Start operator client:
    bash operator/start_operator.sh
    

🔹 Compiling WolfSSL for MinGW

Before generating the agent payload, you must compile WolfSSL for MinGW and place it in the correct folder:

    cd wolfssl-5.7.6
    ./configure --host=x86_64-w64-mingw32 --enable-static --prefix=/home/user/Sigma-C2/agent/lib/wolfssl-compiled
    make -j 6
    make install

After compilation, the compiled library should be located in:

    Sigma-C2/agent/lib/wolfssl-compiled

🔹 Payload Generation

  1. Create a listener:

    listen -t ssl -h domain1.com,domain2.com -p 1337 -n test_listener1
    
  2. Generate the agent payload:

    generate agent <listener_name> [flags]
    
    • Replace <listener_name> with the desired listener.
    • Optional flags:
      • --auto-persistence - Enable persistence on start-up.
      • --auto-keylogger - Enable keylogger on start-up.
      • --files - Enable periodic transfer of predefined files.
  3. The payload will be saved to the "agent" folder.

To-Do List

🛠 Planned Improvements

  • Beacon with VM detection
  • Basic task execution (cmd, powershell, sleep, load dll/shellcode, cleanup)
  • Context switching in terminal
  • File download/upload
  • Encrypting shellcode and delay before execution
  • HTTPS listener with profiles
  • (Possibly) DNS comm channel for agent
  • Installation script
  • Encrypted local storage (agent's DB and loot)
  • SOCKS5 proxy on infected machines
  • One-line web delivery
  • VBS macro generation
  • Beacon: rewrite to C and implement staging logic
  • Agent: Buffering, shutdown detection and manual reporting for keylogger
  • Detailed documentation with nice screenshots

License

📜 All Rights Reserved

This project is proprietary and confidential. Unauthorized copying, distribution, modification, or public sharing of this codebase is strictly prohibited.

⚠️ Usage is permitted only for personal learning and experimentation. Redistribution or commercial use is forbidden.

Changelog

📌 Latest Version: v0.4.3 (2025-05-24)

v0.4.3

  • Added size optimization flags to payload generator
  • Fixed preprocessor macros for transport selection
  • HTTPS implants now send all messages via GET and big messages via POST
  • Moved target cookies and headers into domain profiles
  • Added task ID reporting by the client, which helps identify the operator who issued a command. In the next version, task results will be reported selectively to the operator who sent the command

v0.4.2

  • Added HTTPS listener prototype to server

v0.4.1

  • New beacon now supports Windows Schannel TLS only (no WolfSSL)
  • The --devel flag now skips mTLS

v0.4.0

  • Added Windows Schannel TLS transport, no more overhead caused by WolfSSL. However, you can still use WolfSSL.
  • Fixed flags and macros from testing build
  • Prototyped HTTPS listener. Currently working on it.

v0.3.2

  • Fixed injection logic for new beacon
  • Added new beacon to repo

v0.3.1

  • Sysinfo command now follows new task result sending logic.
  • Fixed keylogger and persistence commands by passing a dummy buffer.

v0.3.0

  • Refactored task result sending logic. Now it's cleaner and more flexible.
  • Fixed a proxy bug which prevented it from stopping after a stop command was received.

v0.2.2

  • No hardcoded keys - one-time encryption key generation and transfer to agents. Keys are cleared after use. Makes it harder to catch shellcode.

v0.2.1

  • Added missing header files to get rid of compiler warnings
  • Added compile flags to Makefile

v0.2.0

  • Removed unnecessary WSACleanup, which prevented the agent from reconnecting after the server went offline and back online.
  • Rewrote some blocks to use sync.Map instead of mutex.
  • Added PID and process name retrieving for "ps" command.
  • Added nice output for "ps" command and it is now handled separately, like sysinfo and keylogger.
  • Devel mode: if a message is bigger than 512 chars, the console will print only 512 chars.
  • Laying the foundation for new task-result logic in future:
    • Task handler: now generates task id for every task.
    • Task handler: does not delete task after sending to agent, but just marks it as dispatched.
    • Task handler: operator conn and ID retrieval by task id.

v0.1.0

  • Decided to keep track of changes
  • Added "inject" command to write shellcode into process by PID
  • Added "spawn" command to start new suspended process and write shellcode into it. Optional: specify PPID.
  • Modules are no longer hardcoded, but loaded dynamically from a folder.
  • Shellcode is encrypted before task handler, decrypted right before writing to memory and cleared right after it.
  • TODO:
    • Persistence and staging mechanism for new beacon.
    • Self injection for new beacon