The Ghost in the Machine: Master Stealth with the Orsted C2 Framework

Orsted C2 is a command and control framework. It consists of many orsted-beacons that communicate with each other and with the main orsted-server. An operator interacts with an orsted-beacon through the orsted-client.

Features

  • Automatic sandbox deception by design

If the operator does not interact with the beacon, no malicious DLL/SO is ever sent to the session. From an automated sandbox's point of view, the orsted-beacon is just a client polling a server.
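The flip side of that design is what a defender has to work with: an idle beacon carries no payload to inspect, so the observable is the polling itself. The following is an added example (not code from the Orsted project) that flags request streams whose inter-arrival times are nearly constant in an HTTP proxy log. The log lines, hostnames and addresses are constructed for the demo, and the field layout of the log is an assumption.

```python
"""Flag periodic polling ("beaconing") in HTTP proxy logs.

Added example, not part of the Orsted project. An idle beacon that only
polls its server with no payload in flight looks like an ordinary client,
so this check keys on the regularity of the polling interval rather than
on the content of any request. Log lines, hosts and addresses are
constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line (assumed layout):
# "<ISO timestamp> <src_ip> <host> <method> <path>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn.example.net GET /api/check
2024-05-01T10:00:07 10.0.0.7 news.example.org GET /index.html
2024-05-01T10:01:00 10.0.0.5 cdn.example.net GET /api/check
2024-05-01T10:01:43 10.0.0.7 news.example.org GET /sports.html
2024-05-01T10:02:00 10.0.0.5 cdn.example.net GET /api/check
2024-05-01T10:03:01 10.0.0.5 cdn.example.net GET /api/check
2024-05-01T10:09:12 10.0.0.7 news.example.org GET /weather.html
2024-05-01T10:04:00 10.0.0.5 cdn.example.net GET /api/check
2024-05-01T10:05:00 10.0.0.5 cdn.example.net GET /api/check
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, host, path) tuples.

    Malformed lines are skipped rather than aborting the run.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts_text, src, host, _method, path = parts
        try:
            ts = datetime.fromisoformat(ts_text)
        except ValueError:
            continue
        records.append((ts, src, host, path))
    return records


def find_beacons(records, min_hits=5, max_cv=0.15):
    """Return (src_ip, host, mean_interval_s, cv) for request streams whose
    inter-arrival times are nearly constant.

    cv is the coefficient of variation (stddev / mean) of the intervals;
    a low cv means the client talks to the host on a fixed schedule.
    Streams with fewer than min_hits requests are ignored as too short
    to judge.
    """
    by_pair = defaultdict(list)
    for ts, src, host, _path in records:
        by_pair[(src, host)].append(ts)

    flagged = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # log order is not guaranteed to be chronological
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # burst of identical timestamps, not a schedule
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            flagged.append((src, host, round(avg, 1), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    for src, host, avg, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {host}: every {avg}s (cv={cv})")
```

In the constructed log, 10.0.0.5 polls cdn.example.net roughly every 60 seconds and is flagged, while 10.0.0.7's browsing is irregular and too sparse. C2 profiles commonly randomise the sleep interval, so in production the `max_cv` threshold needs tuning against your own baseline, and the interval check is best paired with response-size data: an idle beacon receives very little back.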

  • Windows Evasion Modules

Multiple ways to evade AMSI and ETW using indirect syscalls.

  • Pivot and native Ligolo-ng support

It is possible to pivot and chain orsted-beacons together regardless of their transport protocol or the OS they are deployed on.

Ligolo-ng is natively supported – see the autoroute (ligolo-ng) section.

  • Granular inline CLR and in-memory PowerShell execution

Taken from the go-clr package, it is possible to execute .NET assemblies inline within the beacon process.

  • Tab completion and help for the orsted-client

orsted-client was built with the grumble Go package. For any command, append --help to get usage information.

Tab completion is enabled for commands and arguments.

  • And much more

Architecture

Orsted's components are straightforward.

  • orsted-server is the central server of the Framework
  • orsted-db is the database (a file) that stores and tracks what has been done
  • orsted-client is the CLI that allows the operator to interact with the orsted-server
  • orsted-beacon is the piece of software delivered to a victim

Here is a small diagram showcasing the components talking with each other.

[Diagram not reproduced: Orsted components communicating with each other]

Project and Directory structure

  • beacon contains the code for the beacon. It is compiled on the fly every time a beacon is generated.
  • client contains the code for the orsted-client.
  • data is a directory meant to hold data for the client. It contains clientconf.toml.
  • modules contains all the code for the DLLs and SOs loaded into the orsted-beacon at runtime.
  • profiles should contain the default profile embedded in the server at compile time (future work remains on this part). The headersHttp entries are not used yet; only endpoints and domain (the HTTP Host header, not the actual IP contacted) are parsed currently.
  • protobuf is the protocol buffer definition of Orsted C2.
  • server is the code of the orsted-server.
  • test should contain tests in the future.
  • tools contains all your arsenal (referenced in ./data/clientconf.toml).

Install & Use
