The Ghost in the Machine: Master Stealth with the Orsted C2 Framework
Orsted C2 is a command and control framework. It consists of many orsted-beacons that communicate with each other and with the main orsted-server. An operator interacts with an orsted-beacon through the orsted-client.
Features
- Automatic sandbox deception by design
If the operator does not interact with the beacon, no malicious DLL/SO is sent to the session. From an automated sandbox's point of view, the orsted-beacon is just a client querying a server.
- Windows Evasion Modules
Multiple ways to evade AMSI and ETW using indirect syscalls.
- Pivoting and native Ligolo-ng support
It is possible to pivot and chain orsted-beacons together regardless of their transport protocol or the OS they are deployed on.
Ligolo-ng is natively supported – see autoroute (ligolo-ng) section.
- Granular inline CLR and in-memory PowerShell execution
Taken from the go-clr package, it is possible to execute .NET assemblies inline in the process.
- Tab completion and help for the orsted-client
orsted-client was built with the grumble Go package. For any command, you can append --help to get help.
Tab completion is enabled.
- Many more features
Architecture
Orsted components are pretty straightforward.
- orsted-server is the central server of the framework
- orsted-db is the database (file) that stores and tracks what is done
- orsted-client is the CLI that allows the operator to interact with the orsted-server
- orsted-beacon is the piece of software delivered to a victim
Here is a small diagram showing the components talking to each other.

Project and Directory structure
- beacon contains the code for the beacon. It is compiled on the fly every time a beacon is generated.
- client contains the code for the orsted-client.
- data is a directory meant to contain data for the client. It contains the clientconf.toml.
- modules contains all the code for the DLLs and SOs to be loaded into the orsted-beacon at runtime.
- profiles should contain the default profile embedded in the server at compile time (future work to be done on this part).
The headersHttp are not used yet. Only endpoints and domain (i.e. the Host header in HTTP, not the actual IP contacted) are parsed currently.
- protobuf is the protocol buffer definition of Orsted C2.
- server is the code of the orsted-server.
- test should contain tests in the future.
- tools contains all your arsenal (referenced in ./data/clientconf.toml).
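The sandbox-deception feature described above means an idle beacon looks like a plain client polling a server, and the HTTP transport note above says only endpoints and the Host header are parsed. On the wire, that leaves the polling cadence as the defender's main observable. The following is an added detection example written for this page; it is not Orsted code and is not from the article's author. It parses a constructed proxy log (timestamp, source IP, method, Host header, path, response size; the hostnames and paths are placeholders) and flags source/host/path groups whose request spacing is near-constant, measured as the coefficient of variation of the gaps between consecutive requests.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not captured from any real system).
# Fields: timestamp, source IP, method, host (HTTP Host header), path, response bytes.
# 10.0.0.5 polls one endpoint every 30 s with no jitter and small replies,
# which is what an idle beacon looks like from the network; the same host
# also browses a news site at irregular intervals.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 GET updates.c2-placeholder.test /api/v1/poll 212
2024-05-01T10:00:07Z 10.0.0.5 GET www.news-placeholder.test /index.html 48211
2024-05-01T10:00:09Z 10.0.0.5 GET www.news-placeholder.test /index.html 48190
2024-05-01T10:00:30Z 10.0.0.5 GET updates.c2-placeholder.test /api/v1/poll 212
2024-05-01T10:01:00Z 10.0.0.5 GET updates.c2-placeholder.test /api/v1/poll 212
2024-05-01T10:01:30Z 10.0.0.5 GET updates.c2-placeholder.test /api/v1/poll 212
2024-05-01T10:01:40Z 10.0.0.5 GET www.news-placeholder.test /index.html 48230
2024-05-01T10:01:41Z 10.0.0.5 GET www.news-placeholder.test /index.html 48230
2024-05-01T10:02:00Z 10.0.0.5 GET updates.c2-placeholder.test /api/v1/poll 212
2024-05-01T10:02:30Z 10.0.0.5 GET updates.c2-placeholder.test /api/v1/poll 212
2024-05-01T10:03:15Z 10.0.0.5 GET www.news-placeholder.test /index.html 48102
2024-05-01T10:03:50Z 10.0.0.5 GET www.news-placeholder.test /index.html 48102
not a log line
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path, size = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "method": method,
        "host": host,
        "path": path,
        "size": int(size),
    }


def find_periodic_pollers(log_text, min_requests=5, max_cv=0.10):
    """Return (src, host, path) groups whose request spacing is suspiciously regular.

    Regularity is the coefficient of variation (stddev / mean) of the gaps
    between consecutive requests; a low CV means near-constant polling.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["src"], rec["host"], rec["path"])].append(rec["ts"])

    findings = []
    for (src, host, path), stamps in groups.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({
                "src": src,
                "host": host,
                "path": path,
                "requests": len(stamps),
                "mean_interval_s": round(mean_gap, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_periodic_pollers(SAMPLE_LOG):
        print(finding)
```

Running the block prints one finding: the 30-second poller at /api/v1/poll, while the irregular browsing of the news host is ignored. Beacons commonly add jitter to their sleep interval, so max_cv is a tunable threshold to be calibrated against a baseline of your own proxy traffic rather than a fixed rule, and the response-size field is kept in the parsed record so a follow-up check for uniformly tiny replies can be layered on.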
Install & Use