Agent Side Coding

This section covers the components involved in creating messages from the agent to a C2 docker container and how those messages can be structured within a C2 profile. Specifically, this goes into the following components:

Another major component of the agent side coding is the actual C2 communications piece within your agent. This piece is how your agent actually implements the C2 components to do its magic.

Every C2 profile has zero or more C2 Parameters that go with it. These describe things like callback intervals, API keys to use, how to format web requests, encryption keys, etc. These parameters are specific to that C2 profile, so any agent that "speaks" that C2 profile's language will leverage these parameters. If you look at the parameters in the UI, you'll see three pieces:

  • Name - This is what's presented to the User when creating the payload

  • Key - This is the value within the agent's code that gets swapped out for what the user types. When creating the payload, Apfell loops through the C2 profile code and, for each line, looks for all of the keys associated with this C2 profile's parameters. So, if there's a key, AESPSK, that is supposed to be replaced by the initial AES pre-shared key, then every instance of AESPSK within the agent's C2 profile code will get replaced.

  • User Hint - This is the initial value pre-populated for the user as an example of what to type. This is useful if you have a specific format for how the information should be presented. For example, the default C2 profile has a parameter for the callback host where the hint is http(s)://domain.com, indicating that the user needs to specify not just the domain to call back to, but also the protocol type (http or https).
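
The key substitution described above, sketched as an added example (not Apfell's own code; the function names, the sample agent lines, and every key other than AESPSK are constructed for illustration). Because every instance of a key is replaced, it also checks for a key that appears inside a longer identifier or inside another key.

```python
import re

# Constructed sample of agent C2 profile code; not taken from any real agent.
SAMPLE_TEMPLATE = """\
var psk = "AESPSK";
var AESPSK_length = 32;  // identifier that happens to contain a key
var host = "callback_host";
"""

# Constructed parameter values; "callback_host" is a hypothetical key name.
SAMPLE_PARAMS = {"AESPSK": "SAMPLEKEY123", "callback_host": "https://domain.com"}


def stamp_parameters(template: str, params: dict) -> str:
    """Replace every instance of each key, line by line, as the page describes."""
    built = []
    for line in template.splitlines():
        for key, value in params.items():
            line = line.replace(key, value)
        built.append(line)
    return "\n".join(built)


def unintended_hits(template: str, key: str) -> list:
    """Identifiers that merely contain the key and would be rewritten too."""
    pattern = re.compile(r"\w*" + re.escape(key) + r"\w*")
    return [m.group(0) for m in pattern.finditer(template) if m.group(0) != key]


def overlapping_keys(keys) -> list:
    """(short, long) pairs where one key is a substring of another key."""
    ordered = sorted(keys, key=len)
    return [(a, b) for i, a in enumerate(ordered) for b in ordered[i + 1:] if a in b]


if __name__ == "__main__":
    print(stamp_parameters(SAMPLE_TEMPLATE, SAMPLE_PARAMS))
    for key in SAMPLE_PARAMS:
        for hit in unintended_hits(SAMPLE_TEMPLATE, key):
            print(f"warning: {key} also matches inside {hit}")
    # "AESPSK_IV" is a hypothetical second key used to show a key-name clash.
    print(overlapping_keys(["AESPSK", "AESPSK_IV", "callback_host"]))
```

Choosing keys that cannot occur as part of any other identifier or key in the agent code avoids both problems.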
