PrimusC2

PrimusC2

Primusinterp's Github logo

PrimusC2 Github link


For educational use only

A C2 framework built for my bachelors thesis at KEA - Københavns Erhvervsakademi - WORK IN PROGRESS - expect bugs and missing features

I work on this project in my spare time when i am not working or doing other security stuff, i am by no means a skilled coding genius, but i love to learn and improve :) If you have any suggestions for me or feedback i would love to hear it, you can reach me on my socials.

If interested you can download my bachelor thesis here - keep in mind that a lot has changed for the framework since its publication, so some aspects may not apply any more.

Installation

The easy way

Docker shenanigans

Clone and cd into the PrimusC2 folder

1
2
3
git clone https://github.com/Primusinterp/PrimusC2.git

cd PrimusC2

build all the things!

1
sudo docker build -t primusc2 .   

Run all the things!

1
sudo docker run --network=host -v $(pwd)/C2/Generated_Implants:/app/C2/Generated_Implants/ -it primusc2

The hard way

To get the dependencies installed and the server ready to go, it’s needed to run the setup script and a few manual commands.

git clone PrimusC2

1
git clone https://github.com/Primusinterp/PrimusC2.git

cd into PrimusC2 and chmod the bash script

1
sudo chmod +x setup.sh

run the setup script with source

1
source setup.sh

Install nim (use your preferred method) -I recommend choosenim

Install nim packages:

1
2
3
4
5
6
nimble install -y winim 
nimble install -y shlex 
nimble install -y terminaltables
nimble install -y RC4
nimble install -y puppy
nimble install -y byteutils

Run the server from the C2 folder:

1
sudo -E python3 server.py

Features

  • Python C2 server
  • Nim Implant
  • Bypass AMSI
  • Directory Operations
  • Download functionality
  • Execute .NET assembly - Risky
  • Powershell in unmanaged runspace
  • GetAV - current anti-virus products installed
  • Powershell download cradle
  • Dynamic implant generation
  • .exe, .bin & .dll payload formats.
  • Automated Redirector setup via Digital Ocean VPS(Smart-Pipe & Dump-Pipe)
  • Web Interface
  • steal_token

Usage

The following functionality is implemented in PrimusC2’s current state:

Beware that some features are only supported with the HTTP implant

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
    ------------------------------------------------------------------------------------------------------
    Menu Commands
    ------------------------------------------------------------------------------------------------------
    help <command>              --> Get help for a specific command
    listener -g <TYPE>          --> Generate a HTTP or TCP listener
    nimplant -g <TYPE>          --> Generate a compiled exe payload written in nim with advanced capabilities for windows for either TCP or HTTP
    callbacks                   --> List callbacks
    use <callback ID> [use 0]   --> Enter a callback session
    pwsh_cradle                 --> Generate a pwsh cradle for a payload on the payloads server
    kill <sessions_val>         --> Terminate active callback
    payloads                    --> List payloads available on for either transfer or execution
    exit                        --> exit from the server

    Implant Commands
    ------------------------------------------------------------------------------------------------------
    help <command>              --> Get help for a specific command
    background                  --> Backgrounds current sessions
    exit                        --> Terminate current session
    GetAV                       --> Get the current AV running
    pwsh <COMMAND>              --> Load CLR and run powershell in unmanaged runspace 
    execute-ASM <file> <args>   --> Execute .NET assembly from memory   
    ls                          --> List files in current directory
    cd <dir>                    --> Change current working directory
    pwd                         --> Print current working directory
    payloads                    --> List payloads available on for either transfer or execution
    shell <COMMAND>             --> Run Windows CMD commands on target
    sleep <milliseconds>        --> Adjust callback time [Default 5000] - HTTP only
    persist <k_name> <payload>  --> Deploy registry persistance to run a payload on startup(OPSEC: RISKY) - HTTP only
    download <file>             --> Download file from target(dont use "" around file name or path) - HTTP only
    steal_token <PID>           --> Steal token from a process
    rev2self                    --> Revert impersonation to original context
    tShell                      --> run CMD.exe commands in the context of the stolen token
    whoami                      --> Get the current user context

Roadmap

  • Execute-Assembly
  • Encryption of data streams
  • Implementation of smart pipe redirectors with automation
  • Download functionality for the implant
  • Upload functionality for the implant
  • Directory operations
  • HTTP C2 channel
  • Improve OPSEC
  • Rework backend to accommodate a database for persistent storage
  • Evasion techniques
  • Custom Term Rewriting Macro
  • Refactor entire code base into multiple files and maybe classes

Documentation

The following section documents the usage of PrimusC2 in more detail. If you have any questions or doubts please reach out.

Listeners

Please be sure that all prerequisites have been met before trying to use a HTTPS redirector.

CLI

To generate a listener through the CLI, the following commands can be utilized:

1
listener -g HTTP

For the HTTP listener, two options will be available:

  • Interface
    • Enter port to listen on
    • The server will automatically fetch available interfaces and ask you to choose one.
  • Listener with HTTPS redirector

Web Interface - Listeners

  • Go to http://localhost:5000/listener and click through the options and select the desired listener.

Implants

2 types of implants exist in the current version of PrimusC2, HTTP and HTTPS. The first one is the most common and is easily generated using the command:

nimplant -g <TYPE>

Example:

1
2
3
4
5
6
7
8
Enter command#>nimplant -g HTTP
[*] Use listener address or specify other IP for implant to connect to: 
[*] 1. Listener address
[*] 2. Other IP
[*] 3. Redirector
[#] Enter 1, 2 or 3: 1
[*] Compiling executable wicker-opportunity.exe... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:16
[+] wicker-opportunity.exe saved to /home/primus/dev_env/PrimusC2_Latest/PrimusC2/C2/Generated_Implants/wicker-opportunity.exe

Web Interface - Implant

  • Go to http://localhost:5000/listener and click on compile implant after creating a listener.

Redirectors

HTTPS Smart pipe redirector

Prerequisites

The following prerequisites needs to be met in order to successfully deploy a HTTPS redirector using a domain.

  • DigitalOcean account + API key.
  • Cloudflare account + API TOKEN with Zone.DNS permissions.
  • Own a Domain name.
  • Add domain(s) as a site on cloudflare and add the custom nameservers to the domain registrar.

In order to deploy the redirector for the first time. It’s needed to modify PrimusC2/Terraform_HTTP/config_templates/variable.tf and insert the API keys from Digital Ocean and Cloudflare.

API Keys

When generating a listener it is now possible to provision a redirector that uses HTTPS and your domain name as the callback address. The server will ask for your domain name when choosing the redirector and here you will input the domain in the following format: subdomain.domain.com - eg: cheese.mycooldomain.com

Example

1
2
3
4
5
6
7
8
9
10
11
12
╔═╗┬─┐┬┌┬┐┬ ┬┌─┐  ╔═╗2
╠═╝├┬┘│││││ │└─┐  ║  By Oliver Albertsen
╩  ┴└─┴┴ ┴└─┘└─┘  ╚═╝
[*] Internal PrimusC2 webinterface started on http://127.0.0.1:5000
[+] AuthKey for this session is nJv8Xtsmup1RY2ChMA
Enter command#>listener -g HTTP
[*] 1. Interface
[*] 2. Listener with HTTPS redirector
 
[*] Choose an option: 2
[+] Keypair already present...
Enter the domain name for the redirector and implant: foo.gooddomain.com

Press enter and then wait :)

Advanced commands

execute-ASM

The execute-ASM commands provides the operator with the ability to execute .NET assemblies from memory remotely, without the need to drop anything to disk. The implementation handles the conversion to a byte array automatically.

1
execute-ASM <file> <args>

Example:

1
execute-ASM Rubeus.exe --help

In order to execute a .NET assembly through PrimusC2, place the .NET assembly in the generated PrimusC2/C2/Payloads directory. This can either be done manually with the CLI, file browser or through the web interface at http://localhost:5000/payloads.

When placing a payload in the PrimusC2/C2/Payloads directory and running the payloads command, it will automatically add the payload name to the autocomplete list.

This post is licensed under CC BY 4.0 by the author.