Covering arbitrary commands through legitimate traffic is a must for every red team engagement. The majority of the command and control tools are implementing a stealthy technique that it will allow red teams to hide their activities as data exfiltration is part of the goals.

David Kennedy developed a command and control tool called TrevorC2 that can be used to execute commands via legitimate HTTP traffic. The URL attribute on the needs to be modified to a website of choice.

TrevorC2 - Server Configuration

TrevorC2 – Server Configuration

The implant ( or trevorc2_client.ps1) has a SITE_URL attribute. This needs to be changed with the IP address of the command and control server. When the command and control server file will run it will start to clone the website.

TrevorC2 - Server

TrevorC2 – Server

There are two implants to be used one based in python and one in PowerShell. From the moment that the implant will be executed a connection will be established with the command and control server.

TrevorC2 - PowerShell Implant

TrevorC2 – PowerShell Implant

Commands can be sent from the server to  the clients:

TrevorC2 - Commands

TrevorC2 – Commands

The commands will be sent encrypted via HTTP/S protocol. TrevorC2 is using AES encryption with the following cipher. Encrypted commands will be inserted into the fake website inside the oldcss parameter:

TrevorC2 - Encryption Key and Data Location

TrevorC2 – Encryption Key and Data Location

The fake website will be hosted into the same system as the command and control server and it will look exactly as the original.

TrevorC2 - Cloned Website

TrevorC2 – Cloned Website

However examining the source code the oldcss parameter will contain the encrypted command.

TrevorC2 - Encrypted Command

TrevorC2 – Encrypted Command

By doing traffic inspection it is visible that the executed commands are covered through legitimate HTTP traffic.

TrevorC2 - WireShark Traffic

TrevorC2 – Wireshark Traffic