Making Donuts Explode – Updates to the C3 Framework

output onlinepngtools 1

A new release of C3 has been made available with significant changes that aim to extend the user-base as well as enhance the operational capabilities of the framework. Specifically, the “Exploding Donut” release features integration with the open source Covenant C2 framework (C3 + Covenant = C4). Compressed shellcode generation from the Web UI is also now possible through integration of the Donut project, facilitating weaponisation of delivery mechanisms. Finally, channel development is easier than ever with the addition of the ChannelLinter project.

Covenant Integration

 

Since a large user-base is a key driver to development, extending the number of people using C3 has been one of the main objectives of the project. It was therefore decided that demonstrating the integration of an open source C2 framework would aid in the completion of this objective. The integration served two purposes:

1. Allow operators who do not have access to a COTS product like Cobalt Strike the chance to use C3.

2. Demonstrate to other C2 framework maintainers how they would set about integrating their solution with C3.

A walk-through of how this integration was achieved can be found here: https://github.com/FSecureLABS/C3/blob/master/Res/C2Integration.md

Links:

Donut Integration

 

One of the key issues that the initial release did not solve was payload delivery. F-Secure was aware that there was no option for users to generate Relay shellcode, and that the relays themselves were quite large. The Donut project was identified as being a well-developed and easy to use framework that would meet C3’s needs.

Links:

Efficient Channel Development

 

The ChannelLinter projects serves to enhance the ease of which new C2 channels can be developed and therefore added to C3. As such, red team operators are able to spend less time developing and debugging channels, and more time using them.

Links:

 

Final Notes

 

The Exploding Donut release of C3 can be found on the F-Secure Labs Github page: https://github.com/FSecureLABS/C3/tree/v1.1.0

Users are also encouraged to ask questions and discuss capabilities in the #c3 channel of the bloodhound slack.

Credits

 

@cobbr - for the development of Covenant as well as help integrating C3.

@therealwover, Odzhan (modexp) (https://modexp.wordpress.com/) - for developing and maintaining the donut project.