RT-3021 Alternative C2 Frameworks Part 1 - Apfell

Presented at Texas Cyber Summit 2019, Oct. 11, 2019, 1 p.m. (120 minutes)

In the age of EDR products, Red Teamer's need to be able to customize everything on the fly - stock Command and Control (C2) frameworks and agents quickly become insufficient. Why stop at simple obfuscation or name changes for customization though? Red Teamer's can leverage operational data to track artifacts created on target, create callback hierarchies, and even map operations to MITRE ATT&CK. In this workshop, we'll present two C2 frameworks designed with customization and collaboration in mind - Apfell and Covenant. Students will navigate a series of labs to illustrate the advantages and use cases for when to use Apfell and Covenant over other frameworks while in a simulated Active Directory enterprise environment. They should expect to be able to install, customize, and leverage these frameworks within operational environments when they get back to the office. Workshop Outline (outline of teaching topics) * Intro to Apfell * Overview of lab scenario * Discuss install (but don't do it live) * Walk-through the lab, highlighting the following: * changing/tracking command modifications on the fly * Customized c2 traffic * Using modules (how it integrates with other tools people might use for macos/*nix, loading in safety checks/AD queries) * How to add a new command * How to add a new payload type/c2 profile * Reporting (artifacts and otherwise)


  • Cody Thomas - SpecterOps
    Cody Thomas is a red team operator and developer focusing on macOS and *nix devices. He created the initial Mac and Linux ATT&CK matrices while he was working on the Adversary Emulation team at MITRE. Cody has spoken at a few conferences and works on his open source framework for macOS Red Teaming called Apfell. He maintains his blog at its-a-feature.github.io.
  • Ryan Cobb - SpecterOps
    Ryan Cobb is an operator and red teamer at SpecterOps, who specializes in building offensive security toolsets. Ryan has contributed to several open source security projects, such as Empire and Invoke- Obfuscation, and is the author of PSAmsi, SharpSploit, and Covenant. Ryan has presented at several security conferences, including: DerbyCon, BSides Austin, and BSides DFW. Ryan maintains a blog at cobbr.io where he shares research and development projects.


Similar Presentations: