T1094: Custom Command & Control Protocol
Overview
Custom command and control (C2) protocols are used by adversaries to communicate with malware or trojans and to exfiltrate data. These channels either mimic well-known protocols (e.g. HTTP, DNS) or follow entirely custom protocols.
In this lab, the Merlin server and agent are installed on two separate machines. You are given access to the machine on which the Merlin server is installed. The Merlin agent running on the other machine periodically tries to connect to the Merlin server on port 443 over HTTPS.
Objective: Start the Merlin server on the eth1 interface. Once the Merlin agent connects back, retrieve the flag kept in the root directory of the other machine.
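As an added defender-side example (not part of the lab or of Merlin's code): the agent's periodic reconnects to tcp/443 described above are the pattern that beacon analysis over connection logs surfaces. The log format, addresses and interval below are constructed for the example.

```python
"""Beacon detection over constructed connection logs (added example, not
from Merlin or the lab). The lab's agent reconnects to tcp/443 at a regular
interval; regular, frequent host-pair connections stand out in flow logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection summary lines: "<ISO timestamp> <src> <dst> <dport>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 10.0.0.20 443
2024-01-01T10:00:05 10.0.0.7 198.51.100.10 443
2024-01-01T10:00:30 10.0.0.5 10.0.0.20 443
2024-01-01T10:01:00 10.0.0.5 10.0.0.20 443
2024-01-01T10:01:31 10.0.0.5 10.0.0.20 443
2024-01-01T10:02:00 10.0.0.5 10.0.0.20 443
2024-01-01T10:02:17 10.0.0.7 198.51.100.10 443
2024-01-01T10:02:29 10.0.0.5 10.0.0.20 443
2024-01-01T10:03:00 10.0.0.5 10.0.0.20 443
2024-01-01T10:03:30 10.0.0.5 10.0.0.20 443
2024-01-01T10:04:55 10.0.0.7 198.51.100.10 443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_conns=6, max_cv=0.15):
    """Flag flows with at least min_conns connections whose gaps have a
    coefficient of variation (stdev/mean) of at most max_cv, i.e. low jitter."""
    hits = {}
    for key, times in flows.items():
        if len(times) < min_conns:
            continue          # too few connections to judge regularity
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits[key] = {"count": len(times), "interval_s": round(avg, 1),
                         "cv": round(cv, 3)}
    return hits

if __name__ == "__main__":
    for flow, stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(flow, stats)
```

Real agents add jitter and sleep longer between check-ins, so in practice the thresholds are tuned per environment and combined with other signals (destination reputation, TLS fingerprint, bytes transferred).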
Guidelines:
The Merlin server can be invoked using the 'merlinServer' command.
Merlin agent payloads of different types can be inspected in the /root/data directory.
Reference:
Custom Command & Control Protocol (https://attack.mitre.org/techniques/T1094/)
Merlin HTTP/2 C&C (https://github.com/Ne0nd0g/merlin)
Solution
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1577.pdf