DeimosC2 is presented as an open-source post-exploitation C2 framework that attackers may consider alongside Cobalt Strike, with details on how it operates, how its traffic and binaries can be identified, and defensive recommendations. The report covers DeimosC2's architecture, network traffic (HTTPS, TCP, and DoH), agent encryption, modules, and historical IOCs to help SOCs defend networks.
Key points
- DeimosC2 is an open-source C2 framework released in June 2020 that supports multi-platform agents (Windows, Linux, macOS, Android) compiled from Go.
- Attacker use of DeimosC2 is discussed as part of a broader trend toward alternatives to Cobalt Strike, with defenders urged to study these tools in advance as more may enter criminal use.
- The framework offers multiple listeners (HTTPS, TCP, DoH) and can generate, obfuscate, and download post-exploitation binaries via a GUI interface.
- Agent traffic can be encrypted with RSA/AES, and initial data sent includes system info, including OS, antivirus, host, user, and internal IP.
- Commands and modules enable a range of post-exploitation actions (shell, download/upload, screen capture, credential dumping modules, etc.).
- DoH usage and DNS-based C2 traffic are highlighted as stealthy options, with DoH leveraging dns.google, and HTTPS/TCP traffic patterns described for detection.
- Defensive recommendations include Snort rules for heartbeat traffic, blocking or logging DoH to Google, and monitoring outbound communications for anomalies.
MITRE Techniques
- [T1071.001] Web Protocols – DeimosC2 uses HTTPS for C2 communications; ‘The listener is configured by entering the data required for mandatory and certain optional settings. Settings such as domain names and IP addresses are required by the user’ and ‘The first message sent to the C&C listener includes information about the infected machine in JSON format’
- [T1071.004] DNS – DoH listener uses DNS queries to communicate with the C&C server; ‘The DoH listener uses DNS queries to communicate with the C&C server’
- [T1027] Obfuscated/Compressed Files and Information – DeimosC2 samples are obfuscated with gobfuscate; ‘most DeimosC2 samples are obfuscated with gobfuscate’
- [T1055] Process Injection – Modules can be executed in memory via code injection; ‘execute them from either disk or memory (using code injection)’
- [T1113] Screen Capture – Module screengrab takes a screenshot on an infected machine; ‘Takes a screenshot on an infected machine’
- [T1082] System Information Discovery – The first data sent includes OS, antivirus, host name, logged user, internal IP address; ‘The data sent includes information about the operating system, installed antivirus products, the host name, the logged username, the internal IP address’
- [T1003] OS Credential Dumping – Credential dumping modules like lsadump, ntdsdump, samdump, shadowdump; ‘Downloads SECURITY, SYSTEM, and SAM registry hives for credentials stealing’
- [T1105] Ingress Tool Transfer – Binaries for DeimosC2 are created and downloaded via the interface; ‘the binaries will be created… Then downloaded via the interface’
- [T1090] Proxy – Pivoting capability with pivotTCP to allow other agents to use the infected host as a listener; ‘Starts a TCP server in the infected machine so it can be used as a listener by other agents’
Indicators of Compromise
- [IP Address] Historical DeimosC2 servers – 3.133.59.113 (03/05/2022 to 04/09/2022) and 3.17.189.71 (20/08/2021); and 18+ additional IPs listed in the table
- [Domain] DoH/C2-related domains – dns.google (used for DoH queries) and trendmicro.com (example subdomain in queries)
- [URL] DoH query example – https://dns.google.com/resolve?name=0000000000.6765746e616d65.ftr.trendmicro.com
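As an added defender-side illustration for the DoH detection recommendation and the sample query above (not code from the report or the DeimosC2 project), this Python script scans constructed proxy log lines for DoH `/resolve` requests to dns.google and decodes hex-encoded DNS labels. The log format is assumed, and the idea that a hex label carries a command name is an inference from the single sample query, where `6765746e616d65` decodes to `getname`.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines (timestamp, client IP, method, URL); not taken from the report.
SAMPLE_LOG = """\
2022-04-01T10:00:01Z 10.0.0.5 GET https://dns.google.com/resolve?name=0000000000.6765746e616d65.ftr.trendmicro.com
2022-04-01T10:00:02Z 10.0.0.7 GET https://dns.google/resolve?name=www.example.com&type=A
2022-04-01T10:00:03Z 10.0.0.9 GET https://example.org/index.html
"""

DOH_HOSTS = {"dns.google", "dns.google.com"}   # Google's DoH endpoint used by the DoH listener
HEX_LABEL = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


def decode_hex_labels(name):
    """Return (label, text) for every DNS label that is even-length hex and decodes to printable ASCII.
    Assumption: as in the sample query, the agent hex-encodes a command name into one label."""
    found = []
    for label in name.split("."):
        if len(label) >= 4 and len(label) % 2 == 0 and HEX_LABEL.match(label):
            try:
                text = bytes.fromhex(label).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if text.isprintable():   # drops the all-zero counter label, keeps readable names
                found.append((label, text))
    return found


def check_line(line):
    """Return a finding dict for a DoH /resolve request, or None for any other request."""
    fields = line.split()
    if len(fields) < 4:
        return None
    url = urlparse(fields[3])
    if url.hostname not in DOH_HOSTS or url.path != "/resolve":
        return None
    name = parse_qs(url.query).get("name", [""])[0]
    decoded = decode_hex_labels(name)
    return {"client": fields[1], "name": name, "decoded": decoded, "suspicious": bool(decoded)}


def scan_log(text):
    """Run check_line over every line; keep only DoH resolve requests (flagged or merely logged)."""
    return [f for f in (check_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(("ALERT " if f["suspicious"] else "log   ") + f"{f['client']} -> {f['name']} {f['decoded']}")
```

Plain DoH lookups to dns.google are still returned (with `suspicious` False) so that DoH use can be logged even when no encoded label is present, as the report recommends.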