Since C2 profiles can vary pretty wildly, it's not always easy to know what potential indicators of compromise exist for any given c2, especially when you consider how it's modified for a very specific agent. The thing that would know best what kinds of IOCs exist for a given agent configuration for a C2 profile would be the C2 profile itse.f
Where is it?
The dropdown actions button for any payload will have an option to generate IOCs from the corresponding built-in C2 profiles.
What does it look like?
asyncdefget_ioc(self,inputMsg: C2GetIOCMessage) -> C2GetIOCMessageResponse:"""Generate IOCs for the network traffic associated with the specified c2 configuration :param inputMsg: Payload's C2 Profile configuration :return: C2GetIOCMessageResponse detailing some IOCs """ response =C2GetIOCMessageResponse(Success=True) response.IOCs = []return response
packagec2structs// C2_GET_IOC STRUCTS// C2GetIOCMessage given the following C2 configuration, determine the IOCs that a defender should look fortypeC2GetIOCMessagestruct {C2Parameters}// IOC identify the type of ioc with Type and the actual IOC value// An example could be a Type of URL with the actual IOC value being the configured callback URL with URI parameterstypeIOCstruct { Type string`json:"type" mapstructure:"type"` IOC string`json:"ioc" mapstructure:"ioc"`}// C2GetIOCMessageResponse the resulting set of IOCs that a defender should look out for based on the// C2GetIOCMessage configurationtypeC2GetIOCMessageResponsestruct { Success bool`json:"success"` Error string`json:"error"` IOCs []IOC`json:"iocs"`}
