Skip to content

JaamesBond/proteus-c2

Repository files navigation

Adaptive C2 Framework

A research-grade Command & Control framework extending Mythic with two novel capabilities:

  1. Adaptive transport switching — the implant detects hostile network conditions (TLS interception, DoH blocking, port filtering) and autonomously cascades through transport tiers without operator intervention.
  2. AI-assisted recon analysis — a local LLM pipeline (Ollama) ingests Mythic task output (Nmap XML, etc.) and returns MITRE ATT&CK–mapped findings with follow-on recommendations.

Legal notice: This project is intended for authorized penetration testing, red team engagements, academic research, and CTF competitions only. Do not deploy against systems you do not own or have explicit written permission to test. See SECURITY.md for the full responsible-use policy.

For defenders

Every technique in this framework is documented in detail so blue teams can build detection for it:

  • Transport detection: DNS tunneling produces characteristic query volume and label patterns; DoH from a non-browser process on port 443 is anomalous; TLS cert issuer changes mid-session indicate MITM proxy interaction.
  • Evasion detection: AMSI/ETW in-process patching shows up as unexpected memory writes to AmsiScanBuffer / NtTraceEvent entry points; sleep-encrypted memory regions have high entropy during sleep; PEB tampering is detectable via process integrity checks.
  • Behavioral detection: Jittered HTTPS beaconing at a fixed base interval is a reliable C2 indicator; DNS queries with base32-encoded subdomains exceeding normal label length are tunneling candidates.

MITRE ATT&CK coverage is mapped in SECURITY.md.


Architecture

┌─────────────────────────────────────────────────────────┐
│                      Mythic Server                       │
│  ┌─────────────────┐  ┌────────────────┐                │
│  │  Payload Type   │  │   C2 Profile   │                │
│  │  (adaptive)     │  │ (adaptive-     │                │
│  │  builder.py     │  │  profile)      │                │
│  │  agent_funcs/   │  │  server.py     │                │
│  └────────┬────────┘  └───────┬────────┘                │
└───────────┼───────────────────┼─────────────────────────┘
            │ Mythic gRPC       │ relay
            │                   │
┌───────────┼───────────────────┼─────────────────────────┐
│           │     AI Analyzer   │                          │
│  ┌────────▼────────┐  ┌───────▼────────┐                │
│  │  Recon Webhook  │  │  FastAPI Svc   │                │
│  │  (normalizes    │──▶  (Ollama LLM   │                │
│  │   Nmap XML)     │  │   + pgvector)  │                │
│  └─────────────────┘  └────────────────┘                │
└─────────────────────────────────────────────────────────┘
            │ HTTPS (Tier 0)
            │ DNS-DoH (Tier 1)   ← automatic fallback
            │ DNS-Raw (Tier 2)   ← last resort
            │ SMB (Tier 3)       ← lateral movement
            ▼
┌─────────────────────────────────────────────────────────┐
│                   C11 Implant (~45KB)                    │
│                                                          │
│  ┌──────────────────────────────────────────────────┐   │
│  │  Transport vtable   │  Rule engine (<10ms)        │   │
│  │  HTTPS / DoH /      │  fingerprint env →          │   │
│  │  DNS-Raw / SMB /    │  detect TLS interception,   │   │
│  │  WebSocket          │  port blocking, failures    │   │
│  └──────────────────────────────────────────────────┘   │
│  ┌──────────────────────────────────────────────────┐   │
│  │  Evasion layer                                    │   │
│  │  AMSI patch · ETW bypass · sleep encryption       │   │
│  │  process masquerading · anti-debug                │   │
│  └──────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────┘

Transport priority chain

Tier Protocol Trigger to switch down
0 HTTPS TLS interception detected (cert issuer mismatch)
1 DNS over HTTPS (DoH) DoH resolver blocked
2 DNS Raw (UDP 53) N consecutive failures
3 SMB named pipe All IP-layer transports blocked

The rule engine can also upgrade back to HTTPS when a periodic probe succeeds — no manual intervention needed.


Repository Layout

adaptive-c2-framework/
├── mythic-install/              # Drop-in for a Mythic installation
│   ├── Payload_Type/adaptive/   # Payload type container
│   │   ├── agent_code/implant/  # C11 implant source (MinGW cross-compile)
│   │   │   ├── src/
│   │   │   │   ├── transport/   # HTTPS, DoH, DNS-Raw, WebSocket, SMB
│   │   │   │   ├── engine/      # Rule engine (rules.c)
│   │   │   │   ├── fingerprint/ # TLS interception & env detection
│   │   │   │   ├── evasion/     # AMSI, ETW, sleep-crypt, proc masquerade
│   │   │   │   ├── crypto/      # AES, Base32, Base64
│   │   │   │   └── commands/    # shell, ls, upload, download, sleep, persist
│   │   │   └── Makefile
│   │   └── container/           # Mythic Python container (builder + agent funcs)
│   └── C2_Profiles/
│       └── adaptive-profile/    # C2 profile: HTTP relay + DNS listener
├── ai-analyzer/                 # FastAPI + Ollama + pgvector analysis service
├── mythic-containers/
│   ├── recon-webhook/           # Mythic webhook: normalizes Nmap XML → analyzer
│   └── adaptive-profile/       # (dev copy of C2 profile)
├── implant/                     # Standalone implant build sandbox
├── tools/                       # mock_doh_resolver.py, test_doh_chain.py
├── lab/                         # Demo scripts and test scenarios
└── docs/                        # Architecture deep-dives

Features

Implant

  • Adaptive transport vtable — runtime transport switching via C function-pointer table; adding a new transport is a single struct literal.
  • TLS interception detection — compares the server certificate's issuer CN against a compile-time constant; a mismatch triggers a DoH cascade without any server-side signal.
  • DNS-over-HTTPS transport — RFC 8484 wire format, 8-byte per-session ID for reassembly; works through corporate HTTP proxies that allow outbound 443.
  • DNS-Raw transport — base32-encoded data in DNS A/CNAME queries + TXT responses; tested through strict firewalls that only permit port 53.
  • Auto-upgrade probe — every N beacons (configurable), the implant quietly tests if HTTPS is available again and upgrades back without operator input.
  • Jittered beacon — configurable interval + percentage jitter via the sleep command.
  • AMSI bypass — patches AmsiScanBuffer in-process at runtime.
  • ETW bypass — patches NtTraceEvent to silence ETW telemetry.
  • Sleep encryption — XOR-encrypts the implant's heap/stack during sleep intervals to defeat memory scanning.
  • Process masquerading — sets the PEB to present as a benign Windows process.
  • Anti-debug — checks common debugger indicators and can self-terminate.
  • Self-destruct — operator-triggered or automated cleanup on detection signals.
  • Persistence — Run key and scheduled task options via persist command.

Mythic Integration

  • Custom payload type with GUI builder (C2 host, port, beacon interval, UUID injection).
  • Agent functions: shell, ls, download, upload, sleep, exit, persist, transport_switch, transport_status, analyze_recon.
  • C2 profile handles both HTTPS relay (aiohttp) and DNS listener (asyncio UDP) in a single container.

AI Analyzer

  • Local LLM inference via Ollama (no data leaves the operator's machine).
  • Structured JSON output enforced by Pydantic schemas — the LLM cannot return free-form text that breaks downstream parsing.
  • MITRE ATT&CK technique mapping with confidence scores.
  • PostgreSQL + pgvector for RAG (retrieval-augmented generation) over historical findings.
  • Async job queue so analysis doesn't block the beacon loop.

Prerequisites

Component Requirement
Mythic server Mythic 3.x installed and running
Implant build x86_64-w64-mingw32-gcc (MinGW), gcc, make
Python containers Python 3.11+, Docker
AI Analyzer Ollama running locally, PostgreSQL 15+ with pgvector extension
OS Linux build host (tested on Debian/Ubuntu and Raspberry Pi OS)

Quick Start

1. Install Mythic

Follow the official Mythic install guide. Once Mythic is running:

cd ~/Mythic
sudo ./mythic-cli status

2. Register the payload type and C2 profile

# Copy into Mythic's plugin directories
cp -r mythic-install/Payload_Type/adaptive  ~/Mythic/Payload_Type/
cp -r mythic-install/C2_Profiles/adaptive-profile  ~/Mythic/C2_Profiles/

# Start the new containers
sudo ./mythic-cli start adaptive
sudo ./mythic-cli start adaptive-profile

3. Build the implant manually (optional)

Mythic's builder does this automatically when you create a payload in the UI, but you can also build standalone:

cd mythic-install/Payload_Type/adaptive/agent_code/implant

# Windows PE (requires MinGW)
make windows C2_HOST=10.0.0.1 C2_PORT_HTTPS=443

# Linux test binary
make linux C2_HOST=10.0.0.1

# Clean
make clean

Build variables:

Variable Default Description
C2_HOST 192.168.56.30 C2 server IP or hostname
C2_PORT_HTTPS 443 HTTPS transport port
C2_PORT_DNS 53 DNS transport port
BEACON_INTERVAL 10 Beacon interval in seconds
PAYLOAD_UUID placeholder Injected by Mythic builder

4. Start the AI Analyzer (optional)

cd ai-analyzer
cp ../.env.example .env   # edit OLLAMA_HOST and OLLAMA_MODEL
docker compose up -d      # or: pip install -r requirements.txt && uvicorn app.main:app

5. Start the recon webhook

cd mythic-containers/recon-webhook
pip install -r requirements.txt
ANALYZER_URL=http://localhost:8000 python webhook_code/main.py

Configuration

The implant's compile-time configuration lives in include/config.h. Key constants:

#define EXPECTED_CERT_ISSUER    "Mythic C2 CA"   // must match C2 server cert CN
#define BEACON_INTERVAL_SEC     10
#define BEACON_JITTER_PCT       20               // ±20% sleep jitter
#define MAX_FAILURES_BEFORE_SWITCH  3            // failures before transport cascade
#define PROBE_INTERVAL_BEACONS  30               // beacons between HTTPS upgrade probes

The C2 profile config lives in mythic-install/C2_Profiles/adaptive-profile/adaptive_profile/c2_code/config.json:

{
  "instances": [{
    "port": 443,
    "dns_port": 5353,
    "dns_domain": "data.c2.local",
    "use_ssl": true,
    "debug": false
  }]
}

TLS note: The server certificate's CN must match EXPECTED_CERT_ISSUER in the implant. A mismatch causes the rule engine to treat the connection as a MITM proxy and cascade to DNS transports. Generate the cert with -subj '/CN=Mythic C2 CA'.


Supported Commands

Command Description
shell <cmd> Execute a shell command and return output
ls [path] List directory contents
download <path> Exfiltrate a file to Mythic
upload <path> Upload a file from Mythic to the target
sleep <seconds> [jitter%] Change beacon interval at runtime
persist <method> Install persistence (run key, scheduled task)
transport_switch <tier> Force switch to a specific transport tier
transport_status Report current transport and failure counters
analyze_recon Trigger AI analysis of buffered recon output
exit Clean up and terminate the implant

Testing

DoH chain

# Start mock DoH resolver (forwards to real DNS)
python tools/mock_doh_resolver.py --port 8553

# Run the full test suite
python tools/test_doh_chain.py

Implant unit tests

cd implant
python test_implant.py  # tests message serialization and protocol parsing

Transport switching demo

bash lab/scenarios/RUN_DEMO.sh

Development

See docs/architecture.md for a detailed walkthrough of the transport vtable, rule engine, and AI pipeline design decisions.

The implant/ directory is a lighter standalone build sandbox (no evasion modules) for rapid iteration on transport and protocol logic. The full production implant with all evasion features lives in mythic-install/Payload_Type/adaptive/agent_code/implant/.


Contributing

See CONTRIBUTING.md.


License

MIT


Acknowledgements

About

Adaptive Mythic C2 agent with runtime transport switching (HTTPS → DoH → DNS-Raw) and AI-assisted recon analysis

Resources

License

Contributing

Security policy

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors