Customisation

Grzegorz Rychlik edited this page Jan 18, 2021 · 1 revision

Relays can be customised in a number of different ways. Understanding how to customise a relay prior to its use can help reduce the size of the relay, and allows for more OPSEC-friendly and stable use.

Note:

  • Operators should only perform customisations after having fully compiled C3.
  • It is recommended that any customised relays are kept in a templates directory. Back up the default relay build before using the customised builds.

Choosing Channels

By default all channels are compiled into the relay and gateway executables, DLLs and shellcode when C3 is compiled. Operators may not wish to include channels that are likely to be blocked by an organisation's outbound proxy (such as Slack or Trello).

To pick a specific set of channels for a relay:

  1. With C3 open in Visual Studio, browse to Common->FSecure->C3->Interfaces->Channels
  2. Select the .cpp and .h files for the channel you do not want compiled into the relay.
  3. Right click and then select "Exclude from project".

In the image below, the Slack channel has been excluded in favour of the Outlook365RestTask egress channel.

[Image: excludes]

  4. Select the NodeRelayConsoleExe, NodeRelayDLL and CebuLoader projects, right-click and select "Build selection".
  5. Move the compiled files to the templates directory on the host running C3.

To use the customised relay, back up the original exe or dll, move the customised version into the C3/Bin/ folder, ensure its name matches the original, and then generate the relay as standard. Remember to remove the customised relay and restore the backed-up version when finished.

Customise Injection

By default a Cobalt Strike beacon peripheral is injected into the current relay process using the VirtualAlloc->memcpy->VirtualProtect->CreateThread technique.

Operators can customise memory allocation and how the payload is written to memory in Src/Common/FSecure/WinTools/InjectionBuffer.cpp and InjectionBuffer.h.

To alter the execution technique (e.g. if the operator wants to use an alternative to CreateThread), the change must be made in Src/Common/FSecure/C3/Interfaces/Peripherals/Beacon.cpp.

Customise Behaviour

Operators may wish to alter the behaviour of relays. For example, mutexes may need to be added to relays intended for persistence, to avoid unnecessary duplicate executions. Anti-sandbox and AV evasion measures may be needed to prevent detection.

The following list describes which file to alter, depending on the type of relay being used:

  • Shellcode - CebuLoader/CebuLoaderMain.cpp - function ExecResource
  • DLL - NodeRelayDLL/NodeRelayDLL.cpp - function StartNodeRelay
  • Exe - NodeRelayConsoleExe/NodeRelayConsoleExe.cpp - function main