C2-JARM

A list of JARM hashes for different SSL implementations used by some C2 tools. Also adding other useful red team tools that use SSL (e.g., EvilGinx2). Though I work on the red team side, I thought this would be a good thing to gather, both to help blue teams who have the appropriate visibility with additional indicators for identifying C2 activity and to help other red teamers understand another method that can be used to detect their C2, depending on how it is set up.

For more info on JARM hashing, check out the work by the Salesforce security team in their JARM GitHub repository: https://github.com/salesforce/jarm

This is a neat way to fingerprint SSL servers by their software implementation. This alone would not be sufficient to detect C2 in a high-fidelity manner, but JARM hashes coupled with other high-value indicators would certainly be of value. This also highlights the need for red teams to ensure their C2 infra is not exposed for public access.

I plan to add more to this list over time. Feel free to contribute!!

| C2/RED TEAM TOOL | SSL IMPLEMENTATION TESTED | JARM HASH | LINK TO TOOL |
| --- | --- | --- | --- |
| Mythic | python 3 w/aiohttp 3 | 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb | https://github.com/its-a-feature/Mythic |
| Metasploit ssl listener | ruby 2.7.0p0 | 07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d | https://github.com/rapid7/metasploit-framework |
| Metasploit ssl listener | ruby | 07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823 | https://github.com/rapid7/metasploit-framework |
| Cobalt Strike | Java 11 | 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 | https://www.cobaltstrike.com/ |
| Merlin | go 1.15.2 linux/amd64 | 29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38 | https://github.com/Ne0nd0g/merlin |
| Deimos | go 1.15.2 linux/amd64 with github.com/gorilla/websocket package | 00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64 | https://github.com/DeimosC2/DeimosC2 |
| MacC2 | python 3.8.6 w/aiohttp 3 | 2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261 | https://github.com/cedowens/MacC2 |
| MacC2 | python 3.8.2 w/aiohttp 3 | 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb | https://github.com/cedowens/MacC2 |
| MacShellSwift | python 3.8.6 socket | 2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46 | https://github.com/cedowens/MacShellSwift |
| MacShell | python 3.8.6 socket | 2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46 | https://github.com/cedowens/MacShellSwift |
| Sliver | go 1.15.2 linux/amd64 | 2ad2ad0002ad2ad00041d2ad2ad41da5207249a18099be84ef3c8811adc883 | https://github.com/BishopFox/sliver |
| EvilGinx2 | go 1.10.4 linux/amd64 | 20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6 | https://github.com/kgretzky/evilginx2 |
| Shad0w | python 3.8 flask | 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb | https://github.com/bats3c/shad0w |
| Get2 | N/A | 07d19d12d21d21d07c07d19d07d21da5a8ab90bcc6bf8bbc6fbec4bcaa8219 | |
| GRAT2 C2 | python3 http.server | 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb | https://github.com/r3nhat/GRAT2 |
| Covenant | ASP.net core | 21d14d00000000021c21d14d21d21d1ee8ae98bf3ef941e91529a93ac62b8b | https://github.com/cobbr/Covenant |
| SILENTTRINITY | ironpython | 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb | https://github.com/byt3bl33d3r/SILENTTRINITY |
| PoshC2 | python3 http.server | 2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261 | https://github.com/nettitude/PoshC2 |
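
The note above that a JARM match alone is not high fidelity can be seen in the list itself: several tools share one hash because they share a TLS stack. The following is an added example, not part of the original repository, showing one way a blue team could treat a match as enrichment unless another indicator is present. The `other_indicators` count, the verdict names and the sample observations are assumptions made for illustration; the hashes are copied from this page.

```python
import re
from collections import defaultdict

# A few rows copied from the table on this page: (tool, JARM hash).
PY = "2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb"
CS = "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1"
ROWS = [("Mythic", PY), ("Shad0w", PY), ("GRAT2 C2", PY), ("Cobalt Strike", CS)]

def parse_jarm(value):
    """Validate a JARM hash and split it into its two documented parts."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{62}", value):
        raise ValueError("not a 62-character JARM hash")
    # First 30 chars: cipher + TLS version chosen for each of the 10 probes;
    # "000" means the server gave no usable answer to that probe.
    probes = [value[i:i + 3] for i in range(0, 30, 3)]
    # Last 32 chars: truncated SHA-256 over the extensions the server returned.
    return {"jarm": value, "probes": probes,
            "unanswered": probes.count("000"), "ext_hash": value[30:]}

def build_index(rows):
    """Map each hash to every tool listed with it, so shared hashes stay visible."""
    index = defaultdict(set)
    for tool, jarm in rows:
        index[jarm].add(tool)
    return index

def triage(observations, index):
    """Return {host: (verdict, tools)}; verdict names are this example's own."""
    results = {}
    for host, jarm, other_indicators in observations:
        try:
            parsed = parse_jarm(jarm)
        except ValueError:
            results[host] = ("invalid", [])
            continue
        tools = sorted(index.get(parsed["jarm"], ()))
        if parsed["unanswered"] == 10:
            verdict = "no-tls"          # every probe failed, nothing to match
        elif not tools:
            verdict = "no-match"
        elif other_indicators > 0:
            verdict = "investigate"     # JARM plus independent evidence
        else:
            verdict = "context-only"    # JARM alone: enrichment, not an alert
        results[host] = (verdict, tools)
    return results

# Constructed observations: (host, JARM, count of other indicators on that host).
SAMPLE = [("192.0.2.10", PY, 0), ("192.0.2.11", CS, 2),
          ("192.0.2.12", "0" * 62, 1), ("192.0.2.13", "deadbeef", 0)]

if __name__ == "__main__":
    for host, result in triage(SAMPLE, build_index(ROWS)).items():
        print(host, *result)
```

The first sample host matches three tools at once, which is why the example returns the full candidate set rather than a single name.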