# C2 and agent communication protocol

This document describes the TLV structures exchanged between the C2 and the Tuoni agent. There are currently two ways to get them to the agent:

- patch them into the payload file (exe, dll, shellcode) so they are handled right after execution
- send them over the listener connection
## Top Level TLV Parent (TLV[1]) map

| ID | TYPE | DESCRIPTION |
|---|---|---|
| 0x01 | PARENT | Shellcode |
| 0x03 | PARENT | Built-in command |
| 0x04 | PARENT | Command result |
| 0x05 | PARENT | Agent command control |
| 0x0C | PARENT | Agent configuration |
| 0x11 | PARENT | Agent metadata |
| 0x12 | PARENT | Encrypted metadata |
| 0x13 | PARENT | Encrypted data |
## Table Of Contents

- 0x01 Shellcode TLV structure
- 0x03 Built-in command TLV structure
- 0x04 Command result TLV structure
- 0x05 Agent command control TLV structure
- 0x0C Agent configuration TLV structure
- 0x11 Agent metadata TLV structure
- 0x12 Encrypted metadata TLV structure
- 0x13 Encrypted data TLV structure
## Structures

### Shellcode TLV structure

- ID: 0x01, TYPE: PARENT. VALUE: structure contains executable shellcode and metadata
  - ID: 0x01, TYPE: BYTE, required: YES. VALUE: Shellcode type [0x01 for listener | 0x02 for command]
  - ID: 0x02, TYPE: PARENT, required: no. VALUE: shellcode execution policy [same process | new process | existing process]
  - ID: 0x03, TYPE: BLOB, required: YES. VALUE: shellcode
  - ID: 0x04, TYPE: UNDEFINED, required: no. VALUE: Configuration for communication with shellcode
  - ID: 0x05, TYPE: BLOB, required: no. VALUE: Configuration sent to shellcode
  - ID: 0x06, TYPE: UNDEFINED, required: no. VALUE: Shellcode type (TLV[1.1]) specific configuration, for example the command ID for command shellcode
### Shellcode TLV structure - Listener (TLV[1.1] == 0x01)

- ID: 0x01, TYPE: PARENT. VALUE: structure contains executable shellcode and metadata
  - ID: 0x01, TYPE: BYTE, required: YES. VALUE: 0x01
  - ID: 0x02, TYPE: PARENT, required: no. VALUE: shellcode execution policy [same process | new process | existing process]
  - ID: 0x03, TYPE: BLOB, required: YES. VALUE: shellcode
  - ID: 0x04, TYPE: UNDEFINED, required: YES. VALUE: Configuration for communication with shellcode.
  - ID: 0x05, TYPE: BLOB, required: YES. VALUE: Configuration sent to shellcode. Should contain instructions on how the shellcode should talk with the listener
### Shellcode TLV structure - Command (TLV[1.1] == 0x02)

- ID: 0x01, TYPE: BYTE. VALUE: structure contains executable shellcode and metadata
  - ID: 0x01, TYPE: BYTE, required: YES. VALUE: 0x02
  - ID: 0x02, TYPE: PARENT, required: no. VALUE: shellcode execution policy [same process | new process | existing process]
  - ID: 0x03, TYPE: BLOB, required: YES. VALUE: shellcode
  - ID: 0x04, TYPE: UNDEFINED, required: no. VALUE: Configuration for communication with shellcode.
  - ID: 0x05, TYPE: BLOB, required: YES. VALUE: Configuration sent to shellcode
  - ID: 0x06, TYPE: INT32 | PARENT, required: YES. VALUE: Command ID | ??? + Command ID
### Built-in command TLV structure

- ID: 0x03, TYPE: PARENT. VALUE: structure contains built-in command and metadata
  - ID: 0x01, TYPE: INT32 | PARENT, required: YES. VALUE: Task ID, required for relating results | TLV
  - ID: 0x02, TYPE: INT32, required: YES. VALUE: Command control code, determining what type of functionality it triggers; for example 0x01 is the "DIE" command for the Agent
  - ID: 0x03, TYPE: UNDEFINED, required: no. VALUE: Configuration for command
### Command result TLV structure

- ID: 0x04, TYPE: PARENT. VALUE: structure contains result data
  - ID: 0x01, TYPE: INT32, required: YES. VALUE: ID of the task
  - ID: 0x02, TYPE: BLOB, required: YES. VALUE: Result data
  - ID: 0x03, TYPE: BYTE, required: no. VALUE: Status of the result [0x00 = failed | 0x01 = ongoing | 0x02 = success]
  - ID: 0x04, TYPE: BLOB, required: no. VALUE: Error data
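As an added example (not Tuoni's own code or wire format), a small nested-TLV encoder/decoder that builds and validates the Command result structure (TLV[1] = 0x04) mapped above, enforcing its required children and the documented status byte values. The encoding it assumes (1-byte ID, 4-byte little-endian length, little-endian INT32) is not specified on this page and is only a placeholder convention.

```python
import struct
# Assumed wire encoding (not on the page): 1-byte ID, 4-byte LE length, value; PARENT = nested TLVs.
HDR = struct.Struct("<BI")

def encode_tlv(tlv_id, value):
    """Wrap a value in one TLV record."""
    return HDR.pack(tlv_id, len(value)) + value

def decode_tlvs(buf):
    """Split a byte string into {id: raw value}; rejects truncated records."""
    out, pos = {}, 0
    while pos < len(buf):
        if pos + HDR.size > len(buf):
            raise ValueError("truncated TLV header")
        tlv_id, length = HDR.unpack_from(buf, pos)
        pos += HDR.size
        if pos + length > len(buf):
            raise ValueError("TLV 0x%02X length exceeds buffer" % tlv_id)
        out[tlv_id] = buf[pos:pos + length]
        pos += length
    return out

STATUS = {0x00: "failed", 0x01: "ongoing", 0x02: "success"}  # TLV[1.3] values from the map
def build_command_result(task_id, result, status=None, error=None):
    """Build a TLV[1] = 0x04 structure; children 0x01 and 0x02 are required."""
    body = encode_tlv(0x01, struct.pack("<i", task_id)) + encode_tlv(0x02, result)
    if status is not None:
        body += encode_tlv(0x03, bytes([status]))
    if error is not None:
        body += encode_tlv(0x04, error)
    return encode_tlv(0x04, body)

def parse_command_result(blob):
    """Decode a Command result and enforce the required/enum rules of the map."""
    top = decode_tlvs(blob)
    if set(top) != {0x04}:
        raise ValueError("expected a single top-level 0x04 PARENT")
    fields = decode_tlvs(top[0x04])
    for tlv_id in (0x01, 0x02):
        if tlv_id not in fields:
            raise ValueError("missing required child 0x%02X" % tlv_id)
    parsed = {"task_id": struct.unpack("<i", fields[0x01])[0], "result": fields[0x02]}
    if 0x03 in fields:
        code = fields[0x03][0] if fields[0x03] else None
        if code not in STATUS:
            raise ValueError("unknown status value")
        parsed["status"] = STATUS[code]
    if 0x04 in fields:
        parsed["error"] = fields[0x04]
    return parsed
```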
### Agent command control TLV structure

- ID: 0x05, TYPE: PARENT. VALUE: structure contains settings to control a running command in the agent
  - ID: 0x01, TYPE: INT32, required: YES. VALUE: ID of the command to be controlled in the agent
  - ID: 0x02, TYPE: BYTE, required: YES. VALUE: Type of the command (task) manipulation: 0x01 means that there is new data (next value) provided for the command, 0xDD means that this task should be canceled/stopped
  - ID: 0x03, TYPE: UNDEFINED, required: no. VALUE: Configuration for the manipulation, depends on the previous type (if TLV[1.2] == 0x01, then this will contain data relayed to the command shellcode)
### Agent configuration TLV structure

- ID: 0x0C, TYPE: PARENT. VALUE: structure contains settings for the agent (none of the values inside are mandatory; they just replace existing ones if they are present)
  - ID: 0x01, TYPE: BLOB, required: no. VALUE: Public key to use [NOT IMPLEMENTED BY C2 YET]
  - ID: 0x02, TYPE: BLOB, required: no. VALUE: GUID of the public key used [NOT IMPLEMENTED BY AGENT OR C2 YET]
## Relayed Data Structures

### Agent metadata TLV structure

- ID: 0x11, TYPE: PARENT. VALUE: structure contains metadata about the agent
  - ID: 0x01, TYPE: GUID, required: YES. VALUE: GUID of the agent
  - ID: 0x02, TYPE: UNDEFINED, required: no. VALUE: Username of the agent process
  - ID: 0x03, TYPE: UNDEFINED, required: no. VALUE: Process name of the agent process
  - ID: 0x04, TYPE: INT32, required: no. VALUE: PID of the agent process
  - ID: 0x05, TYPE: UNDEFINED, required: no. VALUE: Working directory of the agent
  - ID: 0x06, TYPE: INT32, required: YES. VALUE: OS type
  - ID: 0x07, TYPE: INT32, required: no. VALUE: Major version of Windows
  - ID: 0x08, TYPE: INT32, required: no. VALUE: Minor version of Windows
  - ID: 0x09, TYPE: STR_ASCII, required: no. VALUE: IPv4 addresses of the agent machine
  - ID: 0x0A, TYPE: STR_ASCII, required: no. VALUE: host name of the agent machine
  - ID: 0x0B, TYPE: BYTE, required: no. VALUE: Architecture of the process (0 = x86, 1 = x64)
  - ID: 0x0C, TYPE: BYTE, required: no. VALUE: Architecture of the OS (0 = x86, 1 = x64)
  - ID: 0x0D, TYPE: INT32, required: no. VALUE: Agent OS ANSI codepage
  - ID: 0x10, TYPE: BLOB, required: YES. VALUE: 16-byte AES key for encryption
### Agent Metadata TLV structure: Windows

- ID: 0x11, TYPE: PARENT. VALUE: structure contains metadata about the agent
  - ID: 0x01, TYPE: GUID, required: YES. VALUE: GUID of the agent
  - ID: 0x02, TYPE: STR_UTF16LE, required: no. VALUE: Username of the agent process
  - ID: 0x03, TYPE: STR_UTF16LE, required: no. VALUE: Process name of the agent process
  - ID: 0x04, TYPE: INT32, required: no. VALUE: PID of the agent process
  - ID: 0x05, TYPE: STR_UTF16LE (<<< ???), required: no. VALUE: Working directory of the agent
  - ID: 0x06, TYPE: INT32, required: YES. VALUE: 0x01
  - ID: 0x07, TYPE: INT32, required: no. VALUE: Major version of Windows
  - ID: 0x08, TYPE: INT32, required: no. VALUE: Minor version of Windows
  - ID: 0x09, TYPE: STR_ASCII, required: no. VALUE: IPv4 addresses of the agent machine
  - ID: 0x0A, TYPE: STR_ASCII, required: no. VALUE: host name of the agent machine
  - ID: 0x10, TYPE: BLOB, required: YES. VALUE: 16-byte AES key for encryption
### Encrypted metadata TLV structure

- ID: 0x12, TYPE: PARENT. VALUE: structure contains encrypted metadata
  - ID: 0x01, TYPE: BYTE, required: YES. VALUE: Is metadata encrypted [no = 0x00 | yes = 0x01]
  - ID: 0x02, TYPE: GUID, required: no. VALUE: Encryption key GUID
  - ID: 0x03, TYPE: PARENT, required: no. VALUE: Encryption configuration (not used yet)
  - ID: 0x10, TYPE: BLOB, required: no. VALUE: Encrypted metadata TLV
### Encrypted data TLV structure

(used in both directions between the C2 and the Agent core)

- ID: 0x13, TYPE: PARENT. VALUE: structure contains encrypted data
  - ID: 0x01, TYPE: BYTE, required: YES. VALUE: Is data encrypted [no = 0x00 | yes = 0x01]
  - ID: 0x03, TYPE: PARENT, required: no. VALUE: Encryption configuration (not used yet)
  - ID: 0x04, TYPE: BLOB, required: no. VALUE: IV value; if not present, a null IV is used
  - ID: 0x10, TYPE: BLOB, required: no. VALUE: Encrypted data