
C2 and agent communication protocol

This document describes the TLV structures exchanged between the C2 and the Tuoni agent. There are currently two ways to deliver them to the agent:

  • patch them into the payload file (exe, dll, shellcode) so they are handled right after execution
  • send them over the listener connection.

Top Level TLV Parent (TLV[1]) map

ID TYPE DESCRIPTION
0x01 PARENT Shellcode
0x03 PARENT Built-in command
0x04 PARENT Command result
0x05 PARENT Agent command control
0x0C PARENT Agent configuration
0x11 PARENT Agent metadata
0x12 PARENT Encrypted metadata
0x13 PARENT Encrypted data


Structures

Shellcode TLV structure

  • ID: 0x01
    TYPE: PARENT
    VALUE: structure contains executable shellcode and metadata
    • ID: 0x01
      TYPE: BYTE
      required: YES
      VALUE: Shellcode type [ 0x01 for listener | 0x02 for command ]
    • ID: 0x02
      TYPE: PARENT
      required: no
      VALUE: shellcode execution policy [same process | new process | existing process]
    • ID: 0x03
      TYPE: BLOB
      required: YES
      VALUE: shellcode
    • ID: 0x04
      TYPE: UNDEFINED
      required: no
      VALUE: Configuration for communication with shellcode
    • ID: 0x05
      TYPE: BLOB
      required: no
      VALUE: Configuration sent to shellcode
    • ID: 0x06
      TYPE: UNDEFINED
      required: no
      VALUE: Configuration specific to the shellcode type given in TLV[1.1], for example the command ID for command shellcode

Shellcode TLV structure - Listener

TLV[1.1] == 0x01

  • ID: 0x01
    TYPE: PARENT
    VALUE: structure contains executable shellcode and metadata
    • ID: 0x01
      TYPE: BYTE
      required: YES
      VALUE: 0x01
    • ID: 0x02
      TYPE: PARENT
      required: no
      VALUE: shellcode execution policy [same process | new process | existing process]
    • ID: 0x03
      TYPE: BLOB
      required: YES
      VALUE: shellcode
    • ID: 0x04
      TYPE: UNDEFINED
      required: YES
      VALUE: Configuration for communication with shellcode.
    • ID: 0x05
      TYPE: BLOB
      required: YES
      VALUE: Configuration sent to shellcode. Should contain instructions how shellcode should talk with listener

Shellcode TLV structure - Command

TLV[1.1] == 0x02

  • ID: 0x01
    TYPE: PARENT
    VALUE: structure contains executable shellcode and metadata
    • ID: 0x01
      TYPE: BYTE
      required: YES
      VALUE: 0x02
    • ID: 0x02
      TYPE: PARENT
      required: no
      VALUE: shellcode execution policy [same process | new process | existing process]
    • ID: 0x03
      TYPE: BLOB
      required: YES
      VALUE: shellcode
    • ID: 0x04
      TYPE: UNDEFINED
      required: no
      VALUE: Configuration for communication with shellcode.
    • ID: 0x05
      TYPE: BLOB
      required: YES
      VALUE: Configuration sent to shellcode
    • ID: 0x06
      TYPE: INT32|PARENT
      required: YES
      VALUE: Command ID (INT32) | ??? + Command ID (PARENT)

Built-in command TLV structure

  • ID: 0x03
    TYPE: PARENT
    VALUE: structure contains built-in command and metadata
    • ID: 0x01
      TYPE: INT32|PARENT
      required: YES
      VALUE: Task ID (INT32), needed to relate results back to the task | TLV (PARENT)
    • ID: 0x02
      TYPE: INT32
      required: YES
      VALUE: Command control code that determines which functionality is triggered; for example, 0x01 is the "DIE" command for the agent
    • ID: 0x03
      TYPE: UNDEFINED
      required: no
      VALUE: Configuration for command

Command result TLV structure

  • ID: 0x04
    TYPE: PARENT
    VALUE: structure contains result data
    • ID: 0x01
      TYPE: INT32
      required: YES
      VALUE: ID of the task
    • ID: 0x02
      TYPE: BLOB
      required: YES
      VALUE: Result data
    • ID: 0x03
      TYPE: BYTE
      required: no
      VALUE: Status of the result [ 0x00 = failed | 0x01 = ongoing | 0x02 = success ]
    • ID: 0x04
      TYPE: BLOB
      required: no
      VALUE: Error data

Agent command control TLV structure

  • ID: 0x05
    TYPE: PARENT
    VALUE: structure contains settings to control a running command in the agent
    • ID: 0x01
      TYPE: INT32
      required: YES
      VALUE: ID of the command to be controlled in the agent
    • ID: 0x02
      TYPE: BYTE
      required: YES
      VALUE: Type of command (task) manipulation: 0x01 means new data for the command is provided in the next value, 0xDD means the task should be cancelled/stopped
    • ID: 0x03
      TYPE: UNDEFINED
      required: no
      VALUE: Configuration for the manipulation, depending on the previous type (if TLV[1.2] == 0x01, this contains the data relayed to the command shellcode)

Agent configuration TLV structure

  • ID: 0x0C
    TYPE: PARENT
    VALUE: structure contains settings for the agent (none of the values inside is mandatory; any that are present replace the existing ones)
    • ID: 0x01
      TYPE: BLOB
      required: no
      VALUE: Public key to use, [NOT IMPLEMENTED BY C2 YET]
    • ID: 0x02
      TYPE: BLOB
      required: no
      VALUE: GUID of the public key used, [NOT IMPLEMENTED BY AGENT OR C2 YET]

Relayed Data Structures

Agent metadata TLV structure

  • ID: 0x11
    TYPE: PARENT
    VALUE: structure contains metadata about the agent
    • ID: 0x01
      TYPE: GUID
      required: YES
      VALUE: GUID of the agent
    • ID: 0x02
      TYPE: UNDEFINED
      required: no
      VALUE: Username of the agent process
    • ID: 0x03
      TYPE: UNDEFINED
      required: no
      VALUE: Process name of the agent process
    • ID: 0x04
      TYPE: INT32
      required: no
      VALUE: PID of the agent process
    • ID: 0x05
      TYPE: UNDEFINED
      required: no
      VALUE: Working directory of the agent
    • ID: 0x06
      TYPE: INT32
      required: YES
      VALUE: OS type
    • ID: 0x07
      TYPE: INT32
      required: no
      VALUE: Major version of Windows
    • ID: 0x08
      TYPE: INT32
      required: no
      VALUE: Minor version of Windows
    • ID: 0x09
      TYPE: STR_ASCII
      required: no
      VALUE: IPv4 addresses of the agent machine
    • ID: 0x0A
      TYPE: STR_ASCII
      required: no
      VALUE: host name of the agent machine
    • ID: 0x0B
      TYPE: BYTE
      required: no
      VALUE: Architecture of the process (0 = x86, 1 = x64)
    • ID: 0x0C
      TYPE: BYTE
      required: no
      VALUE: Architecture of the OS (0 = x86, 1 = x64)
    • ID: 0x0D
      TYPE: INT32
      required: no
      VALUE: Agent OS ANSI codepage
    • ID: 0x10
      TYPE: BLOB
      required: YES
      VALUE: 16-byte AES key for encryption

Agent Metadata TLV structure: Windows

  • ID: 0x11
    TYPE: PARENT
    VALUE: structure contains metadata about the agent
    • ID: 0x01
      TYPE: GUID
      required: YES
      VALUE: GUID of the agent
    • ID: 0x02
      TYPE: STR_UTF16LE
      required: no
      VALUE: Username of the agent process
    • ID: 0x03
      TYPE: STR_UTF16LE
      required: no
      VALUE: Process name of the agent process
    • ID: 0x04
      TYPE: INT32
      required: no
      VALUE: PID of the agent process
    • ID: 0x05
      TYPE: STR_UTF16LE <<< ???
      required: no
      VALUE: Working directory of the agent
    • ID: 0x06
      TYPE: INT32
      required: YES
      VALUE: 0x01 (OS type: Windows)
    • ID: 0x07
      TYPE: INT32
      required: no
      VALUE: Major version of Windows
    • ID: 0x08
      TYPE: INT32
      required: no
      VALUE: Minor version of Windows
    • ID: 0x09
      TYPE: STR_ASCII
      required: no
      VALUE: IPv4 addresses of the agent machine
    • ID: 0x0A
      TYPE: STR_ASCII
      required: no
      VALUE: host name of the agent machine
    • ID: 0x10
      TYPE: BLOB
      required: YES
      VALUE: 16-byte AES key for encryption

Encrypted metadata TLV structure

  • ID: 0x12
    TYPE: PARENT
    VALUE: structure contains encrypted metadata
    • ID: 0x01
      TYPE: BYTE
      required: YES
      VALUE: Is metadata encrypted [ no = 0x00 | yes = 0x01 ]
    • ID: 0x02
      TYPE: GUID
      required: no
      VALUE: Encryption key GUID
    • ID: 0x03
      TYPE: PARENT
      required: no
      VALUE: Encryption configuration (not used yet)
    • ID: 0x10
      TYPE: BLOB
      required: no
      VALUE: Encrypted metadata TLV

Encrypted data TLV structure

(used in both directions between the C2 and the agent core)

  • ID: 0x13
    TYPE: PARENT
    VALUE: structure contains encrypted data
    • ID: 0x01
      TYPE: BYTE
      required: YES
      VALUE: Is data encrypted [ no = 0x00 | yes = 0x01 ]
    • ID: 0x03
      TYPE: PARENT
      required: no
      VALUE: Encryption configuration (not used yet)
    • ID: 0x04
      TYPE: BLOB
      required: no
      VALUE: IV value; if not present, an all-zero (null) IV is used
    • ID: 0x10
      TYPE: BLOB
      required: no
      VALUE: Encrypted data
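The tables above give the required/optional rules for each top-level structure, including the type-dependent rules for listener versus command shellcode and the result status enumeration. The following is an added example, not Tuoni's own code, that turns those rules into a schema check an analyst can run over an already-decoded TLV tree; since the page does not specify the wire framing (tag and length widths), the tree representation `{child_id: value}` is an assumption, and the sample trees are constructed.

```python
# Added example (not Tuoni's code): schema checks for decoded TLV structures.
# Assumed input representation: one top-level TLV as {child_id: value}, with
# nested PARENT children given as dicts. Wire framing is not covered here.
from typing import Any

# Required child IDs per top-level structure, taken from the tables on this page.
REQUIRED = {
    0x01: {0x01, 0x03},        # Shellcode: type byte, shellcode blob
    0x03: {0x01, 0x02},        # Built-in command: task ID, control code
    0x04: {0x01, 0x02},        # Command result: task ID, result data
    0x05: {0x01, 0x02},        # Agent command control: command ID, manipulation type
    0x0C: set(),               # Agent configuration: nothing is mandatory
    0x11: {0x01, 0x06, 0x10},  # Agent metadata: GUID, OS type, AES key
    0x12: {0x01},              # Encrypted metadata: "is encrypted" flag
    0x13: {0x01},              # Encrypted data: "is encrypted" flag
}
RESULT_STATUS = {0x00: "failed", 0x01: "ongoing", 0x02: "success"}

def check_structure(parent_id: int, children: dict[int, Any]) -> list[str]:
    """Return the schema violations for one top-level TLV (empty list = OK)."""
    if parent_id not in REQUIRED:
        return [f"unknown top-level TLV 0x{parent_id:02X}"]
    problems = []
    for cid in sorted(REQUIRED[parent_id] - set(children)):
        problems.append(f"TLV[0x{parent_id:02X}] missing required child 0x{cid:02X}")
    if parent_id == 0x01:  # Shellcode: further requirements depend on TLV[1.1]
        kind = children.get(0x01)
        if kind == 0x01:    # listener shellcode: comms config + config blob
            needed = (0x04, 0x05)
        elif kind == 0x02:  # command shellcode: config blob + command ID
            needed = (0x05, 0x06)
        else:
            needed = ()
            if kind is not None:
                problems.append(f"unknown shellcode type 0x{kind:02X}")
        for cid in needed:
            if cid not in children:
                problems.append(f"shellcode type 0x{kind:02X} missing child 0x{cid:02X}")
    if parent_id == 0x04 and 0x03 in children and children[0x03] not in RESULT_STATUS:
        problems.append(f"command result has unknown status 0x{children[0x03]:02X}")
    if parent_id == 0x11 and 0x10 in children and len(children[0x10]) != 16:
        problems.append("agent metadata AES key is not 16 bytes")
    return problems

# Constructed sample trees (illustrative values, not captured traffic).
RESULT_OK = {0x01: 7, 0x02: b"<result bytes>", 0x03: 0x02}
RESULT_BAD = {0x01: 7, 0x03: 0x09}                    # no result data, bogus status
LISTENER_SC = {0x01: 0x01, 0x03: b"<shellcode blob>"}  # listener type, lacks 0x04/0x05
```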