Once authenticated, the EpiRootkit can receive commands from the C2 server, execute them on the victim machine, and return the results.

Receiving Commands

  1. Command Message (COMMAND):
    • The C2 server sends commands to an authenticated EpiRootkit client using a COMMAND message.
    • Format: A JSON object, encrypted using AES-256-GCM.
        {
          "type": "COMMAND",
          "id": "unique_command_id_string", // e.g., a timestamp
          "data": "command_string_to_execute" // e.g., "ls -la /tmp" or "whoami"
        }

    • The id is a unique identifier generated by the C2 server for tracking the command.
    • The data field contains the raw command string that the EpiRootkit should execute.

Executing Commands

  • The EpiRootkit is responsible for parsing the data field and executing the command on the victim system.
  • It needs to capture:
    • Standard Output (stdout) of the command.
    • Standard Error (stderr) of the command.
    • The exit status (or exit code) of the command.

Returning Results

  1. Command Result Message (COMMAND_RESULT):

    • After executing the command, the EpiRootkit must send the results back to the C2 server using a COMMAND_RESULT message.
    • Format: A JSON object, encrypted using AES-256-GCM.
        {
          "type": "COMMAND_RESULT",
          "commandId": "unique_command_id_string", // Must match the id from the received COMMAND message
          "status": "success" or "error", // Indicates overall success or failure of execution
          "output": "combined_stdout_and_stderr_or_error_message",
          // Optional: separate stdout/stderr if desired, but C2 currently expects a single 'output' field.
          // "stdout": "standard_output_string",
          // "stderr": "standard_error_string",
          "exitCode": 0 // The integer exit code of the command
        }

    • commandId: Crucially, this must be the same id that was received in the original COMMAND message from the C2 server. This allows the C2 to correlate results with sent commands.
    • status: A string indicating if the command execution was generally successful or encountered an error (e.g., command not found).
    • output: A string containing the output from the command. As per subject.md requirements, this should include both stdout and stderr. The C2 server currently processes this as a single string but can be adapted if the rootkit sends separate stdout/stderr fields.
    • exitCode: The numerical exit status of the executed command.
  2. C2 Server Processing:

    • The C2 server receives the COMMAND_RESULT message.
    • It decrypts and parses the message.
    • It emits a command:result_received event, which is logged to the C2 CLI, displaying the commandId, status, and output associated with the client’s alias.
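The following validator and correlator is an added example, not code from the EpiRootkit project: it checks decrypted COMMAND and COMMAND_RESULT messages against the fields documented above and pairs each result with its command by id, the check a server receive path or an analyst reviewing captured messages would want before trusting a result. Every deviation (bad JSON, unknown type, missing or mistyped field, a result for an id never commanded, a duplicate result, a command that never got a result) is reported as an anomaly rather than silently dropped. The sample messages are constructed, the ids are made-up timestamps, and AES-256-GCM decryption is assumed to have already happened.

```python
import json
from typing import Any

# Field names and JSON types documented for the two message types above.
SCHEMA: dict[str, dict[str, type]] = {
    "COMMAND": {"id": str, "data": str},
    "COMMAND_RESULT": {"commandId": str, "status": str, "output": str, "exitCode": int},
}
VALID_STATUS = ("success", "error")


def validate_message(raw: str) -> dict[str, Any]:
    """Parse one decrypted message and check it against the documented fields.

    Raises ValueError with a reason on any deviation, so the caller can log
    exactly why a message was rejected.
    """
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc.msg}") from None
    if not isinstance(msg, dict):
        raise ValueError("message is not a JSON object")
    mtype = msg.get("type")
    if mtype not in SCHEMA:
        raise ValueError(f"unknown message type {mtype!r}")
    for field, ftype in SCHEMA[mtype].items():
        if field not in msg:
            raise ValueError(f"{mtype} is missing {field!r}")
        value = msg[field]
        # bool is a subclass of int in Python, so exclude it explicitly:
        # an exitCode of true is not an integer exit status.
        if isinstance(value, bool) or not isinstance(value, ftype):
            raise ValueError(f"{mtype} field {field!r} must be {ftype.__name__}")
    if mtype == "COMMAND_RESULT" and msg["status"] not in VALID_STATUS:
        raise ValueError(f"status must be one of {VALID_STATUS}, got {msg['status']!r}")
    return msg


def correlate(raw_messages: list[str]) -> dict[str, Any]:
    """Pair every COMMAND with its COMMAND_RESULT by id, in the order seen.

    Returns {"pairs": {id: {"command": ..., "result": ...}}, "anomalies": [...]}.
    A command with no result keeps "result": None and is listed as an anomaly.
    """
    pairs: dict[str, dict[str, Any]] = {}
    anomalies: list[str] = []
    for index, raw in enumerate(raw_messages):
        try:
            msg = validate_message(raw)
        except ValueError as exc:
            anomalies.append(f"message {index}: {exc}")
            continue
        if msg["type"] == "COMMAND":
            cid = msg["id"]
            if cid in pairs:
                anomalies.append(f"message {index}: command id {cid!r} reused")
                continue
            pairs[cid] = {"command": msg["data"], "result": None}
        else:
            cid = msg["commandId"]
            if cid not in pairs:
                anomalies.append(f"message {index}: result for unknown command id {cid!r}")
            elif pairs[cid]["result"] is not None:
                anomalies.append(f"message {index}: duplicate result for command id {cid!r}")
            else:
                pairs[cid]["result"] = {k: msg[k] for k in ("status", "output", "exitCode")}
    for cid, entry in pairs.items():
        if entry["result"] is None:
            anomalies.append(f"command id {cid!r} never received a result")
    return {"pairs": pairs, "anomalies": anomalies}


# Constructed sample messages (plaintext, i.e. after AES-256-GCM decryption,
# which this example does not perform). Ids are made-up timestamps.
SAMPLE_MESSAGES = [
    json.dumps({"type": "COMMAND", "id": "1700000001", "data": "whoami"}),
    json.dumps({"type": "COMMAND_RESULT", "commandId": "1700000001",
                "status": "success", "output": "root\n", "exitCode": 0}),
    json.dumps({"type": "COMMAND", "id": "1700000002", "data": "ls -la /tmp"}),
    # Result for an id that was never commanded.
    json.dumps({"type": "COMMAND_RESULT", "commandId": "1700000099",
                "status": "error", "output": "not found", "exitCode": 127}),
    # exitCode sent as a string instead of an integer.
    json.dumps({"type": "COMMAND_RESULT", "commandId": "1700000002",
                "status": "error", "output": "", "exitCode": "1"}),
    "not json at all",
]

if __name__ == "__main__":
    report = correlate(SAMPLE_MESSAGES)
    for cid, entry in report["pairs"].items():
        print(cid, entry)
    for reason in report["anomalies"]:
        print("anomaly:", reason)
```

Rejecting a result whose commandId was never issued, rather than logging it anyway, is what makes the id correlation described above meaningful: the result log then only ever shows output that can be tied to a specific command the operator sent.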

Properly formatting and returning the COMMAND_RESULT is essential for the operator to see the outcome of their remotely executed commands.