Limits Innovation? #2
Replies: 2 comments
-
I don't think it inherently limits server design. Some C2 frameworks like Mythic and Havoc already allow you to write implants to work with their frameworks. It's a good option for people who just want to write their own implants without getting into the weeds of the server-side, but I don't think anyone would say that feature limits server design. It's just an available option - if you want to write your own server from scratch then you can. This specification only details the C2 message structure, it doesn't dictate how the server should be implemented.
I don't think this is the case either. The specification is intended to be agnostic to transport concerns. That is to say, an implant will create a C2 message as defined in the spec and encrypt it into a single blob of data. The implant can transport that data over a C2 channel however it likes. Transform it, encode it, split it, whatever. As long as it's reversed before passing to the team server, you're golden. Think along the lines of how Mythic translation layers work.
On this point - the specification does not dictate how an implant should implement its evasive features. For instance, some of the task messages have a boolean flag that tells the implant it should attempt to bypass AMSI and/or ETW prior to executing the task, but the implant is free to decide how it wants to do that (memory patching, HWBPs, etc). The specification also does not limit an implant from doing anything extra like sleep obfuscation, stack spoofing, etc.
-
I appreciate the response! That all makes sense.
-
I really like this idea, and it allows for a smoother operation when having to potentially work with different frameworks. However, would this not lead to essentially one server design, with different clients and implants? While the implants are the main piece that needs to be evasive, creating a dedicated way for C2 to communicate limits the network traffic to being much more predictable, no?