cedowens / C2-JARM

A list of JARM hashes for different ssl implementations used by some C2/red team tools.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

C2-JARM

A list of JARM hashes for different ssl implementations used by some C2 tools. Also adding other useful red team tools that use ssl (ex: EvilGinx2). Though I work on the red team side, I thought this would be a good thing to gather both to help blue teams who have the appropriate visibility with additional indicators for identifying C2 activity as well as to help other red teamers understand another method that can be used to detect their C2, depending on how it is set up.

For more info on JARM hashing, check out the work by the Salesforce security team on their JARM github link here: https://github.com/salesforce/jarm

This is a neat way to fingerprint ssl servers by the software implementation. This alone would not be sufficient to detect C2 in a high fidelity manner, but JARM hashes coupled with other high value indicators would certainly be of value. This also highlights the need for red teams to ensure their C2 infra is not exposed for public access.

I plan to add more to this list over time. Feel free to contribute!!

C2/RED TEAM TOOL SSL IMPLEMENTATION TESTED JARM HASH LINK TO TOOL
Mythic python 3 w/aiohttp 3 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb https://github.com/its-a-feature/Mythic
Metasploit ssl listener ruby 2.7.0p0 07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d https://github.com/rapid7/metasploit-framework
Metasploit ssl listener ruby 07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823 https://github.com/rapid7/metasploit-framework
Cobalt Strike Java 11 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 https://www.cobaltstrike.com/
Merlin go 1.15.2 linux/amd64 29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38 https://github.com/Ne0nd0g/merlin
Deimos go 1.15.2 linux/amd64 with github.com/gorilla/websocket package 00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64 https://github.com/DeimosC2/DeimosC2
MacC2 python 3.8.6 w/aiohttp 3 2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261 https://github.com/cedowens/MacC2
MacC2 python 3.8.2 w/aiohttp 3 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb https://github.com/cedowens/MacC2
MacShellSwift python 3.8.6 socket 2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46 https://github.com/cedowens/MacShellSwift
MacShell python 3.8.6 socket 2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46 https://github.com/cedowens/MacShellSwift
Sliver go 1.15.2 linux/amd64 2ad2ad0002ad2ad00041d2ad2ad41da5207249a18099be84ef3c8811adc883 https://github.com/BishopFox/sliver
EvilGinx2 go 1.10.4 linux/amd64 20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6 https://github.com/kgretzky/evilginx2
Shad0w python 3.8 flask 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb https://github.com/bats3c/shad0w
Get2 N/A 07d19d12d21d21d07c07d19d07d21da5a8ab90bcc6bf8bbc6fbec4bcaa8219
GRAT2 C2 python3 http.server 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb https://github.com/r3nhat/GRAT2
Covenant ASP.net core 21d14d00000000021c21d14d21d21d1ee8ae98bf3ef941e91529a93ac62b8b https://github.com/cobbr/Covenant
SILENTRINITY ironpython 2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb https://github.com/byt3bl33d3r/SILENTTRINITY
PoshC2 python3 http.server 2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261 https://github.com/nettitude/PoshC2

About

A list of JARM hashes for different ssl implementations used by some C2/red team tools.