In increasingly restrictive corporate environments, deploying and maintaining C2 implants on Windows systems presents unique challenges. Signed execution policies, strict network controls, advanced segmentation, and continuous software behavior monitoring severely limit traditional loading and communication techniques.
This blog explores how to adapt implant development and operational strategies to survive under these conditions. It covers topics such as executing under signature requirements, covert communication within networks under deep inspection, and approaches to maintaining persistence without violating environmental constraints.
Imagine you gain access to a Windows environment configured in a highly restrictive way, which prevents you from loading unsigned implants by enforcing Windows Defender Application Control (WDAC) policies. What would you do in that case?
- Use PowerShell if it is not blocked
If PowerShell is not blocked, you can execute your scripts, keeping in mind that AMSI will analyze them and determine whether the code is malicious or not.
- Use a LOLBin such as MSBuild.exe, which already has numerous detection rules (MSBuild.exe is a legitimate Microsoft Build Engine used to compile and execute project files, but it can be abused as a Living-off-the-Land Binary LOLBin to execute malicious code while blending in with normal system activity). You could try to look for a lesser-known one, but the research would take time and I don’t think it would be the most cost-effective approach.
- DLL Sideloading, if the WDAC configuration allows it—DLL Sideloading is a technique in which an application loads a malicious Dynamic Link Library placed by an attacker instead of the legitimate one, and WDAC, Windows Defender Application Control, is a Windows security feature that restricts which applications and code are allowed to run on a system.
If all else fails, we can use an alternative called Loki C2. It’s a C2 that backcodes applications built with Electron.
But what exactly is an Electron application? You’re probably familiar with applications like Teams, Notion, or Discord. Well, they’re built in Node.js using a framework called Electron (basically HTML, CSS, and JavaScript).
Using this C2 server is very simple, you just need to download the server (.exe) and configure it using an Azure account, as communication will take place through a Blob.
Firstly, the client binary will require two parameters: the SAS Token and the Blob URL.
This will generates a folder with the implant’s contents, ready for use. I personally recommend obfuscating the implant’s contents using any JavaScript obfuscator you know to avoid IOCs. It also generates the Meta Container parameter, which we then copy entirely to the server:
With everything configured, we must choose whether we want to back-store an existing application (e.g., Teams) or download a new application already implanted.
In this case, we opted for the second option. Research has been conducted and discovered that the Mailspring application is vulnerable to this technique.
Therefore, the application was downloaded, and the contents of the resources/app folder were deleted.
That content was replaced by our implant which will be pasted inside resources/app.
Now all that remains is to download the application onto the victim’s device and establish the connection.
As shown in the image, the connection has been successfully established on a computer with MDE installed.
Final Considerations
This technique can be very powerful in some environments because it uses a signed application and communication is established through an Azure domain, which allows execution and connection in very restrictive environments. Various tests have been conducted with most of the top EDRs, and in many of them, the implant works even without obfuscation. Others report certain alerts that can be avoided by obfuscating the implant. Another important point is the option of backloading an application like Teams instead of downloading a new one. Be careful, if this isn’t done precisely, the application can become corrupted and stop working. One more thing that has worked for me is modifying the C2 code and recompiling it, altering the order of the functions and commenting out some that are not needed.
