Command & Control Framework

Marrow C2

Custom C2 platform with a PHP web dashboard and a Python agent. Supports real-time target management, modular post-exploitation (screen capture, keylogger, shell), task queue, and AV evasion — deployed on AWS.

PHP 8 · Python · MySQL · PowerShell · PyInstaller

Marrow C2

A full-stack Command & Control framework built for red team operations and security research. This is not a script — it's a complete offensive infrastructure platform with a web dashboard, a compiled agent, a payload binder, and a multi-stage evasion pipeline.

For authorized red team engagements and educational purposes only.

Architecture

```text
┌─────────────────────────────────────────────────────────────┐
│                 CONTROLLER (PHP Dashboard)                  │
│  ┌──────────┬──────────┬──────────┬──────────┬───────────┐  │
│  │  Target  │   Task   │  Module  │ Activity │  Builder  │  │
│  │ Manager  │  Queue   │  System  │   Feed   │   Page    │  │
│  └──────────┴──────────┴──────────┴──────────┴───────────┘  │
│                              │                              │
│        MySQL DB (sessions, targets, tasks, results)         │
├─────────────────────────────────────────────────────────────┤
│                     COMMUNICATION LAYER                     │
│                gate.php ←→ sync.php (HTTP/S)                │
│               Blends with normal web traffic                │
├─────────────────────────────────────────────────────────────┤
│                    AGENT (Python → EXE)                     │
│  ┌──────────┬──────────┬──────────┬──────────────────────┐  │
│  │   HWID   │ Check-in │  Module  │     Anti-Analysis    │  │
│  │ Finger-  │   Loop   │ Executor │        Engine        │  │
│  │ printing │          │          │                      │  │
│  └──────────┴──────────┴──────────┴──────────────────────┘  │
├─────────────────────────────────────────────────────────────┤
│                      BINDER (bind.py)                       │
│          Legitimate EXE + Agent → Combined Payload          │
│             Icon extraction, resource injection             │
└─────────────────────────────────────────────────────────────┘
```

Controller (Web Dashboard)

Stack: PHP 8, MySQL, Tailwind CSS, vanilla JS

The dashboard is a real-time operations center for managing active targets:

  • Target List: Live heartbeat monitoring with online/offline status indicators, last check-in timestamp, integrity level (admin vs. standard user), and OS fingerprint
  • Task Queue: Send commands to individual targets or broadcast to all. Each task includes a command type, payload, and expected return format
  • Activity Feed: Real-time results from executed tasks with timestamps and raw output
  • Module System: Pre-built post-exploitation modules —
    • Screen capture (screenshot current display)
    • Process list (enumerate running processes)
    • System info (OS, hostname, IP, integrity level)
    • Interactive shell (CMD / PowerShell remote execution)
    • Keylogger (start/stop/dump keystroke capture)
    • Persistence (registry run keys, scheduled tasks)
    • Privilege escalation (UAC bypass techniques)
  • Builder: Generate new agent payloads with customized check-in intervals, C2 server addresses, and evasion flags

Agent (payload/agent.py)

Compiled to OneDriveUpdater.exe via PyInstaller — the file name and icon are chosen to blend with legitimate Microsoft update processes.

Core Capabilities:

  • HWID-based fingerprinting: Each target is uniquely identified by hardware ID
  • HTTP(S) check-in: Configurable intervals (default 30s), blends with normal web traffic patterns
  • Integrity level detection: Automatically determines if running as admin or standard user, adjusts available modules accordingly
  • Multi-interpreter execution: Python, PowerShell, CMD — the agent chooses the best execution method based on the command type
  • Session persistence: Survives reboots via registry run keys or scheduled tasks

Evasion Pipeline

This is the part that teaches you the most about how real malware works — and how to detect it:

AMSI Patching: The agent patches the Anti-Malware Scan Interface in memory to bypass PowerShell script block logging. This prevents Windows Defender from scanning the PowerShell commands the agent executes.

Dynamic Memory Invocation: Payloads are loaded directly into memory without touching disk, avoiding static file-based detection by antivirus engines.

Anti-Analysis Engine: Before executing any payload, the agent checks the environment:

```python
import subprocess

import psutil

# Anti-analysis check — detect monitoring tools and virtual machines
ANALYSIS_TOOLS = [
    "procmon.exe", "wireshark.exe", "x64dbg.exe",
    "processhacker.exe", "fiddler.exe", "ollydbg.exe",
    "ida64.exe", "ghidra.exe", "dnspy.exe",
]


def is_analyzed():
    # Process-name check; info['name'] can be None for processes that
    # exit mid-iteration, so guard before lower-casing.
    for proc in psutil.process_iter(['name']):
        if (proc.info['name'] or '').lower() in ANALYSIS_TOOLS:
            return True
    # VM detection via WMI — catch sandbox environments
    wmi = subprocess.check_output(
        'wmic computersystem get model', shell=True
    ).decode(errors='ignore')
    return any(vm in wmi.lower() for vm in ['virtual', 'vmware', 'vbox', 'qemu'])
```

Living-off-the-Land: Post-exploitation uses built-in Windows binaries (PowerShell, certutil, wmic) instead of dropping custom tools — reducing the forensic footprint.

Traffic Blending: C2 communications use standard HTTPS POST requests with JSON payloads that mimic legitimate API calls. No custom protocols, no unusual ports.

Payload Binder

bind.py combines the compiled agent with a legitimate executable so the payload masquerades as normal software:

  1. Extracts the icon from the legitimate EXE
  2. Injects the icon into the agent EXE
  3. Creates a launcher that runs both the legitimate program and the agent simultaneously
  4. The user sees the expected application open normally while the agent runs silently in the background

Project Structure

marrow-c2/
├── api/            # Agent communication endpoints
│   ├── gate.php        # Initial check-in and registration
│   └── sync.php        # Task polling and result submission
├── includes/       # PHP classes
│   ├── Database.php    # PDO wrapper with prepared statements
│   ├── Target.php      # Target CRUD operations
│   ├── Task.php        # Task queue management
│   └── Auth.php        # Session-based authentication
├── modules/ui/     # Dashboard module interfaces
├── pages/          # Dashboard views
│   ├── targets.php     # Target list with live status
│   ├── detail.php      # Individual target management
│   ├── modules.php     # Post-exploitation module launcher
│   └── builder.php     # Payload generation
├── payload/        # Agent source
│   └── agent.py        # Core agent with all modules
├── binder/         # Payload binder utility
│   └── bind.py         # EXE combination tool
├── schema.sql      # Full database schema
├── index.php       # Dashboard entry point
└── login.php       # Authentication

What Building This Teaches About Defense

This is the real value of the project. Every component of Marrow C2 has a direct defensive counterpart:

| Offensive Technique | Defensive Detection |
|---|---|
| AMSI patching | Monitor for AmsiScanBuffer memory writes |
| Registry persistence | SIEM alerts on HKCU\Software\Microsoft\Windows\CurrentVersion\Run changes |
| Process enumeration | EDR flags on rapid psutil.process_iter() calls |
| VM detection via WMI | Honeypot VMs that flag process-level WMI queries |
| HTTP(S) beaconing | Network analysis: detect periodic POST requests to the same endpoint |
| HWID fingerprinting | Endpoint telemetry: flag processes querying hardware serial numbers |
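The "HTTP(S) beaconing" row above, and the Traffic Blending paragraph earlier, both come down to one observable: a fixed check-in interval. Blending the request shape with normal API traffic does nothing about timing. The following is an added detection example, not code from the Marrow C2 project: it parses web-server access log lines in combined format, groups requests by (client, method, path), and flags groups whose inter-arrival times are long enough in count and low enough in jitter to look like a beacon. The log lines are constructed for the example; the `/api/sync.php` path is assumed from the project layout, and the thresholds (`min_hits`, `max_cv`) are starting points, not tuned values.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed access log (nginx/Apache combined format). 10.0.0.7 POSTs to
# /api/sync.php roughly every 30 s; 10.0.0.9 is ordinary browsing with
# irregular timing. Nothing here is captured traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2024:10:00:00 +0000] "POST /api/sync.php HTTP/1.1" 200 34 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:00:30 +0000] "POST /api/sync.php HTTP/1.1" 200 34 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:00:41 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:01:01 +0000] "POST /api/sync.php HTTP/1.1" 200 34 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:01:30 +0000] "POST /api/sync.php HTTP/1.1" 200 34 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "POST /api/sync.php HTTP/1.1" 200 34 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:02:31 +0000] "POST /api/sync.php HTTP/1.1" 200 34 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:03:55 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:04:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:06:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_log(text):
    """Return (client_ip, method, path, datetime) tuples; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        events.append((ip, method, path, when))
    return events


def find_beacons(events, min_hits=5, max_cv=0.2):
    """Flag (client, method, path) groups with regular inter-arrival times.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive requests: a sleep(30)-style loop scores near
    0, human browsing scores near or above 1.
    """
    by_key = defaultdict(list)
    for ip, method, path, when in events:
        by_key[(ip, method, path)].append(when)

    findings = []
    for (ip, method, path), times in by_key.items():
        if len(times) < min_hits:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": ip, "method": method, "path": path,
                "hits": len(times),
                "interval_s": round(mean, 1),
                "jitter_cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {f['src']} {f['method']} {f['path']} "
              f"every ~{f['interval_s']}s (cv={f['jitter_cv']}, n={f['hits']})")
```

Two practical notes. Agents commonly add random jitter to the sleep, which raises the coefficient of variation, so `max_cv` has to be set against your own baseline of periodic-but-benign clients (monitoring probes, software updaters) rather than at 0.2 blindly. And the stronger signal is the combination: a client that is periodic *and* always sends a POST of the same size to the same endpoint, which the status/size fields already in the log line let you add as a second filter.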

Understanding C2 infrastructure from the inside out is the fastest path to writing effective detection rules. Every SIEM alert, every EDR policy, every firewall rule makes more sense when you've built the thing it's designed to catch.
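The "Registry persistence" row in the table and the agent's "Session persistence" capability map to a concrete log source: Sysmon Event ID 13 (RegistryEvent, value set) records every write to a Run key along with the process that performed it and the command it installed. The triage below is an added example, not part of Marrow C2: it takes Sysmon 13 records in the flattened JSON shape a log shipper produces, keeps only Run/RunOnce value writes, and grades them by whether the installed command points into a user-writable location or the writing process registered itself. The records are constructed; field names (`TargetObject`, `Details`, `Image`) follow Sysmon's schema, but the paths and SID are invented. Note that Sysmon reports HKCU as `HKU\<SID>`, so a rule that only matches the literal string `HKCU` misses every per-user Run key.

```python
import re

# Constructed Sysmon Event ID 13 records (value set). Only the first two
# touch a Run key; the third is an unrelated registry write and the fourth
# is an Event ID 12 (key create) that carries no value to inspect.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-03-12 10:05:12.001",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneDriveUpdater.exe",
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft"
                     "\\Windows\\CurrentVersion\\Run\\OneDriveUpdater",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneDriveUpdater.exe"},
    {"EventID": 13, "UtcTime": "2024-03-12 10:06:40.220",
     "Image": "C:\\Program Files\\ExampleVendor\\Updater.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater",
     "Details": "C:\\Program Files\\ExampleVendor\\Updater.exe"},
    {"EventID": 13, "UtcTime": "2024-03-12 10:07:01.000",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                     "\\Uninstall\\ExampleVendor\\DisplayName",
     "Details": "Example Vendor Tools"},
    {"EventID": 12, "UtcTime": "2024-03-12 10:07:30.000",
     "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft"
                     "\\Windows\\CurrentVersion\\Run"},
]

# A value directly under ...\CurrentVersion\Run or \RunOnce, in any hive.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)

# Locations a standard user can write to; legitimate autoruns rarely live here.
USER_WRITABLE_RE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\ProgramData\\|\\Windows\\Temp\\)",
    re.I,
)


def classify(event):
    """Return a finding dict for a Run-key value write, or None if not one."""
    if event.get("EventID") != 13:
        return None  # only value-set events carry the installed command
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    details = event.get("Details", "")
    image = event.get("Image", "")

    reasons = []
    if USER_WRITABLE_RE.search(details):
        reasons.append("autorun command points into a user-writable path")
    if image and image.lower() in details.lower():
        reasons.append("writing process registered itself")

    # Escalate only on the user-writable path; self-registration alone is
    # common for installers and is recorded as context, not as severity.
    severity = "high" if reasons and reasons[0].startswith("autorun") else "medium"
    return {
        "time": event.get("UtcTime"),
        "key": target,
        "command": details,
        "writer": image,
        "severity": severity,
        "reasons": reasons,
    }


def triage(events):
    """Run classify() over a batch and keep only the Run-key findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['writer']} -> {f['key']} = {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Every Run-key write is worth keeping as an event even at "medium", because the allowlist of software that legitimately registers itself is short and stable per fleet; the "high" tier is the one to page on. The same agent capability also lists scheduled tasks, which this rule does not see: those surface as Security Event ID 4698 (task created) or Sysmon file-create events under `C:\Windows\System32\Tasks`, and need their own rule.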