{"id":14638166,"url":"https://github.com/darmado/Atomic-Red-Team-C2","last_synced_at":"2025-09-07T06:32:53.272Z","repository":{"id":49632129,"uuid":"315417215","full_name":"darmado/Atomic-Red-Team-C2","owner":"darmado","description":"ARTi-C2  is a post-exploitation framework used to execute Atomic Red Team test cases with rapid payload deployment and execution capabilities via .NET's DLR.","archived":false,"fork":false,"pushed_at":"2025-08-30T08:17:28.000Z","size":16616,"stargazers_count":178,"open_issues_count":14,"forks_count":23,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-08-30T10:12:23.206Z","etag":null,"topics":["csharp","dotnet","mitre-attack","offensive-security","post-exploitation","powershell-scripts","purple-team","purpleteam","python3","red-teams","redteam"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/darmado.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"docs/NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-11-23T19:19:40.000Z","updated_at":"2025-08-11T08:08:35.000Z","dependencies_parsed_at":"2024-09-10T02:55:34.171Z","dependency_job_id":"4ed3da88-9f86-4893-823b-3e96eb74460e","html_url":"https://github.com/darmado/Atomic-Red-Team-C2","commit_stats":null,"previous_names":["darmado/atomic-red-team-c2","blackbotsecurity/atomic-red-team-intelligence-c2"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/darmado/Atomic-Red-Team-C2","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darmado%2FAtomic-Red-Team-C2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darmado%2FAtomic-Red-Team-C2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darmado%2FAtomic-Red-Team-C2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darmado%2FAtomic-Red-Team-C2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/darmado","download_url":"https://codeload.github.com/darmado/Atomic-Red-Team-C2/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darmado%2FAtomic-Red-Team-C2/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274005341,"owners_count":25205934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-07T02:00:09.463Z","response_time":67,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csharp","dotnet","mitre-attack","offensive-security","post-exploitation","powershell-scripts","purple-team","purpleteam","python3","red-teams","redteam"],"created_at":"2024-09-10T02:01:48.289Z","updated_at":"2025-09-07T06:32:51.450Z","avatar_url":"https://github.com/darmado.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"\n## DESCRIPTION\n\nARTC2 is a modern execution framework that helps security teams scale attack scenario execution from single and multi-breach point targets. It intends to produce actionable attack intel that improves the effectiveness of security products and incident response.\n\n## OS-SUPPORT\n\n- Windows OS\n\n\n## CAPABILITIES\n\nARTC2 Core features and capabilities are sourced from SILENTTRINITY, and atomic tests executed through Boo are from [ATOMIC-RED-TEAM](https://github.com/redcanaryco/atomic-red-team). All other feature enhancements were built to ensure operational trade-craft, agility, scalability, and rapid execution are not compromised.\n\n\n| CAPABILITY | DESCRIPTION |\n| ------ | ------ |\n| **Rapid Deployment** | Automate and scale testing efforts from single and multi-target breach points located in different regional environments\n| **Modern Command \u0026 Control** | *Implant and Server Comms:* Uses SILENTRINITY's ECDHE Encrypted C2 Communication capabilities to encrypt C2 traffic over HTTPS. \u003c/br\u003e*Client and Server Comms*: Uses Asyncio, WebSockets, and a prompt-toolkit CLI. Notable features include: *- Implant location tagging: Helpful when managing signals and breakpoints in different regions. NGROK integration* - Great for staging payloads and deploying them with ngrok URLs \n| **Standard Signature Header** | JSON `PID: , Date(UTC), IsHighIntegrity, HostName, CurrentUser , IsUserAdmin, IPv4, IPv6`\n| **JSON Logging Support** | Streamline, ingest, decode, and analyze evidence with your ELK stack or any Analytics platform ready to parse JSON.| \n||\n| **Stageless in Memory Code Execution** | Execute Atomic Red Team tests from an `unmanaged PowerShell process` with low, medium, and high integrity. \n| **Dynamic Attack Formations** | Execute attack chains without recompiling or restart ARTC2. Currently supports three different attack functions. `Attack Chains`, `Attack Profiles`, and `Attack Scenarios`|\n| **Modular Payload Delivery** | ARTC2 leverages [SILENTRINITY's](https://github.com/byt3bl33d3r/SILENTTRINITY) framework uses `unmanaged powershell` and `stageless powershell` stagers to compile and execute Red Team Atomic test payloads in memory,  *\"AS IS\"*  \n| **Operational Management** | Job IDs are included for controller execution and evidence collection. They're great for event  analysis and evidence correlation. `\"job_id\": \"D3l820IWpyi67\"`| **Atomic Updates** | The ART port pipeline is triggered by repo updates at [ATOMIC-RED-TEAM](https://github.com/redcanaryco/atomic-red-team)   \n\n\n\u003c/br\u003e\n\u003c/br\u003e\n\n\n## USE CASES \n- SOCs need to evaluate and improve EDR solutions in minutes\n- Organizations are evaluating different EDR/AV solutions for Windows OS\n\n**Organizations need to:** \n- execute APT group tactics in controlled environments\n- demonstrate the ability to block common attacks from disk and memory\n- execute lightweight atomics remotely\n- benchmark critical risk profiles against MITRE ATT\u0026CK before releasing systems to Corp IT/production\n- execute ransomware tactics mapped to ATT\u0026CK safely\n- keep tight margins between \\(MTTD\\) and \\(MTTR\\) metrics\n- continually improve SOAR workbooks\n- evaluate host security controls between different business units and regions.\n\n\u003c/br\u003e\n\n## LOGGING CAPABILITIES\n\nBy default, ARTIC-C2 logs are written to ARTIC-C2's current working directory in `./logs/`.\nSession logs include:\n\n\u003c/br\u003e\n\n- `utc_timestamp`: UTC timestamp\n- `session`: Target session GUID\n- `job_id`: Unique Job execution ID\n- `ttp_data`: Technique ID\n- `evidence`: Base64 encoded evidence collected from a breach point target\n- `evidence_status`: Status to indicate if the TTP executed was blocked. \n    - 1: TTP was not blocked\n    - 0: TTP was partially blocked or failed to execute\n\n\u003c/br\u003e\n\u003c/br\u003e\n\n**EXECUTION SIGNATURE HEADER**\n\nExecution signature headers are used to verify if any defenses block atomics. Sometimes, the atomic commands may not return data in STDOUT. However, if the execution signature header returns header information, then this indicates the source code compiled, loaded into the CLR, and executed on the target breach point. The execution signature header includes:\n\n- `PID`: used during technique execution\n- `Date`: UTC stamp produced from the breach point target\n- `IsHighIntegrity`: Process integrity status\n- `HostName`:  breach point target hostname\n- `CurrentUser`: Current user. Great for tracking when users are impersonated\n- `IsUserAdmin`: Admin status\n- `IPv4`: IPv4 address info\n- `IPv6`: IPv6 address info\n\n\u003c/br\u003e\n\u003c/br\u003e\n\n**SAMPLE EXECUTION EVENT LOG**\n\nT1069.001-2 was executed in memory\n\n```\n2021-08-21 07:42:21,146 - {\"utc_timestamp\": \"2021-08-21T07:42:21Z\", \"msg\": \"Technique executed:\", \"controller\": \"Discovery/T1069.001-2\", \"last_updated_by\": \"ARMADO, Inc.\",\n\"ttp_id\": \"T1069.001\", \"ttp_opts\": {\"OutString\": {\"Description\": \"Appends Out-String to the PowerShellCode\", \"Required\": false, \"Value\": true}, \"BypassLogging\": \n{\"Description\": \"Bypasses ScriptBlock and Techniques logging\", \"Required\": false, \"Value\": true}, \"BypassAmsi\": {\"Description\": \"Bypasses AMSI\", \"Required\": false, \"Value\": true}},\n \"decompressed_file\": \"n/a\", \"file_name\": \"n/a\", \"gzip_file\": \"n/a\", \"language\": \"boo\", \"references\": [\"System.Management.Automation\"], \"run_in_thread\": \"n/a\", \"job_id\": \"B5ppBWed5NF6c\"}\n```\n\n\u003c/br\u003e\n\u003c/br\u003e\n\n**SAMPLE EVIDENCE COLLECTION LOG**\n\nEvidence was collected from the target breach point after executing T1069.001-2.\n\n```\n2021-08-21 07:42:25,076 - {\"utc_timestamp\": \"2021-08-21T07:42:25Z\", \"session\": \"17ed378a-8cb9-4690-9087-e894c2b1e0a2\", \"job_id\": \"B5ppBWed5NF6c\", \"ttp_data\": \"T1069.001\", \"evidence\": \"IntQSUQ6IDU1NTYsIERhdGUoVVRDKTogMjAyMS0wOC0yMVQwNzo0MjoyNC45MDczMjQ5WiwgSXNIaWdoSW50ZWdyaXR5OiB0cnVlLCBIb3N0TmFtZTogYWQtZGMxLCBDdXJyZW50VXNlcjogZGVlcHJvb3RcXHJ1c3NlbF9oYW5jb2NrLCBJc1VzZXJBZG1pbjogdHJ1ZSwgSVB2NDogWzEwLjEuMC4xMDAsIDE2OS4yNTQuMTM0LjExMV0sIElQdjY6IFtmZTgwOjpkZGUxOjIyYTo3YmEzOmZlMGIlNSwgZmU4MDo6YjhmODpiNDIxOjI3Yzg6ODY2ZiUxMV19XHJcbk5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEZXNjcmlwdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFxyXG4tLS0tICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLS0tLS0tLS0tLS0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBcclxuQ2VydCBQdWJsaXNoZXJzICAgICAgICAgICAgICAgICAgICAgICAgIE1lbWJlcnMgb2YgdGhpcyBncm91cCBhcmUgcGVybWl0dGVkIHRvIHB1Ymxpc2ggY2VydGlmaWNhdGVzIHRvIHRoZSBkaXJlY3RvcnkgICAgXHJcblJBUyBhbmQgSUFTIFNlcnZlcnMgICAgICAgICAgICAgICAgICAgICBTZXJ2ZXJzIGluIHRoaXMgZ3JvdXAgY2FuIGFjY2VzcyByZW1vdGUgYWNjZXNzIHByb3BlcnRpZXMgb2YgdXNlcnMgICAgICAgICAgICAgIFxyXG5BbGxvd2VkIFJPREMgUGFzc3dvcmQgUmVwbGljYXRpb24gR3JvdXAgTWVtYmVycyBpbiB0aGlzIGdyb3VwIGNhbiBoYXZlIHRoZWlyIHBhc3N3b3JkcyByZXBsaWNhdGVkIHRvIGFsbCByZWFkLW9ubHkgZG8uLi5cclxuRGVuaWVkIFJPREMgUGFzc3dvcmQgUmVwbGljYXRpb24gR3JvdXAgIE1lbWJlcnMgaW4gdGhpcyBncm91cCBjYW5ub3QgaGF2ZSB0aGVpciBwYXNzd29yZHMgcmVwbGljYXRlZCB0byBhbnkgcmVhZC1vbmx5Li4uXHJcbiI=\",\n\"evidence_status\": \"1\"}\n```\n\n\u003cbr/\u003e\n\u003cbr/\u003e\n\n**SAMPLE HEADER SIGNATURE**\n\n```\n\"{PID: 5556, Date(UTC): 2020-01-02T06:55:47Z, IsHighIntegrity: true, HostName: ad-dc1, CurrentUser: artic\\\\c2operator, IsUserAdmin: true,\nIPv4: [10.1.0.100, 169.254.134.111], IPv6: [fe80::dde1:22a:7ba3:fe0b%5, fe80::b8f8:b421:27c8:866f%11]}\n```\n\n\u003c/br\u003e\n\u003c/br\u003e\n\n**SAMPLE BASE64 DECODED EVIDENCE LOG**\n\n```\n\"{PID: 5556, Date(UTC): 2021-08-21T07:42:24.9073249Z, IsHighIntegrity: true, HostName: ad-dc1, CurrentUser: deeproot\\\\russel_hancock, IsUserAdmin: true,\nIPv4: [10.1.0.100, 169.254.134.111], IPv6: [fe80::dde1:22a:7ba3:fe0b%5, fe80::b8f8:b421:27c8:866f%11]}\nName                                    Description\n----                                    -----------\nCert Publishers                         Members of this group are permitted to publish certificates to the directory\nRAS and IAS Servers                     Servers in this group can access remote access properties of users\nAllowed RODC Password Replication Group Members in this group can have their passwords replicated to all read-only do...\nDenied RODC Password Replication Group  Members in this group cannot have their passwords replicated to any read-only...\n\"\n```\n\n## GENERAL REQUIREMENTS\n\n#### Listeners\n\nBy default, listeners bind to the system's interface with HTTPS:443 and HTTP:80. They must be accessible from the assumed breach point target. Set your Callback URLs in the `:\u003e listeners` context before generating any stager. \n\n\u003c/br\u003e\n\u003c/br\u003e\n\n\n### BASIC INSTALL\n\n1. `git clone https://github.com/ARMADOinc/Atomic-Red-Team-intel-C2.git`\n2. `cd ./Atomic-Red-Team-intel-C2`\n3. `./install.sh install`\n\n\u003c/br\u003e\n\u003c/br\u003e\n\n\n**DEPLOYMENT OPTIONS**\n\nARTIC-C2 enables flexible deployment models to suit all atomic test case execution requirements. While there are a few client-side console dependencies relative to caching, the client console is not required to run on the same system as the team server. Soon, we'll package and release a dedicated client.\n\n**NOTE:** The examples below assume ARTIC-C2 will start from the same instance.\n\n**Start WSS on the default port and produce an ad-hoc log**\n- server: `artic2.py wss 127.0.0.1 Art1.c25rvr \u003e\u003e /var/log/artic2.log \u0026`\n- client: `artic2.py client wss://operator:Art1.c25rvr@127.0.0.1:5000`\n\n\u003c/br\u003e\n\u003c/br\u003e\n\n**Start WSS on the default port in the foreground**\n- server: `artic2.py wss 127.0.0.1 Art1.c25rvr`\n- client: `artic2.py client wss://operator:Art1.c25rvr@127.0.0.1:5000`\n\n\u003c/br\u003e\n\u003c/br\u003e\n\n**Start WSS on port 5443, bind to 10.0.0.43, produce adhoc log and connect two clients**\n- server: `artic2.py wss 10.0.0.43:5443 Art1.c25rvr \u003e\u003e /var/log/artic2.log \u0026`\n- client1: `artic2.py client wss://operator1:Art1.c25rvr@10.0.0.43:5443`\n- client2: `artic2.py client wss://operator2:Art1.c25rvr@10.0.0.43:5443`\n\n\u003c/br\u003e\n\u003c/br\u003e\n\n### DOCUMENTATION:\n\n- In progress. \n\n\u003c/br\u003e\n\n\n\u003c/br\u003e\n\n## CREDITS \u0026 ACKNOWLEDGEMENTS \n\n- Marcello Salvati [@byt3bl33d3r](https://twitter.com/byt3bl33d3r) and all [SILENTRINITY](https://github.com/byt3bl33d3r/SILENTTRINITY) c2 project contributors\n- [Red Canary](https://github.com/redcanaryco) and all [ATOMIC RED TEAM](https://github.com/redcanaryco/atomic-red-team) project contributors\n- [Atomic Red Team Community](https://slack.atomicredteam.io/)  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarmado%2FAtomic-Red-Team-C2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdarmado%2FAtomic-Red-Team-C2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarmado%2FAtomic-Red-Team-C2/lists"}