Our red team operates with kaosh, a proprietary Command & Control framework built from scratch in Rust: no off-the-shelf tools, no known signatures, no public IOCs.
Full GUI dashboard for managing beacons, listeners, credentials, network topology, implant generation, and post-exploitation — all from the browser.
Every commercial and open-source C2 has been reverse-engineered, signatured, and added to detection content. To deliver a real adversary emulation, the tooling itself has to be unique.
Every commercial and open-source C2 — Cobalt Strike, Sliver, Havoc, Mythic, Brute Ratel — has detection rules in every major EDR. Our framework has never been submitted to VirusTotal or any malware repo.
Beacon and team server are written from scratch in Rust. No CRT artifacts, no .NET dependencies, no PowerShell. Implants compile to ~80KB statically linked binaries with no external runtime.
Per-engagement C2 profiles that mimic legitimate SaaS traffic patterns — Slack, Teams, Office 365, GitHub. Configurable HTTP headers, URI structures, and JSON payload shapes per profile.
Our team tests every release against CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Carbon Black, and Cortex XDR. Detection capability changes drive evasion updates within days.
From scoping to reporting — how we run a red team engagement with kaosh.
We define rules of engagement, target systems, success criteria, and TTPs to emulate. C2 profiles are tailored to your environment's traffic baseline.
Per-engagement implants compiled with unique encryption keys, traffic profile, and module set. No two engagements share binary artifacts.
Our operators run the engagement from the kaosh dashboard — beacon management, lateral movement, credential capture, and post-exploitation in real time.
Full attack timeline mapped to MITRE ATT&CK with reproduction steps, EDR telemetry analysis, and prioritized remediation guidance for your blue team.
Browser-based dashboard. Filter beacons by status, OS, project, sleep interval, or tags. Multi-select for batch operations. Per-beacon tabs for shell, file browser, screenshots, keylogger, and module execution.
Each kaosh beacon exposes the full post-exploitation surface from a single browser tab — eight categories of native operations, all without spawning external processes.
Twelve dedicated workspaces in the dashboard — every part of a modern red team engagement covered.
Real-time view of all active beacons. Hostname, IP, user, OS, process, sleep interval, jitter, and last check-in. One-click interaction per beacon.
Deploy HTTPS, DNS, TCP and SMB listeners with per-listener TLS, malleable C2 profile, and project scoping for multi-engagement isolation.
Generate custom beacons with configurable evasion profile, transport, and module set. Cross-compile for Windows, Linux, and macOS from one UI.
Malleable communication profiles. Customize HTTP URIs, headers, parameters, encoding, jitter, and traffic shape per engagement to blend with the target.
Interactive topology powered by React Flow. Visual lateral movement paths, pivot chains, and beacon parent-child relationships.
Centralized credentials across all beacons — NTLM hashes, plaintext, Kerberos tickets, certificates, SSH keys. Auto-collected and tagged by source.
Async task execution with full output history. Schedule commands across many beacons simultaneously and track status, exit codes, and stderr.
Peer-to-peer beacons via SMB and TCP for environments without direct egress. Multi-hop routing for deep network penetration.
Coordinated password spraying across discovered identities with configurable lockout-aware throttling and protocol selection (LDAP, Kerberos, SMB, HTTP).
Built-in playbook scripting. Define automation that runs across multiple beacons — recon, credential collection, persistence — in one click.
Organized storage for files, screenshots, keylogs, and exfiltrated data. Tagged by beacon, project, timestamp, and operator.
Every operator action is logged immutably. Per-engagement audit trail for client deliverables and dispute resolution.
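The lockout-aware throttling in the password-spraying workspace only works if the scheduler models the target domain's policy correctly. The following is an added example, written for this page and not kaosh's own code: a Rust scheduler that tracks the Windows bad-password counter per account (the counter clears only once the observation window has passed since the last failed logon) and delays any attempt that would push an account to the threshold minus a safety margin. The users, passwords, policy numbers and the 2-second request gap are all constructed for the example.

```rust
use std::collections::HashMap;

/// Lockout policy of the target domain. The numbers are constructed for the example;
/// on an engagement they come from the domain itself (e.g. `net accounts /domain`).
pub struct LockoutPolicy {
    pub threshold: u32,     // failed logons that lock the account
    pub window_secs: u64,   // "reset account lockout counter after": the counter clears
                            // once this long has passed since the last failed logon
    pub safety_margin: u32, // attempts held back below the threshold
}

#[derive(Debug, Clone, PartialEq)]
pub struct Attempt {
    pub at: u64, // seconds from the start of the spray
    pub user: String,
    pub password: String,
}

/// Per-account state of the bad-password counter the scheduler models.
struct Counter {
    count: u32,
    last: u64,
}

/// Spray every password against every user, one password per round, delaying any attempt
/// that would push a user's counter to `threshold - safety_margin` before the window has
/// cleared. Assumes every attempt fails, which is the worst case for lockouts.
pub fn build_schedule(users: &[&str], passwords: &[&str], policy: &LockoutPolicy, gap_secs: u64) -> Vec<Attempt> {
    let budget = policy.threshold.saturating_sub(policy.safety_margin);
    assert!(budget >= 1, "policy leaves no room for a single attempt");
    let mut counters: HashMap<&str, Counter> = HashMap::new();
    let mut now: u64 = 0;
    let mut schedule = Vec::new();
    for pw in passwords {
        for user in users {
            let c = counters.entry(*user).or_insert(Counter { count: 0, last: 0 });
            if c.count > 0 && now >= c.last + policy.window_secs {
                c.count = 0; // the domain has already forgotten the earlier failures
            }
            if c.count >= budget {
                now = c.last + policy.window_secs; // wait out the window before touching this user again
                c.count = 0;
            }
            c.count += 1;
            c.last = now;
            schedule.push(Attempt { at: now, user: user.to_string(), password: pw.to_string() });
            now += gap_secs;
        }
    }
    schedule
}

/// Replay a schedule against the same counter model and return the highest bad-password
/// count any account would reach. Check this against the policy before launching.
pub fn peak_bad_password_count(schedule: &[Attempt], window_secs: u64) -> u32 {
    let mut counters: HashMap<&str, Counter> = HashMap::new();
    let mut peak: u32 = 0;
    for a in schedule {
        let c = counters.entry(a.user.as_str()).or_insert(Counter { count: 0, last: 0 });
        if c.count > 0 && a.at >= c.last + window_secs {
            c.count = 0;
        }
        c.count += 1;
        c.last = a.at;
        peak = peak.max(c.count);
    }
    peak
}

/// Constructed input: threshold 5, 30-minute window, one attempt held in reserve.
pub fn example_schedule() -> (LockoutPolicy, Vec<Attempt>) {
    let policy = LockoutPolicy { threshold: 5, window_secs: 1800, safety_margin: 1 };
    let users = ["alice", "bob", "carol"];
    let passwords = ["Summer2024!", "Winter2024!", "Spring2024!", "Autumn2024!", "Company1!", "Welcome1!"];
    let schedule = build_schedule(&users, &passwords, &policy, 2);
    (policy, schedule)
}

fn main() {
    let (policy, schedule) = example_schedule();
    for a in &schedule {
        println!("t+{:>5}s  {:<6} {}", a.at, a.user, a.password);
    }
    println!(
        "peak bad-password count: {} (threshold {})",
        peak_bad_password_count(&schedule, policy.window_secs),
        policy.threshold
    );
}
```

With the constructed policy the first four passwords go out back to back; the fifth waits until each account's 30-minute window has expired, so the full spray takes just over half an hour rather than 36 seconds. The replay check is the part worth keeping: run it over any schedule, hand-built or generated, before the first request leaves the beacon.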
Per-engagement profiles in TOML. Mimic Slack, Teams, GitHub, Office 365, or any SaaS your target's baseline already trusts. Configurable headers, URI structure, JSON shape, jitter, sleep masks, and working-hours envelope.
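What the jitter, sleep and working-hours settings of such a profile do to an implant's timing, and what a defender sees as a result, is easier to judge in code. The following is an added example written for this page, not kaosh's own implementation: a Rust sleep scheduler using the values from the slack.toml profile shown next (60 s sleep, 30% jitter, 09:00-18:00), plus the interval statistic a beaconing detector computes over proxy logs. The xorshift PRNG and the interpretation of jitter_percent as a symmetric band around the base sleep are assumptions of the example.

```rust
/// The [jitter] table of the profile, with the working-hours envelope converted to
/// seconds after local midnight (09:00 -> 32400, 18:00 -> 64800).
pub struct JitterProfile {
    pub sleep_seconds: u64,
    pub jitter_percent: u64,
    pub work_start: u64,
    pub work_end: u64,
}

/// xorshift64, so the example is deterministic and dependency-free.
/// Assumption for the example only: a real implant would draw from an OS CSPRNG.
pub struct Rng(pub u64);

impl Rng {
    pub fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }
}

impl JitterProfile {
    /// Seconds to sleep before the next check-in, given the local time of day in seconds.
    /// Inside the envelope the sleep is drawn uniformly from base +/- jitter (assumed
    /// symmetric here; Cobalt Strike-style jitter only ever shortens the sleep). Outside
    /// the envelope, or if the drawn sleep would end past 18:00, the implant sleeps until
    /// the envelope reopens at 09:00.
    pub fn next_sleep(&self, now: u64, rng: &mut Rng) -> u64 {
        let until_open = |now: u64| {
            if now < self.work_start { self.work_start - now } else { 86_400 - now + self.work_start }
        };
        if now < self.work_start || now >= self.work_end {
            return until_open(now);
        }
        let band = self.sleep_seconds * self.jitter_percent / 100;
        let lo = self.sleep_seconds - band;
        let hi = self.sleep_seconds + band;
        let sleep = lo + rng.next_u64() % (hi - lo + 1);
        if now + sleep >= self.work_end { until_open(now) } else { sleep }
    }

    /// Simulate `n` check-ins starting at `start` (seconds after midnight) and return the
    /// absolute check-in times; the first entry is the start itself.
    pub fn simulate(&self, start: u64, n: usize, rng: &mut Rng) -> Vec<u64> {
        let mut t = start;
        let mut times = vec![t];
        for _ in 0..n {
            t += self.next_sleep(t % 86_400, rng);
            times.push(t);
        }
        times
    }
}

/// Coefficient of variation (stddev / mean) of the gaps between check-ins: the statistic a
/// beaconing detector computes per client/destination pair. A fixed sleep gives 0.0; the
/// 30% jitter in this profile gives roughly 0.17, still a tight distribution compared to
/// user-driven browsing.
pub fn interval_cv(times: &[u64]) -> f64 {
    let gaps: Vec<f64> = times.windows(2).map(|w| (w[1] - w[0]) as f64).collect();
    let n = gaps.len() as f64;
    let mean = gaps.iter().sum::<f64>() / n;
    let var = gaps.iter().map(|g| (g - mean).powi(2)).sum::<f64>() / n;
    var.sqrt() / mean
}

/// Values from the slack.toml profile on this page.
pub fn slack_profile() -> JitterProfile {
    JitterProfile { sleep_seconds: 60, jitter_percent: 30, work_start: 9 * 3600, work_end: 18 * 3600 }
}

fn main() {
    let p = slack_profile();
    let mut rng = Rng(0x9E37_79B9_7F4A_7C15);
    let times = p.simulate(p.work_start, 200, &mut rng);
    let first: Vec<u64> = times.windows(2).take(5).map(|w| w[1] - w[0]).collect();
    println!("first gaps: {:?}", first);
    println!("interval CV with 30% jitter: {:.3}", interval_cv(&times));
    println!("sleep at 19:00 -> {} s (until 09:00 tomorrow)", p.next_sleep(19 * 3600, &mut rng));
}
```

The working-hours check is what keeps the profile consistent with a human Slack user; the jitter alone does not, because a CV around 0.17 on a 60-second period is still a strong beaconing signal once a detector has a few hundred requests to the same host.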
# kaosh malleable profile — slack.toml
name = "slack-c2"
# Host header the implant sends. The redirector in front of the listener has to present a
# certificate for this name, or a TLS-inspecting proxy sees the mismatch.
host = "kaos-team.slack.com"

# Check-in channel: the implant polls for tasking. The method is set explicitly, so the
# poll goes out as a POST with a form-encoded body like a real Slack Web API call.
[http.get]
uri = "/api/conversations.history"
method = "POST"
headers = { "Content-Type" = "application/x-www-form-urlencoded" }
body_template = "channel={beacon_id}&ts={timestamp}&token={enc_session}"

# Output channel: task results go back disguised as a file upload.
[http.post]
uri = "/api/files.upload"
headers = { "Authorization" = "Bearer xoxb-{rotating_token}" }
body_encoding = "multipart"

[jitter]
sleep_seconds = 60                            # base interval between check-ins
jitter_percent = 30                           # randomisation applied to the base interval
working_hours = "09:00-18:00 Europe/Madrid"   # no check-ins outside this envelope

[evasion]
sleep_mask = "ekko"                           # implant memory obfuscated while sleeping
call_stack_spoof = true
memory_encrypt = "aes-256-gcm"

Interactive React Flow topology that auto-updates as the engagement progresses. Beacons, pivot links, captured credentials and discovered identities all live on one graph.
SharpHound-style collection from any beacon — users, ACLs, GPOs, trusts, certificate templates.
Shortest paths to Domain Admin, Tier 0 assets, and high-value targets visualized on the graph.
Parent-child beacon relationships, SMB/TCP P2P routes, SOCKS chains all rendered.
Click any compromised host on the graph to spawn a child beacon, dump creds, or run a module.
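The "shortest path to Domain Admin" the graph highlights is a breadth-first search over the collected edges. As an added example, not code from kaosh or from SharpHound, the following Rust program runs that search over a small constructed edge set using BloodHound edge names (MemberOf, AdminTo, HasSession, GenericAll, CanRDP); the principals, hosts and relationships are invented for the example. It also shows why BFS rather than any path: the graph contains two routes from jdoe to Domain Admins, and the search returns the one with fewer hops.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// Constructed BloodHound-style edges: (source, edge kind, target). Not real data.
pub const EDGES: &[(&str, &str, &str)] = &[
    ("jdoe@corp.local",       "MemberOf",   "helpdesk@corp.local"),
    ("jdoe@corp.local",       "MemberOf",   "domain users@corp.local"),
    ("jdoe@corp.local",       "CanRDP",     "ws02.corp.local"),
    ("helpdesk@corp.local",   "AdminTo",    "ws01.corp.local"),
    ("ws01.corp.local",       "HasSession", "svc_backup@corp.local"),
    ("ws02.corp.local",       "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "GenericAll", "it-admins@corp.local"),
    ("it-admins@corp.local",  "MemberOf",   "domain admins@corp.local"),
];

/// Adjacency list: node -> [(edge kind, target)].
pub struct AttackGraph {
    adj: HashMap<String, Vec<(String, String)>>,
}

impl AttackGraph {
    pub fn from_edges(edges: &[(&str, &str, &str)]) -> Self {
        let mut adj: HashMap<String, Vec<(String, String)>> = HashMap::new();
        for (src, kind, dst) in edges {
            adj.entry(src.to_string()).or_default().push((kind.to_string(), dst.to_string()));
        }
        AttackGraph { adj }
    }

    /// Breadth-first search: the first time `target` is dequeued, the recorded parents
    /// give a path with the fewest hops. Returns the node sequence, or None if unreachable.
    pub fn shortest_path(&self, start: &str, target: &str) -> Option<Vec<String>> {
        let mut parent: HashMap<String, String> = HashMap::new();
        let mut seen: HashSet<String> = HashSet::new();
        let mut queue = VecDeque::new();
        seen.insert(start.to_string());
        queue.push_back(start.to_string());
        while let Some(node) = queue.pop_front() {
            if node == target {
                let mut path = vec![node.clone()];
                let mut cur = node;
                while let Some(prev) = parent.get(&cur) {
                    path.push(prev.clone());
                    cur = prev.clone();
                }
                path.reverse();
                return Some(path);
            }
            for (_, next) in self.adj.get(&node).into_iter().flatten() {
                if seen.insert(next.clone()) {
                    parent.insert(next.clone(), node.clone());
                    queue.push_back(next.clone());
                }
            }
        }
        None
    }

    /// Render a path with its edge kinds, the way an operator reads it off the graph.
    pub fn describe(&self, path: &[String]) -> String {
        let mut out = path[0].clone();
        for w in path.windows(2) {
            let kind = self
                .adj
                .get(&w[0])
                .and_then(|v| v.iter().find(|(_, d)| *d == w[1]))
                .map(|(k, _)| k.as_str())
                .unwrap_or("?");
            out.push_str(&format!(" -[{}]-> {}", kind, w[1]));
        }
        out
    }
}

fn main() {
    let g = AttackGraph::from_edges(EDGES);
    match g.shortest_path("jdoe@corp.local", "domain admins@corp.local") {
        Some(p) => println!("{} hops: {}", p.len() - 1, g.describe(&p)),
        None => println!("no path"),
    }
}
```

Real collections have hundreds of thousands of edges and the interesting query is usually "shortest path from every owned principal", which is the same search run from each owned node; the cost is linear in edges per run, so it stays cheap enough to recompute every time a new credential lands on the graph.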
kaosh adapts to the engagement model — whether you need a full red team, a focused detection validation, or a recurring program.
Full-scope adversary emulation against your production environment. From initial access through objectives — kaosh runs the whole engagement under realistic OPSEC.
Mimic a specific APT or ransomware group. Configure the malleable C2 profile to match the group's published TTPs and IOCs, then validate the detection content you built for that actor.
Collaborative engagement with your blue team in the room. Run techniques live, walk through the EDR telemetry side-by-side, tune detection logic on the spot.
AD-focused engagement. BloodHound collection, ADCS audit, Kerberos delegation review, and automated execution of the attack paths the collection uncovers.
Recurring engagement program. New TTPs, new C2 profiles, and updated implants every quarter — measure detection drift and improvement over time.
Validate specific detection content. We execute targeted techniques per your hypothesis and report what fired, what was missed, and what was logged but not alerted.
Side by side with the most widely used commercial and open-source frameworks.
Comparison based on public documentation as of 2026. Implant size measured for default HTTPS profile, Windows x64 release build.
Each module is a standalone Rust crate — load only what the engagement requires. No external dependencies, no .NET, no PowerShell. BOFs from the Cobalt Strike ecosystem load directly when needed.
Common questions about kaosh and our red team engagements.
If your EDR can't detect kaosh, we'll show you exactly why — and how to fix it. Our red team uses this framework on every engagement.