KAOS RED TEAM

Custom C2
Framework

Our red team operates with kaosh— a proprietary Command & Control framework built from scratch in Rust. No off-the-shelf tools, no known signatures, no public IOCs.

Full GUI dashboard for managing beacons, listeners, credentials, network topology, implant generation, and post-exploitation — all from the browser.

WHY WE BUILT IT

Public C2s have public signatures

Every commercial and open-source C2 has been reverse-engineered, signatured, and added to detection content. To deliver a real adversary emulation, the tooling itself has to be unique.

No public signatures

Every commercial and open-source C2 — Cobalt Strike, Sliver, Havoc, Mythic, Brute Ratel — has detection rules in every major EDR. Our framework has never been submitted to VirusTotal or any malware repo.

Zero shared code

Beacon and team server are written from scratch in Rust. No CRT artifacts, no .NET dependencies, no PowerShell. Implants compile to ~80KB statically linked binaries with no external runtime.

Custom Malleable C2

Per-engagement C2 profiles that mimic legitimate SaaS traffic patterns — Slack, Teams, Office 365, GitHub. Configurable HTTP headers, URI structures, and JSON payload shapes per profile.

Continuous evasion R&D

Our team tests every release against CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Carbon Black, and Cortex XDR. Detection capability changes drive evasion updates within days.

Engagement Workflow

From scoping to reporting — how we run a red team engagement with kaosh.

01

Engagement Scoping

We define rules of engagement, target systems, success criteria, and TTPs to emulate. C2 profiles are tailored to your environment's traffic baseline.

02

Custom Build

Per-engagement implants compiled with unique encryption keys, traffic profile, and module set. No two engagements share binary artifacts.

03

Live Operations

Our operators run the engagement from the kaosh dashboard — beacon management, lateral movement, credential capture, and post-exploitation in real time.

04

Reporting & Detection

Full attack timeline mapped to MITRE ATT&CK with reproduction steps, EDR telemetry analysis, and prioritized remediation guidance for your blue team.

OPERATOR CONSOLE

One pane of glass for the entire engagement

Browser-based dashboard. Filter beacons by status, OS, project, sleep interval, or tags. Multi-select for batch operations. Per-beacon tabs for shell, file browser, screenshots, keylogger, and module execution.

  • Live beacon status with check-in heartbeat
  • Per-project isolation for multi-engagement teams
  • Inline tagging for adversary tracking and reporting
  • Full xterm.js terminal with output history & search
PER-BEACON ACTIONS

Every operation a real adversary needs, one click away

Each kaosh beacon exposes the full post-exploitation surface from a single browser tab — eight categories of native operations, all without spawning external processes.

Interactive Console

  • ·Live shell with output history
  • ·Run command (CMD / PowerShell / sh)
  • ·Execute .NET assemblies in-memory
  • ·Inline AMSI / ETW patching

File Operations

  • ·Browse remote filesystem
  • ·Upload, download, mv, rm, mkdir
  • ·Search by name and content
  • ·Streaming transfer with resume

Surveillance

  • ·Screenshot capture (multi-monitor)
  • ·Keylogger (per-process targeted)
  • ·Clipboard monitor
  • ·Audio / webcam capture

Process & Token

  • ·Process inject (PoolParty, EarlyBird, NtMapView)
  • ·Token steal / make / impersonate
  • ·Migrate, suspend, kill
  • ·Privilege enumeration

Credential Capture

  • ·LSA secrets, SAM, DPAPI
  • ·Browser credentials and cookies
  • ·SCCM / KeePass / SSH keys
  • ·Kerberos ticket extraction (TGT/TGS)

Lateral Movement

  • ·PsExec, WMI, WinRM, DCOM, SCM, RPC
  • ·Pass-the-Hash, Pass-the-Ticket
  • ·RBCD, Shadow Credentials, S4U
  • ·Inline child beacon spawn

Persistence

  • ·Registry Run keys, Services, Scheduled Tasks
  • ·COM hijack, DLL hijack, IFEO
  • ·WMI event subscription
  • ·Scheduled task with custom trigger

Pivoting

  • ·SOCKS5 proxy via beacon (auth + IPv6)
  • ·Reverse port forward
  • ·SMB and TCP P2P pivot beacons
  • ·Multi-hop chained routing

Operator Capabilities

Twelve dedicated workspaces in the dashboard — every part of a modern red team engagement covered.

01

Beacon Management

Real-time view of all active beacons. Hostname, IP, user, OS, process, sleep interval, jitter, and last check-in. One-click interaction per beacon.

02

Listener Configuration

Deploy HTTPS, DNS, TCP and SMB listeners with per-listener TLS, malleable C2 profile, and project scoping for multi-engagement isolation.

03

Implant Builder

Generate custom beacons with configurable evasion profile, transport, and module set. Cross-compile for Windows, Linux, and macOS from one UI.

04

C2 Profiles

Malleable communication profiles. Customize HTTP URIs, headers, parameters, encoding, jitter, and traffic shape per engagement to blend with the target.

05

Network Map

Interactive topology powered by React Flow. Visual lateral movement paths, pivot chains, and beacon parent-child relationships.

06

Credential Vault

Centralized credentials across all beacons — NTLM hashes, plaintext, Kerberos tickets, certificates, SSH keys. Auto-collected and tagged by source.

07

Task Queue

Async task execution with full output history. Schedule commands across many beacons simultaneously and track status, exit codes, and stderr.

08

Mesh Networking

Peer-to-peer beacons via SMB and TCP for environments without direct egress. Multi-hop routing for deep network penetration.

09

Spray Engine

Coordinated password spraying across discovered identities with configurable lockout-aware throttling and protocol selection (LDAP, Kerberos, SMB, HTTP).

10

Script Engine

Built-in playbook scripting. Define automation that runs across multiple beacons — recon, credential collection, persistence — in one click.

11

Loot Collection

Organized storage for files, screenshots, keylogs, and exfiltrated data. Tagged by beacon, project, timestamp, and operator.

12

Operator Audit

Every operator action is logged immutably. Per-engagement audit trail for client deliverables and dispute resolution.

WALKTHROUGH

See kaosh in action

Six workspaces an operator lives in during an engagement.

Implant Builder

Per-engagement compile with profile, transport and module selection.

Listener Configuration

HTTPS / DNS / TCP / SMB listeners with custom C2 profile binding.

Network Topology Graph

Live attack-path graph — beacons, pivots, AD assets.

Task Queue & Output

Async task scheduling across beacons with full output history.

Credentials Vault

Hashes, tickets, plaintext and certificates auto-organized by source.

Loot Collection

Files, screenshots, keylogs and exfiltrated data tagged by beacon.

BIGGEST GAP IN OTHER C2s

Network attacks, built into the beacon

Cobalt Strike, Sliver, Havoc, Mythic — all of them rely on external tooling tunnelled over SOCKS for Responder, NTLM relay, and coercion. kaosh runs all of it natively from inside the beacon.

POISONING

Inline Responder

LLMNR, NBT-NS, and mDNS poisoning directly from a beacon. Selective response engine to target specific hosts only — no broadcast collateral.

  • Rogue HTTP / SMB / MSSQL / LDAP servers
  • WPAD proxy for browser interception
  • NTLMv1 / NTLMv2 / Extended Security capture
  • Analyze mode for passive observation
RELAY

Inline NTLM Relay

Capture NTLM auth and relay in real time — no separate ntlmrelayx host required. Cross-protocol, signing-bypass aware.

  • SMB → SMB (shares, SAM dump, exec)
  • HTTP → LDAP (RBCD, Shadow Credentials)
  • HTTP → ADCS (ESC8 / ESC11 cert abuse)
  • CVE-2019-1040 unsigned cross-protocol
COERCE

Authentication Coercion

Force authentication from target machines to attacker-controlled listeners. One-command coerce-and-relay attack chains.

  • PrinterBug (MS-RPRN)
  • PetitPotam (MS-EFSRPC)
  • DFSCoerce, ShadowCoerce, MS-EVEN
  • WSPCoerce (Windows Search RPC)
IPV6

IPv6 Takeover (mitm6)

DHCPv6 router advertisement abuse from beacon. Sets attacker as default DNS for IPv6 — bypasses IPv4-only network controls.

  • Rogue DHCPv6 server from beacon
  • Targeted DNS spoofing per host
  • Combined with relay for WPAD / LDAP
  • IPv6 neighbor discovery manipulation

kaosh › coerce printerbug → relay http→ldap shadow-creds → impersonate dc$
One operator command. Coerce, relay, attack — all chained, no SOCKS proxy through external tools.

MALLEABLE C2

Traffic that looks legitimate

Per-engagement profiles in TOML. Mimic Slack, Teams, GitHub, Office 365, or any SaaS your target's baseline already trusts. Configurable headers, URI structure, JSON shape, jitter, sleep masks, and working-hours envelope.

# kaosh malleable profile — slack.toml
name = "slack-c2"
host = "kaos-team.slack.com"

[http.get]
uri = "/api/conversations.history"
method = "POST"
headers = { "Content-Type" = "application/x-www-form-urlencoded" }
body_template = "channel={beacon_id}&ts={timestamp}&token={enc_session}"

[http.post]
uri = "/api/files.upload"
headers = { "Authorization" = "Bearer xoxb-{rotating_token}" }
body_encoding = "multipart"

[jitter]
sleep_seconds = 60
jitter_percent = 30
working_hours = "09:00-18:00 Europe/Madrid"

[evasion]
sleep_mask = "ekko"
call_stack_spoof = true
memory_encrypt = "aes-256-gcm"
NETWORK GRAPH

Real-time attack-path graph

Interactive React Flow topology that auto-updates as the engagement progresses. Beacons, pivot links, captured credentials and discovered identities all live on one graph.

  • BloodHound-compatible AD enumeration

    SharpHound-style collection from any beacon — users, ACLs, GPOs, trusts, certificate templates.

  • Attack-path overlay

    Shortest paths to Domain Admin, Tier 0 assets, and high-value targets visualized on the graph.

  • Live beacon links

    Parent-child beacon relationships, SMB/TCP P2P routes, SOCKS chains all rendered.

  • Click-to-pivot

    Click any compromised host on the graph to spawn a child beacon, dump creds, or run a module.

Engagement Types

kaosh adapts to the engagement model — whether you need a full red team, a focused detection validation, or a recurring program.

Red Team Engagement

4–6 weeks

Full-scope adversary emulation against your production environment. From initial access through objectives — kaosh runs the whole engagement under realistic OPSEC.

Threat-Specific Emulation

3–5 weeks

Mimic a specific APT or ransomware group. Configure malleable C2 to match their published TTPs and IOCs, validate detection content built for that actor.

Purple Team Exercise

2–3 weeks

Collaborative engagement with your blue team in the room. Run techniques live, walk through the EDR telemetry side-by-side, tune detection logic on the spot.

Active Directory Assessment

2–4 weeks

AD-focused engagement. BloodHound collection, ADCS audit, Kerberos delegation review, automated attack-path execution against compromised paths.

Continuous Adversary Emulation

Quarterly

Recurring engagement program. New TTPs, new C2 profiles, and updated implants every quarter — measure detection drift and improvement over time.

Detection Engineering Validation

1–2 weeks

Validate specific detection content. We execute targeted techniques per your hypothesis and report what fired, what was missed, and what was logged but not alerted.

How kaosh compares

Side by side with the most widely used commercial and open-source frameworks.

CapabilitykaoshCobalt StrikeSliver
Public signaturesNoneHeavyHeavy
Submitted to VTNeverYesYes
Implant languageRustC/C++Go
Implant size~80 KB~250 KB~7 MB
Per-engagement keysYesNoYes
Malleable C2YesYesLimited
BOF supportYesYesYes
P2P mesh (SMB+TCP)YesYesTCP only
NTLM relay built-inYesExternalExternal
Browser context hijackYesNoYes
License modelService only$5,900/yrOpen source

Comparison based on public documentation as of 2026. Implant size measured for default HTTPS profile, Windows x64 release build.

BUILT-IN MODULES

Every TTP, natively integrated

Each module is a standalone Rust crate — load only what the engagement requires. No external dependencies, no .NET, no PowerShell. BOFs from the Cobalt Strike ecosystem load directly when needed.

KerberosKerberoasting, AS-REP roast, ticket ops, S4U, RBCD
NTLM RelayCapture and relay NTLM auth (LDAP, SMB, HTTP)
Credential DumpSAM, LSA, DPAPI, browser, SCCM, KeePass
AD EnumerationUsers, groups, GPOs, trusts, ACLs (BloodHound-compatible)
Lateral MovementPsExec, WMI, WinRM, DCOM, SCM, RPC
ResponderLLMNR / NBT-NS / mDNS poisoning
mitm6IPv6 DHCPv6 takeover for relay attacks
PersistenceRegistry, services, scheduled tasks, COM, DLL hijack
MSSQLxp_cmdshell, linked servers, impersonation
Network ReconPort scan, service enum, subnet discovery
Evasion EngineSleep mask, call stack spoof, memory encryption
BOF LoaderCS-compatible Beacon Object Files execution
Process InjectPoolParty, NtMapView, EarlyBird, Self-Loader
Browser HijackCookie steal, U2F bypass, geo-IP bypass

Technical Specs

LanguageRust (beacon + server)
CryptoX25519 + AES-256-GCM + HKDF
DatabaseSQLite (embedded, zero config)
DashboardNext.js + React + xterm.js
TargetsWindows, Linux, macOS
ChannelsHTTPS, DNS, TCP, SMB (P2P)
Implant Size~80 KB (statically linked)
BOF CompatCobalt Strike BOF (.o) loader

Red Team C2 — FAQ

Common questions about kaosh and our red team engagements.

Trusted by

VeoliaSalto SystemsTendamTousProsegurCCOOACSAAdamoLogistiumPrevengestKOS GroupeUnivMiCasinoSMUMinsaitUFINETMoraBancBluri

Test your defenses against a real adversary

If your EDR can't detect kaosh, we'll show you exactly why — and how to fix it. Our red team uses this framework on every engagement.

Talk to SalesSee Pricing