Faction is a C2 framework for security professionals, providing an easy way to extend and interact with agents. It focuses on providing an easy, stable, and approachable platform for C2 communications through well documented REST and Socket.IO APIs.
Instead of one large monolithic application, Faction is designed loosely around a micro services architecture. Functionality is split into separate services that communicate through message queues. This approach provides several advantages, most important of which is allowing users to quickly be able to learn how the system operates.
Faction consists of four main services:
- API: The API is the how users, agents, and anything else interacts with Faction.
- Core: The Core service handles all user and agent messaging, including processing user commands and handling encrypting/decrypting agent messages.
- Build Servers: Build Servers handle building payloads and modules. They are language specific, allowing Faction to be easily extended to support new languages. Currently Faction supports .NET payloads and modules.
In addition to these services, Faction also relies on RabbitMQ for communication between services and PostgreSQL for data storage.
Watch Demo of Faction
Concepts and Terminology
- Payload: A file or command that is run on a target machine to establish an agent
- Agent: An instance of an Agent Type that is registered and communicating with Faction.
- Agent Type: A kind of agent, for example Marauder
- Modules: Libraries that provide a Faction Agent with additional functionality in the form of commands or transport options.
- Transport: The combination of a Transport Server and Transport Module
- Transport Server: A server that sits between a payload/agent and the Faction API. It manipulates API messages so that they can be routed over different transmission methods or obfuscated (or both)
- Transport Module: A module that allows an agent to talk to a specific kind of Transport Server
Presentation at Troopers 19
After installing Faction, you’ll be presented with the URL, Admin Username, and Password for accessing the console. If you need to access this information later, it is stored in
The first thing you’ll want to do is setup a transport. By default, Faction comes with one transport configured: DIRECT. This transport allows payloads to connect directly to Faction which is fine for testing, but not a great idea for an actual engagement.
Navigate to the Transports tab and click “New Transport”. Provide a description for the Transport and you’ll be given a Transport ID, Access Key Name, and Access Key Secret. The transport you’re configuring should provide documentation on what to do with this information so that it can register with Faction. If you’re using the HTTP Transport, you can find that information here.
Once the Transport is registered, it will show up as an available Transport in Faction
Payloads are run on targets to establish an Agent. They control the initial settings for an agent, such as beacon interval, jitter, transports, and expiration dates. Payloads use the same password to stage an agent, as part of the staging process an agent gets its own password for communications.
On the Payloads tab, you have the option to create a new payload. The following options are required:
- Agent Type: This is the type of agent that the payload will spawn
- Agent Format: This is the format that the payload will be built in
- Agent Transport: This is the initial transport that the payload will use to stage the agent and beacon
- Beacon Interval: The number of seconds between beaconing. This needs to be a whole number.
- Jitter: Introduces randomness into to the beacon interval. This is determined by multiplying the beacon interval by the jitter value, taking the result and adjusting the beacon interval by a random amount up to that result. For example, a beacon interval of 10 seconds with a jitter of 0.2 would beacon randomly between 8 and 12 seconds. Values between 0.0 and 1.0 are accepted.
Once a Payload stages, it becomes an agent. Agents allow you to interact with the target system.
On the Agents tab, click on an agent to interact with it. The console that you presented with allows you to interact with you agent. The following commands will help you get your bearings:
help [command name]
Faction agents are extensible through modules that provide additional commands. To load a module, use the
load [module name] command.
See the Faction Agents page for more details on agents.
You can upload files on the “Files” tab, this is also where files that you upload from agents will show up.
You can reference a file in a command with
f2:files/[filename]. The API will automatically replace this string with the base64 encoded byte array of the given file. Commands like
download will leverage this behavior to write files to disk.
Administrators can create new users for Faction from the settings page, located in the drop-down menu under your account name in the upper right. Users can have one of three different roles:
- Administrator: Allows for the creation of new users
- Operator: Allows for everything except the creation of users
- ReadOnly: Read only access to Faction.