Leaving your c2 to use SSH, MSF, nmap - HUGE pain.
Why not just use them from the browser!
Since Realm's network proxy is all server side, we were able to build other things like SSH into the backend and connect the sockets in Go.
New file hosting feature!
Host files and share them for a duration or with a specific number of downloads.
Or use them directly in the imix agent.
### Top-Line Findings
1. **The C2 ecosystem is far less diverse than it appears.** While there are 30+ "different" frameworks, the underlying technique implementations converge on a small number of canonical code patterns, many traceable to specific open-source authors or blog posts.
2. **Three source projects account for the majority of reused code:**
- **TrustedSec's COFFLoader** - the ancestor of nearly every open-source BOF loader
- **PowerSploit** (by @harmj0y, @mattifestation, @obscuresec) - Get-Keystrokes, Invoke-Mimikatz, PowerView, and persistence modules are shipped verbatim by Empire, PoshC2, PowerHub, Amnesiac, and Shad0w
- **Kevin Robertson's Invoke-WMIExec/Invoke-SMBExec** - the dominant PowerShell implementations for WMI and SMB lateral movement, bundled by Empire, PoshC2, PowerHub, and SilentTrinity
3. **A single detection rule can catch multiple frameworks.** Because many C2s share identical implementation code:
- One detection for the PowerSploit `Get-Keystrokes` GetAsyncKeyState polling loop catches Empire, PoshC2, and any framework that bundles PowerSploit
- One detection for the TrustedSec COFFLoader relocation pattern catches Apollo, Loki, Sliver (extension), and derivatives
- One detection for the .NET `ManagementScope` WMI pattern catches Apollo, Covenant, NimboC2, SilentTrinity, and DeimosC2
4. **Genuinely novel frameworks are rare.** Of the 30 analyzed:
- **4 frameworks** (Sliver, Havoc, Realm, TripleCross) demonstrate significant code originality
- **6 frameworks** show moderate originality (Wyrm, AdaptixC2, Emp3r0r, Merlin, NimPlant, GC2)
- **20 frameworks** rely heavily on shared code from the three source projects above, or implement techniques using the same well-known recipes
5. **HTTP C2 communications show the most behavioral convergence.** Three jitter formula families, shared User-Agent strings (the IE11 UA appears in Empire, Nuages, and Covenant), and common URL path patterns create fingerprinting opportunities.
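The "one rule, many frameworks" point in finding 3 and the shared IE11 User-Agent in finding 5, as an added defender-side example that is not part of the quoted findings or of any C2 project: rules key on the shared implementation pattern, and each hit maps back to the set of frameworks the findings say bundle that code. The regexes, the exact IE11 UA string, and the sample records are my assumptions, constructed for illustration.

```python
import re

# Each rule keys on one shared implementation pattern named in the findings,
# not on one framework. Framework sets come from the findings text; the
# regexes are approximations of the patterns and are assumptions.
RULES = {
    "powersploit_get_keystrokes": {
        "source": "scriptblock",  # PowerShell script block log text
        "all_of": [re.compile(r"GetAsyncKeyState", re.I),
                   re.compile(r"\b(while|for)\s*\(", re.I)],
        "frameworks": {"Empire", "PoshC2", "PowerHub", "Amnesiac", "Shad0w"},
    },
    "dotnet_managementscope_wmi": {
        "source": "dotnet",  # strings recovered from a loaded .NET assembly
        "all_of": [re.compile(r"System\.Management\.ManagementScope", re.I)],
        "frameworks": {"Apollo", "Covenant", "NimboC2", "SilentTrinity", "DeimosC2"},
    },
    "shared_ie11_user_agent": {
        "source": "http",  # proxy / web server access log line
        # The IE11 UA Empire ships by default (assumed exact value).
        "all_of": [re.compile(r"Trident/7\.0; rv:11\.0\) like Gecko")],
        "frameworks": {"Empire", "Nuages", "Covenant"},
    },
}

def scan(records):
    """records: iterable of (source, text). Returns {rule_name: frameworks} for every hit."""
    hits = {}
    for source, text in records:
        for name, rule in RULES.items():
            if rule["source"] == source and all(rx.search(text) for rx in rule["all_of"]):
                hits[name] = rule["frameworks"]
    return hits

def frameworks_covered(hits):
    """Union of frameworks implicated by the matched rules."""
    out = set()
    for fws in hits.values():
        out |= fws
    return out

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    ("scriptblock", "while ($true) { $s = $User32::GetAsyncKeyState($i); Start-Sleep -Milliseconds 40 }"),
    ("dotnet", "System.Management.ManagementScope System.Management.ManagementClass Win32_Process"),
    ("http", 'GET /news.php HTTP/1.1 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"'),
    ("http", 'GET /index.html HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"'),
]

if __name__ == "__main__":
    for rule, fws in scan(SAMPLE_RECORDS).items():
        print(f"{rule}: {sorted(fws)}")
```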
@C2Workbench Hey! That's us
The install instructions look a little complicated - we usually recommend the steps in the README to get started locally or terraform apply for production.
Excited to share a sneak peek of Eldritch v2!
We've been rebuilding our automation language from scratch to make it stealthier and more modular. Try it out now!
https://t.co/X1cmPtPhkk
Realm now has global filters!
Filters can be applied to most views and stick with you throughout the experience making it easier to work with the same set of beacons or tasks.
https://t.co/vbtW3j1tzw
We've started a blog to document some of the design decisions we make throughout the development process!
Our first post highlights the new redirector features and the challenges that app layer crypto posed.
Realm app layer crypto is here!
Agents can be built with a server public key.
Transports leverage an ephemeral Diffie-Hellman key exchange and XChaCha for message encryption.
It's been a long time coming but it's finally here!
https://t.co/lt94x32ZJR
I had the privilege to red team @NationalCCDC this weekend. I had a great time and got to let AI control @Realm_C2 for the first ever AI powered service take down.