# The Watchdog

We have noticed that in many post-exploitation frameworks, persistent access is a recurring weakness. The issue is inherent in their single-process execution model.

This becomes a real problem if the target (victim) process is terminated due to a crash, a service restart, or defensive interaction: recovery, if possible at all, then depends on external persistence mechanisms or manual redeployment.

This problem is technically solved in Control Pack C2. The approach we adopted is a dual-process supervision model, which we call "The Watchdog". This is how it works:

1. First, Stage 2 must be enabled:

<figure><img src="/files/Q8MWrl177hcNmEBdp1Cw" alt=""><figcaption></figcaption></figure>

2. Then, deploy the Watchdog. An execution thread with the Control Pack agent is injected in real time into a legitimate running service.

<figure><img src="/files/NFS7EwlHdWKryq5oIBqX" alt=""><figcaption></figcaption></figure>

3. An independent thread (the Watchdog) is then spawned, linking the same process structure and monitoring the agent's execution state:
   - Mutual supervision between Control Pack Agent <-> Watchdog
   - Automatic re-establishment if either side terminates or is terminated
   - Logging capabilities during runtime and unhooking/direct syscalling still apply while the execution remains active.

<figure><img src="/files/RIzUXMkCl8b4WGsei3fz" alt=""><figcaption></figcaption></figure>

Revenge: If a protection process, such as an AV or EDR (userland), successfully kills the agent thread, the watchdog fights back: it lists the process tree and active files of the offending process, kills the tree, and injects itself, when possible, as a new watchdog into the offending process, effectively running behind enemy lines.
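From the defender's side, the sequence described above involves two cross-process injections: first into a running service, then from that service into the security product. The following is an added detection example, not part of the Control Pack documentation or code; it assumes Sysmon Event ID 8 (CreateRemoteThread) records exported as dictionaries, and the sample events, allowlist, time window and the convention that an unresolved `StartModule` appears as `-` or empty are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records; every value is invented.
EVENTS = [
    {"UtcTime": "2024-05-01 10:00:00.000", "SourceProcessId": 4120,
     "SourceImage": r"C:\Users\a\AppData\Local\Temp\upd.exe", "TargetProcessId": 1880,
     "TargetImage": r"C:\Windows\System32\spoolsv.exe", "StartModule": "-"},
    {"UtcTime": "2024-05-01 10:07:30.000", "SourceProcessId": 1880,
     "SourceImage": r"C:\Windows\System32\spoolsv.exe", "TargetProcessId": 2644,
     "TargetImage": r"C:\Program Files\ExampleAV\avsvc.exe", "StartModule": "-"},
    {"UtcTime": "2024-05-01 10:09:00.000", "SourceProcessId": 632,
     "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetProcessId": 5100,
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll"},
]

ALLOWED_SOURCES = {"csrss.exe"}  # assumption: known-good injectors in this environment
WINDOW = timedelta(hours=1)      # assumption: how long two hops stay correlatable


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def suspicious(event):
    """Remote thread from a non-allowlisted source whose start address maps to no module."""
    unbacked = event["StartModule"] in ("", "-")
    return unbacked and _name(event["SourceImage"]) not in ALLOWED_SOURCES


def injection_chains(events):
    """Return (first_hop, second_hop) pairs where an injected process later injects another."""
    hits = sorted((e for e in events if suspicious(e)), key=_ts)
    chains = []
    for i, first in enumerate(hits):
        for second in hits[i + 1:]:
            same_proc = (second["SourceProcessId"] == first["TargetProcessId"]
                         and second["SourceImage"] == first["TargetImage"])  # guards PID reuse
            if same_proc and _ts(second) - _ts(first) <= WINDOW:
                chains.append((first, second))
    return chains


if __name__ == "__main__":
    for a, b in injection_chains(EVENTS):
        print(f"{_name(a['SourceImage'])} -> {_name(a['TargetImage'])} -> {_name(b['TargetImage'])}")
```

Thread creation inside a single process, such as a watchdog thread restarting an agent thread in the same host process, does not produce Event ID 8, so this correlation only covers the cross-process hops.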

