The Watchdog
We have noticed in many post-exploitation frameworks that persistence of access is a recurring weakness. The issue is built into their single-process execution model: if the target (victim) process is terminated by a crash, a service restart, or defensive interaction, recovery, where it is possible at all, depends on external persistence mechanisms or manual redeployment. Control Pack C2 addresses this problem with a dual-process supervision model we call "the Watchdog". This is how it works:

1. First, Stage 2 must be enabled:

2. Then, deploy the Watchdog. An execution thread carrying the Control Pack agent is injected in real time into a legitimate running service.

3. An independent thread (the watchdog) is then spawned, linked to the same process structure, to monitor the agent's execution state. This provides:
- Mutual supervision between the Control Pack agent and the watchdog
- Automatic re-establishment if either side terminates or is terminated
- Runtime logging, as well as unhooking and direct syscalling, which still apply while execution remains active

Revenge: If a protection process, such as a userland AV or EDR, successfully kills the agent thread, the watchdog fights back. It enumerates the process tree and active files of the offending process, kills that tree, and, where possible, injects itself into the offending process as a new watchdog, effectively running behind enemy lines.