> For the complete documentation index, see [llms.txt](https://exploit-pack.gitbook.io/exploit-pack-manual-pages/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://exploit-pack.gitbook.io/exploit-pack-manual-pages/control-pack/the-watchdog.md).

# The Watchdog

We have noticed in many post-exploitation frameworks that persistence access is a recurring weakness. The issue remains by design in their single-process execution model.\
\
This could become a real problem if the target (victim) process is terminated due to a crash, service restart, or defensive interaction, resulting in recovery, if even possible, depending on external persistence mechanisms or manual redeployment.\
\
This problem is technically solved in Control Pack C2. And the approach we adopted is a dual-process supervision model, which we called "The Watchdog", and this is how it works:\
\
1\. First, Stage 2 must be enabled:

<figure><img src="/files/Q8MWrl177hcNmEBdp1Cw" alt=""><figcaption></figcaption></figure>

2. Then, deploy the Watchdog. An execution thread with the Control Pack agent is injected in real-time into a legitimate running service

<figure><img src="/files/NFS7EwlHdWKryq5oIBqX" alt=""><figcaption></figcaption></figure>

\
3\. An independent thread is then spawned (The Watchdog), linking the same process structure and monitoring the agent’s execution state:\
\- Mutual supervision between: Control Pack Agent <-> Watchdog\
\- Automatic re-establishment if either side terminates or is terminated\
\- Logging capabilities during runtime and unhooking/direct syscalling still apply while the execution remains active.

<figure><img src="/files/RIzUXMkCl8b4WGsei3fz" alt=""><figcaption></figcaption></figure>

\
Revenge: If a protection process, such as an AV or EDR (userland), successfully kills the agent thread, the watchdog fights back: It lists the process tree and active files of the offending process, killing the tree and injecting itself, when possible, as a new watchdog into the offending process, effectively running behind enemy lines.<br>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://exploit-pack.gitbook.io/exploit-pack-manual-pages/control-pack/the-watchdog.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.