Command & Control Anatomy

C2 Server / Team Server

Handler to manage connections, tasks, and functionality between itself and the agent. Can also allow multiplayer operations with other operators

Agent/Grunt/Beacon/etc.

A (usually) small program that listens for tasks from the server, then executes them on a host/victim machine

Loader

A wrapper program that hides the agent's true motives via encryption or the deployment of evasive techniques, before executing the agent's shellcode

Callback

A connection request to the server - either to receive a task, or to check-in (new agents check-in to get registered for further tasking)

OPSEC

Operational Security (OPSEC) is how much sensitive information you are able to mask or hide from your rivals (Blue Teams, employees, server/hosting providers, and other threat actors). This can include WHOIS records, C2 server location, passwords, framework used, the back-end technology, locations, etc. Your operations within the target network is also considered sensitive, and great care must be taken to not get discovered by the employees or third parties

Sleep

How long an agent waits before calling back to the server

Jitter

Adds randomness to the sleep value, the higher the jitter rate, the more random the connection is (advisable to have them in odd numbers like 67%)

Short Haul

Short haul beacons/servers are used for quick interactions with the agent. Usually, the sleep time for these beacons will be low (0-30 seconds) Due to the short callback times, these agents can be detected in longer operations as they are more prone to execute OPSEC unsafe commands, or get picked up by threat hunting solutions via traffic analysis

Long Haul

Long haul beacons/servers are reserved as a backup to our short haul channels, and are usually used in longer operations since their call back times can be a lot longer (30 mins+)

Redirector

Malleable C2

Customisable command and control profiles which allows the operator to blend in with existing/"normal" network signatures, change agent behaviour, or server/listener functionality

HTTP/S

The most common type of communication due to its reliability and malleability when connecting to a target externally

HTTP uses clear-text communication which can easily be seen by others HTTPS works well unless if you're using self-signed certificates which will get flagged as suspicious

DNS

DNS communication utilises TXT records to transfer data. Whilst it can take a long time to transport large data such as images or files, DNS is reliable and useful for long haul communication

DNS traffic can be inspected and blocked by IPS systems if the endpoint/domain is deemed to be new, or suspicious within the environment Large amounts of text via DNS can also be seen as suspicious

SMB

A common favourite to use within Windows environments, SMB communicates through the use of named pipes, which allows lateral movement without the fear of being stopped by external firewalls (443/80 being blocked)

Not all processes create named pipe which might be picked out as suspicious by Intrusion Prevention Systems (IPS) and other security products

TCP

TCP communicates in a Peer-to-Peer (P2P) fashion. Due to the way it initiates and verifies connectivity, TCP is a reliable method to communicate between beacon to beacon or beacon to server

Since the connection is consistent and persistent, TCP can be identified easily in a network traffic capture which makes it a very use-case specific protocol to implement