Command & Control Anatomy

Last updated 9 months ago

Introduction

A Command and Control (C2) Framework is a server which handles connections to and from an agent. The basic functionality of an agent is that it pulls commands from the server and executes them on the victim's machine. Agents utilise a number of protocols and encryption algorithms in order to communicate with the server.
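The pull loop described above is what makes an agent visible on the wire: it calls back at roughly regular intervals (the Sleep and Jitter values defined under Terminology below), so a defender can look for client/server pairs whose request gaps are too regular to be a person. The script that follows is an added example, not code from the original page or from any C2 framework it names; it simulates callbacks for two hypothetical agents (one short haul, one long haul), mixes them with bursty human browsing in a constructed proxy log, and scores each pair by the coefficient of variation of its inter-request gaps. The log format, thresholds, IP addresses and paths are all assumptions.

```python
# Added example (not part of the original page): a beaconing check over
# constructed proxy log lines. Sleep and jitter follow the page's definitions:
# an agent waits `sleep` seconds, scaled by a random factor in [1 - jitter, 1 + jitter],
# so low-jitter callbacks have a tell-tale low spread of inter-arrival times.
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MIN_INTERVALS = 8       # judge periodicity only once there are enough callbacks
MAX_CV = 0.5            # stdev/mean of the gaps below this counts as periodic (assumed threshold)
SHORT_HAUL_MAX_S = 30   # page: short haul sleeps are in the 0-30 second range


def callback_times(start, sleep_s, jitter, count, rng):
    """Simulate `count` callbacks of a hypothetical agent with the given sleep and jitter."""
    times, t = [], start
    for _ in range(count):
        t += timedelta(seconds=sleep_s * (1 + rng.uniform(-jitter, jitter)))
        times.append(t)
    return times


def log_line(ts, src, dst, path):
    """One constructed proxy log line: <iso-time> <client> <server> GET <path>."""
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {src} {dst} GET {path}"


def build_sample_log():
    """Constructed sample: a short-haul agent, a long-haul agent and a human browser."""
    rng = random.Random(7)
    start = datetime(2024, 1, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for ts in callback_times(start, 10, 0.2, 40, rng):      # short haul: 10 s sleep, 20 % jitter
        lines.append(log_line(ts, "10.0.0.5", "203.0.113.10", "/api/status"))
    for ts in callback_times(start, 1800, 0.3, 12, rng):    # long haul: 30 min sleep, 30 % jitter
        lines.append(log_line(ts, "10.0.0.9", "198.51.100.20", "/cdn/app.js"))
    t = start
    for gap in [2, 1, 3, 180, 1, 2, 1, 600, 2, 1, 45, 1, 1, 1, 900, 2]:  # bursty human browsing
        t += timedelta(seconds=gap)
        lines.append(log_line(t, "10.0.0.7", "192.0.2.30", "/index.html"))
    return lines


def group_by_pair(lines):
    """Collect request timestamps per (client, server) pair."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _method, _path = line.split()
        by_pair[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return by_pair


def analyse(lines):
    """Return {(client, server): {median_gap_s, cv, verdict}} for pairs with enough requests."""
    results = {}
    for pair, times in group_by_pair(lines).items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < MIN_INTERVALS:
            continue
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        median = statistics.median(gaps)
        if cv >= MAX_CV:
            verdict = "irregular"
        elif median <= SHORT_HAUL_MAX_S:
            verdict = "periodic, short-haul range"
        else:
            verdict = "periodic, long sleep"
        results[pair] = {"median_gap_s": median, "cv": round(cv, 3), "verdict": verdict}
    return results


if __name__ == "__main__":
    for pair, r in analyse(build_sample_log()).items():
        print(f"{pair[0]} -> {pair[1]}: median gap {r['median_gap_s']:.0f}s, cv {r['cv']}, {r['verdict']}")
```

The coefficient of variation is the right statistic here because it is scale-free: a 10-second and a 30-minute sleep with the same jitter give the same spread relative to their mean, so one threshold covers both short and long haul channels. Raising the jitter moves a channel toward the "irregular" verdict, which is exactly why the terminology table recommends a high jitter rate; the long-haul agent is also harder to catch in practice simply because far fewer callbacks occur within any given capture window.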

Terminology

| Term | Definition |
| --- | --- |
| C2 Server / Team Server | Handler that manages connections, tasks, and functionality between itself and the agent. Can also allow multiplayer operations with other operators |
| Agent/Grunt/Beacon/etc. | A (usually) small program that listens for tasks from the server, then executes them on a host/victim machine |
| Loader | A wrapper program that hides the agent's true motives via encryption or the deployment of evasive techniques, before executing the agent's |
| Callback | A connection request to the server, either to receive a task or to check in (new agents check in to get registered for further tasking) |
| OPSEC | Operational Security (OPSEC) is how much sensitive information you are able to mask or hide from your rivals (Blue Teams, employees, server/hosting providers, and other threat actors). This can include WHOIS records, C2 server location, passwords, framework used, the back-end technology, locations, etc. Your operations within the target network are also considered sensitive, and great care must be taken not to get discovered by the employees or third parties |
| Sleep | How long an agent waits before calling back to the server |
| Jitter | Adds randomness to the sleep value; the higher the jitter rate, the more random the callback timing is (advisable to use odd numbers like 67%) |
| Short Haul | Short haul beacons/servers are used for quick interactions with the agent. Usually, the sleep time for these beacons will be low (0-30 seconds). Due to the short callback times, these agents can be detected in longer operations as they are more prone to execute OPSEC-unsafe commands, or get picked up by threat hunting solutions via traffic analysis |
| Long Haul | Long haul beacons/servers are reserved as a backup to our short haul channels, and are usually used in longer operations since their callback times can be a lot longer (30 mins+) |
| Redirector | Redirectors move traffic from the target environment and send it to our team server. Rules can be added to the redirector to check whether a request is coming from our agent, or from a web scanner/person trying to access the site. More information in Traffic Redirection |
| Malleable C2 | Customisable command and control profiles which allow the operator to blend in with existing/"normal" network signatures, change agent behaviour, or server/listener functionality |

Protocols

This is not an exhaustive list - check out the MITRE ATT&CK Framework for more

| Protocol | Description | OPSEC Concerns |
| --- | --- | --- |
| HTTP/S | The most common type of communication due to its reliability and malleability when connecting to a target externally | HTTP uses clear-text communication which can easily be seen by others. HTTPS works well unless you're using self-signed certificates, which will get flagged as suspicious |
| DNS | DNS communication utilises TXT records to transfer data. Whilst it can take a long time to transport large data such as images or files, DNS is reliable and useful for long haul communication | DNS traffic can be inspected and blocked by IPS systems if the endpoint/domain is deemed to be new or suspicious within the environment. Large amounts of text via DNS can also be seen as suspicious |
| SMB | A common favourite within Windows environments. SMB communicates through the use of named pipes, which allows lateral movement without the fear of being stopped by external firewalls (443/80 being blocked) | Not all processes create named pipes, so an unexpected named pipe might be picked out as suspicious by Intrusion Prevention Systems (IPS) and other security products |
| TCP | TCP communicates in a Peer-to-Peer (P2P) fashion. Due to the way it initiates and verifies connectivity, TCP is a reliable method to communicate beacon-to-beacon or beacon-to-server | Since the connection is consistent and persistent, TCP can be identified easily in a network traffic capture, which makes it a very use-case-specific protocol to implement |
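The DNS row notes that "large amounts of text via DNS" is itself a signal: data carried in TXT lookups shows up as many queries to one domain, each with a long, never-repeating, high-entropy leftmost label. The following script is an added example, not code from the original page or from any tool it mentions; it runs those three heuristics over a constructed resolver query log in a hypothetical `<iso-time> <client> <qtype> <qname>` format. The thresholds, the "last two labels" approximation of the registrable domain, and the sample domains are all assumptions.

```python
# Added example (not part of the original page): flagging DNS TXT traffic that
# carries data, over constructed resolver query logs. Hypothetical log format:
# <iso-time> <client> <qtype> <qname>. Thresholds are illustrative assumptions.
import hashlib
import math
from collections import defaultdict

MIN_TXT_QUERIES = 10     # a handful of TXT lookups per domain is normal (SPF, DKIM, DMARC)
MAX_MEAN_LABEL_LEN = 20  # human-chosen labels are short; encoded payload labels are long
MIN_UNIQUE_RATIO = 0.8   # carried data differs per query, so the names rarely repeat


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def base_domain(qname):
    """Simplification: the last two labels stand in for the registrable domain."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def build_sample_log():
    """Constructed sample: ordinary mail-related TXT lookups plus one domain queried with ever-changing hex labels."""
    lines = []
    normal = ["_dmarc.example.com", "example.com", "selector1._domainkey.example.com"]
    for i in range(6):
        lines.append(f"2024-01-01T09:00:{i:02d}Z 10.0.0.7 TXT {normal[i % 3]}")
    for i in range(30):
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:32]  # 32 hex chars, constructed
        lines.append(f"2024-01-01T09:01:{i:02d}Z 10.0.0.5 TXT {label}.cdn.example.net")
    lines.append("2024-01-01T09:02:00Z 10.0.0.7 A www.example.com")
    return lines


def analyse(lines):
    """Per base domain: TXT query count, mean first-label length, unique-name ratio, mean entropy, verdict."""
    stats = defaultdict(lambda: {"txt": 0, "names": set(), "lens": [], "ents": []})
    for line in lines:
        _ts, _client, qtype, qname = line.split()
        if qtype != "TXT":
            continue
        d = stats[base_domain(qname)]
        first = qname.split(".")[0]
        d["txt"] += 1
        d["names"].add(qname)
        d["lens"].append(len(first))
        d["ents"].append(entropy(first))
    findings = {}
    for domain, d in stats.items():
        mean_len = sum(d["lens"]) / d["txt"]
        unique_ratio = len(d["names"]) / d["txt"]
        suspicious = (d["txt"] >= MIN_TXT_QUERIES
                      and mean_len > MAX_MEAN_LABEL_LEN
                      and unique_ratio >= MIN_UNIQUE_RATIO)
        findings[domain] = {
            "txt_queries": d["txt"],
            "mean_label_len": round(mean_len, 1),
            "unique_ratio": round(unique_ratio, 2),
            "mean_entropy": round(sum(d["ents"]) / d["txt"], 2),
            "suspicious": suspicious,
        }
    return findings


if __name__ == "__main__":
    for domain, f in analyse(build_sample_log()).items():
        print(domain, f)
```

Volume, label length and uniqueness are combined rather than used alone because each is noisy by itself: a mail-heavy domain produces many TXT queries, DKIM selectors can have long labels, and CDN hostnames change often. The entropy figure is reported alongside the verdict so an analyst can see whether the labels look encoded, which is also the piece that would need tuning if a channel slowed its cadence to fit under the query-count threshold.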
