🤖Command & Control Anatomy
Introduction
A Command and Control (C2) Framework is a server which handles connections to and from an agent. The basic functionality of an agent is that it pulls commands from the server, and executes it on the victim's machine. Agents utilise a number of protocols and encryption algorithms in order to communicate with the server.
Terminology
Term | Definition |
---|---|
C2 Server / Team Server | Handler to manage connections, tasks, and functionality between itself and the agent. Can also allow multiplayer operations with other operators |
Agent/Grunt/Beacon/etc. | A (usually) small program that listens for tasks from the server, then executes them on a host/victim machine |
Loader | A wrapper program that hides the agent's true motives via encryption or the deployment of evasive techniques, before executing the agent's |
Callback | A connection request to the server - either to receive a task, or to check-in (new agents check-in to get registered for further tasking) |
OPSEC | Operational Security (OPSEC) is how much sensitive information you are able to mask or hide from your rivals (Blue Teams, employees, server/hosting providers, and other threat actors). This can include WHOIS records, C2 server location, passwords, framework used, the back-end technology, locations, etc. Your operations within the target network is also considered sensitive, and great care must be taken to not get discovered by the employees or third parties |
Sleep | How long an agent waits before calling back to the server |
Jitter | Adds randomness to the sleep value, the higher the jitter rate, the more random the connection is (advisable to have them in odd numbers like 67%) |
Short Haul | Short haul beacons/servers are used for quick interactions with the agent. Usually, the sleep time for these beacons will be low (0-30 seconds) Due to the short callback times, these agents can be detected in longer operations as they are more prone to execute OPSEC unsafe commands, or get picked up by threat hunting solutions via traffic analysis |
Long Haul | Long haul beacons/servers are reserved as a backup to our short haul channels, and are usually used in longer operations since their call back times can be a lot longer (30 mins+) |
Redirector | Redirectors move traffic from the target environment, and sends it to our team server Rules can be added to the redirector to check if it is coming from our agent, or if it's a web scanner/person trying to access the site More information in Traffic Redirection |
Malleable C2 | Customisable command and control profiles which allows the operator to blend in with existing/"normal" network signatures, change agent behaviour, or server/listener functionality |
Protocols
This is not an exhaustive list - check out the MITRE ATT&CK Framework for more
Protocol | Description | OPSEC Concerns |
---|---|---|
HTTP/S | The most common type of communication due to its reliability and malleability when connecting to a target externally | HTTP uses clear-text communication which can easily be seen by others HTTPS works well unless if you're using self-signed certificates which will get flagged as suspicious |
DNS | DNS communication utilises TXT records to transfer data. Whilst it can take a long time to transport large data such as images or files, DNS is reliable and useful for long haul communication | DNS traffic can be inspected and blocked by IPS systems if the endpoint/domain is deemed to be new, or suspicious within the environment Large amounts of text via DNS can also be seen as suspicious |
SMB | A common favourite to use within Windows environments, SMB communicates through the use of named pipes, which allows lateral movement without the fear of being stopped by external firewalls (443/80 being blocked) | Not all processes create named pipe which might be picked out as suspicious by Intrusion Prevention Systems (IPS) and other security products |
TCP | TCP communicates in a Peer-to-Peer (P2P) fashion. Due to the way it initiates and verifies connectivity, TCP is a reliable method to communicate between beacon to beacon or beacon to server | Since the connection is consistent and persistent, TCP can be identified easily in a network traffic capture which makes it a very use-case specific protocol to implement |
Last updated