🤖Command & Control Anatomy

Introduction

A Command and Control (C2) Framework is a server which handles connections to and from an agent. The basic functionality of an agent is that it pulls commands from the server and executes them on the victim's machine. Agents utilise a number of protocols and encryption algorithms in order to communicate with the server.

Terminology

| Term | Definition |
| --- | --- |
| C2 Server / Team Server | Handler that manages connections, tasks and functionality between itself and the agent. Can also allow multiplayer operations with other operators. |
| Agent/Grunt/Beacon/etc. | A (usually) small program that listens for tasks from the server, then executes them on a host/victim machine. |
| Loader | A wrapper program that hides the agent's true motives via encryption or the deployment of evasive techniques, before executing the agent's |
| Callback | A connection request to the server, either to receive a task or to check in (new agents check in to get registered for further tasking). |
| OPSEC | Operational Security (OPSEC) is how much sensitive information you are able to mask or hide from your rivals (Blue Teams, employees, server/hosting providers, and other threat actors). This can include WHOIS records, C2 server location, passwords, the framework used, the back-end technology, locations, etc. Your operations within the target network are also considered sensitive, and great care must be taken not to be discovered by employees or third parties. |
| Sleep | How long an agent waits before calling back to the server. |
| Jitter | Adds randomness to the sleep value: the higher the jitter rate, the more random the callback timing is (advisable to use odd numbers such as 67%). |
| Short Haul | Short haul beacons/servers are used for quick interactions with the agent. Usually the sleep time for these beacons is low (0-30 seconds). Due to the short callback times, these agents can be detected in longer operations, as they are more prone to execute OPSEC-unsafe commands or to get picked up by threat hunting solutions via traffic analysis. |
| Long Haul | Long haul beacons/servers are reserved as a backup to our short haul channels, and are usually used in longer operations since their callback times can be a lot longer (30 mins+). |
| Redirector | Redirectors move traffic from the target environment and send it to our team server. Rules can be added to the redirector to check whether traffic is coming from our agent, or from a web scanner or a person trying to access the site. More information in Traffic Redirection. |
| Malleable C2 | Customisable command and control profiles which allow the operator to blend in with existing/"normal" network signatures, change agent behaviour, or change server/listener functionality. |
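The Sleep, Jitter and Short Haul entries above describe a trade-off that threat hunters lean on: jitter randomises callback timing, yet callbacks stay more regular than human-driven traffic. The Python below is an added example, not code from this page or from any C2 framework; it models a jittered callback schedule (assuming jitter only shortens the base sleep, a convention the page does not state) and runs the kind of interval-regularity check used in beaconing detection, over constructed timestamps rather than captured traffic.

```python
import itertools
import random
import statistics


def jittered_sleeps(sleep, jitter, count, seed=1):
    """Model the sleep/jitter schedule described above.

    Assumption (not stated on the page): jitter shortens each wait by a
    random fraction of up to `jitter` percent, so a 60 s sleep with 67 %
    jitter produces waits anywhere between roughly 20 s and 60 s.
    Returns the list of waits in seconds.
    """
    rng = random.Random(seed)
    return [sleep * (1 - rng.uniform(0, jitter / 100)) for _ in range(count)]


def to_timestamps(waits):
    """Turn successive waits into absolute callback times (seconds)."""
    return list(itertools.accumulate(waits))


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between consecutive callbacks.

    A beacon with no jitter scores 0.0; jitter raises the score, while
    human-driven traffic (roughly exponential gaps) lands near 1.0.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def looks_like_beacon(timestamps, max_cv=0.5, min_callbacks=20):
    """Threat-hunting heuristic: enough callbacks to one destination whose
    gaps are markedly more regular than ordinary client traffic."""
    if len(timestamps) < min_callbacks:
        return False
    cv = interval_cv(timestamps)
    return cv is not None and cv <= max_cv


# Constructed sample data (not captured traffic): two modelled beacons
# and a stand-in for a user browsing with exponentially distributed gaps.
NO_JITTER = to_timestamps(jittered_sleeps(60, 0, 200))
HIGH_JITTER = to_timestamps(jittered_sleeps(60, 67, 200))
_rng = random.Random(7)
BROWSING = to_timestamps([_rng.expovariate(1 / 40) for _ in range(200)])
```

Even at 67% jitter the modelled beacon scores around 0.3 and is still flagged, which is why long sleeps and low callback counts, rather than jitter alone, are what keep long haul channels under the radar.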

Protocols

This is not an exhaustive list - check out the MITRE ATT&CK Framework for more.

| Protocol | Description | OPSEC Concerns |
| --- | --- | --- |
| HTTP/S | The most common type of communication due to its reliability and malleability when connecting to a target externally. | HTTP uses clear-text communication which can easily be seen by others. HTTPS works well unless you're using self-signed certificates, which will get flagged as suspicious. |
| DNS | DNS communication utilises TXT records to transfer data. Whilst it can take a long time to transport large data such as images or files, DNS is reliable and useful for long haul communication. | DNS traffic can be inspected and blocked by IPS systems if the endpoint/domain is deemed new or suspicious within the environment. Large amounts of text via DNS can also be seen as suspicious. |
| SMB | A common favourite within Windows environments. SMB communicates through the use of named pipes, which allows lateral movement without the fear of being stopped by external firewalls (443/80 being blocked). | Not all processes create named pipes, so a process that does might be picked out as suspicious by Intrusion Prevention Systems (IPS) and other security products. |
| TCP | TCP communicates in a Peer-to-Peer (P2P) fashion. Due to the way it initiates and verifies connectivity, TCP is a reliable method of communication between beacons, or between a beacon and the server. | Since the connection is consistent and persistent, TCP can be identified easily in a network traffic capture, which makes it a very use-case-specific protocol to implement. |
