Overview
A Command and Control (C2) framework is a platform used to control and manage compromised systems remotely. It acts as a central hub from which an operator can manage hundreds of compromised systems in a target network.
C2 frameworks are used predominantly by red teams (and by the real adversaries that red teams emulate). Red teaming is a focused, goal-oriented security testing approach aimed at achieving specific objectives, and those objectives closely follow the Cyber Kill Chain:
| Attack Lifecycle | Description |
|---|---|
| Reconnaissance | Gathering as much information as possible about the target. Reconnaissance can be active (interacting directly with the target, e.g. port scanning) or passive (collecting information without touching it). It covers the victim's hosts, identities and network, as well as searches of the open and deep web. |
| Weaponization | Developing the payload that will provide the initial foothold. |
| Delivery | Finding a way to transfer the payload onto the target (for example by phishing or a drive-by download). |
| Exploitation | Executing the payload on the target. |
| Installation | Establishing initial, persistent control over the target. |
| Command and Control (C2) | Establishing a connection from the target back to the command and control server. |
| Actions on Objectives | Carrying out the intended goals, such as data theft and exfiltration. |
A typical C2 framework consists of three parts:
- C2 Server
- C2 Client
- C2 Agent
The C2 server is the command center, the client is the interface used by the attacker, and the agent is the software installed on the compromised systems to facilitate communication.
```mermaid
graph TD
    Operator[[Operator]] --> C2_Client[[C2 Client]]
    C2_Client -->|Sends Commands| C2_Server[[C2 Server]]
    C2_Server -->|Controls| C2_Agent[[C2 Agent]]
    C2_Agent -->|Beacons Back| C2_Server
    C2_Agent -->|Executes on| Compromised_Host[[Compromised Host]]
    Operator -->|Generates| Payload[[Malware Payload]]
    Payload -->|Deploys| C2_Agent
    C2_Agent -->|Exfiltrates Data| C2_Server
    C2_Server -->|Stores Data| Exfil_DB[[Exfiltration Database]]
```
C2 Framework
C2 Server
The central command center and the head of the operation. From it the attacker does everything: issuing commands, managing agent connections and storing logs and collected data.
C2 servers can be hosted in a few different ways:
- Dedicated infrastructure: self-hosted servers or virtual private servers (VPS) owned by the operator.
- Cloud services: hosting on platforms like AWS or Azure lets the C2 traffic blend in with the large volume of legitimate traffic those providers carry.
- Compromised servers: criminal actors often run C2 on someone else's infrastructure to obscure attribution. This is not an option for an authorized red team, which must stay within the infrastructure it is permitted to use.
Main usage of C2 server:
- It manages all connections to compromised systems.
- Sends commands and payloads for different purposes, like data theft, lateral movement, or deploying additional malware.
- Acts as the communication hub, a centralized center for multiple infected systems.
C2 Client
As with any normal application, the attacker needs a client to interact with the C2 server. The C2 client is essentially the dashboard or interface from which the attack is run.
C2 client capabilities:
- Issue commands: It can tell infected systems to collect files, execute tasks, or spread malware.
- Automate tasks: Many modern C2 tools allow automation, saving attackers time on repetitive activities.
- Monitor in real time: Attackers get live updates on what’s happening across compromised systems.
- Customize attacks: Many C2 frameworks let attackers write scripts or add plugins to adapt to specific targets.
This interface makes the job simpler and more efficient for the attackers.
C2 Agent
A piece of software installed on the compromised system. It establishes the connection between the infected device and the C2 server and carries out the attacker's commands.
Key features:
- First contact: once the agent is executed, it makes a "call back" (the first beacon) to the C2 server. Depending on the C2 framework, different communication channels are supported, commonly HTTP/S and DNS.
- Execution: the agent waits for instructions and then executes commands, whether that is stealing files, running scripts, or moving through the network. Results are typically sent back with the next check-in.
- Staying hidden: agents are designed to be stealthy. They often masquerade as or inject into legitimate processes (like "svchost.exe") or use fileless techniques to stay under the radar. Most agents also sleep between check-ins, with a randomized jitter added to the interval so the beacon traffic does not form an obvious periodic pattern.
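The three agent behaviours above (first contact, tasking with results returned on a later check-in, and sleep with jitter) are easiest to see as a protocol exchange. The following is an added, constructed example, not code from the original page or from any of the frameworks named below: both sides are toy in-memory classes, the "transport" is a direct method call rather than HTTP or DNS, and the only task kinds are a harmless allowlist (`sysinfo`, `echo`, `sleep`). The names `C2Server`, `C2Agent` and `next_sleep` are the example's own.

```python
"""Toy model of the C2 agent <-> server exchange.

Constructed for illustration only: no network is used, the transport is an
in-memory call, and the agent can only run a small allowlist of task kinds.
"""
import json
import platform
import random
import socket
from collections import deque


class C2Server:
    """Minimal command center: tracks agents, queues tasks, stores results."""

    def __init__(self):
        self.agents = {}    # agent_id -> host metadata from first contact
        self.tasks = {}     # agent_id -> deque of pending tasks
        self.results = []   # (agent_id, task_id, output) tuples

    def handle_checkin(self, message: dict) -> list:
        """Process one beacon: register on first contact, record any results
        the beacon carried, and hand back the tasks queued for this agent."""
        agent_id = message["agent_id"]
        if agent_id not in self.agents:          # first contact
            self.agents[agent_id] = message["host"]
            self.tasks[agent_id] = deque()
        for r in message.get("results", []):
            self.results.append((agent_id, r["task_id"], r["output"]))
        pending = list(self.tasks[agent_id])
        self.tasks[agent_id].clear()
        return pending

    def task(self, agent_id: str, task_id: str, kind: str, arg=None) -> None:
        """What the operator does through the C2 client: queue a task."""
        self.tasks[agent_id].append({"task_id": task_id, "kind": kind, "arg": arg})


def next_sleep(base: float, jitter_pct: float, rng: random.Random) -> float:
    """Delay before the next beacon: base +/- up to jitter_pct percent.
    With jitter 0 every interval is identical, an easy pattern to spot."""
    delta = base * jitter_pct / 100.0
    return base + rng.uniform(-delta, delta)


def sample_intervals(base: float, jitter_pct: float, n: int = 1000, seed: int = 0) -> list:
    """Draw n beacon intervals with a fixed seed (helper for inspection)."""
    rng = random.Random(seed)
    return [next_sleep(base, jitter_pct, rng) for _ in range(n)]


class C2Agent:
    """Minimal implant: beacons, runs allowlisted tasks, reports results."""

    HANDLERS = {
        "sysinfo": lambda arg: json.dumps({"host": socket.gethostname(),
                                            "os": platform.system()}),
        "echo": lambda arg: str(arg),
    }

    def __init__(self, agent_id: str, sleep: float = 60.0,
                 jitter_pct: float = 20.0, seed=None):
        self.agent_id = agent_id
        self.sleep = sleep
        self.jitter_pct = jitter_pct
        self.rng = random.Random(seed)
        self.pending_results = []     # results waiting for the next beacon

    def build_checkin(self) -> dict:
        """The beacon message; results from the last cycle ride along."""
        msg = {"agent_id": self.agent_id,
               "host": {"name": socket.gethostname(), "os": platform.system()},
               "results": self.pending_results}
        self.pending_results = []
        return msg

    def run_task(self, task: dict) -> dict:
        kind = task["kind"]
        if kind == "sleep":                      # operator retunes the interval
            self.sleep = float(task["arg"])
            output = f"sleep set to {self.sleep}"
        elif kind in self.HANDLERS:
            output = self.HANDLERS[kind](task.get("arg"))
        else:
            output = f"unknown task kind: {kind}"
        return {"task_id": task["task_id"], "output": output}

    def beacon(self, server: C2Server) -> float:
        """One cycle: check in, execute what came back, return the next delay."""
        for t in server.handle_checkin(self.build_checkin()):
            self.pending_results.append(self.run_task(t))
        return next_sleep(self.sleep, self.jitter_pct, self.rng)


def demo() -> list:
    """Three beacon cycles: registration, task pickup, result delivery."""
    server = C2Server()
    agent = C2Agent("agent-01", sleep=60, jitter_pct=20, seed=1)
    agent.beacon(server)                         # first contact, nothing queued
    server.task("agent-01", "t1", "echo", "hello")
    server.task("agent-01", "t2", "sleep", 5)
    agent.beacon(server)                         # picks up and runs t1, t2
    agent.beacon(server)                         # their results arrive here
    return server.results
```

Note that the results of `t1` and `t2` only reach the server on the third beacon, which is why a real operator sees a delay of at least one sleep interval between issuing a command and seeing its output, and why the `sleep` task exists at all: a short interval is convenient while working interactively, a long jittered one is what keeps the agent quiet afterwards.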
Popular C2 Frameworks
- Open-source:
  - Havoc: a modern, malleable post-exploitation command and control framework made for penetration testers, red teams, and blue teams.
  - Sliver C2: a powerful command and control (C2) framework designed to provide advanced capabilities for covertly managing and controlling remote systems.
- Commercial:
  - Cobalt Strike: a commercial adversary simulation and red team operations platform widely used in the security industry. Known for its flexibility and powerful features, Cobalt Strike is a favorite among professionals for simulating advanced threats and managing compromised systems.
  - Brute Ratel C4: a commercial red team and adversary simulation platform that can automate the execution of adversary tactics, techniques, and procedures (TTPs). Brute Ratel C4 is designed to mimic real-world attacks, providing a realistic and challenging environment for testing defenses.