Command and Control (C2) Frameworks

Introduction

Command and Control (C2) frameworks are software platforms used during red team operations and penetration testing to maintain communication with compromised systems and control deployed payloads. They provide infrastructure for post-exploitation activities including lateral movement, persistence, and data exfiltration.

C2 Server Components

Command and Control Servers

C2 servers are the central management systems that control compromised hosts within a target network.

• Function: Centralized point for issuing commands and receiving data from compromised systems

• Features:

  • Web-based management interfaces
  • Multi-user collaboration capabilities
  • Logging and auditing functionality
  • Campaign management
  • Data visualization and reporting

• Popular C2 Frameworks:

  • Cobalt Strike - Commercial framework with extensive features
  • Empire - PowerShell-based post-exploitation framework
  • Covenant - .NET-based C2 with a web interface
  • Metasploit - Popular open-source exploitation framework with C2 capabilities
  • Sliver - Cross-platform adversary emulation framework
  • Mythic - Collaborative, multi-platform C2 framework
  • Havoc - Modern C2 framework focused on evasion
  • SILENTTRINITY - Python and .NET-based post-exploitation framework
  • Merlin - Cross-platform HTTP/2-based C2

Agents/Payloads

Agents (also called implants or payloads) are the malicious code deployed on target systems that establish communication with the C2 server.

• Function: Execute commands, gather information, and maintain access on compromised hosts

• Characteristics:

  • Small footprint to avoid detection
  • Encrypted communications
  • Various execution techniques (in-memory, reflective loading, etc.)
  • Configurable behavior (sleep times, persistence mechanisms)

• Common Capabilities:

  • Command execution
  • File transfer
  • Screenshot capture
  • Keylogging
  • Process injection
  • Credential harvesting
  • Lateral movement primitives

Listeners

Listeners are server components that await incoming connections from agents.

• Function: Accept initial or ongoing connections from deployed agents

• Types:

  • HTTP/HTTPS listeners - Web-based communications
  • DNS listeners - Communication via DNS queries
  • SMB listeners - Named pipe communications
  • TCP listeners - Raw socket connections
  • Custom protocol listeners

• Implementation:

  • Can be deployed on various ports and protocols
  • Often support encryption and authentication
  • May include traffic shaping for evasion

Beacons

Beacons are a type of agent that connect back to the C2 server at configurable intervals.

• Function: Establish intermittent communication with C2 server to reduce detection

• Behavior:

  • Sleep between check-ins (can range from seconds to days)
  • Can use jitter (random variation in sleep time)
  • Asynchronous command execution
  • Low-and-slow communication patterns

• Types:

  • HTTP/S beacons - Web traffic-based
  • DNS beacons - Use DNS queries for communication
  • SMB beacons - Use named pipes for peer-to-peer communication
  • TCP beacons - Direct socket connections

Payload Delivery and Communication

Payload Types

Different types of payloads designed for specific environments or requirements.

• Staged Payloads:

  • Initial small “stager” code that downloads the full payload
  • Useful when initial access has size restrictions
  • Example: Metasploit’s staged payloads (windows/meterpreter/reverse_https)

• Stageless Payloads:

  • Complete payload in one package
  • More reliable but larger size
  • Example: Metasploit’s stageless payloads (windows/meterpreter_reverse_https)

• Environment-Specific Payloads:

  • PowerShell-based payloads
  • Python-based payloads
  • .NET/C# payloads
  • JScript/VBScript payloads
  • Native (C/C++) payloads

Payload Formats

Different output formats for payloads to suit various delivery methods.

• Executable Formats:

  • EXE - Windows executable
  • DLL - Dynamic Link Library
  • MSI - Microsoft Installer package
  • Service executables

• Script Formats:

  • PowerShell (.ps1)
  • Batch files (.bat/.cmd)
  • VBScript (.vbs)
  • JScript (.js)
  • HTA (.hta) - HTML applications

• Office Document Formats:

  • Word macros (.docm)
  • Excel macros (.xlsm)
  • Embedded OLE objects

• Web Formats:

  • JavaScript
  • WebAssembly
  • HTML/CSS-based

• Shellcode Formats:

  • Raw binary
  • Hex-encoded
  • Base64-encoded
  • Position-independent code (PIC)

Evasion and Resilience Techniques

Domain Fronting

Domain fronting is a technique that disguises C2 traffic as traffic to popular high-reputation domains.

• Function: Hide C2 communications by routing them through trusted services

• Mechanism:

  • Uses disparities between HTTP layers:
    • TLS SNI indicates legitimate domain
    • HTTP Host header contains actual C2 destination
  • Traffic appears to go to trusted services (CDNs like Azure, Cloudflare, etc.)

• Benefits:

  • Bypasses domain filtering/blocking
  • Difficult to distinguish from legitimate traffic
  • Leverages trust of popular domains

• Limitations:

  • Many CDN providers now detect and block this technique
  • Requires compatible CDN infrastructure

Redirectors

Intermediate servers that forward traffic between agents and C2 servers.

• Function: Add an additional layer between compromised hosts and C2 infrastructure

• Types:

  • Simple redirectors - Basic traffic forwarding (socat, netcat)
  • Apache/Nginx redirectors - Web server configurations
  • Domain redirectors - DNS-based redirection
  • Content-aware redirectors - Inspect and filter traffic

• Benefits:

  • Hide true C2 server IP addresses
  • Filter invalid traffic before reaching C2 server
  • Distribute C2 infrastructure
  • Provide fallback mechanisms
  • Can transform traffic characteristics

• Implementation:

  • Set up on cloud providers or intermediary infrastructure
  • Often configured with specific rules to only forward legitimate traffic
  • Can implement authentication/validation checks

C2 Communications Profiles

Communications profiles define how C2 traffic appears on the network.

• HTTP/S Profiles:

  • Mimics legitimate web browsing traffic
  • Customizable headers, cookies, and parameters
  • Can emulate specific browsers or applications

• DNS Profiles:

  • Encodes commands in DNS queries
  • Uses various record types (TXT, A, AAAA, MX)
  • Low-bandwidth but difficult to block entirely

• Custom Application Profiles:

  • Mimics specific applications (Slack, Teams, etc.)
  • Adopts legitimate protocols and behaviors
  • Blends in with normal business traffic

Operational Considerations

Infrastructure Setup

• Server Hosting:

  • Cloud providers (AWS, Azure, DigitalOcean)
  • VPS providers with privacy focus
  • Self-hosted infrastructure
  • Bulletproof hosting

• Operational Security:

  • Attribution protection
  • Segregation of infrastructure
  • Monitoring for detection attempts
  • Regular rotation of infrastructure

Detection Evasion

• Timing Techniques:

  • Variable sleep times
  • Working hours operation
  • Geolocation-based triggering

• Traffic Manipulation:

  • Encrypting and encoding communications
  • Custom traffic patterns to avoid signatures
  • Protocol obfuscation
  • Mimicking legitimate application traffic

Common Tools and Features

• Data Collection:

  • Keylogging and screenshot capabilities
  • Browser data harvesting
  • Credential access
  • System inventory

• Lateral Movement:

  • Pass-the-hash techniques
  • Remote execution capabilities
  • Credential harvesting and reuse
  • Session hijacking

• Persistence Methods:

  • Registry modifications
  • Scheduled tasks
  • Service installation
  • WMI event subscriptions
  • Application shimming

Popular C2 Frameworks Comparison