C2 Frameworks
C2 Frameworks (Post Exploitation Frameworks) are the command and control tools used for managing connections to compromised assets. Offensive testers can use these for research and testing of their environment's defenses against popular tools used by threat actors.
These are NOT to be used in a malicious capacity and are for testing purposes only. Seriously, don't be that person.
Command and Control Basics
The implant is the payload component of an exploit, which will be executed on the victim’s computer. Once an implant is running on the target system, it will attempt to call back to the C2 server periodically to check for new commands.
The C2 servers that communicate with the implants on a victim system vary in complexity and functionality, but the basic functionality allows the attacker to queue up commands for the implant to execute. The C2 server commands typically deal with two areas: the implant configuration, and interacting with the infected host. Examples of this are changing the beacon timings and exfiltrating the Windows SAM file. Commands can be queued up with most C2 servers, allowing actions to be carried out at specific times; this could help to blend into network traffic at peak times, or to communicate when the security team have left work.
The C2 servers are typically configured to appear as if they're running common services, such as HTTP or DNS. This helps the communications to appear as legitimate traffic, which will assist in avoiding detection if tools such as Snort or RSA NetWitness are deployed and monitoring the victim's network.
To further obfuscate network communications, most implants support domain fronting. Domain fronting is a technique that routes the communications through a content delivery network (CDN), so the apparent destination of the traffic is a trusted CDN such as CloudFront, Google, or Cloudflare. Using domain fronting, it is possible to quickly change CDNs if the Blue Team identify and block a particular CDN (although blocking a CDN can be a challenge for defenders, as it may also block legitimate traffic).
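A defender-side counterpart to the periodic callback behaviour described above, added here as an example and not part of the original page: the script groups constructed HTTP proxy log lines by (client, destination) pair and flags pairs whose inter-request intervals are regular enough to look timer-driven, even with jitter. The log format, hosts, addresses and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "<ISO timestamp> <client_ip> <dest_host> <status>".
# 10.0.0.5 -> cdn.example.net calls back about once a minute (with jitter);
# 10.0.0.7 -> www.example.org is irregular, human-driven browsing.
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 cdn.example.net 200
2024-01-01T09:00:05 10.0.0.7 www.example.org 200
2024-01-01T09:00:09 10.0.0.7 www.example.org 200
2024-01-01T09:00:40 10.0.0.7 www.example.org 304
2024-01-01T09:00:58 10.0.0.5 cdn.example.net 200
2024-01-01T09:02:03 10.0.0.5 cdn.example.net 200
2024-01-01T09:03:01 10.0.0.5 cdn.example.net 200
2024-01-01T09:03:10 10.0.0.7 www.example.org 200
2024-01-01T09:04:04 10.0.0.5 cdn.example.net 200
2024-01-01T09:05:00 10.0.0.5 cdn.example.net 200
2024-01-01T09:09:30 10.0.0.7 www.example.org 200
"""

def parse_log(text):
    """Group request timestamps by (client, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, client, dest, _status = line.split()
        events[(client, dest)].append(datetime.fromisoformat(ts))
    return events

def interval_stats(times):
    """Mean gap in seconds and coefficient of variation (pstdev / mean)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:                      # no rhythm to measure yet
        return 0.0, float("inf")
    mean = statistics.mean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean else float("inf"))

def find_beacons(text, min_events=5, max_cv=0.2):
    """Flag pairs whose callbacks cluster tightly around one base period."""
    hits = []
    for pair, times in parse_log(text).items():
        if len(times) < min_events:        # too few requests to judge rhythm
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append((pair, round(mean, 1), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for (client, dest), mean, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: ~{mean}s period, cv={cv}")
```

Real deployments would also weigh request size regularity and destination reputation; a low coefficient of variation alone will also match legitimate software update checks, so treat hits as leads for review rather than verdicts.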
Advanced Penetration Testing: C2 Basics and Essentials - pg. 19
Advanced Penetration Testing: C2 Advanced Attack Management - pg. 45
Advanced Penetration Testing: Creating a covert C2 Solution - pg. 112
Software for Adversary Simulations and Red Team Operations
PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. This is my framework of choice.
This tool is designed to create an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network.
Other Frameworks
https://www.thec2matrix.com/matrix - Find all the popular C2 frameworks
Remote Management Shells/RATs
Tor C2
A C2 server can be provisioned as a node within the Tor network and force the compromised host to connect to Tor when it comes online.