Overview
A Command and Control (C2) framework is a platform for controlling and managing compromised systems remotely. It acts as a central hub that can manage hundreds of compromised systems in a target network.
A typical C2 framework consists of 3 parts:
- C2 Server
- C2 Client
- C2 Agent
The C2 server is the command center, the client is the interface used by the attacker, and the agent is the software installed on the compromised systems to facilitate communication.
```mermaid
graph TD
    Operator[[Operator]] --> C2_Client[[C2 Client]]
    C2_Client -->|Sends Commands| C2_Server[[C2 Server]]
    C2_Server -->|Controls| C2_Agent[[C2 Agent]]
    C2_Agent -->|Beacons Back| C2_Server
    C2_Agent -->|Executes on| Compromised_Host[[Compromised Host]]
    Operator -->|Generates| Payload[[Malware Payload]]
    Payload -->|Deploys| C2_Agent
    C2_Agent -->|Exfiltrates Data| C2_Server
    C2_Server -->|Stores Data| Exfil_DB[[Exfiltration Database]]
    classDef red fill:#ffcccc,stroke:#ff0000;
    classDef blue fill:#cce5ff,stroke:#0066cc;
    classDef green fill:#ccffcc,stroke:#009900;
    class Operator,C2_Client,Payload red;
    class C2_Server,Exfil_DB blue;
    class C2_Agent,Compromised_Host green;
```
C2 Framework
C2 Server
The central command center and the head of the operation. From here the attacker does everything: issuing commands, managing connections, and storing logs.
The C2 servers can be hosted in a few different ways:
- Dedicated infrastructure: This could be self-hosted servers or virtual private servers (VPS).
- Cloud services: Hosting on platforms like AWS or Azure lets the server blend in with the normal traffic those platforms already carry.
- Compromised servers: Attackers consider this good OPSEC, since using someone else's infrastructure makes the operation harder to trace back to them.
Main functions of the C2 server:
- It manages all connections to compromised systems.
- It sends commands and payloads for different purposes, such as data theft, lateral movement, or deploying additional malware.
- It acts as the communication hub, a centralized point of control for multiple infected systems.
C2 Client
As with any normal application, the attacker needs a client in order to interact with the C2 server. The C2 client is essentially the dashboard or interface from which they run the attack.
C2 client capabilities:
- Issue commands: It can tell infected systems to collect files, execute tasks, or spread malware.
- Automate tasks: Many modern C2 tools allow automation, saving attackers time on repetitive activities.
- Monitor in real time: Attackers get live updates on what’s happening across compromised systems.
- Customize attacks: Many C2 frameworks let attackers write scripts or add plugins to adapt to specific targets.
This interface makes the job simpler and more efficient for the attackers.
C2 Agent
A piece of software installed on the compromised systems. It is what establishes the connection between the infected device and the C2 server and carries out the attacker's commands.
Key features:
- First contact: Once the agent is executed, it makes a "call back" to the C2 server. Depending on the type of C2 framework, different communication channels are supported and can be used for this.
- Execution: The agent waits for instructions and then executes commands, whether that is stealing files, running scripts, or moving through the network.
- Staying hidden: Agents are designed to be stealthy. They often mimic legitimate processes (like "svchost.exe") or use fileless malware techniques to stay under the radar. Some can be set up to check in only at specific times to avoid being tracked.
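The "call back" described above is what defenders usually look for: an agent that checks in on a schedule produces outbound connections to the same destination at nearly constant intervals. The following is an added example (not code from the original article or from any of the frameworks it names) that runs that detection logic over a few constructed proxy-log lines. The log format, the host name `ws-17`, the destination addresses (RFC 5737 documentation ranges, not real indicators) and the thresholds in `find_beacons` are all assumptions made for the example.

```python
"""Beacon-interval analysis over constructed outbound-connection log lines.

Added example, not part of the original article. Records are grouped by
(source host, destination), the gaps between consecutive connections are
measured, and pairs whose gaps are both frequent and nearly constant are
flagged as candidate agent check-ins for an analyst to review.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (hypothetical host and documentation-range addresses).
# Format per line: ISO timestamp, source host, destination, bytes sent.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-17 203.0.113.10:443 612
2024-05-01T09:00:05 ws-17 198.51.100.7:443 1840
2024-05-01T09:01:00 ws-17 203.0.113.10:443 598
2024-05-01T09:02:01 ws-17 203.0.113.10:443 605
2024-05-01T09:02:33 ws-17 198.51.100.7:443 9021
2024-05-01T09:03:00 ws-17 203.0.113.10:443 611
2024-05-01T09:04:00 ws-17 203.0.113.10:443 602
2024-05-01T09:04:47 ws-17 198.51.100.7:443 2230
2024-05-01T09:05:01 ws-17 203.0.113.10:443 609
2024-05-01T09:06:00 ws-17 203.0.113.10:443 600
2024-05-01T09:11:12 ws-17 198.51.100.7:443 4100
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def intervals_by_pair(records):
    """Return {(src, dst): [seconds between consecutive connections]}."""
    times_by_pair = defaultdict(list)
    for ts, src, dst, _ in sorted(records):
        times_by_pair[(src, dst)].append(ts)
    return {
        pair: [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        for pair, times in times_by_pair.items()
    }


def beacon_score(gaps):
    """Coefficient of variation of the gaps; 0.0 means perfectly regular."""
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return pstdev(gaps) / m


def find_beacons(records, min_connections=5, max_cv=0.10):
    """Flag (src, dst) pairs with at least min_connections contacts whose
    inter-arrival jitter (coefficient of variation) is at most max_cv.
    Both thresholds are illustrative assumptions; tune them per environment.
    Returns [((src, dst), mean_gap_seconds, cv), ...]."""
    flagged = []
    for pair, gaps in intervals_by_pair(records).items():
        if len(gaps) + 1 < min_connections:
            continue
        cv = beacon_score(gaps)
        if cv is not None and cv <= max_cv:
            flagged.append((pair, round(mean(gaps), 1), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    for (src, dst), period, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: ~{period}s period, jitter cv={cv}")
```

On the sample data the connections to `203.0.113.10:443` recur every 59 to 61 seconds and are flagged, while the irregular, larger transfers to `198.51.100.7:443` are not. Agents that deliberately add jitter or only check in at certain hours spread the gaps out, so in practice `max_cv` and `min_connections` are tuned against a baseline of known-good periodic traffic (update checks, monitoring agents) and the output is treated as a lead for triage rather than a verdict.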
Popular C2 Frameworks
- Open-source
- Havoc: Havoc is a modern, malleable post-exploitation command and control framework made for penetration testers, red teams, and blue teams.
- Sliver C2: Sliver is a powerful command and control (C2) framework designed to provide advanced capabilities for covertly managing and controlling remote systems.
- Commercial
- Cobalt Strike: a commercial adversary simulation and red team operations platform widely used in the security industry. Known for its flexibility and powerful features, Cobalt Strike is a favorite among professionals for simulating advanced threats and managing compromised systems.
- Brute Ratel C4: a commercial red team and adversary simulation platform that can automate the execution of adversary tactics, techniques, and procedures (TTPs). Brute Ratel C4 is designed to mimic real-world attacks, providing a realistic and challenging environment for testing defenses.