# Intro to C2

## Command and Control Framework

* Command and Control (C2) infrastructure is a set of programs used to communicate with a victim machine. This is comparable to a reverse shell, but is generally more advanced and often communicates via common network protocols, like HTTP, HTTPS and DNS.
* To better understand what a C2 framework is at the most basic level, think of a netcat listener (the C2 server) that is capable of handling many reverse shells calling back at once (C2 agents).
* It's a server for reverse shells; unlike Netcat, almost all C2 frameworks require a special payload generator.

### Command and Control Structure

#### C2 Server

* The C2 server serves as a hub for agents to call back to.
* Agents will periodically reach out to the C2 server and wait for the operator's commands.

#### Agents/Payloads

* An agent is a program generated by the C2 framework that calls back to a listener on a C2 server. Most of the time, this agent enables special functionality compared to a standard reverse shell.
* It's important to know that agents can be highly configurable, with adjustments to the timing of how often C2 agents beacon out to a listener on a C2 server, and much more.

#### Listeners

* A listener is an application running on the C2 server that waits for a callback over a specific port or protocol. Some examples are DNS, HTTP and HTTPS.

#### Beacons

* A beacon is the process of a C2 agent calling back to the listener running on a C2 server.

#### Payload Types

* Much like a regular reverse shell, there are two primary types of payloads that you may be able to use in your C2 framework: staged and stageless payloads.

##### Stageless Payloads

* They contain the full C2 agent and will call back to the C2 server and begin beaconing immediately.

![](https://i.imgur.com/5nhMyrb.png)

* The steps for establishing C2 beaconing with a stageless payload are as follows:
  1. The victim downloads and executes the dropper
  2. The beaconing to the C2 server begins

##### Staged Payloads

* Staged payloads require a callback to the C2 server to download additional parts of the C2 agent.

![](https://i.imgur.com/l6fjuTh.png)

* The steps for establishing C2 beaconing with a staged payload are as follows:
  1. The victim downloads and executes the dropper
  2. The dropper calls back to the C2 server for stage 2
  3. The C2 server sends stage 2 back to the victim workstation
  4. Stage 2 is loaded into memory on the victim workstation
  5. C2 beaconing initializes, and the red teamer/threat actors can engage with the victim on the C2 server.

###### Payload Formats

* Windows PE files (executables) are not the only way to execute code on a system. Some C2 frameworks support payloads in various other formats, for example:
  * PowerShell scripts ***which may contain C# code and may be compiled and executed with the Add-Type cmdlet***
  * HTA files
  * JScript files
  * Visual Basic Application/Scripts
  * Microsoft Office documents

##### Modules

* Modules are a core component of any C2 framework; they add the ability to make agents and the C2 server more flexible.
* Depending on the framework, scripts must be written in different languages.

###### Post Exploitation Modules

* Post-exploitation modules deal with anything after the initial point of compromise.

###### Pivoting Modules

* One of the last major components of a C2 framework is its pivoting modules, which make it easier to access restricted network segments within the C2 framework.
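
From the defender's side, the periodic callbacks described under Beacons are a detection signal. The following is an added example (not part of the original notes or of any C2 framework): it groups connection records by source and destination and flags pairs whose callback intervals are nearly constant. The log records, host names and thresholds are constructed assumptions.

```python
# Added example: flag periodic (beacon-like) callbacks in connection logs.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (epoch_seconds, source_host, destination).
SAMPLE_LOG = (
    # ws-17 contacts one destination roughly every 60 s (small timing drift).
    [(1000 + 60 * i + d, "ws-17", "updates.example.net")
     for i, d in enumerate([0, 2, -1, 1, 0, -2, 1, 0])]
    # Irregular, human-driven browsing from the same host.
    + [(t, "ws-17", "intranet.example.org")
       for t in (1003, 1010, 1190, 1204, 1650, 1655, 2400)]
    # Only two connections: not enough data to call periodic.
    + [(t, "ws-22", "updates.example.net") for t in (1100, 1900)]
)


def beacon_candidates(records, min_events=6, max_cv=0.1):
    """Return [(src, dst, mean_interval, cv)] for pairs with regular timing.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; values near 0 mean near-constant intervals.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue  # too few callbacks to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; no interval to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    for src, dst, interval, cv in beacon_candidates(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{interval}s (cv={cv})")
```

Because agent timing is configurable, `max_cv` and `min_events` are tuning knobs rather than fixed values; a flagged pair is a lead for investigation, since legitimate software (update checks, monitoring) also polls on a schedule.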