
Introduction:

Command and Control infrastructure, also known as C&C or C2, is typically a collection of tools and techniques used to maintain communication with a compromised device inside a target network. Ultimately, the primary objective of a C2 server is to establish and maintain a communication channel with a compromised device, allowing a threat actor to remotely control that device over the internet.

C2 not only establishes communication channels but also functions as a framework equipped with various mechanisms and tools. These tools enable a threat actor to upload files, execute commands or malware, establish persistence, pivot within a compromised network, and much more.

Beyond these capabilities, C2 also allows centralised control over hundreds of devices, making it a powerful platform for coordinating widespread operations across a compromised network.

While C2 is commonly utilised by cybercriminals, it also plays a crucial role in penetration testing, allowing cyber security professionals to simulate these real-world threats effectively.

C2 Infrastructure Example:

To provide more context on what C2 infrastructure looks like, the following diagram illustrates a basic version of how a threat actor would typically set up their C2 infrastructure.

On the left side, we have the victim’s internal network (Blue) with a compromised device residing within it. On the opposite side, we have the threat actor’s network (Red), which contains the key components that make up the C2 infrastructure. The black lines represent the communication channels that have been established over the internet and to the C2 infrastructure:

The Redirector Node:

A redirector node is a system that serves a dual role within a C2 infrastructure setup.

  • The first role is straightforward: it is responsible for directing communications from a compromised system to the C2 server, allowing a threat actor to issue commands to the compromised device.
  • It also serves as a buffer or protective layer that masks or hides the C2 server from direct communication with the internet.

A redirector can be any common internet-facing service or system, such as a website, mail server, or DNS server, and can leverage multiple protocols like HTTP or ICMP to establish communication channels with a compromised device.

Threat actors often disguise these servers as legitimate or innocuous to conceal their true purpose, as these systems are usually the first point of contact. Significant effort may be invested in making these systems appear harmless to mislead investigators or IT security teams if these communication channels are scrutinised.

It is important to understand that C2 infrastructure can include multiple redirectors that malware or C2 channels communicate with. This approach complicates investigation efforts, as malware may switch redirectors randomly or periodically, making it harder for security teams to track and isolate the communication paths.

Additionally, by using multiple redirectors, threat actors not only obscure the true purpose of these communications but also ensure continuity by providing alternative communication paths if a redirector were to be discovered and taken offline or blocked.
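From the defender's side, the traffic between a compromised device and a redirector is what actually crosses the network boundary, so that is where it can be observed. The following is an added example, not code from the original post: it reads constructed proxy log lines and flags source/destination pairs whose connections recur at near-constant intervals with near-constant sizes, the pattern a C2 check-in tends to leave behind. The log format, host names and thresholds are assumptions.

```python
"""Flag beacon-like outbound connections in proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# cdn-assets.example receives small, evenly spaced requests (with slight jitter);
# news.example receives irregular, ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn-assets.example 412
2024-05-01T10:00:03 10.0.0.5 news.example 9021
2024-05-01T10:01:00 10.0.0.5 cdn-assets.example 410
2024-05-01T10:02:01 10.0.0.5 cdn-assets.example 415
2024-05-01T10:02:41 10.0.0.5 news.example 12000
2024-05-01T10:03:00 10.0.0.5 cdn-assets.example 411
2024-05-01T10:04:00 10.0.0.5 cdn-assets.example 409
2024-05-01T10:05:02 10.0.0.5 cdn-assets.example 413
2024-05-01T10:07:30 10.0.0.5 news.example 500
"""


def parse_log(text, per_destination=True):
    """Group (time, bytes) per (src, dst); with per_destination=False group per
    source only, which still catches a beacon that rotates between redirectors."""
    groups = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        key = (src, dst) if per_destination else (src, "*")
        groups[key].append((datetime.fromisoformat(ts), int(size)))
    return groups


def beacon_stats(conns):
    """Coefficient of variation (stdev/mean) of inter-connection gaps and of
    request sizes; values near 0 mean a machine-regular pattern."""
    conns = sorted(conns)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
    sizes = [size for _, size in conns]
    gap_mean = mean(gaps)
    interval_cv = pstdev(gaps) / gap_mean if gap_mean > 0 else float("inf")
    return interval_cv, pstdev(sizes) / mean(sizes)


def find_beacons(text, min_conns=5, max_interval_cv=0.2, max_size_cv=0.1,
                 per_destination=True):
    """Return (src, dst, count, interval_cv, size_cv) for groups that look like
    periodic check-ins. Thresholds are assumptions and need tuning per network."""
    hits = []
    for (src, dst), conns in parse_log(text, per_destination).items():
        if len(conns) < min_conns:
            continue
        icv, scv = beacon_stats(conns)
        if icv <= max_interval_cv and scv <= max_size_cv:
            hits.append((src, dst, len(conns), round(icv, 3), round(scv, 3)))
    return hits
```

A hit is a lead for triage, not proof: legitimate software (update checks, telemetry) is also periodic, so the destination's reputation and the content of the requests still need to be reviewed.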

Command & Control (C2) Server:

The Command & Control (C2) server is the core of the operation and the heart of the C2 infrastructure. C2 servers manage connections with compromised devices and serve as the interface between the threat actor and those devices. These systems are also designed to allow threat actors to monitor and log incoming connections and automate actions across several hundred devices.

These servers can also house the C2 software or framework, where malware and other tools are stored, allowing the threat actor to issue commands and install malicious software on compromised devices. While this is only a subset of the functionalities that C2 servers offer, they are capable of much more, providing a wide range of tools and capabilities that extend the threat actor’s control and reach.

Again, C2 infrastructure can include multiple C2 servers, either to maintain continuity during an operation or to serve a specific operational need.

Command & Control (C2) Frameworks:

You might be thinking, ‘Surely, this software is only available in the dark corners of the internet and must be expensive or dangerous to obtain.’ The reality, however, is quite different.

In many cases, some of the most notable C2 software used by threat actors can be easily found online and is often completely free, requiring nothing more than a simple download to install. Some of these frameworks are very easy to set up, and in some instances, they even come with pre-compiled malware or scripts that can be readily deployed to establish C2 communications with targeted devices.

As an example, the following lists some notable C2 software that penetration testers and threat actors use within their operations:

Cobalt Strike: Cobalt Strike is a paid C2 framework that enables an attacker to deploy an agent called ‘Beacon’ on a victim’s machine. This agent offers a wide range of functionalities, including, but not limited to, command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, port scanning, and lateral movement. Cobalt Strike supports C2 and staging over multiple protocols, including HTTP, HTTPS, DNS, SMB named pipes, as well as forward and reverse TCP.

Empire C2: Empire C2 is a free and open-source Command and Control (C2) framework that is widely used for post-exploitation activities by cybersecurity professionals and threat actors. Empire provides users with a comprehensive set of tools for managing compromised hosts and executing complex attack chains. Similarly to Cobalt Strike, it supports C2 and staging over multiple protocols, including HTTP, HTTPS, DNS, SMB named pipes, as well as forward and reverse TCP.

Metasploit: Metasploit is a well-known open-source penetration testing framework that includes powerful C2 (Command and Control) capabilities. While Metasploit is primarily recognised for its extensive exploit library and automation of exploitation tasks, it also offers features that enable threat actors and security professionals to manage compromised systems effectively. The most widely used payload in Metasploit is Meterpreter, which supports multiple communication channels, including HTTP, HTTPS, and TCP.

While these are some of the most commonly used C2 frameworks, it’s important to note that there are over a hundred different variants available on the internet. Each framework comes in a different flavour and is often specialised for specific platforms such as Linux, Windows, or Android. They may also vary in terms of accessibility, with some being open-source and freely available, while others require the purchase of a licence for use by individuals or organisations.

Utilising C2 for Good:

Command and Control (C2) systems play a significant role in both offensive and defensive cybersecurity operations. Often associated with cybercriminal activity, C2 systems are used to establish and maintain communication with compromised devices, enabling attackers to control systems remotely and coordinate complex operations. However, beyond their malicious use, C2 systems are tools that are leveraged by cybersecurity professionals.

In the realm of penetration testing, C2 frameworks allow security experts to conduct realistic adversary simulations. By leveraging the same tools, techniques, and procedures (TTPs) used by real attackers, cybersecurity professionals can mimic sophisticated threats, such as those posed by advanced persistent threats (APTs). These simulations are designed to test an organisation’s defences, revealing weaknesses that might otherwise go unnoticed.

By employing C2 systems in controlled attack simulations, penetration testers can evaluate an organisation’s resilience against these high-level threats. This process not only helps identify vulnerabilities but also provides valuable insights into how an organisation’s security measures hold up under the pressure of a simulated, real-world attack. Ultimately, the use of C2 in these scenarios is essential for helping organisations strengthen their defences and stay ahead of evolving cyber threats.


Written by: Marco Bruinenberg
