Joe Vest, James Tubberville, Red Team Development and Operations
Command and Control (C2)

Command and Control (C2) is a cornerstone of a Red Team's ability to gain and maintain control of a target. C2 is the influence an attacker has over a compromised computer system. This influence is expressed through a C2 infrastructure that can issue various tasks and instructions to the remote system. Tools such as PowerShell Empire or Cobalt Strike provide agents or beacons that can be deployed to a target. These tools use an asynchronous means of communication: an agent or beacon polls a C2 server for instructions on a controlled interval. The server is queried for a task. If a task exists, the agent or beacon performs the action and reports the results. If there are no tasks, the agent or beacon goes to sleep for the predefined period of time.

C2 falls into three categories:

● Synchronous
● Asynchronous
● On-demand

Synchronous C2 operates in real time. A constant stream of communications is required to maintain the C2 channel.

Asynchronous C2 communications offer many benefits to a Red Team over synchronous communications by:

● Controlling when and how often communications are sent - A C2 agent can poll as quickly as near real time or may check in once a day, week, or month
● Bypassing firewalls through egress communication - Clients are typically not accessible from outside a network but can reach assets on the internet through outbound communication
● Not requiring a constant, established connection

On-demand C2 is unique and operates only when needed. Communications occur only when triggered by an operator. Tools such as email or web shells can provide excellent on-demand C2 channels.

Choosing your Command and Control (C2) mechanisms is a critical step in designing your C2 plan for an engagement.

C2 Channels

There are numerous methods for establishing C2. Each of these methods uses a C2 channel for primary communications. While any channel can be used, it is recommended to use a channel that blends in with organizational traffic.

Commonly used C2 channels include:

● HTTP/HTTPS
● DNS
● SMB
● SSH
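The asynchronous polling pattern described above (an agent checking in on a controlled interval, then sleeping) is exactly what a defender can look for in egress proxy logs: a client that contacts the same external host at near-constant intervals over an HTTP/HTTPS channel. The following is an added illustration written for this excerpt, not code from the book or from any C2 framework. It parses a small set of constructed proxy log lines (the addresses, paths and timestamps are invented, using documentation IP ranges), groups connections by source/destination pair, and flags pairs whose inter-connection intervals have a low coefficient of variation. The log format, the `min_connections` and `max_cv` thresholds, and the function names are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (format assumed for this example:
# "<timestamp> <src_ip> <dst_ip> <method> <path> <status>").
# 10.0.0.5 polls 203.0.113.10 every 60 seconds (beacon-like);
# 10.0.0.9 browses 198.51.100.20 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 10.0.0.5 203.0.113.10 GET /news.php 200
2024-03-01T10:01:00Z 10.0.0.5 203.0.113.10 GET /news.php 200
2024-03-01T10:02:00Z 10.0.0.5 203.0.113.10 GET /news.php 200
2024-03-01T10:03:00Z 10.0.0.5 203.0.113.10 GET /news.php 200
2024-03-01T10:04:00Z 10.0.0.5 203.0.113.10 GET /news.php 200
2024-03-01T10:05:00Z 10.0.0.5 203.0.113.10 GET /news.php 200
2024-03-01T10:00:07Z 10.0.0.9 198.51.100.20 GET /index.html 200
2024-03-01T10:00:09Z 10.0.0.9 198.51.100.20 GET /style.css 200
2024-03-01T10:03:41Z 10.0.0.9 198.51.100.20 GET /about.html 200
2024-03-01T10:11:02Z 10.0.0.9 198.51.100.20 GET /contact.html 200
2024-03-01T10:11:05Z 10.0.0.9 198.51.100.20 GET /logo.png 200
2024-03-01T10:25:30Z 10.0.0.9 198.51.100.20 GET /index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Return a list of (timestamp, src, dst) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def interval_stats(events):
    """Group events by (src, dst) and return {(src, dst): (count, mean_gap_s, cv)}.

    cv is the coefficient of variation (population stdev / mean) of the gaps
    between consecutive connections; a value near 0 means a fixed interval.
    Pairs with fewer than three connections have too few gaps to judge.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < 3:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean == 0:
            continue  # all connections in the same second; not a polling pattern
        cv = statistics.pstdev(gaps) / mean
        stats[pair] = (len(times), mean, cv)
    return stats


def find_beacon_candidates(text, min_connections=5, max_cv=0.2):
    """Return sorted (src, dst) pairs that connect often and at near-constant intervals."""
    stats = interval_stats(parse_log(text))
    return sorted(pair for pair, (n, _mean, cv) in stats.items()
                  if n >= min_connections and cv <= max_cv)


if __name__ == "__main__":
    for pair, (n, mean, cv) in interval_stats(parse_log(SAMPLE_LOG)).items():
        print(f"{pair[0]} -> {pair[1]}: {n} connections, mean gap {mean:.1f}s, cv {cv:.2f}")
    print("beacon candidates:", find_beacon_candidates(SAMPLE_LOG))
```

Two caveats follow directly from the text. First, because the operator controls the interval, an agent that checks in once a day, week, or month will never reach `min_connections` inside a short log window, so the analysis window has to be as long as the longest sleep you care about. Second, real agents usually add jitter to the interval, so `max_cv` must be tuned against the organization's own baseline rather than set to zero; the value here only separates the constructed regular host from the constructed irregular one.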