The origin of session sharing in C2 infrastructure
Learn how the session sharing feature became the norm in command and control infrastructure.
If you are into offensive cybersecurity, you have likely worked with a Command and Control (C2) tool in your career. It doesn't matter which tool it was. Today, most well-known C2 tools ship with a feature known as session sharing.
Red Team Notes
Session sharing enables multiple operators in a red team to share sessions to pwned hosts and conduct post-exploitation activities.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
This eliminates the need for each red team operator to create their own session to the pwned host. Imagine the noise it would create if 50+ sessions were to be opened to pwned hosts.
Do you know how and why that feature came into being? It was first implemented in Armitage, one of the first GUI-based C2 tools, by its creator Raphael Mudge. Raphael later transitioned to other projects and gave us Cobalt Strike, the most commonly used C2 tool across the industry.
Raphael explained in a 2013 talk, Dirty Red Team Tricks, why he implemented session sharing in Armitage. Instead of summarizing here, I'll let Raphael explain it in his own words. So do watch the video below. Raphael also covered some neat red team tradecraft in this talk from DerbyCon.