Infosec Institute -
C2 frameworks, short for Command and Control (C&C) infrastructure, are how red teamers and pentesters control compromised machines during security assessments.
Although they can be implemented on other models (peer-to-peer or out-of-band channels), C2 frameworks are typically designed around a client-server architecture and communicate with compromised systems over a network connection. Such systems mimic benign network traffic to avoid detection and bypass network security appliances. Many techniques can be used to establish command and control, offering different levels of stealth depending on the victim's network, structure and defenses (MITRE ATT&CK). In detail, MITRE presents 16 distinct C2 techniques, grouped into several sub-techniques, that have been observed in past cyber incidents.
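Because a client-server C2 channel usually phones home on a timer, one defensive check is to look for suspiciously regular outbound connections even when each request looks like ordinary web traffic. The following Python is an added example, not code from the original article: it parses a few constructed proxy-log lines (an assumed `timestamp src dst url` format) and flags source/destination pairs whose inter-connection intervals are nearly constant; the thresholds are assumptions a practitioner would tune.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data): "timestamp src dst url".
# 10.0.0.5 checks in roughly every 60 s; 10.0.0.7 browses at irregular times.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 203.0.113.10 /api/status
2024-01-10T09:00:12 10.0.0.7 198.51.100.3 /index.html
2024-01-10T09:01:00 10.0.0.5 203.0.113.10 /api/status
2024-01-10T09:02:00 10.0.0.5 203.0.113.10 /api/status
2024-01-10T09:02:45 10.0.0.7 198.51.100.3 /images/logo.png
2024-01-10T09:03:00 10.0.0.5 203.0.113.10 /api/status
2024-01-10T09:03:59 10.0.0.5 203.0.113.10 /api/status
2024-01-10T09:05:00 10.0.0.5 203.0.113.10 /api/status
2024-01-10T09:09:13 10.0.0.7 198.51.100.3 /news
2024-01-10T09:06:01 10.0.0.5 203.0.113.10 /api/status
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the assumed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, dst, _url = m.groups()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_connections=5, max_cv=0.1):
    """Flag pairs whose connection intervals are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is close to zero
    for a fixed sleep timer; human-driven traffic scatters it much wider.
    """
    hits = {}
    for pair, times in flows.items():
        if len(times) < min_connections:
            continue  # too few samples to judge periodicity
        times = sorted(times)  # log lines may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {"connections": len(times),
                          "mean_interval": round(avg, 1), "cv": round(cv, 3)}
    return hits
```

Heavily jittered or low-and-slow check-ins push the coefficient of variation above `max_cv`, so this heuristic is a starting point to combine with destination reputation and payload size, not a complete detector.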
From the auditor's perspective, once an initial foothold is established, the operator can move laterally through the internal network from that point, using the C2 capabilities to jump to other vulnerable or misconfigured hosts. As expected, the first compromised machine is a valuable target: it is typically used as a pivot to reach more sensitive parts of the network, such as file servers and domain controllers.
Because a C2 channel is bidirectional, sensitive information can easily be exfiltrated from the environment. In the last few months, several cyberattacks were