Creating A C2 Framework

There are many open-source and commercial Command and Control (C2) frameworks available to support red teamers in their covert operations, such as Cobalt Strike, Havoc, Meterpreter, Sliver. However, the public availability of these tools often lead to rapid scrutiny and analysis of their behavior and usage. As a result, they tend to be heavily signatured out of the box.

DISCLAIMER: I am not an expert in red-teaming, insights on any inaccuracies in this post are welcome! (i'm a skid)

Detection References

The following are articles that I have taken reference from that describe the behavior of C2 frameworks, as well as possible detections of an adversary using these tools:

Cobalt Strike

1. https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/

2. https://www.mdsec.co.uk/2022/07/part-2-how-i-met-your-beacon-cobalt-strike/

3. https://www.mandiant.com/resources/blog/defining-cobalt-strike-components

4. https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/

5. https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Havoc

1. https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_Havoc.ya

2. https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace

Meterpreter

1. https://www.forensicfocus.com/articles/finding-metasploits-meterpreter-traces-with-memory-forensics/

2. https://www.bussink.net/meterpreter-reverse_http-how-does-it-communicate-between-device-and-the-msf/

3. https://www.bussink.net/meterpreter-how-does-it-communicate-between-device-and-the-msf-part-2/

4. https://www.bussink.net/meterpreter-and-other-c2-can-we-detect-them-part-3/

5. https://www.elastic.co/guide/en/security/current/potential-meterpreter-reverse-shell.html

Sliver

1. https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/

2. https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/

3. https://hut.threathunterz.com/battlefield-intel/articles-and-reports/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide

Elastic's detection rules are available on their public repository here, and here. you can reference the detection rules for a specific framework by searching for the framework in their rules!

1. https://github.com/elastic/protections-artifacts

2. https://github.com/elastic/detection-rules

Malleable C2

Malleable C2 is a feature of Cobalt Strike that allows the operator to customize beacon, for example how beacon looks in-memory, how beacon does process injection and how it does post-exploitation jobs.

Malleable C2 can also be used to customize beacon behavior, such as specifying your own DLL loader aka the User-Defined Reflective Loader (UDRL)

Endless Modification

Although there are means of customizing beacon to be evasive, due to the widespread recognition and usage of Cobalt Strike (and really, most popular C2 frameworks), the development effort required to maintain evasiveness has grown significantly.

The time and effort taken to customize cobalt beacon to be evasive, demands resources comparable to developing an in-house C2 instead.

Custom C2

At which point, it's probably better to just write your own C2 framework.

References

1. https://securityintelligence.com/x-force/defining-cobalt-strike-reflective-loader/

2. https://github.com/boku7/BokuLoader

3. https://github.com/rsmudge/Malleable-C2-Profiles

4. https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/artifacts-antivirus_artifact-kit-main.htm#_Toc65482773 (cobalt artifact kits, not mentioned in post)