Creating A C2 Framework
Sometimes it's easier to write your own C2
There are many open-source and commercial Command and Control (C2) frameworks available to support red teamers in their covert operations, such as Cobalt Strike, Havoc, Meterpreter and Sliver. However, the public availability of these tools often leads to rapid scrutiny and analysis of their behavior and usage. As a result, they tend to be heavily signatured out of the box.
DISCLAIMER: I am not an expert in red-teaming; insights on any inaccuracies in this post are welcome! (I'm a skid)
The following are articles I have referenced that describe the behavior of C2 frameworks, as well as possible detections of an adversary using these tools:
Elastic's detection rules are available on their public repository here, and here. You can find the detection rules for a specific framework by searching for the framework name in their rules!
Malleable C2 is a feature of Cobalt Strike that allows the operator to customize beacon, for example how beacon looks in-memory, how beacon does process injection and how it does post-exploitation jobs.
Malleable C2 can also be used to customize beacon behavior, such as specifying your own DLL loader, a.k.a. the User-Defined Reflective Loader (UDRL).
Although there are means of customizing beacon to be evasive, due to the widespread recognition and usage of Cobalt Strike (and really, most popular C2 frameworks), the development effort required to maintain evasiveness has grown significantly.
The time and effort needed to customize Cobalt Strike's beacon to be evasive demand resources comparable to developing an in-house C2 instead.
At which point, it's probably better to just write your own C2 framework.
https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/artifacts-antivirus_artifact-kit-main.htm#_Toc65482773 (cobalt artifact kits, not mentioned in post)