killchain-compendium/Post Exploitation/C2.md

Command and Control

Domain Fronting

  • Use a domain on the C2 server
  • Use Cloudflare to proxy the requests and responses to and from the target
  • Use HTTPS for channel encryption

Profiles

  • The server identifies its agents by the custom User-Agent string set in the profile
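
The two notes above (SNI/Host mismatch from domain fronting, custom User-Agent strings from agent profiles) both leave traces in a TLS-inspecting proxy's log. The script below is an added example written for this page, not code from the compendium: it triages constructed proxy events, flagging requests whose TLS SNI differs from the HTTP Host header and User-Agent strings that are rare across the sample. The event format, client addresses, hostnames and the `AgentProfile/1.0` string are all constructed for illustration.

```python
"""Triage of constructed TLS/HTTP proxy events for two C2 signals:
TLS SNI != HTTP Host (domain fronting) and rare User-Agent strings
(custom agent profiles). Nothing here is real traffic."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyEvent:
    client: str
    sni: str          # server name from the TLS ClientHello
    host: str         # Host header, readable only after TLS inspection
    user_agent: str


def normalize_host(name: str) -> str:
    """Lower-case, drop a trailing dot and any :port so that cosmetic
    differences are not reported as fronting. Assumes hostnames, not
    bare IPv6 literals."""
    name = name.strip().lower().rstrip(".")
    return name.rsplit(":", 1)[0] if ":" in name else name


def sni_host_mismatches(events):
    """Events whose SNI and Host name differ. Only meaningful where the
    proxy terminates TLS; with passive observation the Host is unknown."""
    return [e for e in events if normalize_host(e.sni) != normalize_host(e.host)]


def rare_user_agents(events, max_count=1):
    """User-Agent strings seen at most max_count times in the sample,
    as {user_agent: count}. A frequency baseline, not a signature: C2
    profiles often copy a real browser string, so use it alongside the
    SNI/Host check rather than on its own."""
    counts = Counter(e.user_agent for e in events)
    return {ua: n for ua, n in counts.items() if n <= max_count}


def triage(events, max_count=1):
    """Both checks in one pass; returns a dict of findings."""
    return {
        "fronting": sni_host_mismatches(events),
        "rare_ua": rare_user_agents(events, max_count),
    }


# Constructed sample: a common browser string plus one odd agent string.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")

SAMPLE_EVENTS = [
    ProxyEvent("10.0.0.11", "www.example.com", "www.example.com", BROWSER_UA),
    # case and trailing dot only: not a mismatch
    ProxyEvent("10.0.0.11", "cdn.example.net", "CDN.example.net.", BROWSER_UA),
    # explicit port only: not a mismatch
    ProxyEvent("10.0.0.12", "cdn.example.net", "cdn.example.net:443", BROWSER_UA),
    # SNI says the CDN, Host says another origin: fronting signal
    ProxyEvent("10.0.0.13", "cdn.example.net", "backend.example.org", BROWSER_UA),
    # unusual User-Agent seen once
    ProxyEvent("10.0.0.14", "www.example.com", "www.example.com",
               "AgentProfile/1.0 (constructed)"),
    ProxyEvent("10.0.0.15", "www.example.com", "www.example.com", BROWSER_UA),
]


if __name__ == "__main__":
    findings = triage(SAMPLE_EVENTS)
    for e in findings["fronting"]:
        print(f"SNI/Host mismatch from {e.client}: sni={e.sni} host={e.host}")
    for ua, n in findings["rare_ua"].items():
        print(f"rare User-Agent ({n}x): {ua}")
```

The normalization step matters in practice: without it, a trailing dot or an explicit `:443` produces false mismatches, and a noisy fronting detector is quickly ignored. Where TLS is not terminated (or Encrypted Client Hello hides the SNI) this check has no data to work with, so the User-Agent baseline and the DNS-side checks have to carry more weight.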

Types

  • Standard listener, TCP or UDP
  • HTTP/HTTPS, to get past firewalls
  • DNS, if the target's internet access is flaky
  • SMB, to cross network segments
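
A DNS listener is the one channel in the list above that works even when the target has no direct internet access, which is exactly why resolver logs are worth scanning for it. The script below is an added example for this page, not code from the compendium: it applies the usual heuristics (long, high-entropy labels, many distinct subdomains under one parent) to constructed resolver log lines. The log format (`<timestamp> <client> <qtype> <qname>`), the `cc.example.net` parent and the hex labels are constructed; the two-label "parent domain" rule is a simplification and a real deployment would use the Public Suffix List.

```python
"""Heuristic scan of constructed DNS query logs for a DNS-channel
listener: encoded-looking labels repeated under one parent domain.
No line here is from a real resolver."""
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_line(line: str):
    """Parse the constructed '<ts> <client> <qtype> <qname>' format.
    Returns (client, qtype, qname) or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def split_name(qname: str, zone_labels: int = 2):
    """(parent, subdomain labels). Naive: parent = last `zone_labels`
    labels, so 'co.uk'-style suffixes are mis-split; use the PSL in production."""
    labels = qname.split(".")
    if len(labels) <= zone_labels:
        return qname, []
    return ".".join(labels[-zone_labels:]), labels[:-zone_labels]


def is_encoded_label(label: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Long and character-diverse, as base16/base32 payload chunks tend to be.
    Long human-readable labels stay below the entropy bar."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def suspicious_parents(lines, min_unique: int = 2):
    """{parent: sorted distinct flagged subdomains} for parents that
    received at least `min_unique` distinct encoded-looking subdomains.
    Requiring several distinct names filters out the odd CDN hash."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_dns_line(line)
        if parsed is None:
            continue
        _, _, qname = parsed
        parent, sub = split_name(qname)
        if any(is_encoded_label(label) for label in sub):
            seen[parent].add(".".join(sub))
    return {p: sorted(s) for p, s in seen.items() if len(s) >= min_unique}


# Constructed sample: ordinary names, one long-but-readable label, and
# three distinct 32-hex-char labels under the same parent (one repeated).
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z 10.0.0.21 A www.example.com",
    "2024-05-01T09:00:01Z 10.0.0.21 SRV _ldap._tcp.dc._msdcs.corp.example.com",
    "2024-05-01T09:00:02Z 10.0.0.21 A telemetry-collector-eu-west-1.example.com",
    "2024-05-01T09:00:03Z 10.0.0.22 TXT 0123456789abcdeffedcba9876543210.cc.example.net",
    "2024-05-01T09:00:05Z 10.0.0.22 TXT 13579bdf02468acefdb97531eca86420.cc.example.net",
    "2024-05-01T09:00:07Z 10.0.0.22 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.cc.example.net",
    "2024-05-01T09:00:08Z 10.0.0.22 TXT 0123456789abcdeffedcba9876543210.cc.example.net",
    "malformed line",
]


if __name__ == "__main__":
    for parent, subs in suspicious_parents(SAMPLE_LOG).items():
        print(f"{parent}: {len(subs)} distinct encoded-looking subdomains")
        for s in subs:
            print("   ", s)
```

The thresholds are deliberately conservative: `telemetry-collector-eu-west-1` is 29 characters long but its entropy is about 3.4 bits per character, so it is not flagged, while each hex label scores exactly 4.0. Tune `min_len`, `min_entropy` and `min_unique` against a baseline of your own resolver logs before alerting on the result, and pair this with query-rate and record-type (TXT, NULL) statistics per client.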

Redirector

  • Apache or nginx as a reverse proxy in front of the C2 server
  • A firewall is still needed in front of the redirector
  • Redirectors get burned instead of the C2 server