killchain-compendium/post_exploitation/docs/c2.md

1.0 KiB

Command and Control

Domain Fronting

  • Use a Domain on the C2 server
  • User Cloudflare to proxy the request and responses to and from the target
  • Use HTTPs for channel encryption

Profiles

  • Server evaluates by custom user-agents to identify agents

Types

  • Std listener, TCP or UDP
  • HTTP/HTTPS, counter FW
  • DNS, if internet access of the target is flaky
  • SMB, counter network segments

Redirector

  • Apache or nginx as reverse proxy in front of the c2 server
  • FW is still needed in front of the redirector
  • These get burned instead of the c2