Command and Control
When malware executes, a few common steps tend to occur:
- Discovery: A series of commands such as ipconfig, whoami, nslookup, net user, etc. may run automatically to gather information about the host and the network.
- Persistence: Persistence may take the form of a service creation or a scheduled task so that the malware survives a reboot.
- Command & Control: The majority of malicious binaries perform this step. They establish a C&C session between the target and the attacker's infrastructure.
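As an added, defender-side illustration of the discovery and persistence steps above (example code, not from the original post): a small detector run over constructed process-creation events that flags one parent process spawning several distinct discovery tools within a short window, plus any command line that creates a service or a scheduled task. The field layout, thresholds and sample events are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery tools named in the text; matched on the process image name.
DISCOVERY = {"ipconfig.exe", "whoami.exe", "nslookup.exe", "net.exe", "net1.exe"}
# Persistence mechanisms named in the text: service creation or scheduled task.
PERSISTENCE = [
    re.compile(r"\bsc(\.exe)?\s+create\b", re.I),
    re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
]

# Constructed process-creation events (not real telemetry), one per line:
# timestamp|host|parent_pid|image|command_line
SAMPLE_LOG = """\
2024-01-10T09:00:01|WS01|4120|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
2024-01-10T09:00:02|WS01|4120|C:\\Windows\\System32\\whoami.exe|whoami /all
2024-01-10T09:00:03|WS01|4120|C:\\Windows\\System32\\nslookup.exe|nslookup corp.local
2024-01-10T09:00:04|WS01|4120|C:\\Windows\\System32\\net.exe|net user
2024-01-10T09:00:09|WS01|4120|C:\\Windows\\System32\\sc.exe|sc create updsvc binPath= C:\\Users\\Public\\u.exe
2024-01-10T09:30:00|WS02|1555|C:\\Windows\\System32\\ipconfig.exe|ipconfig
2024-01-10T09:45:00|WS02|1555|C:\\Windows\\System32\\whoami.exe|whoami
"""

def parse(log):
    """Split each event into (timestamp, host, parent_pid, image_name, command_line)."""
    events = []
    for line in log.splitlines():
        ts, host, ppid, image, cmd = line.split("|", 4)
        name = image.rsplit("\\", 1)[-1].lower()
        events.append((datetime.fromisoformat(ts), host, int(ppid), name, cmd))
    return events

def detect(log, window=timedelta(minutes=2), min_distinct=3):
    """Return alerts: a 'discovery_burst' when one parent spawns >= min_distinct
    distinct discovery tools within `window`, and 'persistence' for each command
    line that creates a service or scheduled task. WS02 above stays quiet because
    its two discovery commands are 15 minutes apart and only two tools are used."""
    alerts, by_parent = [], defaultdict(list)
    for ts, host, ppid, name, cmd in parse(log):
        if name in DISCOVERY:
            by_parent[(host, ppid)].append((ts, name))
        if any(p.search(cmd) for p in PERSISTENCE):
            alerts.append(("persistence", host, ppid, cmd))
    for (host, ppid), hits in by_parent.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {n for ts, n in hits[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts.append(("discovery_burst", host, ppid, sorted(seen)))
                break
    return alerts
```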
Objectives:
- Learn what C2 is
- Why it is important
- Some of the tools/frameworks
- Mythic and how it works
What is Command & Control AKA C2 or C&C?
According to MITRE ATT&CK, Command and Control consists of techniques that adversaries may use to communicate with systems under their control in the victim's network. The attacker has control over a victim's computer so that they can perform various actions on it to achieve their actions on objectives (their goal).
Why is establishing a C2 important for an attacker?
Attackers establish C2 to perform additional actions that progress the attack chain toward their actions on objectives (Credential Access, Lateral Movement, Exfiltration, executing ransomware, etc.).
Whatever their objectives may be, in order to do damage in an environment the attacker must have access to it. One of the more common ways to achieve this access is through a Command & Control channel. MITRE ATT&CK lists 18 techniques that adversaries use to establish a C2 session.
Common tools and frameworks used
There are many tools used for establishing a C2 channel. Some of them are:
- Metasploit: Metasploit by Rapid7 is a very popular tool consisting of many different types of exploits and auxiliary modules to probe target machines and determine whether they are vulnerable to a particular exploit.
- Cobalt Strike: Although Cobalt Strike is a product built for adversary simulations by Fortra, this C2 tool is very commonly seen in compromised environments. But because it is so common, the security industry has already come up with ways to detect Cobalt Strike and defend against it effectively. The DFIR Report is a popular source for this.
- Sliver: Sliver is an open-source adversary emulation framework created by BishopFox. Sliver offers many different ways to establish a C2 connection such as Mutual TLS, HTTP(S), DNS, or Wireguard. According to BishopFox, it is an open-source alternative to Cobalt Strike.
- Mythic: Mythic is a C2 framework built with Go, Docker, Docker Compose, and a web-browser user interface. Operators have the ability to track their payloads and C2 profiles, which helps them keep track of callbacks. Mythic uses C2 profiles for agents so that each agent knows how to communicate back to the Mythic server. There are 21 agents available as of now.
All of these tools are quite easy to set up and get started with, which makes them really convenient and really dangerous. For my project, I'll be using Mythic as my C2 server.
Atomic Red Team and Caldera are two more useful adversary emulation tools worth checking out.