Custom Command and Control: A framework for rapid prototyping of custom C2 channels
C3 (Custom Command and Control) is a tool that allows Red Teams to rapidly develop and utilize esoteric command and control (C2) channels. It is a framework that extends other red team tooling, such as the commercial Cobalt Strike (CS) product via ExternalC2, which is supported at release. It allows the Red Team to concern themselves only with the C2 channel they want to implement, relying on the robustness of C3 and the CS tooling to take care of the rest. This efficiency and reliability enable Red Teams to operate safely in critical client environments (by assuring a professional level of stability and security), whilst allowing for safe experimentation and rapid deployment of customized Tactics, Techniques and Procedures (TTPs). This empowers Red Teams to emulate and simulate an adaptive real-world attacker.
The following terms explain some of the underlying building blocks and associated terminology that form a C3 network:
- Relays – An executable to be launched on a compromised host. Relays communicate through Interfaces either between one another or back to the gateway.
- Gateway – A special relay that controls one C3 network. A C3 network cannot operate without an operational gateway. The gateway is the bridge back to the attacker’s infrastructure from Relays. The Gateway is also responsible for communicating back to a third-party C2 server (such as Cobalt Strike’s Teamserver).
- Channels – An agreed scheme for relays to pass data between each other. For example, Slack’s API.
- Gateway Return Channel (GRC) – The configured channel that a relay will use to send data back to the gateway. Note that the GRC may be a route through another relay.
- Interfaces – A high-level name given to anything that facilitates the sending and receiving of data within a C3 network.
- Routes – An intended path of communication across relays back to the gateway.
- Peripheral – A third-party implant of a command and control framework. Peripherals talk to their native controllers via a ‘Controller’. For example, Cobalt Strike’s SMB beacon.
- Connector – An integration with a third-party command and control framework. For instance, the ‘External C2’ interface exposed by Cobalt Strike’s Teamserver through the externalc2_start command.
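The relationship between Relays, Channels, Routes and the Gateway Return Channel can be made concrete by modelling a C3 network as a graph. The following Python is an added example written for this page, not code from the C3 project; the node names and channel labels are constructed sample data, and the function names are my own. It resolves each relay's GRC route back to the gateway by breadth-first search (so a route may pass through another relay, as the GRC definition allows) and flags relays that have no route at all, which is the topology check one would want when auditing or mapping a relay mesh.

```python
from collections import deque

# Constructed sample topology (assumption, not from the C3 project).
# Each entry is (node_a, node_b, channel_name): a channel linking two nodes.
SAMPLE_CHANNELS = [
    ("gateway", "relay-A", "slack"),
    ("relay-A", "relay-B", "smb-pipe"),
    ("relay-B", "relay-C", "smb-pipe"),
    # relay-D has no channel at all and therefore no route to the gateway.
]
SAMPLE_RELAYS = ["relay-A", "relay-B", "relay-C", "relay-D"]


def build_adjacency(channels):
    """Channels are bidirectional, so record each link from both ends."""
    adj = {}
    for a, b, chan in channels:
        adj.setdefault(a, []).append((b, chan))
        adj.setdefault(b, []).append((a, chan))
    return adj


def gateway_return_route(relay, channels, gateway="gateway"):
    """Return the hop list [(next_node, channel), ...] the relay uses to reach
    the gateway, or None if no route exists. BFS yields the fewest-hop route."""
    if relay == gateway:
        return []
    adj = build_adjacency(channels)
    prev = {relay: None}          # node -> (previous node, channel used)
    queue = deque([relay])
    while queue:
        cur = queue.popleft()
        if cur == gateway:
            break
        for nxt, chan in adj.get(cur, []):
            if nxt not in prev:
                prev[nxt] = (cur, chan)
                queue.append(nxt)
    if gateway not in prev:
        return None
    # Walk back from the gateway to the relay, then reverse into send order.
    route = []
    node = gateway
    while prev[node] is not None:
        before, chan = prev[node]
        route.append((node, chan))
        node = before
    route.reverse()
    return route


def audit_routes(relays, channels, gateway="gateway"):
    """Map every relay to its GRC route (or None when orphaned)."""
    return {r: gateway_return_route(r, channels, gateway) for r in relays}


def orphaned_relays(relays, channels, gateway="gateway"):
    """Relays that cannot reach the gateway by any path."""
    routes = audit_routes(relays, channels, gateway)
    return sorted(r for r, route in routes.items() if route is None)


if __name__ == "__main__":
    for relay, route in audit_routes(SAMPLE_RELAYS, SAMPLE_CHANNELS).items():
        print(relay, "->", route if route is not None else "NO ROUTE")
    print("orphaned:", orphaned_relays(SAMPLE_RELAYS, SAMPLE_CHANNELS))
```

In the sample, relay-A talks to the gateway directly over the "slack" channel, relay-B's GRC is a route through relay-A, relay-C's route passes through both, and relay-D is reported as orphaned because no channel reaches it.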
Copyright (c) 2018-2019, MWR Infosecurity
All rights reserved.