Understanding C2 infrastructure - Part 1
Learn about C2 infrastructure and the components it involves.
As I started reading on Command and Control (C2) Infrastructure, I realized that it will take more than 1 hour (why 1 hour?) to study this topic. So I decided to spread it out over multiple days.
In previous posts, I covered the basics of Command and Control (C2) and operations security (OPSEC). One area where these two combine is setting up secure C2 infrastructure. There are multiple ways this can be done. However, before delving into that, let's understand what C2 infrastructure is and what its core components are.
C2 infrastructure refers to all the parts and pieces that make up the command and control setup for a red team operation. A typical secure C2 infrastructure is made up of the following components:
C2 Server - This is the machine where the C2 server software is deployed. It is the brain of the command and control setup: it handles everything from setting up listeners for agents, generating and hosting payloads, and tracking agents to keeping logs. Some C2 servers can also generate reports from the information gathered and the activities performed during the operation.
C2 Client - Do not confuse this with the C2 Agent. This is the interface through which red team operators interact with the C2 server. It can be provided in the form of a thick client, a command line interface (CLI) or a web-based interface. A thick client or CLI is deployed on the red team operator's machine; a web-based interface is typically hosted on the same server as the C2 server and accessed by operators via a browser. The C2 server usually implements some form of authentication to verify incoming clients.
C2 Agent - This is a small piece of software, either an executable or a script, that is deployed on hosts in the target environment to enable communication between the C2 server and the compromised hosts. It is responsible for executing tasks assigned by the C2 server and reporting their output. It can also download and execute additional tools on the host via techniques such as reflective DLL injection and process hollowing. It is also referred to as a beacon, grunt or implant. It is good practice to implement an authentication mechanism so that the C2 agent can authenticate the C2 server.
C2 Redirector - A redirector is anything that can be deployed in front of the C2 server and is capable of relaying encrypted traffic to and from it. The most common implementation is a cloud-hosted virtual machine running a web server. The redirector helps secure the C2 server by hiding its presence, so that the C2 server itself is never exposed to the internet. It is considered an expendable component of the C2 setup: if it gets detected, it is easy to spin up a new one.
Domain Name - The IP address of the C2 redirector is mapped to this domain name, which will appear in every web request from the C2 Agent to the C2 Redirector. Ideally, the domain name should be chosen so that it blends in with other traffic traversing the target organisation's network. Indicators such as domain age and registration history should also be kept in mind when selecting the domain name.
SSL Certificate - This is a certificate issued by a well-known Certificate Authority, with the CN set to the domain name used for the redirector. It is installed on the C2 server rather than on the redirector, so that decryption of web requests happens on the C2 server and the redirector only forwards encrypted traffic.
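Seen from the defender's side, the components above leave two observable traces in outbound web traffic: the agent's periodic requests to the redirector's domain, and the age of that domain. The Python script below is an added example, not part of the original post, showing how a blue team might triage proxy logs on both signals; the log lines, the registration-date table (standing in for a WHOIS/RDAP lookup) and the thresholds are all constructed assumptions.

```python
"""Triage outbound proxy traffic for C2-redirector indicators:
recently registered destination domains and regular request intervals.
Added example; the data below is constructed, not captured."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

# Constructed proxy log: timestamp, client IP, destination host, bytes sent.
PROXY_LOG = """\
2024-03-11T09:00:05 10.0.5.23 updates.example-vendor.com 812
2024-03-11T09:01:05 10.0.5.23 cdn-metrics-sync.example 640
2024-03-11T09:02:06 10.0.5.23 cdn-metrics-sync.example 640
2024-03-11T09:03:05 10.0.5.23 cdn-metrics-sync.example 641
2024-03-11T09:04:05 10.0.5.23 cdn-metrics-sync.example 640
2024-03-11T09:05:05 10.0.5.23 cdn-metrics-sync.example 640
2024-03-11T09:07:44 10.0.5.41 mail.example-vendor.com 2210
"""

# Constructed registration dates; a real deployment would query WHOIS/RDAP
# (assumption: such a lookup is available to the analyst).
REGISTRATION_DATES = {
    "example-vendor.com": date(2009, 4, 2),
    "cdn-metrics-sync.example": date(2024, 2, 27),
}


def registered_domain(host):
    """Reduce a hostname to its registrable domain.

    Naive: keeps the last two labels, which is wrong for multi-label public
    suffixes such as co.uk; use the Public Suffix List in real tooling.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_proxy_log(text):
    """Parse the whitespace-separated constructed log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, sent = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "host": host, "bytes": int(sent)})
    return records


def domain_age_days(host, when, registry):
    """Days between registration and the request; None if unknown."""
    registered = registry.get(registered_domain(host))
    if registered is None:
        return None
    return (when.date() - registered).days


def beacon_stats(timestamps):
    """Return (mean gap in seconds, max deviation from that mean), or None
    when fewer than three requests exist to measure an interval from."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg, max(abs(g - avg) for g in gaps)


def triage(log_text, registry, max_age_days=30, max_jitter=5.0):
    """Group requests per (client, host) and return findings with reasons."""
    by_pair = defaultdict(list)
    for r in parse_proxy_log(log_text):
        by_pair[(r["client"], r["host"])].append(r)
    findings = []
    for (client, host), recs in by_pair.items():
        reasons = []
        age = domain_age_days(host, recs[-1]["ts"], registry)
        if age is None:
            reasons.append("no registration record")
        elif age <= max_age_days:
            reasons.append(f"domain registered {age} days ago")
        stats = beacon_stats([r["ts"] for r in recs])
        if stats and stats[1] <= max_jitter:
            reasons.append(f"regular interval ~{stats[0]:.0f}s "
                           f"(jitter {stats[1]:.0f}s)")
        if reasons:
            findings.append({"client": client, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(PROXY_LOG, REGISTRATION_DATES):
        print(f["client"], f["host"], "; ".join(f["reasons"]))
```

On the constructed data the script flags only `10.0.5.23 -> cdn-metrics-sync.example`, for both reasons: the domain is 13 days old and the requests arrive every 60 seconds with at most one second of drift. Treat the output as a triage queue rather than an alert: agents commonly add randomised sleep to defeat exactly this interval check, so the domain-age signal and the request volume matter as much as the jitter threshold.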
Red Team Notes
- C2 Infrastructure - Parts and pieces that make up the C2 setup.
- Core C2 Components - Server, Client, Agent, Redirector, Domain Name and SSL Certificate.
- The client can be in the form of a thick client, a CLI or a web interface. Do not confuse a client with an agent.
- The C2 agent is small in size but packs multiple capabilities, such as command execution, downloading and executing tools, acting as a listener for chained agents, uploading data, and taking screenshots.
- Redirector helps in securing the C2 setup.