Yaksas Security

Cyber Security Research

The Three Command and Control Tiers

Uday Mittal March 12, 2021

This post is part of our course Adversary Emulation 101: Mimicking a real-world cyber attack.

A well-designed Command and Control (C2) infrastructure is critical to the success of an adversary emulation exercise. During an engagement, established C2 sessions may get disconnected frequently. Whenever this happens, there is a temptation to re-exploit the target and establish another C2 session. This is not only time consuming but also not recommended during an active engagement: it can put the entire engagement at risk, as re-exploitation may lead to unwanted consequences. To avoid this, C2 mechanisms are deployed in a layered (or tiered) manner.

What are the three Command and Control tiers?

C2 mechanisms are generally deployed in the following three tiers:

  • Interactive – C2 mechanisms in this tier are used more frequently than others. They are primarily used for issuing commands, enumeration, scanning and data exfiltration. The callback time is usually within minutes. For example, C2 agents deployed on target machines.
  • Short-Haul – C2 mechanisms in this tier are used to re-establish interactive mechanisms. The callback time is within 12-24 hours. For example, a cronjob that downloads the C2 agent and executes it every 12 hours.
  • Long-Haul – C2 mechanisms in this tier are used to re-establish short-haul mechanisms. The callback time is 24 hours or more. This is the slowest mechanism of all three and should not be used for interactive purposes. For example, a start-up script to create the cronjob mentioned before.
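From the defender's side, the callback times above are exactly what a threat hunter looks for. The following is an added example, not code from the post: a small Python profiler that groups constructed proxy-log lines by (source, destination, protocol), takes the median gap between connections on each channel and labels which tier that cadence resembles. The log format and the tier thresholds are assumptions derived from the callback times given above.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Thresholds (seconds) assumed from the callback times the post gives per tier.
SHORT_HAUL_MIN = 12 * 3600   # short-haul callbacks: 12-24 hours apart
LONG_HAUL_MIN = 24 * 3600    # long-haul callbacks: 24 hours or more apart

def classify_interval(seconds):
    """Map a typical callback interval to the tier it most resembles."""
    if seconds >= LONG_HAUL_MIN:
        return "long-haul"
    if seconds >= SHORT_HAUL_MIN:
        return "short-haul"
    return "interactive"

def parse_log(lines):
    """Group constructed '<ISO timestamp> <src> <dst> <proto>' lines by channel."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, proto = line.split()
        events[(src, dst, proto)].append(datetime.fromisoformat(ts))
    return events

def profile_beacons(lines, min_callbacks=3):
    """Return {(src, dst, proto): (median_gap_seconds, tier)} for every channel
    with at least min_callbacks connections; channels with fewer are ignored."""
    profiles = {}
    for key, stamps in parse_log(lines).items():
        if len(stamps) < min_callbacks:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        typical = median(gaps)  # median resists a single jittered callback
        profiles[key] = (typical, classify_interval(typical))
    return profiles

# Constructed sample: one host talking to three destinations over three channels.
SAMPLE_LOG = [
    "2021-03-12T09:00:00 10.0.0.5 203.0.113.10 https",  # ~5 min: interactive
    "2021-03-12T09:05:00 10.0.0.5 203.0.113.10 https",
    "2021-03-12T09:10:00 10.0.0.5 203.0.113.10 https",
    "2021-03-12T00:00:00 10.0.0.5 198.51.100.7 dns",    # 12 h: short-haul
    "2021-03-12T12:00:00 10.0.0.5 198.51.100.7 dns",
    "2021-03-13T00:00:00 10.0.0.5 198.51.100.7 dns",
    "2021-03-10T03:00:00 10.0.0.5 192.0.2.22 ssh",      # 48 h: long-haul
    "2021-03-12T03:00:00 10.0.0.5 192.0.2.22 ssh",
    "2021-03-14T03:00:00 10.0.0.5 192.0.2.22 ssh",
    "2021-03-12T10:00:00 10.0.0.9 203.0.113.10 https",  # one hit: too few
]
```

Calling `profile_beacons(SAMPLE_LOG)` labels the HTTPS channel interactive, the DNS channel short-haul and the SSH channel long-haul, which mirrors the "different channel per tier" pattern a hunter should expect rather than a single noisy beacon.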

What to keep in mind while deploying multiple C2 tiers?

  • Use a tier for its intended purpose only. For example, a short-haul C2 mechanism should not be used to run commands interactively.
  • Use different C2 channels (HTTPS, DNS, SSH, SMB etc.) for different tiers. This will ensure that even if one channel gets blocked an alternate is available to use.
  • Use encryption to avoid detection via network security devices.
  • Minimize C2 callback volume wherever possible. This will help in avoiding unnecessary exposure.
  • Avoid dropping binaries on target machines as this may trigger the anti-malware solution and alert the Blue team.

Other posts in this series

  • What is adversary emulation?
  • Red Team Operations Attack Lifecycle
  • Introduction to MITRE ATT&CK Framework
  • PoshC2: A Red Teamer’s Notes

Uday Mittal

Uday Mittal is a cybersecurity professional with rich working experience across various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness and offensive security research, and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.

Filed Under: Adversary Emulation Tagged With: adversary emulation, command and control, poshc2, red team