Building a realistic Command-and-Control (C2) infrastructure for authorized red teaming involves creating a multi-tiered, secure, and stealthy setup that mimics real-world adversary behavior. It requires separating the backend team server from the internet-exposed redirectors, using encrypted communication, and employing domain-fronting or reputable domains to blend with legitimate traffic.
Core Architectural Components
A realistic C2 infrastructure should include the following, as described in:
- Team Server (Backend): The core server that manages agents/implants. It should never be directly exposed to the internet.
- Redirectors (Frontend): Low-cost VPS (e.g., DigitalOcean, AWS) running Nginx or Apache, acting as proxies to hide the Team Server IP.
- Domain Names: Use reputable, aged, and properly categorized domains (e.g., for security or IT services).
- Agents/Implants: Lightweight, custom-compiled payloads that communicate with the redirector.
Step-by-Step Implementation Guide
- Select a C2 Framework: Choose a modern framework, such as Sliver, Havoc, or Mythic.
- Set Up Redirectors (Nginx): Configure Nginx to proxy traffic to the backend team server. Use Let's Encrypt for valid SSL certificates.
- Tip: Set up redirection rules to forward traffic for specific paths (e.g.,
/api/v2/auth) to the C2 server, while redirecting all other traffic to a legitimate site (e.g., Microsoft).
- Secure the Infrastructure:
- Use SSH tunnels or VPNs (WireGuard, Tailscale) for communication between the redirector and the team server.
- Implement firewall rules (IPTables/UFW) on the redirector to only allow necessary traffic.
- Configure Payload/Agent Traffic:
- HTTPS: Always use HTTPS to blend with standard web traffic.
- Jitter: Configure random sleep intervals (e.g., 10s sleep, 30% jitter) to avoid detection of regular beaconing patterns.
- User-Agent: Use realistic User-Agent strings (e.g., modern browser profiles).
- Domain Fronting & Reputation: Use Cloudflare to proxy traffic, and ensure the domain is categorized properly to bypass web filters.
Operational Security (OPSEC) Considerations
- Protocol Diversity: Use multiple protocols (DNS over HTTPS, HTTP/S) for fallback.
- Isolation: Use a dedicated VPS for each engagement and separate team servers from redirectors.
- Behavioral Mimicry: Use "long-haul" servers for low-and-slow communication and separate "fast-call" servers for interactive, post-exploitation activity.
- Payload Obfuscation: Utilize tools like
donut for shellcode generation and encrypt payloads to evade EDR/AV, as noted in.
Example Tools
- Frameworks: Sliver, Havoc, Mythic, Cobalt Strike.
- Proxies: Nginx, Apache.
- Infrastructure: Terraform (for automation), Docker (for containerization).
