Pawel Kurowski edited this page Aug 30, 2019 · 9 revisions

C3 - Custom Command and Control

Threat actors increasingly use innovative and covert command and control (C2) channels as part of their campaigns. To provide representative simulations, security providers must develop equivalent capability. Custom Command and Control (C3) is MWR's solution to this problem, and provides three notable contributions:

  1. The introduction of a framework for the rapid prototyping of new C2 channels, which seamlessly integrates with Cobalt Strike.

  2. The ability of "implants" (NodeRelays in C3 terminology) that use this framework to dynamically adapt and use alternative C2 channels in order to support covert activity and hinder the efforts of security monitoring teams.

  3. The ability of C3 relays to be chained together to allow arbitrary C2 channel usage at multiple levels.

The current implementation of C3 is designed to work with the external C2 interface within Cobalt Strike. In brief, this interface allows Cobalt Strike traffic to effectively be "man-in-the-middled" and re-routed over arbitrary mediums, rather than simply relying on the HTTP(S) and DNS C2 channels supported within Cobalt Strike itself. If you would like more information on external C2, it is highly recommended that you read Raphael Mudge's whitepaper introducing the functionality.
