Command and Control Tiers
Designing a robust command and control infrastructure involves creating multiple layers of command and control, which can be described as tiers. Each tier offers a level of capability and covertness. The idea of using multiple tiers is the same as not putting all your eggs in one basket: if one C2 channel is detected and blocked, having a backup allows operations to continue. C2 tiers generally fall into three categories: Interactive, Short-Haul, and Long-Haul. These are sometimes labeled as Tier 1, 2, or 3. There is nothing unique to each tier other than how it is used.
The use of redirectors is independent of the command and control tiers.
General Rules to Maintain Multiple Tiers
- Maintain discipline in each tier and only use each tier for its intended purpose
- Only pass or establish new sessions down. Long Haul can only pass to Short Haul or interactive. Short can pass to Interactive. Interactive can only pass to other interactive sessions.
- Use a different profile for each tier: Communication type, ports, protocols, callback times, etc.
- Slow down callback time when not in use
Of course, there are exceptions to these rules; a Red Team must be flexible to achieve its goals. If a rule is violated, be aware of the exposure risks before performing the action. For example, if a long-haul server dies after it was initially established, a short-haul or interactive tier may be needed to re-establish the long haul.
Tiers and Their Uses
Interactive (Tier 3)
- Used for general commands, enumeration, scanning, data exfiltration, etc.
- This tier has the most interaction and is at the greatest risk of exposure
- Plan to lose access from communication failure, agent failure, or Blue Team actions
- Run enough interactive sessions to maintain access. Although interactive, this doesn’t mean blasting the client with packets. Use good judgment to minimize interaction just enough to perform an action.
Short Haul (Tier 2)
- Used as a backup to re-establish interactive sessions
- Use covert communications that blend in with the target
- Slow callback times; callback times in the 1 to 24 hour range are common
Long Haul (Tier 1)
- Same as Short Haul, but even lower and slower
- Slow callback times; callback times in the 24+ hour range are common
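The tiers above differ mainly in their callback interval, which is also what a defender can look for. As an added, defender-side example that is not part of the original post, the following Python flags timer-like callbacks in constructed web-proxy log lines by measuring the jitter of inter-arrival times per source/destination pair; the log format, the sample hosts and the thresholds are assumptions.

```python
# Added example, not from the original post: flag timer-like callbacks in constructed
# proxy log lines via inter-arrival jitter per (src, dst). Format/thresholds are assumed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one request per line: "<ISO timestamp> <src_ip> <dst_host>".
# 10.0.0.5 calls back hourly with seconds of jitter; 10.0.0.7 is irregular browsing.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 cdn-assets.example
2024-03-01T10:00:03 10.0.0.5 cdn-assets.example
2024-03-01T11:00:01 10.0.0.5 cdn-assets.example
2024-03-01T11:59:58 10.0.0.5 cdn-assets.example
2024-03-01T13:00:02 10.0.0.5 cdn-assets.example
2024-03-01T09:12:00 10.0.0.7 news.example
2024-03-01T09:45:30 10.0.0.7 news.example
2024-03-01T12:03:10 10.0.0.7 news.example
2024-03-01T12:03:11 10.0.0.7 news.example
"""

def parse_log(text):
    """Group request timestamps per (src, dst) pair, sorted in time order."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return {pair: sorted(stamps) for pair, stamps in pairs.items()}

def beacon_score(timestamps):
    """Return (mean gap in seconds, jitter ratio) for a timestamp series, or
    None if too few points. Jitter ratio = stdev / mean; a timer gives a low value."""
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg > 0 else float("inf"))

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Flag pairs whose callbacks are regular enough to look like a timer.
    Long-haul callbacks (24h+) need a log window of several days to reach
    min_hits, so tune min_hits and the window length together."""
    flagged = {}
    for pair, stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score and len(stamps) >= min_hits and score[1] <= max_jitter:
            flagged[pair] = score
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Slower tiers hide from this check simply by not producing enough hits inside the log window, which is why the retention period matters as much as the jitter threshold.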
Designing a command and control infrastructure
Designing a C2 infrastructure is one of the most critical tasks when planning a Red Team engagement. C2 infrastructure planning involves choosing the number and type of C2, whether to use IP addresses or domain names, C2 protocols and how or if to use redirectors. The decision of each is directly related to a Red Team’s goals.
If a team is engaging a target in a full-scale Red Team operation, stealth and covert channels will be a good choice.
Typical C2 design for a full-scale Red Team operation
- 3 C2 servers: an interactive tier server, a short-haul server, and a long-haul server
- Multiple redirectors
- 0, 1, or 2 carefully chosen domain names for each IP address (preferably with history and categorization)
- Direct communication between the target and C2 does not occur. All traffic pivots through a redirection server.
- Use of common protocols on standard ports to blend in (HTTP(S) or DNS)
- Communications are encrypted
If a team is emulating a specific threat or trying to stimulate a Blue Team's response, stealth may not be as important.
Typical C2 design for emulating an adversary, designed to stimulate Blue Team operations
- 1 or 2 C2 servers. All tiers are used for interaction with the target
- Redirectors are not in use
- IP addresses are used instead of domain names. The target and C2 communicate directly
- Use of common protocols on standard or non-standard ports (HTTP(S))
- Communications may or may not be encrypted
Comparison of the two designs (full-scale Red Team operation vs. Blue Team stimulation)
- Tiers: Interactive, Short, and Long Haul vs. 1 or 2 Interactive tiers
- Redirectors: in use vs. not in use (no redirectors accelerate Blue Team stimulation)
- Naming: multiple domain names with history and categorization vs. IP addresses
- Protocols: use of common protocols, HTTP(S) / DNS, in both designs
- Encrypted traffic
- Valid SSL certificates (https://letsencrypt.org/)
You can also check our previous post about what Command & Control Redirectors are.
Secure Your Organization’s Mind with Securemind.se