• Home
  • Explore

TryHackMe | Intro to C2

tryhackme.com/room/introtoc2

1 Users

0 Comments

54 Highlights

0 Notes

Tags

Top Highlights

  • Beacons A Beacon is the process of a C2 Agent calling back to the listener running on a C2 Server.

  • Jitter

  • like “File” jitter or adding junk data to the payload or files being transmitted to make it seem larger than it actually is.

  • This is a preferred method over stageless payloads because a small amount of code needs to be written to retrieve the additional parts of the C2 agent from the C2 server. It also makes it easier to obfuscate code to bypass Anti-Virus programs.

  • 4. Stage 2 is loaded into memory on the Victim Workstation

  • Windows PE files (Executables)

  • PowerShell Scripts Which may contain C# Code and may be compiled and executed with the Add-Type commandlet

  • HTA Files JScript Files Visual Basic Application/Scripts Microsoft Office Documents

  • Cobalt Strike has “Aggressor Scripts”, which are written in the “Aggressor Scripting Language”. PowerShell Empire has support for multiple languages, Metasploit’s Modules are written in Ruby, and many others are written in many other languages.

  • this could be as simple as running SharpHound.ps1 to find paths of lateral movement, or it could be as complex as dumping LSASS and parsing credentials in memory

  • making it easier to access restricted network segments within the C2 Framework.

  • you may be able to open up an “SMB Beacon”, which can enable a machine to act as a proxy via the SMB protocol. This may allow machines in a restricted network segment to communicate with your C2 server.

  • Domain Fronting

  • Red Teamers can abuse this to make it appear that a workstation or server is communicating with a known, trusted IP Address. Geolocation results will show wherever the nearest Cloudflare server is, and the IP Address will show as ownership to Cloudflare.

  • 1. The C2 Operator has a domain that proxies all requests through Cloudflare.

  • C2 Profiles

  • "NGINX Reverse Proxy", "Apache Mod_Proxy/Mod_Rewrite",  "Malleable HTTP C2 Profiles"

  • Whereas if a normal user queried the HTTP Server, they might see a generic webpage. This is all dependent on your configuration.

  • Because HTTPS requests are encrypted, extracting specific headers (ex: X-C2-Server, or Host) may be impossible. By using C2 Profiles, we may be able to hide our C2 server from the prying eyes of a Security Analyst.

  • one feature Cobalt Strike offers that most other C2 frameworks do not is the ability to open a VPN tunnel from a beacon. This can be a fantastic feature if a Proxy does not work well in your specific situation.

Ready to highlight and find good content?

Glasp is a social web highlighter that people can highlight and organize quotes and thoughts from the web, and access other like-minded people’s learning.

AboutPrivacyTerms

© 2023 Glasp Inc. All rights reserved.