What is a C2?
A Command & Control (C2 or C&C) is the infrastructure an attacker uses to control their agents deployed on compromised systems. It is the brain of the offensive operation: without a C2, an attacker cannot maintain access, run commands, or exfiltrate data.
The attacker / agent / C2 model
In any offensive operation, three elements coexist:
| Element | Role | Examples |
|---|---|---|
| Attacker (operator) | Sends orders, receives results | Red teamer, pentester |
| C2 server (teamserver) | Receives agent connections, relays orders | Metasploit, Cobalt Strike, Sliver |
| Agent (beacon / implant) | Runs on the compromised target, executes commands | Meterpreter, Beacon, custom implant |
Why a C2 and not just a reverse shell?
A basic reverse shell (`bash -i >& /dev/tcp/...`) is fragile:
- It dies on the slightest network interruption
- It does not support multiple operators simultaneously
- It does not encrypt communications
- It is trivial to detect (raw TCP connection)
A professional C2 provides:
| Feature | What it provides |
|---|---|
| Encrypted communications (TLS, HTTPS) | Hides commands and results from IDS/IPS that inspect plaintext traffic |
| Sleep / jitter | The agent checks in at irregular intervals instead of on a fixed period → beaconing is harder to spot |
| Multi-sessions | Manage dozens of agents from a single interface |
| Built-in pivoting | Hop into internal networks that are not exposed |
| Post-exploitation modules | Keylogger, screenshot, dump credentials, privilege escalation |
| Persistence | Survives reboots via registry, services, scheduled tasks |
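The defender's side of the sleep/jitter trade-off, as an added example that is not part of the original lesson: even with jitter, an agent's check-ins are far more regular than human browsing, and a proxy log can be scored on that regularity. The log format, hosts, IPs and thresholds below are constructed assumptions, not real data.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

START = datetime(2024, 1, 1, 9, 0, 0)  # constructed base time

def make_log(src, dst, intervals):
    """Build constructed 'timestamp src dst' proxy lines from the gaps (seconds)
    between consecutive requests of one client to one host."""
    lines, t = [], START
    for gap in [0] + intervals:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} {src} {dst}")
    return lines

# Agent with sleep=60s and 10% jitter: every gap lands within 54..66s.
BEACON = make_log("10.0.0.5", "cdn-assets.example", [60, 54, 66, 58, 63, 55, 65, 61])
# A person browsing: short bursts separated by long idle periods.
HUMAN = make_log("10.0.0.7", "news.example", [3, 120, 7, 900, 2, 45, 600, 12])
SAMPLE_LOG = BEACON + HUMAN  # constructed sample input

def parse(lines):
    """Group request timestamps per (src, dst) pair."""
    series = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def beacon_score(timestamps):
    """Coefficient of variation (stdev / mean) of the inter-request gaps.
    Near 0 means clockwork check-ins; jitter raises it a little, humans a lot."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 4:  # too few requests to judge periodicity
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def find_beacons(lines, max_cv=0.3, min_requests=5):
    """Return [(pair, cv)] for client/host pairs whose timing looks like a sleep loop."""
    hits = []
    for pair, ts in parse(lines).items():
        cv = beacon_score(sorted(ts))
        if cv is not None and len(ts) >= min_requests and cv <= max_cv:
            hits.append((pair, round(cv, 3)))
    return hits

if __name__ == "__main__":
    for (src, dst), cv in find_beacons(SAMPLE_LOG):
        print(f"candidate beacon {src} -> {dst} (CV={cv})")
```

Raising the jitter widens the agent's gap distribution and pushes its CV toward the human range, which is exactly why operators pay for stealth with slower response times.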
The most well-known C2s
| C2 | License | Agent | Used by |
|---|---|---|---|
| Metasploit Framework | Open source | Meterpreter | Pentesters, CTF |
| Cobalt Strike | Commercial ($5,000/year) | Beacon | Red teams, APTs (cracked versions) |
| Sliver | Open source (BishopFox) | Go implant | Modern red teams |
| Havoc | Open source | Demon | Advanced red teams |
| Brute Ratel C4 | Commercial | Badger | Red teams, APT groups |
C2 communication protocols
An agent must communicate with its server without being detected. Modern C2s support multiple protocols so that their traffic blends in with legitimate traffic:
| Protocol | Advantage | Drawback |
|---|---|---|
| HTTPS | Works almost everywhere, natively encrypted | Inspected by corporate proxies |
| DNS | Rarely filtered, traverses firewalls | Very low bandwidth |
| SMB (named pipe) | Internal lateral movement, no external traffic | Limited to internal networks |
| HTTP via CDN | Traffic looks legitimate (Cloudflare, AWS) | More complex configuration |
C2 in the attack cycle (Kill Chain)
C2 happens after the initial compromise:
Reconnaissance → Weaponization → Delivery → Exploitation
→ Installation (agent deployed) → C2 (communication) → Actions on Objectives
C2 phases include:
- Lateral movement: reach other machines from the agent
- Privilege escalation: move from user to SYSTEM/root
- Exfiltration: extract sensitive data
- Persistence: survive reboots
Flashcards
What is the difference between a reverse shell and a C2 agent?
What is 'sleep/jitter' in a C2?
Why is DNS used as a C2 channel despite its low bandwidth?
Which Kill Chain phase corresponds to the use of C2?
Question 1 — What are the trade-offs between responsiveness and stealth (sleep/jitter) in a C2?
Next Lesson
You now understand C2 fundamentals. The next lesson covers C2 architecture in detail: listeners, agents, and how a teamserver coordinates command and control.
Next: C2 Architecture — Listener, Agent, Teamserver