Attackers often use command and control (often referred to as C2 or CnC) systems to send commands and instructions to compromised systems. The C2 can be the attacker’s system (for example, desktop, laptop) or a dedicated virtual or physical server. A C2 creates a covert channel with the compromised system. A covert channel is an adversarial technique that allows the attacker to transfer information objects between processes or systems that, according to a security policy, are not supposed to be allowed to communicate.
Attackers often use virtual machines in a cloud service or even use other compromised systems as C2 servers. Even services such as Twitter, Dropbox, and Photobucket have been used for C2 tasks. The C2 communication can be as simple as maintaining a timed beacon, or “heartbeat,” to launch additional attacks or for data exfiltration.
Many different techniques and utilities can be used to create a C2.
socat#
A C2 utility that can be used to create multiple reverse shells (see http://www.dest-unreach.org/socat ↗)
wsc2#
A Python-based C2 utility that uses WebSockets (see https://github.com/Arno0x/WSC2 ↗)
WMImplant#
A PowerShell-based tool that leverages WMI to create a C2 channel (see https://github.com/ChrisTruncer/WMImplant ↗)
DropboxC2 (DBC2)#
A C2 utility that uses Dropbox (see https://github.com/Arno0x/DBC2 ↗)
TrevorC2#
A Python-based C2 utility created by Dave Kennedy of TrustedSec (see https://github.com/trustedsec/trevorc2 ↗)
Twittor#
A C2 utility that uses Twitter direct messages for command and control (see https://github.com/PaulSec/twittor ↗)
DNSCat2#
A DNS-based C2 utility that supports encryption and that has been used by malware, threat actors, and pen testers (see https://github.com/iagox86/dnscat2 ↗)