Trend

Command and control (C2) frameworks

Move over Cobalt Strike: Adversaries and testers have more options for command and control (C2) and post-exploitation frameworks than ever.

Editor’s note: While the detection opportunities and analysis on this page are still relevant, it has not been updated since 2023. 

Analysis

Commercial and open source C2 and post-exploitation frameworks save red teamers time on custom development and allow them to quickly change TTPs in their engagements. Not surprisingly, adversaries also find them attractive due to their ease of use and flexibility. Since there’s no universally agreed upon definition that differentiates C2 from post-exploitation frameworks, we chose to analyze both collectively in this section.

Adversaries have long used open source and leaked versions of commercial frameworks, most notably Metasploit and Cobalt Strike. While Cobalt Strike has received a lot of attention and remains Red Canary’s most-observed framework, both red teamers and adversaries have begun to leverage alternative frameworks.

Cobalt Strike and Metasploit continue to be the most popular C2 and post-exploitation frameworks seen in our customers’ environments. Cobalt Strike was the highest-ranking framework, coming in at #8, followed by Metasploit ranking 14th. While they didn’t break into our top 50 for 2022, Brute Ratel, Sliver, and Mythic may continue to gain popularity as adversaries look for alternative frameworks, so they’re worth keeping an eye on.

Brute Ratel

Brute Ratel is a commercial post-exploitation framework with implants that can take many forms, including executables, service binaries, DLLs, and PowerShell scripts. It is capable of moving laterally via Server Message Block (SMB), escalating privileges, and creating processes to inject itself into for defense evasion. Qbot was observed delivering Brute Ratel in 2022.

Sliver

Sliver is an open source post-exploitation framework written in Go. It executes commands through PowerShell or the Windows Command Shell. It supports several protocols for C2 including HTTP, WireGuard, and DNS. TA551 reportedly used Sliver in 2021, and in 2022 Team Cymru observed at least two distinct campaigns using it. In 2022, adversaries also took advantage of Sliver’s support for macOS.

Mythic

Mythic is an open source post-exploitation framework that has a variety of agents and supports multiple protocols for C2 including TCP, HTTP, DNS, and SMB. Two popular agents are Apfell and Apollo. Apfell is a JavaScript for Automation script for macOS. Apollo is a .NET Windows agent which by default can create and inject into Rundll32. It also has the ability to execute PowerShell commands. It supports using Mimikatz for lateral movement and credential dumping. As with Sliver, Team Cymru was able to tie some Mythic servers to adversaries in the wild.

Post-exploitation and C2 frameworks share objectives even if their implementations differ. At a minimum they automate popular methods of achieving execution and communication. Because these tools emulate the same behaviors adversaries use by hand, detections put in place for post-exploitation frameworks also flag other malicious tooling that relies on the same techniques. Post-exploitation frameworks are often deployed in the later stages of an attack after an initial loader or dropper, so quickly remediating those earlier stages can prevent the deployment of a post-exploitation framework.

Detection opportunities

Many post-exploitation frameworks spawn common Windows processes such as rundll32.exe and inject into them. Looking for processes with incorrect or no command-line arguments or unexpected network connections can uncover malicious activity.

process == 'rundll32.exe'
&&
command == ("")*
&&
has_network_connection

*Note: Empty quotations ("") denote an empty command line

Additionally, many frameworks allow for the execution of PowerShell. Unexpected PowerShell processes or PowerShell DLL loads can also be a sign of a post-exploitation framework.

process == ('regsvr32.exe' || 'rundll32.exe' || 'wscript.exe' || 'mshta.exe' || 'cscript.exe' || 'msxsl.exe')
&&
modload_property_includes ('system.management.automation.dll' || 'system.management.automation.ni.dll')
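The two rules above, expressed as runnable detection logic and run over constructed process telemetry. This is an added example, not Red Canary's own code or query syntax; the event schema (process, command_line, has_network_connection, modloads) and the sample events are assumptions made for illustration. It generalizes the first rule slightly by treating a command line that contains only the image path as empty, since most sensors record at least the executable name even when no arguments were passed.

```python
from dataclasses import dataclass, field


# Constructed telemetry schema for this example; not a real sensor's format.
@dataclass
class ProcessEvent:
    pid: int
    process: str                          # image name, e.g. "rundll32.exe"
    command_line: str                     # full command line recorded at launch
    has_network_connection: bool = False  # sensor observed an outbound connection
    modloads: list = field(default_factory=list)  # full paths of modules loaded


# Script/host binaries that have no business hosting the PowerShell engine.
SCRIPT_HOSTS = {"regsvr32.exe", "rundll32.exe", "wscript.exe",
                "mshta.exe", "cscript.exe", "msxsl.exe"}
POWERSHELL_ENGINE = {"system.management.automation.dll",
                     "system.management.automation.ni.dll"}


def arguments(command_line: str) -> str:
    """Return everything after the image name, so a bare 'rundll32.exe' or a
    quoted '"C:\\Windows\\System32\\rundll32.exe"' both count as empty."""
    cmd = command_line.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rundll32_empty_cmdline_network(ev: ProcessEvent) -> bool:
    """Rule 1: rundll32.exe launched with no DLL/export argument that then
    talks to the network. A legitimate rundll32 invocation names its DLL."""
    return (ev.process.lower() == "rundll32.exe"
            and arguments(ev.command_line) == ""
            and ev.has_network_connection)


def script_host_loads_powershell_engine(ev: ProcessEvent) -> bool:
    """Rule 2: a host binary that should not need PowerShell loads the
    PowerShell engine DLL, a sign of an implant running PowerShell in-process."""
    return (ev.process.lower() in SCRIPT_HOSTS
            and any(basename(m) in POWERSHELL_ENGINE for m in ev.modloads))


RULES = [rundll32_empty_cmdline_network, script_host_loads_powershell_engine]


def run_detections(events):
    """Return (pid, rule name) for every event that matches a rule."""
    return [(ev.pid, rule.__name__) for ev in events for rule in RULES if rule(ev)]


# Constructed sample events: two should alert, the rest are benign look-alikes.
SAMPLE_EVENTS = [
    # implant-style rundll32 with nothing on the command line, beaconing out
    ProcessEvent(4120, "rundll32.exe", "rundll32.exe", has_network_connection=True),
    # normal rundll32 use: DLL and export named, network use is not enough alone
    ProcessEvent(4130, "rundll32.exe",
                 'rundll32.exe "C:\\Windows\\System32\\shell32.dll",Control_RunDLL',
                 has_network_connection=True),
    # empty command line but no network connection: no alert
    ProcessEvent(4140, "rundll32.exe", '"C:\\Windows\\System32\\rundll32.exe"'),
    # mshta loading the native-image PowerShell engine
    ProcessEvent(5200, "mshta.exe", "mshta.exe C:\\Users\\Public\\update.hta",
                 modloads=["C:\\Windows\\System32\\mshtml.dll",
                           "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\"
                           "System.Manaa57fc8cc#\\System.Management.Automation.ni.dll"]),
    # powershell.exe is expected to load the engine, so it is outside the rule
    ProcessEvent(6000, "powershell.exe", "powershell.exe -nop -w hidden",
                 modloads=["C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\"
                           "System.Management.Automation\\System.Management.Automation.dll"]),
]

if __name__ == "__main__":
    for pid, rule in run_detections(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} rule={rule}")
```

The second rule deliberately excludes powershell.exe itself: the signal is the engine DLL appearing in a process that never legitimately hosts it, which is why the page scopes the modload check to the script hosts rather than to the DLL alone.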

Testing

Like many of the trends in this report, it's difficult to offer holistic testing guidance about something as broad as post-exploitation tools. However, T1059.001: PowerShell, T1047: Windows Management Instrumentation, T1003.001: LSASS Memory, and T1055: Process Injection are good starting points for testing against post-exploitation and other malicious tools.
