Command and Control (C2) Utilities
Attackers often use C2 systems to send commands and instructions to compromised systems. The C2 can be the attacker's own system or a dedicated physical or virtual server. A C2 creates a covert channel with the compromised system; a covert channel allows the attacker to transfer information objects between processes or systems that are not supposed to be allowed to communicate. Attackers often use virtual machines in a cloud service or in other compromised systems as C2 servers. Services like Twitter, Dropbox and Photobucket have been used for C2.
Many different techniques and utilities can be used to create a C2:
socat: C2 utility that can be used to create multiple reverse shells
wsc2: Python-based C2 utility that uses WebSockets
WMImplant: PowerShell-based tool leveraging WMI to create a C2 channel
DropboxC2 (DBC2): A C2 utility that uses Dropbox
TrevorC2: Python-based C2 utility created by Dave Kennedy of TrustedSec
Twittor: C2 utility that uses Twitter DMs as its channel
DNSCat2: DNS-based C2 utility that supports encryption; used by threat actors and pentesters