A C2 framework (Command and Control framework) is software designed to provide a platform for remote command and control of a network of compromised systems.
Typically, a framework includes a server component that is used to manage and control the compromised systems, and an agent component that is installed on the compromised systems to facilitate communication with the server. Features such as reconnaissance, lateral movement, evasion, and upload/download functionalities are common in such frameworks.
C2 frameworks are commonly utilized by malicious actors to manage compromised systems from afar and initiate attacks on specific networks. Additionally, they have gained popularity among offensive security professionals in the realm of adversary emulation and simulation – such as red and purple teaming.
Purple teaming is a collaborative approach to cybersecurity that involves bringing together red team (offensive) and blue team (defensive) capabilities to identify and mitigate vulnerabilities in an organization's security posture. In this context, C2 frameworks can be used in purple teaming engagements in several ways, including:
Overall, C2 frameworks and adversary emulation engagements can serve as a beneficial asset for companies seeking to enhance their security posture and security personnel. By utilizing offensive capabilities within a controlled and collaborative setting, the security personnel can effectively detect and resolve vulnerabilities before they can be exploited by actual malicious actors.
Looking at some of the frameworks from the C2 matrix (C2Matrix - Google Sheets), there were many great projects with many talented individuals and teams. Ultimately, each framework is unique with different development goals and to be used in different scenarios. Deciding on what tools to use in your engagement ultimately depends on the goals and requirements.
These three frameworks discussed below were picked due to being stable, feature-rich, and popular in the infosec community. They provide practitioners with the needed capabilities to perform purple teaming engagements with each being a great option in their respective scenarios and engagement requirements.
Mythic C2 (Best all-rounder and awesome for purple/red team engagements)
“A cross-platform, post-exploit, red teaming framework designed to provide a collaborative and user-friendly interface for operators.”
Mythic is a framework maintained by SpectreOps (link to SO) which has been in the industry since 2018 and used by both threat actors and security professionals in the field. The framework has a unique design where the operator can pick the agent based on the requirements of the engagement. Additionally, there are multiple levels of authorization assignable to users which a lead-operator (administrator) could choose from. The commands used during the engagement can be mapped to the Mitre Att&ck framework to assist in the reporting phase.
The stability and features of the agents make this framework a popular choice for purple teaming engagements as TTP’s can be tested with ease. A popular C#-based agent called Apollo is perfect for testing Windows based environments. There are also other agents (Merlin, Hermes, Athena) available for multi-OS or Linux/Mac specific systems. Custom agents can also be developed by operators and offensive security professionals should the engagement require it.
Empire C2 (Great for windows environments – probably the most popular on the list)
“Empire is a post-exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers.”
BC-Security’s (link to BCS) fork of Empire is constantly updated with new features and tools to make it easy for operators to perform engagements on Windows environments. The framework has a ton of tools written in PowerShell, C#, and Python to assist operators in multiple scenarios ranging from reconnaissance all the way through to exfiltration and even a ransomware and cryptominer for testing impact. Operators can also run their own custom tools for engagement specific requirements.
The commands issued to the agents are mapped to the Mitre Att&ck framework to so reporting on the engagements would be a bit easier. Operators can also see the number linked to each technique when they view which commands or tools to run. BC-Security uses Empire C2 in their courses and take inspiration from the students for new feature updates.
Fun fact: The original project was featured in the hacking themed video game Watch Dogs 2!
Caldera C2 (Great for training and learning smaller blue teams)
“CALDERA™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.”
Mitre themselves develop and maintain the Caldera C2 project, with the actions from the operators mapped to the Mitre Att&ck framework. Caldera is designed to be extendable and customizable through plugins, many of which are available on the GitHub profile of the organization, with operators being able to create and integrate their own plugins per engagement requirements.
The agent is dynamically compiled with the functionality needed for testing, and it being written in Golang means that the agent can be compiled to run on Windows, Linux, and MacOS systems. Additionally, operators can create adversary profiles with commands and actions that can be used to automate the testing by running commands for the blue team to respond to and hunt.
At the end of the day, it is all about choosing the right tool for the right job, and knowing what is the best method to achieve your goals. The frameworks mentioned in the article were only three of countless other available out there. What makes them great are not only the features and updates, but that all of them have good documentation, really friendly user-experience, and you can trust that it will not let you down during your engagements – not too bad for something that is free and open-source!
Author: G. Botha