⚠️ Pracivo Security Lab — Post-exploitation techniques for authorized penetration testing. Persistence, exfiltration, pivoting, LOLBins, C2 frameworks.
> C2 Frameworks Overview
COMMAND & CONTROL
# C2 (Command & Control) frameworks manage compromised machines
# Used by red teams and real attackers
# 1. COBALT STRIKE (commercial, industry standard)
# Most feature-rich, used by nation-state APTs and pentesters
# Key features: Beacon agent, malleable C2 profiles, BOF (Beacon Object Files)
# Cost: $3,500/year (cracked versions widely abused)
# Artifacts: .cobaltstrike.beacon* files, default port 50050
# 2. SLIVER (open source, Microsoft/CISA recommended alternative)
# Modern replacement for Cobalt Strike
# Supports: Mutual TLS, HTTP/S, DNS, WireGuard C2
# Implants: cross-platform (Windows/Linux/macOS)
# github.com/BishopFox/sliver
# 3. HAVOC (open source, modern)
# Features: Demon agent, collaborative team server, rich UI
# Supports: SMB pivoting, BOF, process injection
# github.com/HavocFramework/Havoc
# 4. METASPLOIT (free, see /metasploit page)
# Most widely used for learning and basic ops
# 5. EMPIRE / STARKILLER (open source)
# PowerShell/Python agents, modular post-exploitation
# Good for AD attacks and lateral movement
# C2 DETECTION (blue team):
# - Beacon traffic: regular HTTP/S requests at fixed intervals
# - JA3 fingerprinting: Cobalt Strike has known JA3 hashes
# - DNS: unusually long or label-heavy subdomain queries indicate DNS C2 / tunnelling
# - User-Agent anomalies: hardcoded UA strings
# - Certificate: self-signed certs with CS default values
# - Sysmon Event ID 3: network connections from unusual processes
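An added example, not part of the original notes, that runs two of the checks above over constructed log lines: the fixed-interval beacon check (coefficient of variation of request gaps per src/dst pair) and the long-subdomain DNS check. The log format, thresholds, and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not captured traffic): "<ISO time> <src> <dst> <user-agent>".
# 10.0.0.5 talks to 203.0.113.7 every ~60s (beacon-like); 10.0.0.8 browses irregularly.
PROXY_LOG = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.7 Mozilla/5.0 (compatible; MSIE 9.0)
2024-03-01T09:01:00 10.0.0.5 203.0.113.7 Mozilla/5.0 (compatible; MSIE 9.0)
2024-03-01T09:02:01 10.0.0.5 203.0.113.7 Mozilla/5.0 (compatible; MSIE 9.0)
2024-03-01T09:03:00 10.0.0.5 203.0.113.7 Mozilla/5.0 (compatible; MSIE 9.0)
2024-03-01T09:04:00 10.0.0.5 203.0.113.7 Mozilla/5.0 (compatible; MSIE 9.0)
2024-03-01T09:00:10 10.0.0.8 198.51.100.2 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-03-01T09:00:12 10.0.0.8 198.51.100.2 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-03-01T09:07:45 10.0.0.8 198.51.100.2 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-03-01T09:31:03 10.0.0.8 198.51.100.2 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-03-01T09:31:04 10.0.0.8 198.51.100.2 Mozilla/5.0 (Windows NT 10.0) Chrome/120
"""

def parse_proxy_log(text):
    """Yield (timestamp, src, dst, user_agent) tuples from the assumed log format."""
    for line in text.splitlines():
        ts, src, dst, ua = line.split(" ", 3)
        yield datetime.fromisoformat(ts), src, dst, ua

def find_beacons(records, min_hits=5, max_cv=0.1):
    """Return {(src, dst): mean_gap_seconds} for pairs whose request intervals
    are nearly constant. cv = stdev/mean of the gaps between consecutive
    requests: a periodic beacon gives a low cv, human browsing a high one.
    Beacon jitter raises the cv, so max_cv is a tuning knob, not a fixed truth."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits[pair] = round(avg, 1)
    return hits

def suspicious_dns(qname, max_label=40, max_labels=6):
    """Flag DNS-tunnelling candidates: one very long label or too many labels."""
    labels = qname.rstrip(".").split(".")
    return max(len(l) for l in labels) > max_label or len(labels) > max_labels
```

With the sample above only the 10.0.0.5 pair is reported, with a mean gap of 60.0 seconds; real deployments should whitelist known periodic clients (update checks, monitoring agents) before alerting.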
# MALLEABLE C2 PROFILES (Cobalt Strike):
# Customize C2 traffic to look like legitimate services
# Mimic: Google Analytics, Office 365, Dropbox API traffic
# https://github.com/rsmudge/Malleable-C2-Profiles