SlideShare a Scribd company logo

C2 Matrix A Comparison of Command and Control Frameworks

Jorge Orchilles
Jorge Orchilles

Command and Control is one of the most important tactics in the MITRE ATT&CK matrix as it allows the attacker to interact with the target system and realize their objectives. Organizations leverage Cyber Threat Intelligence to understand their threat model and adversaries that have the intent, opportunity, and capability to attack. Red Team, Blue Team, and virtual Purple Teams work together to understand the adversary Tactics, Techniques, and Procedures to perform adversary emulations and improve detective and preventive controls. The C2 Matrix was created to aggregate all the Command and Control frameworks publicly available (open-source and commercial) in a single resource to assist teams in testing their own controls through adversary emulations (Red Team or Purple Team Exercises). Phase 1 lists all the Command and Control features such as the coding language used, channels (HTTP, TCP, DNS, SMB, etc.), agents, key exchange, and other operational security features and capabilities. This allows more efficient decisions making when called upon to emulate and adversary TTPs. It is the golden age of Command and Control (C2) frameworks. Learn how these C2 frameworks work and start testing against your organization to improve detective and preventive controls. The C2 Matrix currently has 35 command and control frameworks documented in a Google Sheet, web site, and questionnaire format. Google Sheet (Golden Source): https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0 Website: https://www.thec2matrix.com/matrix https://ask.thec2matrix.com/ Follow on Twitter for updates: https://twitter.com/c2_matrix

Technology
1 of 20
#C2MATRIXA COMPARISON OF C2 FRAMEWORKS @JORGEORCHILLES PRESENTED BY
C2 MATRIX SPEAKER Leads the offensive security team at large financial Published author with industry contributions including: • Common Vulnerability Scoring System (CVSSv3.1) • Threat-led penetration testing framework (GFMA) • SANS Certified Instructor • Author of SEC564: Red Team Exercises and Adversary Emulation • ISSA fellow • Board of the ISSA South Florida since 2010 • AuthorofWindows7AdministratorsReference JORGE ORCHILLES @JORGEORCHILLES /IN/JORGEORCHILLES/
 Python2 server; *nix and windows agents  Automatically configures lightweight agents with listener  C2 via http or https (proxy aware) as beacons  Cryptographically secure communication (regardless of TLS)  Rapid deployment of post-exploitation modules, with a variety of module types: powersploit, powerbreach, powerup, powerview  Reliable, consistent, not many bugs; operational security!  Thank you! @Harmj0y | @sixdub | @enigma0x3 rvrsh3ll | @killswitch_gui | @xorrior EMPIRE WAS THE BEST… @JORGEORCHILLES
”the projects time has passed and newer frameworks with better capabilities have been released” ”the projects time has passed and newer frameworks with better capabilities have b ”the projects time has passed and newer frameworks with better capabilities have been released” ects time has passed and newer frameworks with better capabilities have been released” passed and newer frameworks with better capabilities have been released” ”the projects time has passed and newer frameworks with better capabilities have been released” ”the projects time has passed and newer frameworks with better capabilities have been released” ”the projects time has passed and newer frameworks with better capabilities have been released” ”the projects time has passed and newer frameworks with better capabilities have been released” HELP! OH no! SOS! What do we do!? HELP! OH no! SOS! What do we do!? BUT NOW… "The project's time has passed and newer frameworks with better capabilities have been released. So it is time to say farewell to EMPIRE" @JORGEORCHILLES
THE MISSION Choose the best modern, replacement for Empire. One that is reliable, consistent, user-friendly and that meets these requirements @JORGEORCHILLES
OUR REQUIREMENTS 62 % @JORGEORCHILLES  Operationally secure  Multiple C2 channels  Multiple agents/payloads  Custom profiles  Domain fronting capable  Proxy aware  Internal pivoting  Multi-user  Community involvement
THERE ARE A LOT OF DIFFERENT FRAMEWORKS 30 TO BE EXACT @JORGEORCHILLES
APFELL C3 CALDERA COBALT STRIKE COVENANT EMPIRE EVILOSX FACTION C2 FLYINGAFALSEFLAG GODOH IBOMBSHELL INNUENDO KOADICC3 MACSHELLSWIFT MERLIN NUAGES POSHC2 POSHC2_PYTHON POWERHUB PRISMATICA PUPY QUASARRAT RED TEAM TOOLKIT REDVIPER SCYTHE SILENT TRINITY SLIVER THROWBACK TREVOR C2 VOODOO FRAMEWORKS A SPECIAL THANK YOU TO ALL CONTRIBUTING DEVELOPERS!!!! @JORGEORCHILLES
Phase 1  Evaluate and document all C2 frameworks  Focus on communication channel and C2 features Phase 2 Post exploitation features, lateral movement, ATT&CK mapping Phase 3? You tell us SETTING PARAMETERS PHASES IF YOU WILL, OR WE WILL RUN OUT OF TIME @JORGEORCHILLES
INITIAL ACCESS EXECUTION PERSISTENCE PRIVILEGE ESCALATION DEFENSIVE EVASION CREDENTIAL ACCESS DISCOVERY LATERAL MOVEMENT COLLECTION COMMAND AND CONTROL EXFILTRATION IMPACT DRIVE- BY COMPROMISE APPLESCRIPT .BASH_PROFULE AND .BASHRC ACCESS TOKEN MANIPULATION ACCESS TOKEN MANIPULATION ACCOUNT MANIPULATION ACCOUNT DISCOVERY APPLESCRIPT AUDIO CAPTURE COMMONLY USED PORT AUTOMATED EXFILTRATION DATA DESTRUCTION EXPLOIT PUBLIC- FACING APPLICATION CMSTP ACCESIBILITY FEATURES ACCESIBILITY FEATURES BITS JOBS BASH HISTORY APPLICATION WINDOW DISCOVERY APPLICATION DEPLOYMENT SOFTWARE AUTOMATED COLLECTION COMMUINICTION THROUGH REMOVABLE DATA DATA COMPRESSED DATA ENCRYPTED FOR IMPACT EXTERNAL REMOTE SERVICES COMMAND-LINE INTERFACE ACCOUNT MANIPULATION APPCERT DLLS DINARY PADDING BRUTE FORCE BROWSER BOOKMARK DISCOVERY DISTRUBETED COMPONENT OBJECT MODEL CLIPBOARD DATA CONNECTION PROXY DATA ENCRYPTED DEFACEMENT HARDWARE ADDITIONS COMPILED HTML FILE APPCERT DLLS APPINIT DLLS ACCOUNT CONTROL BYPASS USER CREDENTIAL DUMPING DOMAIN TRUST DISCOVERY EXPLOITATION OF REMOTE SERVICES DATA STAGE CUSTOM COMMAND AND CONTROL PROTOCOL DATA TRANSFER SIZE LIMIT DISK CONTENT WIPE REPLICATION THROUGH REMOVABLE MEDIA CONTORL PANEL ITEMS APPINIT DLLS APPLICATION SHIMMIMG CMSTP CREDENTIALS IN FILES FILE AND DIRECTORY DISCOVERY LOGON SCRIPT DATA FROM INFORMATION REPOSITORIES CUSTOM CRYPTOGRAPHIC PROTOCOL EXFILTRATION OVER ALTERNATIVE PROTOCOL DISK STRUCTURE WIPE SPEARPHISHING ATTACHMENT DYNAMIC DATA EXCHANGE APPLICATION SHIMMING BYPASS USER ACCOUNT CONTROL CLEAR COMMAND HISTORY CREDENTIALS IN REGISTRY NETWORK SERVICE SCANNING PASS THE HASH DATA FROM LOCAL SYSTEM DATA ENCODING EXFILTRATION OVER COMMAND AND CONTROL CHANNEL ENDPOINT DENIAL OF SERVICE SPEARPHISHING LINK EXECUTION THROUGH API AUTHENTICATION PACKAGE DLL SEARCH ORDER HIJACKING CODE SIGNING EXPLOITATION FOR CREDENTIAL ACCESS NETWORK SHARE DISCOVERY PASS THE TICKET DATA FROM NETWORK SHARE DRIVE DATA OBFUSCATION EXFILTRATION OVER OTHER NETWORK MEDIUM FIRMWARE CORRUPTION FOCUSONCOMMANDANDCONTROL @JORGEORCHILLES
CHANNELS  TCP (DIRECT)  HTTP - PROXY AWARE - DOMAIN FRONTING - CUSTOM PROFILE  HTTP2  HTTP3  DNS  DOH  ICMP  FTP  IMAP @JORGEORCHILLES
Consistent connections are poor opsec - Meterpreter - Koadic (http long poll) Beacons are better - Jitter makes pattern matching a little harder Working hours Kill date BEACONS & JITTER @JORGEORCHILLES
C2 PROFILES @JORGEORCHILLES
USER INTERFACE Command Line Interface Graphical User Interface Web API Multi-Player: the “Team” part of “Red Team” ANDROID AGENTS @JORGEORCHILLES
OPERATIONAL SECURITY Key exchange regardless of TLS − Encrypted Key Exchange − aPAKE OPAQUE − ECDHE − mTLS − AES Warning for bad OPSEC Know your IOCs! − Sysmon − Wireshark/tcpdump @JORGEORCHILLES
TESTING INFRASTRUCTURE C2 MATRIX LAB PFSENSE VICTIMS ATTACKERS WINDOWS @JORGEORCHILLES
DEMO TIME www.thec2matrix.com
OTHER REFERENCES Similar work James Tubberville post on threatexpress.com: - https://threatexpress.com/blogs/2019/c2-agent-comparison Alex Rodriguez from Secure Ideas: - https://hackmd.io/EhFjuYHESIGhFQXFQ6duTQ?View The Golden Age of C2 by Matthew Toussain on YouTube: - https://www.youtube.com/watch?v=DjChyUrbZd8 @JORGEORCHILLES
@JORGEORCHILLES @brysonbort @Adam_Mashinchi @cabbagesalad2 @seanqsun @P1nkFlam1ngo17 @0sm0s1z @Ne0nd0g @its_a_feature_ @byt3bl33d3r @daveaitel
@JORGEORCHILLES #c2matrix www.thec2matrix.com

Recommended

Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixJorge Orchilles
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 

Recommended

Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixJorge Orchilles
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Ceh v5 module 05 system hacking
Ceh v5 module 05 system hackingCeh v5 module 05 system hacking
Ceh v5 module 05 system hackingVi Tính Hoàng Nam
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxJasonOstrom1
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Red team upgrades using sccm for malware deployment
Red team upgrades using sccm for malware deploymentRed team upgrades using sccm for malware deployment
Red team upgrades using sccm for malware deploymentenigma0x3
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesJorge Orchilles
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Christopher Korban
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?Graham Charters
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 

More Related Content

What's hot

SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxJasonOstrom1
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Red team upgrades using sccm for malware deployment
Red team upgrades using sccm for malware deploymentRed team upgrades using sccm for malware deployment
Red team upgrades using sccm for malware deploymentenigma0x3
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesJorge Orchilles
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Christopher Korban
 

What's hot (20)

SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 
Ceh v5 module 05 system hacking
Ceh v5 module 05 system hackingCeh v5 module 05 system hacking
Ceh v5 module 05 system hacking
 
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptxBSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
BSidesDFW2022-PurpleTeam_Cloud_Identity.pptx
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Red team upgrades using sccm for malware deployment
Red team upgrades using sccm for malware deploymentRed team upgrades using sccm for malware deployment
Red team upgrades using sccm for malware deployment
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
 

Similar to C2 Matrix A Comparison of Command and Control Frameworks

How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?Graham Charters
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 
Testing libraries for fun & profit. Beware: Increased productivity ahead
Testing libraries for fun & profit. Beware: Increased productivity aheadTesting libraries for fun & profit. Beware: Increased productivity ahead
Testing libraries for fun & profit. Beware: Increased productivity aheadIxchel Ruiz
 
Docker Orchestration: Welcome to the Jungle! JavaOne 2015
Docker Orchestration: Welcome to the Jungle! JavaOne 2015Docker Orchestration: Welcome to the Jungle! JavaOne 2015
Docker Orchestration: Welcome to the Jungle! JavaOne 2015Patrick Chanezon
 
Pursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMPursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMMark Secretario
 
Stups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSStups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSJan Löffler
 
Devoxx university - Kafka de haut en bas
Devoxx university - Kafka de haut en basDevoxx university - Kafka de haut en bas
Devoxx university - Kafka de haut en basFlorent Ramiere
 
Microservices Architecture, Monolith Migration Patterns
Microservices Architecture, Monolith Migration PatternsMicroservices Architecture, Monolith Migration Patterns
Microservices Architecture, Monolith Migration PatternsAraf Karsh Hamid
 
Why Kubernetes? Cloud Native and Developer Experience at Zalando - OWL Tech &...
Why Kubernetes? Cloud Native and Developer Experience at Zalando - OWL Tech &...Why Kubernetes? Cloud Native and Developer Experience at Zalando - OWL Tech &...
Why Kubernetes? Cloud Native and Developer Experience at Zalando - OWL Tech &...Henning Jacobs
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREAraf Karsh Hamid
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
Stay productive while slicing up the monolith
Stay productive while slicing up the monolithStay productive while slicing up the monolith
Stay productive while slicing up the monolithMarkus Eisele
 
Mobile IoT Middleware Interoperability & QoS Analysis - Eclipse IoT Day Paris...
Mobile IoT Middleware Interoperability & QoS Analysis - Eclipse IoT Day Paris...Mobile IoT Middleware Interoperability & QoS Analysis - Eclipse IoT Day Paris...
Mobile IoT Middleware Interoperability & QoS Analysis - Eclipse IoT Day Paris...Nikolaos Georgantas
 
Programming the world with Docker
Programming the world with DockerProgramming the world with Docker
Programming the world with DockerPatrick Chanezon
 
Stay productive while slicing up the monolith
Stay productive while slicing up the monolithStay productive while slicing up the monolith
Stay productive while slicing up the monolithMarkus Eisele
 
Cloud for Game Developers – Myth or Real Scenarios?
Cloud for Game Developers – Myth or Real Scenarios?Cloud for Game Developers – Myth or Real Scenarios?
Cloud for Game Developers – Myth or Real Scenarios?DevGAMM Conference
 
PROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYPROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYSylvain Martinez
 
Microservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native AppsMicroservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native AppsAraf Karsh Hamid
 
As You Seek – How Search Enables Big Data Analytics
As You Seek – How Search Enables Big Data AnalyticsAs You Seek – How Search Enables Big Data Analytics
As You Seek – How Search Enables Big Data AnalyticsInside Analysis
 

Similar to C2 Matrix A Comparison of Command and Control Frameworks (20)

How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
 
Testing libraries for fun & profit. Beware: Increased productivity ahead
Testing libraries for fun & profit. Beware: Increased productivity aheadTesting libraries for fun & profit. Beware: Increased productivity ahead
Testing libraries for fun & profit. Beware: Increased productivity ahead
 
Docker Orchestration: Welcome to the Jungle! JavaOne 2015
Docker Orchestration: Welcome to the Jungle! JavaOne 2015Docker Orchestration: Welcome to the Jungle! JavaOne 2015
Docker Orchestration: Welcome to the Jungle! JavaOne 2015
 
Pursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMPursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideM
 
The Future of Cloud Innovation, featuring Adrian Cockcroft
The Future of Cloud Innovation, featuring Adrian CockcroftThe Future of Cloud Innovation, featuring Adrian Cockcroft
The Future of Cloud Innovation, featuring Adrian Cockcroft
 
Stups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSStups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWS
 
Devoxx university - Kafka de haut en bas
Devoxx university - Kafka de haut en basDevoxx university - Kafka de haut en bas
Devoxx university - Kafka de haut en bas
 
Microservices Architecture, Monolith Migration Patterns
Microservices Architecture, Monolith Migration PatternsMicroservices Architecture, Monolith Migration Patterns
Microservices Architecture, Monolith Migration Patterns
 
Why Kubernetes? Cloud Native and Developer Experience at Zalando - OWL Tech &...
Why Kubernetes? Cloud Native and Developer Experience at Zalando - OWL Tech &...Why Kubernetes? Cloud Native and Developer Experience at Zalando - OWL Tech &...
Why Kubernetes? Cloud Native and Developer Experience at Zalando - OWL Tech &...
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SRE
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
Stay productive while slicing up the monolith
Stay productive while slicing up the monolithStay productive while slicing up the monolith
Stay productive while slicing up the monolith
 
Mobile IoT Middleware Interoperability & QoS Analysis - Eclipse IoT Day Paris...
Mobile IoT Middleware Interoperability & QoS Analysis - Eclipse IoT Day Paris...Mobile IoT Middleware Interoperability & QoS Analysis - Eclipse IoT Day Paris...
Mobile IoT Middleware Interoperability & QoS Analysis - Eclipse IoT Day Paris...
 
Programming the world with Docker
Programming the world with DockerProgramming the world with Docker
Programming the world with Docker
 
Stay productive while slicing up the monolith
Stay productive while slicing up the monolithStay productive while slicing up the monolith
Stay productive while slicing up the monolith
 
Cloud for Game Developers – Myth or Real Scenarios?
Cloud for Game Developers – Myth or Real Scenarios?Cloud for Game Developers – Myth or Real Scenarios?
Cloud for Game Developers – Myth or Real Scenarios?
 
PROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYPROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITY
 
Microservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native AppsMicroservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native Apps
 
As You Seek – How Search Enables Big Data Analytics
As You Seek – How Search Enables Big Data AnalyticsAs You Seek – How Search Enables Big Data Analytics
As You Seek – How Search Enables Big Data Analytics
 

More from Jorge Orchilles

SCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzSCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzJorge Orchilles
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamerJorge Orchilles
 
Purple Team Use Case - Security Weekly
Purple Team Use Case - Security WeeklyPurple Team Use Case - Security Weekly
Purple Team Use Case - Security WeeklyJorge Orchilles
 
KringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive SecurityKringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive SecurityJorge Orchilles
 
C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020Jorge Orchilles
 
Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020Jorge Orchilles
 
External Threat Hunters are Red Teamers
External Threat Hunters are Red TeamersExternal Threat Hunters are Red Teamers
External Threat Hunters are Red TeamersJorge Orchilles
 
Evolution of Offensive Assessments - SecureWV Conference
Evolution of Offensive Assessments - SecureWV ConferenceEvolution of Offensive Assessments - SecureWV Conference
Evolution of Offensive Assessments - SecureWV ConferenceJorge Orchilles
 
Purple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatPurple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatJorge Orchilles
 
Evolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootConEvolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootConJorge Orchilles
 
8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
 
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLockerDEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLockerJorge Orchilles
 
Blackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 MatrixBlackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 MatrixJorge Orchilles
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConJorge Orchilles
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Jorge Orchilles
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...Jorge Orchilles
 
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Adversarial Emulation with the C2 Matrix - Wild West WebCastin FestAdversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Adversarial Emulation with the C2 Matrix - Wild West WebCastin FestJorge Orchilles
 

More from Jorge Orchilles (20)

SCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim SchulzSCYTHE Purple Team Workshop with Tim Schulz
SCYTHE Purple Team Workshop with Tim Schulz
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamer
 
Purple Team Use Case - Security Weekly
Purple Team Use Case - Security WeeklyPurple Team Use Case - Security Weekly
Purple Team Use Case - Security Weekly
 
KringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive SecurityKringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive Security
 
C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020
 
Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020
 
External Threat Hunters are Red Teamers
External Threat Hunters are Red TeamersExternal Threat Hunters are Red Teamers
External Threat Hunters are Red Teamers
 
Evolution of Offensive Assessments - SecureWV Conference
Evolution of Offensive Assessments - SecureWV ConferenceEvolution of Offensive Assessments - SecureWV Conference
Evolution of Offensive Assessments - SecureWV Conference
 
Purple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatPurple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHat
 
Evolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootConEvolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootCon
 
8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix
 
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLockerDEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
 
Blackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 MatrixBlackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 Matrix
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMCon
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
 
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Adversarial Emulation with the C2 Matrix - Wild West WebCastin FestAdversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
 

Recently uploaded

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Recently uploaded (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

C2 Matrix A Comparison of Command and Control Frameworks

  • 1. #C2MATRIXA COMPARISON OF C2 FRAMEWORKS @JORGEORCHILLES PRESENTED BY
  • 2. C2 MATRIX SPEAKER Leads the offensive security team at large financial Published author with industry contributions including: • Common Vulnerability Scoring System (CVSSv3.1) • Threat-led penetration testing framework (GFMA) • SANS Certified Instructor • Author of SEC564: Red Team Exercises and Adversary Emulation • ISSA fellow • Board of the ISSA South Florida since 2010 • AuthorofWindows7AdministratorsReference JORGE ORCHILLES @JORGEORCHILLES /IN/JORGEORCHILLES/
  • 3.  Python2 server; *nix and windows agents  Automatically configures lightweight agents with listener  C2 via http or https (proxy aware) as beacons  Cryptographically secure communication (regardless of TLS)  Rapid deployment of post-exploitation modules, with a variety of module types: powersploit, powerbreach, powerup, powerview  Reliable, consistent, not many bugs; operational security!  Thank you! @Harmj0y | @sixdub | @enigma0x3 rvrsh3ll | @killswitch_gui | @xorrior EMPIRE WAS THE BEST… @JORGEORCHILLES
  • 4. ”the projects time has passed and newer frameworks with better capabilities have been released” ”the projects time has passed and newer frameworks with better capabilities have b ”the projects time has passed and newer frameworks with better capabilities have been released” ects time has passed and newer frameworks with better capabilities have been released” passed and newer frameworks with better capabilities have been released” ”the projects time has passed and newer frameworks with better capabilities have been released” ”the projects time has passed and newer frameworks with better capabilities have been released” ”the projects time has passed and newer frameworks with better capabilities have been released” ”the projects time has passed and newer frameworks with better capabilities have been released” HELP! OH no! SOS! What do we do!? HELP! OH no! SOS! What do we do!? BUT NOW… "The project's time has passed and newer frameworks with better capabilities have been released. So it is time to say farewell to EMPIRE" @JORGEORCHILLES
  • 5. THE MISSION Choose the best modern, replacement for Empire. One that is reliable, consistent, user-friendly and that meets these requirements @JORGEORCHILLES
  • 6. OUR REQUIREMENTS 62 % @JORGEORCHILLES  Operationally secure  Multiple C2 channels  Multiple agents/payloads  Custom profiles  Domain fronting capable  Proxy aware  Internal pivoting  Multi-user  Community involvement
  • 7. THERE ARE A LOT OF DIFFERENT FRAMEWORKS 30 TO BE EXACT @JORGEORCHILLES
  • 8. APFELL C3 CALDERA COBALT STRIKE COVENANT EMPIRE EVILOSX FACTION C2 FLYINGAFALSEFLAG GODOH IBOMBSHELL INNUENDO KOADICC3 MACSHELLSWIFT MERLIN NUAGES POSHC2 POSHC2_PYTHON POWERHUB PRISMATICA PUPY QUASARRAT RED TEAM TOOLKIT REDVIPER SCYTHE SILENT TRINITY SLIVER THROWBACK TREVOR C2 VOODOO FRAMEWORKS A SPECIAL THANK YOU TO ALL CONTRIBUTING DEVELOPERS!!!! @JORGEORCHILLES
  • 9. Phase 1  Evaluate and document all C2 frameworks  Focus on communication channel and C2 features Phase 2 Post exploitation features, lateral movement, ATT&CK mapping Phase 3? You tell us SETTING PARAMETERS PHASES IF YOU WILL, OR WE WILL RUN OUT OF TIME @JORGEORCHILLES
  • 10. INITIAL ACCESS EXECUTION PERSISTENCE PRIVILEGE ESCALATION DEFENSIVE EVASION CREDENTIAL ACCESS DISCOVERY LATERAL MOVEMENT COLLECTION COMMAND AND CONTROL EXFILTRATION IMPACT DRIVE- BY COMPROMISE APPLESCRIPT .BASH_PROFULE AND .BASHRC ACCESS TOKEN MANIPULATION ACCESS TOKEN MANIPULATION ACCOUNT MANIPULATION ACCOUNT DISCOVERY APPLESCRIPT AUDIO CAPTURE COMMONLY USED PORT AUTOMATED EXFILTRATION DATA DESTRUCTION EXPLOIT PUBLIC- FACING APPLICATION CMSTP ACCESIBILITY FEATURES ACCESIBILITY FEATURES BITS JOBS BASH HISTORY APPLICATION WINDOW DISCOVERY APPLICATION DEPLOYMENT SOFTWARE AUTOMATED COLLECTION COMMUINICTION THROUGH REMOVABLE DATA DATA COMPRESSED DATA ENCRYPTED FOR IMPACT EXTERNAL REMOTE SERVICES COMMAND-LINE INTERFACE ACCOUNT MANIPULATION APPCERT DLLS DINARY PADDING BRUTE FORCE BROWSER BOOKMARK DISCOVERY DISTRUBETED COMPONENT OBJECT MODEL CLIPBOARD DATA CONNECTION PROXY DATA ENCRYPTED DEFACEMENT HARDWARE ADDITIONS COMPILED HTML FILE APPCERT DLLS APPINIT DLLS ACCOUNT CONTROL BYPASS USER CREDENTIAL DUMPING DOMAIN TRUST DISCOVERY EXPLOITATION OF REMOTE SERVICES DATA STAGE CUSTOM COMMAND AND CONTROL PROTOCOL DATA TRANSFER SIZE LIMIT DISK CONTENT WIPE REPLICATION THROUGH REMOVABLE MEDIA CONTORL PANEL ITEMS APPINIT DLLS APPLICATION SHIMMIMG CMSTP CREDENTIALS IN FILES FILE AND DIRECTORY DISCOVERY LOGON SCRIPT DATA FROM INFORMATION REPOSITORIES CUSTOM CRYPTOGRAPHIC PROTOCOL EXFILTRATION OVER ALTERNATIVE PROTOCOL DISK STRUCTURE WIPE SPEARPHISHING ATTACHMENT DYNAMIC DATA EXCHANGE APPLICATION SHIMMING BYPASS USER ACCOUNT CONTROL CLEAR COMMAND HISTORY CREDENTIALS IN REGISTRY NETWORK SERVICE SCANNING PASS THE HASH DATA FROM LOCAL SYSTEM DATA ENCODING EXFILTRATION OVER COMMAND AND CONTROL CHANNEL ENDPOINT DENIAL OF SERVICE SPEARPHISHING LINK EXECUTION THROUGH API AUTHENTICATION PACKAGE DLL SEARCH ORDER HIJACKING CODE SIGNING EXPLOITATION FOR CREDENTIAL ACCESS NETWORK SHARE DISCOVERY PASS THE TICKET DATA FROM NETWORK SHARE DRIVE DATA OBFUSCATION EXFILTRATION OVER OTHER NETWORK MEDIUM FIRMWARE CORRUPTION FOCUSONCOMMANDANDCONTROL @JORGEORCHILLES
  • 11. CHANNELS  TCP (DIRECT)  HTTP - PROXY AWARE - DOMAIN FRONTING - CUSTOM PROFILE  HTTP2  HTTP3  DNS  DOH  ICMP  FTP  IMAP @JORGEORCHILLES
  • 12. Consistent connections are poor opsec - Meterpreter - Koadic (http long poll) Beacons are better - Jitter makes pattern matching a little harder Working hours Kill date BEACONS & JITTER @JORGEORCHILLES
  • 14. USER INTERFACE Command Line Interface Graphical User Interface Web API Multi-Player: the “Team” part of “Red Team” ANDROID AGENTS @JORGEORCHILLES
  • 15. OPERATIONAL SECURITY Key exchange regardless of TLS − Encrypted Key Exchange − aPAKE OPAQUE − ECDHE − mTLS − AES Warning for bad OPSEC Know your IOCs! − Sysmon − Wireshark/tcpdump @JORGEORCHILLES
  • 16. TESTING INFRASTRUCTURE C2 MATRIX LAB PFSENSE VICTIMS ATTACKERS WINDOWS @JORGEORCHILLES
  • 18. OTHER REFERENCES Similar work James Tubberville post on threatexpress.com: - https://threatexpress.com/blogs/2019/c2-agent-comparison Alex Rodriguez from Secure Ideas: - https://hackmd.io/EhFjuYHESIGhFQXFQ6duTQ?View The Golden Age of C2 by Matthew Toussain on YouTube: - https://www.youtube.com/watch?v=DjChyUrbZd8 @JORGEORCHILLES