A well designed Command and Control (C2) infrastructure is critical to the success of an adversary emulation exercise. During an engagement, established C2 sessions may get disconnected frequently. Whenever this happens, there might be a temptation to re-exploit the target and establish another C2 session. This is not only time consuming but also not recommended during an active engagement. For one, it can put the entire engagement at risk as re-exploitation may lead to unwanted consequences. To avoid this, C2 mechanisms are deployed in a layered (or tiered) manner.
C2 mechanisms are generally deployed into following three tiers:
Interactive - C2 mechanisms in this tier are used more frequently than others. They are primarily used for issuing commands, enumeration, scanning and data exfiltration. The callback time is usually within minutes. For example, C2 agents deployed on target machines.
Short-Haul - C2 mechanisms in this tier are used to re-establish interactive mechanisms. The callback time is within 12-24 hours. For example, a cronjob that downloads the C2 agent and executes it every 12 hours.
Long-Haul - C2 mechanisms in this tier are used to re-establish short-haul mechanisms. The callback time is 24 hours or more. This is the slowest mechanism of all three and should not be used for interactive purposes. For example, a start-up script to create the cronjob mentioned before.
Use a tier for it's intended purpose only. For example, a short-haul C2 mechanism should not be used to run commands interactively.
Use different C2 channels (HTTPS, DNS, SSH, SMB etc.) for different tiers. This will ensure that even if one channel gets blocked an alternate is available to use.
Use encryption to avoid detection via network security devices.
Minimize C2 callback volume wherever possible. This will help in avoiding unnecessary exposure.
Avoid dropping binaries on target machines as this may trigger the anti-malware solution and alert the Blue team.