C3 Custom Command and Control
C3 (Custom Command and Control) is a tool that allows Red Teams to rapidly develop and utilise esoteric command and control channels (C2). It’s a framework that extends other red team tooling, such as the commercial Cobalt Strike (CS) product via ExternalC2, which is supported at release. It allows the Red Team to concern themselves only with the C2 they want to implement; relying on the robustness of C3 and the CS tooling to take care of the rest. This efficiency and reliability enable Red Teams to operate safely in critical client environments (by assuring a professional level of stability and security); whilst allowing for safe experimentation and rapid deployment of customised Tactics, Techniques and Procedures (TTPs). Thus, empowering Red Teams to emulate and simulate an adaptive real-world attacker.
Attackers must establish command and control (C2) to gain influence within their target environments in order to pursue their goals and objectives. It is therefore arguably one of the most important parts of the cyber kill chain because without it any payloads that are successfully delivered operate blindly, cannot provide network level pivoting and near real-time interaction. It is no surprise then that organisations have been imposing more controls against what types of communications are allowed from systems and a priority has been placed on defensive teams to be able to effectively detect C2. This is emphasised by two out of the twelve columns of Mitre ATT&CK being related to this area, ‘Command and Control’ and ‘Exfiltration’.
The first proof of concept of C3 was presented at BlueHat v18 by William Knowles and Dave Hartley. Since then it has been refactored and some aspects reimagined into what it is today by a team of developers heavily influenced by members of the MWR Red Team.
Practical Usage
C3 is designed to be an easy and intuitive interface that allows users to form complex paths during adversarial simulations. This section provides an in-depth guide of how to use C3, from compilation through to code execution.
Usage
See this blog post for a detailed tutorial.
For contribution guide (how to develop a Channel tutorials), see this page.
Glossary
The most commonly used terms in C3:
-
Relays
- stand-alone pieces of C3 Networks. They communicate usingInterfaces
. There are two types ofRelays
:Gate Relays
(orGateways
) andNode Relays
. -
Gateway
- a specialRelay
that controls one C3 Network. A C3 Network cannot operate without an operationalGateway
. TheGateway
is the bridge back to the attacker’s infrastructure fromNode Relays
. It’s also responsible for communicating back to a third-party C2 server (such as Cobalt Strike’s Teamserver).Gateways
should always be hosted within attacker-controlled infrastructure. -
Node Relay
- an executable to be launched on a compromised host.Node Relays
communicate throughDevices
either between one another or back to theGateway
. -
Interface
- a high level name given to anything that facilitates the sending and receiving of data within a C3 network. They are always connected to someRelay
and their purpose is to extendRelay's
capability. Currently there are three types ofInterfaces
:Channels
,Peripherals
andConnectors
. -
Devices
- common name forChannels
andPeripherals
. This abstraction is created to generalizeInterfaces
that are able to be used onNode Relays
. -
Channel
- anInterface
used to transport data between twoRelays
.Channels
works in pairs and do not support the one-to-many transmission (seeNegotiation Channels
). -
Negotiation Channel
- a specialChannel
capable of establishing regularChannel
connections with multipleRelays
. The negotiation process is fully automatic.Negotiation Channels
support only negotiation protocol and cannot be used in any other transmission. -
Gateway Return Channel (GRC)
- the configuredChannel
that aRelay
will use to send data back to theGateway
.GRC
may be a route through anotherRelay
. The firstChannel
(initial) on aNode Relay
is automatically set asGRC
for thatNode Relay
. -
C3 Minimal MTU
- the minimal portion of data that every C3 Channel is required to be able to send. CurrentlyC3 Minimal MTU
is equal to 64 bytes. Unless a chunk shorter than 64 bytes contains a complete packet, receiver Relay ignores it and sender Relay tries and re-sends last portion of data. -
Peripherals
- a third-party implant of a command and control framework.Peripherals
talk to their native controllers via aController
. For example, Cobalt Strike’s SMB beacon. -
Connectors
- an integration with a third-party command and control framework. For instance the ‘External C2’ interface exposed by Cobalt Strike’s Teamserver through the externalc2_start command. -
Binders
- common name forPeripherals
andConnectors
. -
Device ID
- a dynamic ID that uniquely addresses oneDevice
on aRelay
. -
Agent ID
- a dynamic ID that uniquely addresses aNode Relay
.Node Relays
instantiated from the same executable will have differentAgent IDs
. -
Build ID
- a static ID that is built into everyRelay
. Stays unchanged over reboots. -
Route ID
- a pair of anAgent ID
and aDevice ID
. Used to describe one “path” to aNode Relay
(Node Relays
might be reachable via manyRoutes
). -
Route
- a “path” to aNode Relay
. EveryRelay
keeps a table of all of their childRelays
(and grandchildren, grand-grandchildren, and so on) along withChannel
Device IDs
used to reach that particularRelay
(seeRoute ID
). When a packet from theGateway
arrives to aNode Relay
, routing table is used to choose appropriateChannel
to send the packet through to the recipient. -
Update Delay Jitter
- delay between successive updates of anInterface
(in case ofChannels
- calls to OnReceiveFromChannel method). Can be set to be randomized in provided range of time values.