C2, C3, Whatever It Takes

Darin Roberts//

If you have been in the security field for any length of time at all you have heard the term C2.  You might have heard it also called C&C or Command and Control.  I will refer to it as C2 as here at BHIS, that is what we do.  Some of you might wonder what exactly is C2, and those who might know what it is might not understand what it means, and even more might not know how to set up a C2.  It is really not uncommon to be talking with another tester and they will say something along the lines of, “I couldn’t do X, Y or Z, so I just set up a C2 to bypass the problems.”  So, what exactly is a C2 and how does it work?  And even better, how can I set one up?

First off, what is C2?  C2 is remotely controlling another system.  This can be a good thing.  I know that for me personally, I love Remote Desktop and use it daily.  There are other common forms of C2 like VNC or SSH that are common as well.  They can be very beneficial and make working on computers much easier than physically being in front of the machine.

However, where something can be used for good, it can also be used for bad.  On the evil side of C2, malware is uploaded to a target host and then executed.  This malware has been pre-programmed to run and then to set up a communications channel to the command and control server on the internet.  The malware can be downloaded and installed in limitless ways.  It can come as an email attachment, clicking on the wrong link, downloading a trojan software, plugging in a USB, or any of another myriad of ways.  The result with C2 is the same, you have given an avenue for an attacker to execute commands on your computer.

So how does C2 work?  The unsuspecting victim executes a command on their computer to install the malware.  After the malware is installed, the malware will call out to the C2 server and wait for its next command.  It is usually going to send out a beacon on a time basis to let the server know it is still alive and to see if there is anything it should do.  When the server is ready, it will issue its command to execute on the infected host machine.

Because the hosts are not sending constant data out of the network, detecting these infected hosts can sometimes be difficult.  There are anti-virus programs that detect off-the-shelf C2 programs, but they don’t detect everything.  I was in a meeting just the other day when a co-worker said, “I always use custom C2 and bypass everything.  I know it will work.”

How do you set up a C2?  In this blog I will set up a C2 using Metasploit and Veil.  The host will be running Windows 10 with Windows Defender installed and in use.

The first step is to set up the listener using Metasploit.  Thanks to our great SysAdmins at BHIS, I got a Kali instance set up just for this purpose.

Now that we have our listener set up, we need to get the payload.  I first used Metasploit to create the payload.

I copied this C2.exe file to my Windows machine, but Windows Defender didn’t like it.

Windows Defender is a surprisingly good antivirus program.  However, as this is not a review of AV solutions, we will just try to see if we can bypass it.  I then used Veil-Evasion (https://github.com/Veil-Framework/Veil-Evasion).

Now that we have the payload from Veil (the file c2.bat), let’s copy it over to our Windows machine to see if it bypasses Windows Defender.

I created a folder on my desktop called C2 Folder.  I was able to just move this c2.bat file into my newly created folder, and Windows Defender did not trigger on it.

I want this file to run with administrator privileges, so I will right click on it and “Run as administrator”.  Click Yes to allow.

After I run the c2.bat file, a session gets started on my Kali with the Meterpreter listener on it.

I want to interact with the session so I type the command “sessions -i 1”.

On my Windows machine it doesn’t look like anything is happening.  I could take a screen shot of that, but it would be boring.

I don’t want Windows to kill my process, so I am going to change migrate to another process that is stable and that Windows likes.  Spool is a good idea.  Explorer is another popular choice.

Now that I know the PID for spool is 4188, I am going to change my PID to 4188.

Now that I have access, I am going to change directories to see what is out there.

I want to see what is in this file!  

With a C2 session, there are all kinds of fun things you can do, but that is for another blog.

 

And for those of you who haven’t seen Mr. Mom or who are curious about the title of this blog post: