C2 Infrastructure
# Overview
Command and Control (C2) infrastructure is the backbone of sustained red team operations. A well-designed C2 architecture uses redirectors, fronting, and staged payloads to protect the core team server from discovery and attribution. This section covers C2 framework setup, redirector configuration, domain fronting, and payload staging.
# C2 Architecture Overview

```text
Target (Implant) ──HTTPS──▶ CDN / Domain Front ──▶ Redirector 1 ──▶ Redirector 2 ──▶ Team Server
                                    │                    │
                            (TLS termination)  (Filter by UA/URI)
```
Key principles:
- The team server is never directly exposed to the target
- Redirectors act as traffic filters — only valid beacon traffic reaches the team server
- Domain fronting hides the real destination from network monitoring
- Staged payloads keep the initial footprint small
# Technique Files
| File | Covers | Complexity |
|---|---|---|
| C2 Framework Setup | Sliver, Havoc, Mythic, Cobalt Strike overview | Medium-High |
| Redirectors & Fronting | Nginx/Apache/socat redirectors, domain fronting, CDN pivoting | High |
| Payload Staging | Staged vs stageless, delivery, infrastructure lifecycle | Medium |
# Cross-References
- 10 - Persistence — C2 implant persistence mechanisms
- 11 - Data Exfiltration — C2 channel data exfiltration
- Tunnels & Proxies — Pivoting infrastructure to support C2