# C2 techniques
The c2/* package tree is the implant's outbound communication layer
plus the operator's listener side. Six sub-packages compose into a
complete reverse-shell / staging / multi-session stack:
```mermaid
flowchart LR
  subgraph implant [Implant side]
    S[c2/shell<br>reverse shell]
    M[c2/meterpreter<br>MSF stager]
  end
  subgraph wire [Wire]
    T[c2/transport<br>TCP / TLS / uTLS]
    NP[c2/transport/namedpipe<br>SMB pipes]
    Cert[c2/cert<br>mTLS certs + pinning]
    T -.uses.-> Cert
  end
  subgraph operator [Operator side]
    MC[c2/multicat<br>multi-session listener]
  end
  S --> T
  S --> NP
  M --> T
  T --> MC
  NP --> MC
```
## Packages

| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| c2/shell | reverse-shell.md | noisy | reverse shell with PTY + auto-reconnect + AMSI/ETW evasion hooks |
| c2/meterpreter | meterpreter.md | noisy | MSF stager (TCP / HTTP / HTTPS) with optional inject.Injector for stage delivery |
| c2/transport | transport.md · malleable-profiles.md | moderate | pluggable TCP / TLS / uTLS + malleable HTTP profiles |
| c2/transport/namedpipe | namedpipe.md | quiet | Windows named-pipe transport (local IPC + SMB lateral) |
| c2/cert | transport.md | quiet | self-signed X.509 generation + SHA-256 fingerprint pinning |
| c2/multicat | multicat.md | quiet | operator-side multi-session listener (BANNER protocol) |
## Quick decision tree

| You want to… | Use |
|---|---|
| …land a reverse shell that survives drops | c2/shell.New + c2/transport |
| …blend C2 with browser TLS fingerprints | c2/transport uTLS profile (Chrome / Firefox / iOS Safari) |
| …pin the operator certificate against TLS-MITM | c2/cert.Fingerprint + transport PinSHA256 |
| …carry C2 over local IPC / SMB lateral | c2/transport/namedpipe |
| …stage a Meterpreter session with inject middleware | c2/meterpreter + Config.Injector |
| …disguise HTTP traffic as jQuery CDN fetches | malleable-profiles.md |
| …host many simultaneous reverse-shell agents | c2/multicat on the operator box |
## MITRE ATT&CK

| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1071 | Application Layer Protocol | c2/transport (HTTP/TLS), c2/transport/namedpipe | D3-NTA |
| T1071.001 | Web Protocols | c2/transport (malleable), c2/meterpreter (HTTP/HTTPS) | D3-NTA |
| T1573 | Encrypted Channel | c2/transport (TLS) | D3-NTA |
| T1573.002 | Asymmetric Cryptography | c2/cert (mTLS) | D3-NTA |
| T1095 | Non-Application Layer Protocol | c2/transport (raw TCP) | D3-NTA |
| T1059 | Command and Scripting Interpreter | c2/shell | D3-PSA |
| T1571 | Non-Standard Port | c2/multicat | D3-NTA |
| T1021.002 | SMB/Admin Shares | c2/transport/namedpipe (cross-host) | D3-NTA |
## See also

- Operator path: build a reliable shell
- Detection eng path: C2 telemetry
- evasion: apply patches before the shell connects.
- useragent: pair with HTTP transports for realistic User-Agent headers.
- inject: stage execution surface for c2/meterpreter.