Assumptions

• Reader knows what a reverse shell is
• Reader has done a HackTheBox or any black box CTF penetration test challenge

As an operator, we rely heavily on our tools. Once we get our reverse shell, we will bring our tools onto the compromised machine and continue our engagement.

• Is this realistic?

Enter C2’s; Command and Control. They are complex tools with multiple components. Typically there are:

• A teamserver, to interface communications between the operator and the implant
  • Like how we need a listener to catch our reverse shell, a teamserver will have a listener so the implant and communicate with the teamserver.
• The implant, our malware which can be summed up as “a reverse shell on crack”

Implants are capable of many complex functions that a standard reverse shell cannot do.

• What they be doing?
• Who is they?

If this solves the issue of running our tools after exploitation, then what more is there to discuss? Well, C2 implants fall under the same issue as our tools; they will get caught. Both during execution, or maybe some function are capable of will trigger an alarm.

• Essentially, to avoid detection, it seems we must use a tool that gets detected?

Evasion focuses on two things which can be independent of each other.

• Payload Delivery
• Payload functionality

To do these tasks, we generally have to get a bit on the lower level of things. Since a lot of this deals with memory, there are APIs we will have to utilize our code. These APIs are commonly watched from the EDR side of things, so we still have to take caution when creating our evasion.