Create Custom C2
This lab delivers hands-on, defense-focused training in analyzing modern command-and-control (C2) evasion techniques through the design and evaluation of a controlled, simulated C2 framework. Participants examine how adversaries blend malicious traffic into enterprise environments by mimicking legitimate HTTP/2 and HTTP/3 communications, leveraging TLS encryption, and dynamically altering client fingerprints, timing, and traffic patterns to evade detection. Using tools such as Wireshark, you'll capture and dissect network activity, comparing these techniques against traditional beaconing indicators and signature-based detections. The lab highlights the continuous evolution of attacker tradecraft and defensive visibility, demonstrating how encoding, encryption, traffic shaping, and failover mechanisms impact detection. By the end of the exercise, you will be better equipped to identify, hunt, and respond to sophisticated, low-observable C2 activity in real-world network environments.
Lab Info
Table of Contents
- Challenge: Develop and Deploy Custom HTTP C2
Modify, compile, and run a C2 server and client that use legitimate-looking HTTP/2 or HTTP/3 headers to mimic common network traffic. Use Wireshark to capture your custom HTTP C2 traffic and compare its signature against known "beaconing" patterns to verify successful evasion. Implement an encoding that bypasses HTTP C2 detection signatures.
- Challenge: Upgrade to TLS
Implement an SSL/TLS wrapper for HTTPS client/server C2 communication and verify in Wireshark that the payload is encrypted. Use libraries like tls-client to rotate JA3/JA4 fingerprints so the C2 agent's TLS ClientHello matches that of various legitimate client binaries. What you will notice most is that, even with a self-signed certificate, the indicators that were visible in clear-text HTTP become largely unobservable once the payload is encrypted; what a sensor still sees is the handshake itself (SNI, certificate, and the client fingerprint), which is why fingerprint rotation matters.
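To see what a JA3 fingerprint actually hashes, and why reordering cipher suites changes it, here is an added example (not code from the lab or from tls-client) that synthesises two TLS ClientHello messages in memory, parses them the way a network sensor would, and computes the JA3 string and MD5. The hostname, cipher lists and extension contents are constructed for illustration; in the lab you would feed `ja3_string()` the raw ClientHello record exported from Wireshark instead. GREASE values are filtered out as the JA3 definition requires, since they change per connection.

```python
"""JA3 fingerprint of a TLS ClientHello (added example, not lab or tls-client code)."""
import hashlib
import struct


def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are random per
    connection and are excluded from JA3 so the hash stays stable."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def build_client_hello(version, ciphers, extensions):
    """Return a TLS record carrying a ClientHello (constructed, not captured).
    extensions: list of (type, data) in wire order."""
    body = struct.pack(">H", version) + bytes(32)            # legacy_version, random
    body += b"\x00"                                           # empty legacy_session_id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                       # compression_methods: null
    exts = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def sni_ext(host):
    h = host.encode()
    entry = b"\x00" + struct.pack(">H", len(h)) + h          # name_type host_name
    return (0x0000, struct.pack(">H", len(entry)) + entry)


def supported_groups_ext(groups):
    data = struct.pack(">H", 2 * len(groups)) + b"".join(struct.pack(">H", g) for g in groups)
    return (0x000A, data)


def ec_point_formats_ext(formats):
    return (0x000B, bytes([len(formats)]) + bytes(formats))


def ja3_string(record):
    """Parse a ClientHello record into 'version,ciphers,extensions,groups,formats'."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                                   # handshake type + 3-byte length
    version = struct.unpack_from(">H", hs, pos)[0]
    pos += 2 + 32                                             # version, random
    pos += 1 + hs[pos]                                        # session id
    cs_len = struct.unpack_from(">H", hs, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from(">H", hs, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                                        # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(hs):
        end = pos + 2 + struct.unpack_from(">H", hs, pos)[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from(">HH", hs, pos)
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 0x000A:                               # supported_groups
                n = struct.unpack_from(">H", data, 0)[0]
                groups = [struct.unpack_from(">H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 0x000B:                             # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def join(vals):
        return "-".join(str(v) for v in vals if not is_grease(v))

    return ",".join([str(version), join(ciphers), join(ext_types), join(groups), join(formats)])


def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed samples: identical extensions, different cipher-suite order, as an agent
# rotating its fingerprint might send. The hostname is a placeholder.
_EXTS = [
    sni_ext("update.example.com"),
    (0x0A0A, b""),                                            # GREASE extension, ignored by JA3
    supported_groups_ext([0x0A0A, 0x001D, 0x0017, 0x0018]),   # GREASE, x25519, P-256, P-384
    ec_point_formats_ext([0]),
    (0x000D, b"\x00\x02\x04\x03"),                            # signature_algorithms
    (0x002B, b"\x02\x03\x04"),                                # supported_versions: TLS 1.3
    (0x0033, b"\x00\x00"),                                    # key_share: empty (synthetic)
]
HELLO_A = build_client_hello(0x0303, [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F], _EXTS)
HELLO_B = build_client_hello(0x0303, [0xC02F, 0xC02B, 0x1301, 0x1302, 0x1303], _EXTS)

if __name__ == "__main__":
    for name, rec in (("A", HELLO_A), ("B", HELLO_B)):
        print(name, ja3_string(rec), ja3_hash(rec))
```

The string for HELLO_A comes out as `771,4865-4866-4867-49195-49199,0-10-11-13-43-51,29-23-24,0` (771 is 0x0303, the legacy_version a TLS 1.3 client still advertises), and swapping the cipher order alone produces a different MD5. That is the whole point of fingerprint rotation: the agent's ClientHello field order must be byte-for-byte what a real browser or updater sends, not merely use the same cipher set.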
- Challenge: Add Dynamic Timing Behavior
Check-ins from a C2 agent at a constant interval can be used as an indicator of compromise and can be signatured. If the same request arrives every 10 seconds, this "beaconing" behavior is well known and is recognized by defenses that look at the spread of inter-arrival times. In this objective, you'll explore a few solutions, such as adding jitter to the sleep interval, to help evade timing-based detections.
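The scheduler and a minimal detector side by side, as an added example (not the lab's code) that also covers the "compare against beaconing patterns" step of the first challenge. Check-in timestamps are simulated rather than captured, and the 10-second base, the jitter fraction and the detector's coefficient-of-variation threshold are assumptions: a fixed interval gives a spread of exactly zero and is flagged, while ±30% jitter pushes the spread well past the threshold.

```python
"""Beacon timing: jittered sleep vs. a spread-of-intervals detector (added example)."""
import random
import statistics


def next_sleep(base: float, jitter: float, rng: random.Random) -> float:
    """Sleep interval drawn uniformly from base*(1-jitter) .. base*(1+jitter).
    jitter=0.0 reproduces the classic fixed-interval beacon."""
    return base * rng.uniform(1 - jitter, 1 + jitter)


def simulate_checkins(n: int, base: float, jitter: float, seed: int = 1):
    """Constructed timeline of n check-in timestamps (seconds), seeded for repeatability."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(n):
        t += next_sleep(base, jitter, rng)
        times.append(t)
    return times


def interval_stats(times):
    """Mean and coefficient of variation (stdev/mean) of the inter-arrival gaps."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else 0.0
    return mean, cv


def looks_like_beacon(times, cv_threshold: float = 0.05, min_samples: int = 10) -> bool:
    """Detector view: enough check-ins to one destination with near-constant gaps.
    Threshold is an assumed tuning value, not a vendor default."""
    if len(times) < min_samples + 1:
        return False
    _, cv = interval_stats(times)
    return cv < cv_threshold


if __name__ == "__main__":
    for label, jitter in (("fixed", 0.0), ("30% jitter", 0.3)):
        ts = simulate_checkins(50, 10.0, jitter)
        mean, cv = interval_stats(ts)
        print(f"{label:>10}: mean={mean:.2f}s cv={cv:.3f} flagged={looks_like_beacon(ts)}")
```

Note what the detector still sees: the mean interval is unchanged, so a hunter who groups connections by destination and counts check-ins per hour will find both timelines equally busy. Jitter defeats the "same gap every time" signature, not the volume or the destination, which is why later objectives layer fingerprinting and redirection on top of timing.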
- Challenge: The Last Objective
Welcome to the final objective! This is your last chance to experiment in the environment. Clicking End Lab will end this little world that flickered into existence just for you.
- Challenge: Enabling Resilient Redirection
For a variety of reasons—most notably when a defender or network administrator identifies and blocks your command-and-control (C2) infrastructure—you must ensure clients can communicate with alternative endpoints. This is typically achieved by provisioning multiple callback addresses that the client can attempt if the primary destination becomes unavailable.
A common approach is the use of redirectors. Redirectors act as intermediary nodes that receive traffic from clients and forward it to a central C2 server. This design allows you to expose multiple IP addresses to clients without requiring multiple backend servers, improving both resilience and operational flexibility.
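One way to implement the client side of the failover described above, as an added example (not the lab's code): the agent holds an ordered list of callback addresses (redirectors first, origin last or omitted), tries them in turn, and puts an endpoint that fails on a cool-down so it does not hammer a blocked redirector on every check-in. The endpoint names are placeholders, and the transport is a stand-in that fails on demand so the logic runs offline; in the lab the transport would be your HTTPS client.

```python
"""Callback failover with dead-endpoint cool-down (added example, not lab code)."""
import time


class CallbackRotation:
    def __init__(self, endpoints, cooldown: float = 300.0, clock=time.monotonic):
        self.endpoints = list(endpoints)      # ordered: preferred redirector first
        self.dead_until = {}                  # endpoint -> time it may be retried
        self.cooldown = cooldown              # assumed value; tune to the check-in interval
        self.clock = clock                    # injectable so the logic is testable offline

    def candidates(self):
        """Endpoints not currently on cool-down, in preference order.
        If every endpoint is marked dead, retry them all rather than going silent."""
        now = self.clock()
        live = [e for e in self.endpoints if self.dead_until.get(e, 0.0) <= now]
        return live or list(self.endpoints)

    def send(self, payload: bytes, transport):
        """Deliver payload via the first working endpoint.
        transport(endpoint, payload) returns the response or raises OSError."""
        last_err = None
        for ep in self.candidates():
            try:
                return ep, transport(ep, payload)
            except OSError as e:              # refused, reset, timeout, DNS failure
                last_err = e
                self.dead_until[ep] = self.clock() + self.cooldown
        raise ConnectionError(f"all callbacks failed: {last_err!r}")


# Constructed harness: placeholder endpoints, a controllable clock, and a fake transport.
ENDPOINTS = [
    "https://cdn-edge-a.example/api/v1",
    "https://cdn-edge-b.example/api/v1",
    "https://origin.example/api/v1",
]


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def make_transport(down):
    """Return a transport that refuses connections to endpoints in `down`."""
    def transport(endpoint, payload):
        if endpoint in down:
            raise ConnectionRefusedError(endpoint)
        return b"ack:" + payload
    return transport


if __name__ == "__main__":
    clock = FakeClock()
    rot = CallbackRotation(ENDPOINTS, cooldown=300.0, clock=clock)
    # Defender has blocked the first redirector: the agent fails over to the second.
    print(rot.send(b"checkin", make_transport(down={ENDPOINTS[0]})))
    print("candidates now:", rot.candidates())
    clock.t = 301.0                           # cool-down expired, first redirector retried
    print("candidates later:", rot.candidates())
```

Two design points worth keeping from this: the agent never exposes the origin server in its list if redirectors are in place (here `origin.example` is present only so the all-dead path has something to fall back on), and an endpoint that fails is retried after the cool-down rather than dropped permanently, because a blocked redirector may be replaced at the same address.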