Advanced C2 Infrastructure & Evasion Techniques – What’s Working for You in 2025?
#1
Hey all,
 
I’ve been working on refining some C2 infrastructure setups and testing stealth techniques in a controlled lab environment, trying to stay close to what’s being seen in recent real-world campaigns. Thought I’d open up the conversation and learn what others are experimenting with. Here’s what I’ve been playing with lately:
 
C2 Frameworks I'm using:
  • Sliver (mTLS + DNS channels)
  • Mythic with Apfell and Apollo payloads
  • Custom C2 in Go with AES-CBC over HTTP
Anyone using Havoc, Poseidon, or lesser-known alternatives worth looking into?
 
Transport & Evasion:
  • Domain fronting
  • JA3 evasion + randomized jitter
  • DoH callbacks for quiet beacons
  • Nginx redirectors with GeoIP filtering
Still testing different combinations. Has anyone set up CDN abuse (Cloudflare Workers, AWS CloudFront, etc.) for staging or redirecting?
 
Initial Delivery Vectors:
  • LNK chains → DLL sideloading
  • Signed MSI installers with hidden beacons
  • COM hijacks + wscript = solid post-ex persistence in lab setup
Not touching static EXEs anymore unless I want a quick flag
 
Looking to exchange thoughts:
  • What’s your go-to transport method for C2 when dealing with modern EDR?
  • Anyone experimenting with encrypted DNS tunneling for callbacks?
  • Tools or scripts to automate redirector rotation or domain switching?
This is all in isolated testing environments, nothing live. Just pushing the envelope and refining TTPs for realistic simulations. Drop your thoughts below or DM if you’ve got configs or ideas worth testing.
 
Let’s trade knowledge
The following 5 users like p0l0v3r4's post: ash96, Bragi, httpd, ishtar666, yvngrich
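The DNS and DoH beacon bullets above have a defender-side counterpart that is worth having in the lab next to the C2 itself: the two things a SOC will key on for a DNS channel are data encoded into the query name (long, high-entropy subdomain labels) and sleep timing that stays regular even with jitter applied. The script below is an added example, not code from this thread or from any of the frameworks named in it. It runs over a constructed query log (the `SAMPLE_LOG` lines are made up for the example, not captured traffic), groups queries by registered domain, and flags a domain on either signal. The thresholds in `flag_domains` and the "last two labels are the registered domain" rule in `split_qname` are assumptions to be tuned against your own baseline.

```python
"""Heuristic DNS-channel triage over a query log.

Added example, not code from the thread. Scores each registered domain on two
signals a defender looks for: long, high-entropy subdomains (data carried in
the query name) and low-variance inter-query timing (a sleeping beacon).
Thresholds and the registered-domain rule are assumptions.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not captured traffic): "<iso-timestamp> <client> <qname> <qtype>".
# beacon-test.example carries 32-char base32-alphabet labels at ~60 s with jitter;
# example.com / example.org are ordinary lookups at irregular times.
SAMPLE_LOG = """\
2025-01-15T10:00:00 10.0.0.7 abcdefghijklmnopqrstuvwxyz234567.beacon-test.example TXT
2025-01-15T10:00:12 10.0.0.7 www.example.com A
2025-01-15T10:00:13 10.0.0.7 mail.example.com A
2025-01-15T10:00:58 10.0.0.7 234567abcdefghijklmnopqrstuvwxyz.beacon-test.example TXT
2025-01-15T10:02:04 10.0.0.7 zyxwvutsrqponmlkjihgfedcba765432.beacon-test.example TXT
2025-01-15T10:03:01 10.0.0.7 765432zyxwvutsrqponmlkjihgfedcba.beacon-test.example TXT
2025-01-15T10:04:05 10.0.0.7 nopqrstuvwxyz234567abcdefghijklm.beacon-test.example TXT
2025-01-15T10:04:59 10.0.0.7 klmnopqrstuvwxyz234567abcdefghij.beacon-test.example TXT
2025-01-15T10:07:40 10.0.0.7 www.example.com A
2025-01-15T10:09:30 10.0.0.7 cdn.example.org A
2025-01-15T10:31:02 10.0.0.7 api.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain), treating the last two labels as the
    registered domain. Assumption for the example: production code should use the
    Public Suffix List so names like foo.co.uk group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the constructed log format into (timestamp, client, qname, qtype)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts), client, qname, qtype))
    return records


def domain_stats(records):
    """Per registered domain: query count, distinct subdomains, mean subdomain
    entropy and length, and coefficient of variation (stdev/mean) of the gaps
    between successive queries (None when fewer than two gaps exist)."""
    by_domain = defaultdict(list)
    for ts, _client, qname, _qtype in records:
        sub, dom = split_qname(qname)
        by_domain[dom].append((ts, sub))
    stats = {}
    for dom, entries in by_domain.items():
        entries.sort()
        subs = [s for _, s in entries]
        times = [t for t, _ in entries]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        stats[dom] = {
            "queries": len(entries),
            "unique_subdomains": len(set(subs)),
            "mean_entropy": statistics.mean([shannon_entropy(s) for s in subs]),
            "mean_sub_len": statistics.mean([len(s) for s in subs]),
            "interval_cv": cv,
        }
    return stats


def flag_domains(stats, min_entropy=3.5, min_sub_len=20, min_unique=5,
                 min_queries=5, max_cv=0.3):
    """Return {domain: [reasons]} for domains that look like a DNS channel.
    Threshold values are assumptions; tune them against your own baseline."""
    findings = {}
    for dom, s in stats.items():
        reasons = []
        if (s["mean_entropy"] >= min_entropy and s["mean_sub_len"] >= min_sub_len
                and s["unique_subdomains"] >= min_unique):
            reasons.append("long high-entropy subdomains (tunnel-like encoding)")
        if (s["queries"] >= min_queries and s["interval_cv"] is not None
                and s["interval_cv"] <= max_cv):
            reasons.append("regular query interval (beacon-like timing)")
        if reasons:
            findings[dom] = reasons
    return findings


def triage(text: str = SAMPLE_LOG):
    """Convenience wrapper: parse, score and flag in one call."""
    return flag_domains(domain_stats(parse_log(text)))


if __name__ == "__main__":
    for dom, reasons in triage().items():
        print(dom, "->", "; ".join(reasons))
```

Two caveats a practitioner would want. First, the jitter check is deliberately tolerant: a uniform ±20% jitter on a 60 s sleep still gives a coefficient of variation around 0.1, well under the 0.3 cut-off, which is why randomized jitter alone does not hide a beacon from interval statistics. Second, a DoH callback never reaches the resolver log this script reads; for that channel the equivalent signal has to come from TLS/SNI or endpoint process telemetry, which is exactly why the thread's "quiet beacons" point holds against resolver-only monitoring.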
#2
Custom C2 over HTTPS, or third-party services as a middle-man for client resolution, will yield the best results, e.g. Google Calendar, Pastebin, blogs, etc. for base64'd resolution of client connection details, droppers, and anything else. If you NEED to drop Cobalt or a similar framework for AD lateral movement, a customized .profile with your own sleep obfuscation is the best route. Thread stomps, sleep obf, etc. present in publicly available .profile configs are always going to be flagged by the latest EDR, especially good ones like CrowdStrike, Cortex, etc.

The real hard part regarding known frameworks like Cobalt, Havoc, etc. is going to be persistence. Getting a beacon is ez, especially with modern LOLBin sideloads, in-mem exec, thread pool abuse, etc. Once you start doing "cobalt" things with Cobalt, EDR will unsurprisingly catch on and sound a high-critical alarm letting SOC analysts know "hey this ish looks like cobalt". Again, your best bet is obfuscating C2 traffic and making sure your Cobalt .profile isn't preparing callbacks in any way close to how modern Cobalt beacons do.

FastFlux, DomainFlux, etc. are most robust if you can get non-blacklisted SSL certs. Be sure to check Chrome's blacklist in addition to just Spamhaus lists, since Google has been getting more and more strict with the certs they acknowledge vs. block and warn the user not to continue. Your payload passing MoTW isn't enough anymore in this new era of Google wearing a blindfold and waving around an automatic shotgun at tons of cert providers, pulling the trigger seemingly at random.

If you rely heavily on known C2 frameworks like Cobalt, Havoc, etc. to conduct post-access AD ops, I'd highly recommend working on a private "loader" with various initial recon "modules" that get you and your team to the EDR-blinding stage before dropping Cobalt or Havoc, so you don't even have to worry about it. Fortinet and some other EDR solutions are still vuln to hilariously simple "bypasses" like bring-your-own-installer (update client bypass), Nim, etc. Just make sure that once you deploy EDR-blinding techniques you have scripts ready to fire off the enumeration, elevation, and lateral movement attempts you plan on using, since the clock is ticking fast on blue team realizing the intrusion when you opt for such methods.

As long as you get admin on the domain controller faster than blue team's mitigation efforts, you should be victorious in most contexts, so human detection usually shouldn't matter if your post-EDR-blinding Cobalt/Havoc drop flow is fast and targeted.
The following 2 users like Bragi's post: ishtar666, p0l0v3r4