The Ecology of Command and Control - A Theological and Tactical Survey of Proprietary C2s, Part I
⚠️ Ethical & Legal Disclaimer: Wisdom Governs Knowledge
⚠️ The infrastructure, code, and methodologies described in this blog are designed solely for lawful, educational, and ethical purposes. This series is intended to help red team professionals, security researchers, and students build controlled environments for testing, training, and strengthening defensive postures.
As those made in the image of God and called to walk in integrity, we affirm that knowledge must be governed by wisdom. The Apostle Paul reminds us, “All things are lawful, but not all things are helpful” (1 Cor. 10:23). Accordingly, these tools are not to be used for harm, unauthorized access, or malicious activity of any kind.
Let it be clear: this work is to be conducted with a clear conscience before both God and man (Acts 24:16). Those who weaponize such knowledge outside the bounds of legality and virtue not only violate human law, but grieve the moral law of the Creator Himself.
“Whatever you do, in word or deed, do everything in the name of the Lord Jesus…”
— Colossians 3:17
Part I — Proprietary C2s: The Established Order
“For God is not a God of confusion but of peace, as in all the churches of the saints.”
— 1 Corinthians 14:33
Representative tools: Cobalt Strike (Forta), Outflank C2 (formerly Stage 1), Brute Ratel, and others.
The Centralized Command: The Burden of Institution
Proprietary Command-and-Control (C2) frameworks represent the institutional church of the red team world. They offer mature, centralized platforms that provide professional ecosystems essential for large-scale, coordinated operations.
However, because these “Cathedrals” are so large and visible, every EDR vendor in the world has spent a decade building “telescopes” specifically to find them. This has forced Proprietary C2s to move beyond simple obfuscation and into Architectural Gaslighting—the art of using the Operating System’s own logic to hide a malicious heart behind a perfectly “righteous” appearance.
Customization and the EDR Bypass: Law vs. Grace
In the tactical realm, a “signature” is the Law. It is a fixed, uncompromising standard. If an artifact matches the signature, it is condemned. Proprietary C2s combat the rigidity of the Law through malleability—a technical analog to Grace, allowing the operator to move freely by appearing to transcend the standard rules of detection.
1. Malleable C2: The Art of Contextualization
Cobalt Strike’s Malleable C2 profiles allow an operator to redefine the network indicators of a Beacon. By modifying HTTP headers, URIs, and response bodies, the operator ensures the traffic mimics legitimate services like Amazon or Windows Update.
- Theological Parallel: This is the practice of contextualization. Just as the Apostle Paul became “all things to all people” (1 Cor. 9:22) to gain an audience, the C2 agent becomes “all things to the firewall” to maintain its presence.
2. The Emergence of Tool Diversity
Because Cobalt Strike became the “canonical text” for Red Teams, it also became the primary target for Defenders. This has created a tactical necessity for tool diversity.
- Helping Red Teams: Switching to a tool like Outflank Stage 1 is like moving where the Law has no power; its memory footprint and behavior haven’t been “codified” into defensive signatures yet.
- The Hindrance: This proliferation creates “Tool Fatigue.” An operator must now be a steward of multiple “dialects,” mastering five different C2 frameworks to stay effective.
Deep Tradecraft: Subverting the Source of Truth
In modern tradecraft, the “Law” (EDR) relies on three primary sources of truth: Hooks, Call Stacks, and Memory Scans. To move in Grace, the operator must subvert all three.
1. Indirect Syscalls: Circumventing the Pharisaic Hooks
Modern EDRs function as “gatekeepers,” placing JMP instructions (hooks) at the start of critical functions in ntdll.dll. When a C2 agent tries to allocate memory, the EDR intercepts the call.
Proprietary C2s use Indirect Syscalls to bypass this. Instead of calling the hooked function, the agent:
- Manually moves the System Service Number (SSN) into the
EAXregister. - Searches
ntdll.dllfor a legitimatesyscallinstruction already present in memory. - Jumps to that instruction directly.
- The Result: The EDR’s hook is never triggered. The Kernel receives a valid request, and to any observer, it looks like
ntdll.dllinitiated the request.
2. Call Stack Spoofing: Forging the Ancestry
Even if an agent stays hidden, an EDR can perform a Thread Call Stack analysis. If the stack shows that a system call originated from “Unbacked Memory” (memory not tied to a legitimate file on disk), the agent is exposed.
Proprietary tools now implement Call Stack Spoofing. They synthetically “push” legitimate-looking return addresses onto the stack before making a call.
- The Deception: When the EDR inspects the thread, it sees a perfectly normal chain of calls (e.g.,
BaseThreadInitThunk -> RtlUserThreadStart -> tpHost.dll). The malicious origin is surgically removed from the historical record.
3. Sleep Masking & Memory Obfuscation
When a Beacon sleeps, it is most vulnerable to Memory Scanners (like YARA) looking for “original sin”—default strings in the heap.
Proprietary tools use Sleep Masking. Before dormant periods, the agent XOR-encrypts its own memory space. The cleverest tools avoid the standard Sleep() function—a massive red flag—and instead use Waitable Timers or APCs (Asynchronous Procedure Calls) to wake themselves up, blending in with the background noise of the CPU.
1
2
3
4
5
6
7
// The "Hiddenness" Loop: Masking the Beacon in memory
// "In the world, but not of it."
void mask_beacon(BYTE* beacon_base, size_t size, BYTE key) {
for (size_t i = 0; i < size; i++) {
beacon_base[i] ^= key; // XORing the memory to evade scanners
}
}
The Blue Team Response: A Ministry of Discernment
Defenders are moving from looking at what a file is to how it behaves. They are no longer merely checking “IDs” at the gate; they are performing Digital Exegesis—interpreting the deeper meaning of Operating System telemetry to find the hidden hand of the operator.
- ETW-Ti (The Internal Witness): Modern Blue Teams rely on Event Tracing for Windows (Threat Intelligence). This is a special telemetry stream provided by the Microsoft Kernel that provides visibility below the hooks. It allows defenders to see the actual syscalls being made, even if they are using the “indirect” methods discussed above.
- The Telemetry Soup Paradox: Defenders are drowning in information. Every process creation, network connection, and memory adjustment is logged. The challenge is Signal-to-Noise. Discernment is required to distinguish between a legitimate administrator using a tool like
msiexec.exeand a Red Teamer using it as a living-off-the-land bin (LoLBins) to execute a payload.
“For the tree is known by its fruit.”
— Matthew 12:33
If an agent is disguised as a Windows Update service but is seen making an NtOpenProcess call against lsass.exe (the “fruit”), the Blue Team discerns its true nature regardless of its “holy” appearance.
The Theological Frame: Stewardship and the Sovereignty of Skill
This high-level architectural chess match is the ultimate test of Stewardship.
“To whom much is given, much will be required.”
— Luke 12:48
- The Sovereignty of Skill: We recognize that God has given us the intellect to find these paths. Using a “clever” bypass—understanding the stack, the registers, and the kernel—is an act of subduing the digital earth. We find order and opportunity within the complex systems created by man.
- Integrity in the Shadows: The more “weird” and undetectable your tool is, the more accountable you are for its use. When the EDR cannot see you, and the client’s logs remain silent, your only guide is your Integrity before the Creator. Stealth is a gift to be used for the hardening of the brethren, not for the pride of the operator.
Summary of Part I
Proprietary C2s represent the “Established Order.” They are the heavy hitters of the industry, pushing the boundaries of what it means to be “hidden.” They have forced the defensive community to move away from lazy signatures and toward a deeper, more rigorous Ministry of Discernment. But as their institutional visibility grows, so does the weight of the armor they must carry to remain invisible.
Looking Ahead: The Great Reformation
While the Established Order of proprietary C2s continues to innovate within the high walls of commercial development, a radical shift is occurring in the wilderness. In Part II, we will step away from the centralized institutions and explore the Reformation of Open-Source C2s. We’ll discuss how the fragmentation of tools like Mythic, Havoc, and Sliver has democratized offensive power and forced defenders to contend with a decentralized threat that no longer follows a single canonical law.
AthanasiusXOR
Contra Mundum. Code Obscurum.