
C2 Matrix Eval Lab

Information about lab environment used to test C2s for the C2 Matrix


Last updated 5 years ago


This is the lab environment used to test C2s for the C2 Matrix:

pfSense with 3 interfaces:

  • WAN

  • Attackers - LAN Segment

  • Victims - LAN Segment

Windows Victim

On the Windows victim machine, you should run tools that allow you to understand how the payload and modules work. The easiest to use are Wireshark for network traffic and Sysmon for endpoint detection.

Wireshark

Choose the Ethernet adapter on the victim's LAN segment.

Filter: ip.addr == <attacker ip>

Sysmon

Download Sysmon and extract it to C:\tools\

On an elevated command prompt:

cd \tools
Sysmon64.exe -accepteula -i sysmonconfig-export.xml

Open Event Viewer and navigate down through: Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
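The same Sysmon Operational log can be queried from PowerShell instead of Event Viewer. The script below is an added example, not part of the C2 Matrix page: it lists Event ID 3 (NetworkConnect) events whose destination is the attacker IP and joins each one to its Event ID 1 (ProcessCreate) record, so the process, command line and parent behind a beacon can be matched against the Wireshark filter above. The `$AttackerIp` value is an assumed placeholder.

```powershell
# Added example, not part of the C2 Matrix page. Run in an elevated PowerShell
# prompt on the Windows victim after Sysmon has been installed.
$AttackerIp = '10.0.0.5'   # assumed placeholder: the attacker's LAN-segment IP
$MaxEvents  = 500          # how many recent events of each type to read
$Log        = 'Microsoft-Windows-Sysmon/Operational'

# Flatten a Sysmon event's EventData into a hashtable keyed by field name
# (Image, DestinationIp, ProcessGuid, CommandLine, ...).
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Event ID 3 (NetworkConnect): keep only connections whose destination is the attacker.
$connections = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 3 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonEvent $_ } |
    Where-Object { $_.DestinationIp -eq $AttackerIp }

# Event ID 1 (ProcessCreate), indexed by ProcessGuid so each connection can be
# tied to the command line and parent that launched the beaconing process.
$processes = @{}
Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 1 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object { $p = ConvertFrom-SysmonEvent $_; $processes[$p.ProcessGuid] = $p }

$report = foreach ($c in $connections) {
    $p      = $processes[$c.ProcessGuid]
    $cmd    = if ($p) { $p.CommandLine } else { '<no ProcessCreate event in window>' }
    $parent = if ($p) { $p.ParentImage } else { '' }
    [pscustomobject]@{
        Time        = $c.TimeCreated
        Image       = $c.Image
        Destination = "$($c.DestinationIp):$($c.DestinationPort)/$($c.Protocol)"
        CommandLine = $cmd
        Parent      = $parent
    }
}

if ($report) { $report | Sort-Object Time | Format-Table -AutoSize }
else { "No Sysmon network connections to $AttackerIp in the last $MaxEvents events." }
```

The SwiftOnSecurity configuration logs network connections selectively (include rules keyed on image and destination port), so a beacon that is absent here may still be visible in the Wireshark capture; compare the two views.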

Resources:

  • Download and run Wireshark to see traffic between the victim and the attacker: https://www.wireshark.org/

  • Download Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

  • Download and extract the SwiftOnSecurity Sysmon configuration into C:\tools: https://github.com/SwiftOnSecurity/sysmon-config

  • Additional reading: https://www.blackhillsinfosec.com/getting-started-with-sysmon/