C2 Matrix Eval Lab

Information about lab environment used to test C2s for the C2 Matrix

This is the lab environment used to test C2s for the C2 Matrix:
pfSense with 3 interfaces:
WAN
Attackers - LAN Segment
Victims - LAN Segment
Windows Victim
On the Windows victim machine, you should run tools that allow you to understand how the payload and modules work. The easiest to use are Wireshark for network traffic and Sysmon for endpoint detection.
Wireshark
Download and run Wireshark to see traffic between victim and attacker: https://www.wireshark.org/​
Choose the Ethernet adapter on the victim's LAN segment.
Filter: ip.addr == <attacker ip>
Sysmon
Download Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon​
Extract it to C:\tools\
Download and extract SwiftOnSecurity sysmon configuration into C:\tools https://github.com/SwiftOnSecurity/sysmon-config​
On an elevated command prompt:
cd \tools
Sysmon64.exe -accepteula -i sysmonconfig-export.xml
Open Event Viewer and navigate down through: Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
Additional reading: https://www.blackhillsinfosec.com/getting-started-with-sysmon/​
​
​

Contribute

Next - Lab Infrastructure

Basic Lab

Last modified 3yr ago