How to Build Custom Red Team Testing Tools in C++
For red team practitioners looking to enhance their skills, or software developers interested in learning more about how Command and Control (C2) frameworks function, Security Compass Senior Security Consultant Steven Patterson has released a free eBook. Titled Building C2 Implants in C++: A Primer, the book explains in detail how to design a custom C2 framework from the ground up. With clear explanations and well-commented code, Steven makes creating C2 implants in C++ accessible to anyone with an understanding of software development.
How does it benefit a red team to have custom C2 implants and what are the distinct benefits of C++? In this video interview, I spoke with Steven about these questions and what led him to create this timely and helpful resource. You can listen in below.
Patterson began his career as a game designer. After working on a cybersecurity-themed game, the experience got him interested in the subject matter. He spent a year learning and doing independent research, including publishing articles about Windows exploit development and fuzzing on his website shogunlab.com, before coming to work as a consultant with Security Compass. It was a natural fit for the next stage of his career: working for a security company that values passion, curiosity, independent research, and community contribution.
Patterson became interested in C++ after hearing a talk by Josh Lospinoso entitled “C++ for Hackers.” His interests in C++ and command and control tools began to merge, as he decided that command and control tools would be a good practical project for improving his skills in the language. As he continued to study, he noticed a lack of resources about C2 implants in C++. Instead of getting frustrated, he decided to fix the issue.
“It was primarily because I saw that gap,” said Patterson, “and the fact that a lot of the implants were being written in languages like PowerShell or C#. There were relatively few written in C++, so I wanted to contribute something that would help others in that area, and also try to make that material a little more accessible as well.”
Why should security professionals read Patterson’s book and learn to build implants in C++? Patterson outlines several reasons. C++ is a practical language for writing Windows implants, since it can interface directly with the Windows API. A custom C2 framework that uses C++ implants is often stealthier, since current antivirus and endpoint detection and response products already carry signatures for existing frameworks like Cobalt Strike and Covenant. AV and EDR platforms also have more visibility into PowerShell or C# code than into C++. Reverse engineering the executables of implants written in C++ also often proves more difficult than reversing PowerShell or C#.
Patterson has continued his research and plans to expand on his eBook in the future. He has been researching the more sophisticated aspects of modern C2 infrastructure, including the techniques it uses for evasion, anti-reverse-engineering, obfuscation, and encryption. He plans to write a second part that delves more deeply into the advanced aspects of writing a C2 framework.
I hope you’ll watch the interview to hear Steven Patterson talk more about his career, his research, and his book. You can read Building C2 Implants in C++: A Primer here.
After watching the interview, you may have questions about our development of red team tools, such as command and control (C2) implants, how vulnerable your business may be to attacks, or about how red teaming can help fortify your defenses. Our security community involvement, experience with emerging technologies, and collaborative approach distinguish us in the security world. Contact us, and see for yourself how Security Compass can be your trusted partner to secure your business.