Glossary

Glossary of the most commonly used terms in C3.

• Relays - stand-alone pieces of C3 Networks. They communicate using Interfaces. There are two types of Relays: Gate Relays (or Gateways) and Node Relays.
• Gateway - a special Relay that controls one C3 Network. A C3 Network cannot operate without an operational Gateway. The Gateway is the bridge back to the attacker’s infrastructure from Node Relays. It's also responsible for communicating back to a third-party C2 server (such as Cobalt Strike’s Teamserver). Gateways should always be hosted within attacker-controlled infrastructure.
• Node Relay - an executable to be launched on a compromised host. Node Relays communicate through Devices either between one another or back to the Gateway.
• Interface - a high level name given to anything that facilitates the sending and receiving of data within a C3 network. They are always connected to some Relay and their purpose is to extend Relay's capability. Currently there are three types of Interfaces: Channels, Peripherals and Connectors.
• Devices - common name for Channels and Peripherals. This abstraction is created to generalize Interfaces that able to be used on Node Relays.
• Channel - an Interface used to transport data between two Relays. Channels works in pairs and do not support the one-to-many transmission (see Negotiation Channels).
• Negotiation Channel - a special Channel capable of establishing regular Channel connections with multiple Relays. The negotiation process is fully automatic. Negotiation Channels support only negotiation protocol and cannot be used in any other transmission.
• Gateway Return Channel (GRC) - the configured Channel that a Relay will use to send data back to the Gateway. GRC may be a route through another Relay. The first Channel (initial) on a Node Relay is automatically set as GRC for that Node Relay.
• Peripherals - a third-party implant of a command and control framework. Peripherals talk to their native controllers via a Controller. For example, Cobalt Strike’s SMB beacon.
• Connectors - an integration with a third-party command and control framework. For instance the ‘External C2’ interface exposed by Cobalt Strike’s Teamserver through the externalc2_start command.
• Binders - common name for Peripherals and Connectors.
• Device ID - a dynamic ID that uniquely addresses one Device on a Relay.
• Agent ID - a dynamic ID that uniquely addresses a Node Relay. Node Relay instantiated from the same executable will have different Agent IDs.
• Build ID - a static ID that is built into every Relay. Stays unchanged over reboots. Can be used to to block compromised Node Relays.
• Route ID - a pair of an Agent ID and a Device ID. Used to describe one "path" to a Node Relay (Node Relays might be reachable via many Routes).
• Routes - a "path" to a Node Relay. Every Relay keeps a table of all of their child Relays (and grandchildren, grand-grandchildren, and so on) along with Channel Device IDs used to reach that particular Relay (see Route ID). When a packet from the Gateway arrives to a Node Relay, routing table is used to choose appropriate Channel to send the packet through to the recipient.
• Update Delay Jitter - delay between successive updates of an Interface (in case of Channels - calls to OnReceiveFromChannel method). Can be set to be randomized in provided range of time values.