Building a Red Team Lab: Infrastructure, VMs, and C2 Setup

Objective: Understand how to design, build, and operate a self-contained red team lab — hypervisor and VM selection, network segmentation, C2 framework deployment, redirector architecture, and OPSEC discipline — so authorized operators get a reproducible practice environment and defenders learn what adversary infrastructure looks like from the inside.

1. Lab Philosophy and Legal Guardrails

A red team lab exists for one reason: to test tradecraft against telemetry without touching production. Everything in this tutorial is for authorized testing inside an isolated environment you own. Never point lab C2 at systems outside your scope.

A dedicated lab gives you two things production cannot. First, repeatability — snapshot, detonate, revert, repeat. Second, observability — you run the blue stack and the red stack side by side and watch every event a real implant generates.

Two build models exist:

Air-gapped lab — host-only virtual networks with no internet. Safest for malware detonation and EDR-bypass study.
Cloud-backed lab — VPS-hosted team servers and redirectors for testing real callbacks, domain categorization, and redirector chains.

Most learners start air-gapped and graduate to a hybrid with a single controlled egress gateway.

2. Hardware and Hypervisor Selection

A workable lab runs on a single workstation. The constraint is RAM, because a Domain Controller, a Windows endpoint, a Linux target, and a SIEM run concurrently.

Component	Recommendation
Host RAM	16 GB minimum, 32 GB+ for full AD + SIEM
Storage	100 GB SSD minimum, 256 GB+ for multi-VM snapshots
CPU	Quad-core with virtualization extensions (VT-x/AMD-V)

Choose a Type-2 hypervisor:

Feature	VMware Workstation Pro	VirtualBox
Nested virtualization	Reliable	Limited
Advanced networking	LAN Segments	Internal Network
Snapshot fidelity	High	Adequate
Cost	Commercial	Free

VMware Workstation Pro / Fusion is preferred for nested virtualization and snapshot fidelity; VirtualBox is the free alternative with less reliable advanced networking.

Snapshot discipline is non-negotiable. Snapshot before each phase — a clean pre-exploitation baseline, a post-compromise state, a post-persistence state — so you can replay a scenario without rebuilding.

3. Network Architecture Design

Segment the lab into tiers so the attacker subnet, target subnet, and monitoring subnet cannot freely route to one another. This mirrors real network boundaries and forces realistic lateral movement.

Networking Mode	Behavior	Lab Use
Host-Only	Isolated subnet, no internet	Default for all tiers
NAT	VMs share the host IP outbound	Controlled egress only
LAN Segment / Internal	Inter-VM only, no host	Target-to-target traffic
Bridged	VM joins physical LAN	Avoid (leaks to real network)

Build three host-only segments: attacker, target, monitoring. A dedicated “egress” VM with dual NICs (one host-only, one NAT) acts as the only controlled gateway when you must test real C2 callbacks. The monitoring tier should receive logs one-way and remain unreachable from the attacker subnet.

Diagram showing three isolated host-only network tiers — attacker, target, and monitoring — connected through a dual-NIC egress VM acting as the sole gateway to the internet — Three-tier segmentation forces realistic lateral movement and keeps the monitoring subnet unreachable from the attacker tier.

4. Building the Target Network

The target network simulates a small enterprise: a Domain Controller, a domain-joined Windows endpoint, and a Linux host.

VM Role	OS	Purpose
Domain Controller	Windows Server 2019/2022	AD DS, DNS, DHCP
Windows Target	Windows 10/11 (domain-joined)	Implant testing
Linux Target	Ubuntu / CentOS	Cross-platform implants

Promote the DC with AD DS, configure DNS, then join endpoints to the domain. The following script joins a Windows target, points DNS at the DC, and enables WinRM for management.

# Domain join + WinRM enablement for a lab Windows target
$DC = "192.168.56.10"     # Domain Controller IP
$Domain = "lab.local"

# Point DNS at the DC so domain resolution works
Set-DnsClientServerAddress -InterfaceAlias "Ethernet0" -ServerAddresses $DC

# Enable remote management for lab orchestration
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $DC -Force

# Join the domain (prompts for credentials, then reboot)
Add-Computer -DomainName $Domain -Restart

5. Deploying the Blue Team Monitoring Stack

The monitoring tier is what turns a playground into a detection lab. Deploy Wazuh or Security Onion as the SIEM/IDS, then instrument every Windows VM with Sysmon using a community config such as SwiftOnSecurity or Olaf Hartong’s sysmon-modular.

VM Role	OS	Purpose
Blue Team / SIEM	Security Onion / Wazuh	Log aggregation, IDS, alerting

Forward all Windows and Sysmon channels to the SIEM, enable real-time alerting, and leave Windows Defender enabled on targets so you can observe EDR behavior against your implants. Add Zeek for network metadata — its conn.log is invaluable for spotting beaconing.

6. C2 Framework Selection and Trade-offs

A C2 framework is the infrastructure used to control compromised systems remotely. It has three parts: a C2 server (backend), a C2 client (operator interface), and a C2 agent / implant (payload on the target).

Framework	License	Notes
Sliver	Open-source (Bishop Fox)	mTLS, HTTP/S, DNS, WireGuard transports; go-to Cobalt Strike alternative
Havoc	Open-source	Real-time client UI via API; Cobalt-Strike-like feel
Mythic	Open-source	Docker-based, web UI, pluggable C2 profiles and agents
Metasploit	Open-source	`msfconsole`, `multi/handler`; good for catching payloads, weak for long-haul
Cobalt Strike	Commercial (~$3,540/user/yr)	Malleable C2, Beacon, Aggressor Script; awareness only

Core architecture primitives apply across all of them:

Term	Definition
Team Server	Persistent backend; never directly internet-facing
Implant / Beacon / Agent	Payload on the target that calls back
Redirector	Disposable proxy in front of the team server; assumed to be burned
Listener	Server-side handler waiting for callbacks (e.g., HTTPS/443)
Malleable Profile	Config shaping HTTP/S traffic to mimic legitimate requests
Sleep / Jitter	Callback interval plus randomness; breaks beacon regularity

This tutorial uses Sliver as the primary example because it is free, modern, and well-documented at sliver.sh/docs.

7. Deploying Sliver C2

Install the server on a dedicated Ubuntu 22.04 host on the attacker tier. The team server should never be exposed directly — a redirector sits in front of it (Section 8).

# Install Sliver server (run on the dedicated C2 VM)
curl https://sliver.sh/install | sudo bash

# Run as a service so it survives reboots
sudo systemctl enable --now sliver

# Drop into the server console
sliver-server

Inside the console, start an HTTPS listener and generate a Windows x64 beacon. --skip-symbols speeds up builds in a lab; flags change between releases, so verify against the official docs.

# Start an HTTPS listener bound to the redirector-facing interface
https --lhost 192.168.56.20 --lport 443

# Generate a Windows x64 HTTPS beacon
generate beacon --http 192.168.56.20 --os windows --arch amd64 --skip-symbols

# After the implant calls back:
sessions                 # list active sessions
use <session_id>         # interact with a session

The HTTP/S transport is shaped via /root/.sliver/configs/http-c2.json, which controls URIs, headers, and polling behavior. The default mTLS transport listens on 8888.

8. Redirector Architecture

A redirector is a disposable proxy that fronts the team server. Implants talk only to the redirector; if blue team burns its IP, you rebuild it and the long-term server stays hidden.

Implant → Redirector (Nginx/Apache/socat) → C2 Team Server

The redirector filters traffic: requests matching your implant’s expected path and user-agent are forwarded to the team server; everything else is dropped or returned as a benign error or redirected to a legitimate site.

# Nginx redirector: forward only matching C2 traffic, 404 everything else
server {
    listen 443 ssl;
    server_name cdn.example-lab.local;

    location /api/v2/updates {
        # Only forward requests carrying the expected implant User-Agent
        if ($http_user_agent != "Mozilla/5.0 (Windows NT 10.0; Win64; x64)") {
            return 404;
        }
        proxy_pass https://192.168.56.30:443;   # team server (internal)
        proxy_ssl_verify off;
    }

    # Anything else gets a flat 404 — no team server exposure
    location / {
        return 404;
    }
}

For HTTPS redirectors use Apache, Nginx, or Caddy; for DNS redirectors use socat or iptables. In advanced cloud setups, CDN fronting via CloudFront, Azure CDN, or Cloudflare blends C2 with legitimate traffic. Do not deploy domain-fronting or malleable-profile code from a tutorial — reference framework docs.

Flow diagram showing an implant beaconing to a disposable redirector that filters traffic by path and user-agent, forwarding matched requests to the hidden team server and dropping or redirecting unmatched traffic to a decoy site — Redirectors act as disposable proxies so burning an IP never exposes the long-lived team server.

9. OPSEC and Infrastructure Hygiene

Your infrastructure is your OPSEC. A flat setup is a single point of failure that burns the whole operation.

Never connect the operator machine directly to the team server. Tunnel through a VPN overlay (WireGuard, Tailscale/Headscale) or a jump box.
Separate infrastructure for phishing, payload hosting, and C2 — three servers, three redirectors.
Use aged, categorized domains registered 30+ days prior with a benign-looking category.
Rotate redirector IPs and never reuse burned infrastructure.
Geofence access via Cloudflare so only the client’s country can reach C2 and campaign domains, blocking external threat-intel scanners.

A minimal operator WireGuard client routes only team-server traffic through the jump box:

# wg0.conf — operator client tunneling to the jump box
[Interface]
PrivateKey = <operator_private_key>
Address    = 10.10.10.2/32

[Peer]
PublicKey  = <jumpbox_public_key>
Endpoint   = jump.example-lab.local:51820
AllowedIPs = 10.10.10.0/24      # only the team-server subnet
PersistentKeepalive = 25

Relevant transports and ports:

Protocol	Port	C2 Use
HTTPS	443	Primary beacon transport
HTTP	80	Fallback / staging
DNS	53	Low-and-slow tunneling
SMB Named Pipe	IPC$	Lateral movement pivots
WireGuard	51820	Operator VPN overlay
mTLS	8888	Sliver default implant transport

Graph diagram showing an operator machine routing through a WireGuard jump box to three separate infrastructure components — C2 server, phishing server, and payload hosting — each isolated from one another — Separating C2, phishing, and payload infrastructure ensures a single burned server cannot compromise the entire operation.

10. Infrastructure-as-Code with Terraform

Terraform declares lab state in configuration, so a burned redirector is rebuilt in minutes. The example provisions a team server and a redirector, then bootstraps the server with remote-exec.

resource "digitalocean_droplet" "c2_server" {
  name   = "c2-teamserver"
  region = "nyc3"
  size   = "s-2vcpu-4gb"
  image  = "ubuntu-22-04-x64"

  provisioner "remote-exec" {
    inline = ["curl https://sliver.sh/install | sudo bash"]
  }
}

resource "digitalocean_droplet" "redirector" {
  name   = "c2-redirector"
  region = "nyc3"
  size   = "s-1vcpu-1gb"
  image  = "ubuntu-22-04-x64"
}

output "c2_ip"        { value = digitalocean_droplet.c2_server.ipv4_address }
output "redirector_ip"{ value = digitalocean_droplet.redirector.ipv4_address }

terraform apply builds the stack and emits IPs; terraform destroy tears it down. Teardown-and-rebuild cycles keep infrastructure disposable.

11. Common Attacker Techniques

These are the primitives a lab is built to study and detect.

Technique	Description
HTTPS beaconing	Implant polls a redirector over 443 to blend with web traffic
DNS tunneling	Encodes C2 in DNS queries for low-and-slow egress
Redirector chaining	Disposable proxies hide the long-term team server
Domain fronting	CDN obfuscation routes C2 through trusted domains
Malleable profiles	Shape headers/URIs/jitter to mimic legitimate apps
SMB named-pipe C2	Internal pivots over `IPC$` for lateral movement
Ingress tool transfer	Implant downloads additional tooling to the target

12. Defensive Strategies and Detection

Run the same lab as blue team to build detections. Sysmon plus a tuned config surfaces nearly every C2 stage.

Event ID	Name	C2 Relevance
`1`	Process Creation	Implant execution; check `ParentImage`, `CommandLine`, `Hashes`
`3`	Network Connection	Connections to C2; `DestinationIp`, `DestinationPort`, `Image`
`7`	Image Loaded	DLL loads by implant; `Signed`, `Signature`
`8`	CreateRemoteThread	Injection; `SourceImage` → `TargetImage`
`11`	FileCreate	Stager writes payload to disk
`22`	DNSEvent	Beaconing via unusual or excessive `QueryName`
`23`	FileDelete	Implant self-deletes after staging

Tune Sysmon to capture outbound connections from non-browser processes and DNS queries from shells:

<RuleGroup name="C2 Network" groupRelation="or">
  <NetworkConnect onmatch="include">
    <DestinationPort condition="is">443</DestinationPort>
    <DestinationPort condition="is">53</DestinationPort>
  </NetworkConnect>
  <DnsQuery onmatch="include">
    <Image condition="end with">powershell.exe</Image>
    <Image condition="end with">cmd.exe</Image>
  </DnsQuery>
</RuleGroup>

A Sigma rule for beacon-like connections keys on Sysmon EventID 3, common C2 ports, and an allowlist of browsers. Correlate hits with short, regular intervals to catch low-jitter beacons.

title: Non-Browser Outbound to Common C2 Ports
logsource:
  product: windows
  service: sysmon
  category: network_connection
detection:
  selection:
    EventID: 3
    DestinationPort:
      - 443
      - 80
      - 53
    Initiated: 'true'
  filter_browsers:
    Image|contains:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
  condition: selection and not filter_browsers
fields:
  - Image
  - DestinationIp
  - DestinationPort
  - DestinationHostname
level: high

Layer behavioral analytics on top:

Jitter analysis — alert on outbound HTTPS at regular intervals (e.g., 60 ± 5 s); Zeek conn.log excels at long-duration, low-byte sessions.
Named-pipe anomalies — Cobalt Strike’s default msagent_* pipe names appear in Sysmon EID 17/18.
Anomalous parent-child chains — Word.exe → cmd.exe → powershell.exe is a classic phishing chain.
User-agent mismatch — svchost.exe issuing a Chrome user-agent is anomalous.

Enable Command Line Auditing via GPO (Audit Process Creation → include command line, EID 4688) and forward Microsoft-Windows-PowerShell/Operational (EID 4104) script-block logs to the SIEM. Keep the monitoring tier one-way and unreachable from the attacker subnet.

MITRE ATT&CK Mapping

Technique	MITRE ID	Detection
Command and Control (tactic)	`TA0011`	Beacon traffic correlation across SIEM
Application Layer Protocol	`T1071`	Sysmon `EID 3`, Zeek `conn.log`
Web Protocols	`T1071.001`	Non-browser HTTPS to rare destinations
DNS	`T1071.004`	Sysmon `EID 22`, DNS-Client ETW
Proxy / External Proxy	`T1090` / `T1090.002`	Redirector IP reputation, JA3 anomalies
Domain Fronting	`T1090.004`	TLS SNI vs. Host header mismatch
Protocol Tunneling	`T1572`	mTLS/DoH volume anomalies
Ingress Tool Transfer	`T1105`	Sysmon `EID 11`, download-and-exec
Acquire Infrastructure: VPS / Domains	`T1583.003` / `T1583.001`	Newly registered / uncategorized domains
Remote Access Software	`T1219`	RMM tools acting as C2

13. Tools for Red Team Lab Analysis

Tool	Description	Link
Sliver	Open-source C2 server, client, implants	sliver.sh
Wazuh	SIEM + EDR agent for the blue tier	wazuh.com
Security Onion	IDS + log management distro	securityonionsolutions.com
Sysmon	Endpoint telemetry (process/network/DNS)	microsoft.com
Zeek	Network metadata and beacon hunting	zeek.org
Terraform	Infrastructure-as-code provisioning	terraform.io
WireGuard	Operator VPN overlay	wireguard.com
Nginx	Redirector reverse proxy	nginx.org

Summary

A red team lab is a closed, segmented environment where authorized operators rehearse C2 tradecraft while the blue stack records every event it generates.
Tiered host-only networks, snapshot discipline, and a Type-2 hypervisor make scenarios isolated and repeatable.
A team server must never be internet-facing; disposable redirectors front it and are rebuilt with infrastructure-as-code when burned.
OPSEC is architecture — operator VPN overlays, separated phishing/C2/payload infrastructure, aged domains, and rotated IPs keep operations deniable.
Detect C2 with Sysmon EID 3/22, jitter and named-pipe analysis, and Sigma rules, mapping every primitive back to MITRE TA0011.

Archive