Cover Image for Operating C2 for Red Team Operations: Pivoting & Beacon Object Files
Cover Image for Operating C2 for Red Team Operations: Pivoting & Beacon Object Files
Avatar for TryHackMe
Presented by
TryHackMe
5 Going

Operating C2 for Red Team Operations: Pivoting & Beacon Object Files

Google Meet
Get Tickets
Ticket Price
$150.00
Welcome! To join the event, please get your ticket below.
About Event

Who this workshop is for

  • Security practitioners who want hands-on time driving a C2, not another tool demo

  • Pentesters and red teamers who want a structured grounding in C2 tradecraft and the OPSEC thinking behind it

  • Blue teamers, detection engineers, and defenders who want to see how operators move, so they can catch them

No prior C2 experience needed. We start from standing up the server and build up to live pivoting, so beginners and experienced operators both have room to work.

What's included

  • Live, hands-on sessions in a dedicated lab range, where you operate a real C2

  • Live hands-on throughout: land your first agent, then pivot deeper across the range

  • Certificate of participation with CEP Credits

  • Recording included: a full session recording for everyone who registers

  • A dedicated detection walkthrough: how the blue team catches what you ran

  • Closing Q&A with the instructors on screen

  • A place in a focused, small cohort working the same range together


Red teams are expected to emulate real adversaries. But operating a C2 framework end-to-end, standing up the server, landing your first agent, keeping your footprint small, and pivoting deeper, is a skill set most practitioners never get structured time to build.

Spraying tools across a network isn't tradecraft. Modern defenders see noisy operators coming.

Sleep and jitter. In-process execution. Beacon Object Files. SOCKS pivoting. These aren't advanced extras. They're the everyday mechanics of operating with OPSEC in mind. And for most people, the only place to pick them up is mid-engagement, where there's no room to experiment.

Not because people don't care. Because a realistic, safe range time is hard to come by.

This workshop closes that gap.

In one focused session, you'll stand up an open-source C2, drive it through the full kill chain (foothold, post-ex, BOFs, pivot), and learn to think about OPSEC at every step, the way an operator does on a live engagement.

What makes this workshop different

  • It's built around live operation in a lab range, not a slide deck and a Q&A

  • You run the full chain yourself (first agent, post-ex comms, BOF execution, lateral movement), the way a real op unfolds

  • A dedicated detection segment shows how the blue team catches what you ran, so you leave understanding both sides of the engagement

What you'll learn

A focused, hands-on grounding in how red teams operate command and control, and the OPSEC thinking that separates good ops from noisy ones.

The foundations of C2

  • What C2 is, why red teams rely on it, and the core architecture: team server, listeners, redirectors

  • How to stand up an open-source C2 and generate, then deploy, an agent into the range

  • How to land your first agent and run clean post-exploitation comms

How to operate with OPSEC in mind

  • How sleep, jitter, and timing shape an agent's traffic and reduce noise

  • Why in-process execution beats spawning new processes for OPSEC

  • What Beacon Object Files are, how to load and run pre-built BOFs, and where they sit in a post-ex workflow

How to move through the network

  • How to use a single foothold to reach internal hosts

  • SOCKS proxying and port forwarding to work across network segments

  • How to move laterally through the range the way an operator does, and how each move looks to a defender

🗓 Workshop Agenda (14:00 – 18:00)

  • 14:00–14:15 | 15m | Setup & Ground Rules: objectives, lab access, rules of engagement and scope

  • 14:15–15:00 | 45m | C2 Fundamentals & Server Setup: what C2 is and why; team server, listeners, redirectors; generating and deploying your first agent into the range

  • 15:00–15:10 | 10m | Checkpoint: Everyone Lands an Agent: a sync point so the whole room has a live agent before going deeper

  • 15:10–15:55 | 45m | Agent Operation & OPSEC: post-ex comms, sleep/jitter, and the operator's decision loop, what each action costs and the quieter alternative

  • 15:55–16:10 | 15m | Break

  • 16:10–16:50 | 40m | Beacon Object Files & In-Process Execution: what BOFs are, why in-process beats spawning a process, loading and running pre-built BOFs

  • 16:50–17:35 | 45m | Pivoting & Lateral Movement: foothold to internal hosts, SOCKS proxying and port forwarding, moving across segments

  • 17:35–18:00 | 25m | Detection, Hardening & Wrap-up: how the blue team catches each step, defensive takeaways, Q&A, teardown

Learn directly from operators who run this work

  • Ariz Soriano, Senior Content Engineer at TryHackMe

A cohort, not just a course

You're not watching from the back row of a webinar. Everyone works the same lab range, so you can compare approaches, talk through OPSEC calls, and see how other practitioners handle the same foothold.

The format is intentional: you'll work in groups of three throughout the session, operating alongside other practitioners and getting unstuck quickly when an agent doesn't land or a pivot won't hold.

Avatar for TryHackMe
Presented by
TryHackMe
5 Going