Red Team C2 — Sliver, Mythic, Havoc
Modern command-and-control frameworks for authorised red-team ops.
A C2 framework gives an operator interactive control over compromised hosts. Cobalt Strike defined the category; the 2024–26 OSS landscape has matured to where Sliver, Mythic, and Havoc are credible alternatives — and detection vendors actively flag all of them. For broader exploitation see Exploitation Frameworks. For AD-specific post-ex see Active Directory Pentesting. For defender side see EDR / OSQuery and Detection (Sigma / YARA / ATT&CK).
Open-source C2 — modern reference picks
- ★ ★ Sliver (BishopFox) — Go; mTLS / WireGuard / HTTPS / DNS transports; per-implant dynamic compilation; Linux / macOS / Windows; multi-operator console + GUI clients. The mainstream FOSS Cobalt-Strike alternative 2024–26. Free.
- ★ Mythic (its-a-feature) — agnostic C2 platform; Docker-deployed; many community agents — Apollo (.NET), Athena (.NET), Poseidon (Go), Medusa (Python), Tetanus (Rust), Freyja (Go), Thanatos (Rust). Free.
- ★ Havoc (C5pider) — C++ / Qt; Cobalt-Strike-shaped UX; "Demon" agent; growing community; popular among learners and operators. Free.
- AdaptixC2 — newer open C2 (2024+); pluggable extender model.
- NimPlant (Cas van Cooten) — Nim implants; small footprint; learning-focused; C2 by similar.
- Empire / Starkiller (BC-Security fork) — PowerShell + Python framework; Starkiller is the web UI. Free; older but maintained.
- Covenant — .NET-based; less active 2024+.
- Merlin — Go; HTTP/2 C2; less active.
- PoshC2 — PowerShell; legacy but works.
- Manjaro Tactical / OST community editions.
Commercial C2 (paid)
- Cobalt Strike (Fortra) — ~$5,900/seat/yr; Beacon implant; Malleable C2 profiles; the long-time industry default. Heavily fingerprinted by EDR.
- Brute Ratel C4 (Chetan Nayak) — ~$2,500/yr; modern; EDR-evasion focused.
- Outflank Security Tooling (OST) — paid; curated red-team kits.
Implant / loader / payload helpers
- donut — generate position-independent shellcode from a .NET / EXE.
- PEzor / scarecrow / freeze — modern payload obfuscation; expect detection.
- inceptor — payload-builder.
- MalDev Academy / Maldev community — research toolkits.
- freeze.rs / donut-rs — Rust ports.
Profiles / OPSEC
- Malleable C2 profiles (Cobalt Strike / Sliver / Havoc) — disguise traffic shape.
- TLS cert / SNI matching, JA3/JA4 spoofing — see Network IDS (Suricata / Zeek) for the defender side.
- Domain fronting — mostly dead in 2024–26 (Cloudflare / Fastly / Azure all blocked it); CDN-based redirector chains still common.
- Redirector / decoy traffic — Apache mod_rewrite or nginx redirector + cdn.
AD-pivot integration (link)
- See Active Directory Pentesting — BloodHound CE, NetExec, Impacket, Rubeus.
- Most C2s expose .NET / BOF execution to run those tools in-implant.
Cloud-pivot integration (link)
- See Cloud Pentesting — Pacu / Cloudfox / AzureHound.
Engagement-tracking
- Ghostwriter (SpecterOps) — engagement project + reporting; pairs naturally; see Pentest Reporting.
- MITRE CALDERA — automated adversary emulation; not strictly a C2 but adjacent.
- PurpleSharp / Stratus Red Team — for purple-team validation; see Detection (Sigma / YARA / ATT&CK).
Realistic expectations 2026
- Cobalt Strike Beacon — heavily flagged; vendors detect even custom Malleable profiles. Operators move to in-memory loaders / Brute Ratel / Sliver.
- Sliver default config — also flagged; tweaks (HTTP profile, custom mTLS certs, packer) buy time.
- Modern EDR (CrowdStrike / SentinelOne / Defender) — detect injection, AMSI, ETW patches, beacon traffic shape; expect detection unless you tune carefully.
- OSS C2 + custom tradecraft outperforms "stock Cobalt Strike from a torrent."
Legality / OPSEC reminders
- ★ Get a signed Statement of Work / RoE before touching anything.
- Whitelist your C2 IPs / domains with the customer.
- Don't run public bug-bounty C2 ops — always against an engagement.
- Some C2s (Cobalt Strike Beacon, Brute Ratel) are flagged by AV / IDS just by config presence — be ready.
Pick this if…
- Default OSS modern C2 2026: Sliver.
- Need many language agents / extreme flexibility: Mythic.
- Cobalt-Strike-like UX, FOSS: Havoc.
- Mature paid red-team program: Cobalt Strike or Brute Ratel.
- PowerShell-native legacy: Empire / Starkiller.
- Validate detections: Stratus Red Team / Atomic Red Team / CALDERA.
- Engagement project tracking: Ghostwriter.