RESEARCH: Top 5 most popular Command and Control (C2) frameworks used by Threat Actors in 2024

Command and Control (C2) frameworks are critical tools used by both threat actors and cybersecurity professionals for managing compromised systems, conducting post-exploitation activities, and simulating adversary behavior. Understanding the most popular C2 frameworks is essential for developing effective defense mechanisms and improving cybersecurity resilience.

This research delves into the functionalities, tactics, techniques, and procedures (TTPs), and usage trends of the top 5 C2 frameworks in 2024. The frameworks analyzed include Cobalt Strike, PowerShell Empire, Sliver, Havoc, and Brute Ratel C4. These frameworks were identified based on their prevalence in recent threat reports, their capabilities, and their adoption by both malicious actors and security professionals.

Cobalt Strike

Overview: Cobalt Strike is a commercial adversary simulation and red team operations platform, originally written by Raphael Mudge and now sold by Fortra. It is widely used for its robust post-exploitation, lateral movement, and persistence capabilities.

Functionalities: Its core payload is Beacon, an implant that checks in over HTTP(S), DNS, SMB named pipes or raw TCP. Malleable C2 profiles rewrite Beacon's network indicators (URIs, headers, body encoding, TLS certificate) so that traffic resembles a chosen benign application; Aggressor Script automates the client; and Beacon Object Files (BOFs) run small position-independent C functions inside Beacon without dropping a file to disk.

TTPs: Beacon is built to live in memory: it is delivered as a reflectively loaded DLL or as shellcode, runs post-exploitation jobs in sacrificial processes (spawnto) via process injection, and the Malleable profile's stage block lets operators obfuscate the in-memory image and mask it while sleeping. Cobalt Strike ships no exploits of its own; initial access usually comes from phishing (it includes spear-phishing tooling) or from a separate exploitation toolchain such as Metasploit, whose sessions it can take over through a foreign listener.

Usage Trends: Although it is sold only to vetted customers, cracked and leaked builds circulate widely, and Cobalt Strike remains one of the most frequently observed C2 frameworks in intrusions, from ransomware affiliates to state-sponsored groups. The practical consequence for defenders is that default settings (the stock Malleable profile, the default self-signed TLS certificate, checksum8 stager URIs) are well fingerprinted; the harder cases are operators who customise the profile and front the team server with redirectors.

Sources: Cobalt Strike Infrastructure Maintenance, Defining the Cobalt Strike Reflective Loader
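The "default settings are well fingerprinted" point above is concrete enough to turn into a check. The script below is an added example written for this report, not Cobalt Strike's code or any vendor's detection: it scans web-server log lines (constructed here, in combined log format) for two public indicators of a team server that is still running without a custom Malleable C2 profile, namely stager download paths whose checksum8 equals 92 (x86) or 93 (x64), and check-in URIs from the stock profile. The URI list is a subset and the log lines are made up.

```python
"""
Flag HTTP requests that look like default (unmodified) Cobalt Strike Beacon traffic.

Added example for this report; it is not Cobalt Strike code. It checks two
public indicators of a team server running without a custom Malleable C2 profile:

  1. Stager download URIs: a random path whose "checksum8" (sum of the
     path's ASCII bytes, leading slash removed, modulo 256) equals 92 for
     an x86 Beacon or 93 for an x64 Beacon.
  2. Check-in URIs taken from the stock Malleable profile (a subset is listed).

The log lines at the bottom are constructed, in Apache/nginx combined format.
"""
import re
from typing import List, Optional, Tuple

# Subset of the GET/POST URIs in Cobalt Strike's stock Malleable C2 profile.
# Any custom profile replaces these, so a miss here proves nothing.
DEFAULT_BEACON_URIS = {
    "/dpixel", "/__utm.gif", "/pixel.gif", "/g.pixel", "/dot.gif",
    "/updates.rss", "/fwlink", "/cm", "/cx", "/pixel", "/match",
    "/visit.js", "/load", "/push", "/ptj", "/j.ad", "/ga.js",
    "/en_US/all.js", "/activity", "/IE9CompatViewList.xml", "/submit.php",
}

CHECKSUM_X86 = 92   # checksum8 of an x86 Beacon stager URI
CHECKSUM_X64 = 93   # checksum8 of an x64 Beacon stager URI

# Candidate stager path: a single segment of letters/digits/_/-, no extension.
STAGER_PATH_RE = re.compile(r"^/[A-Za-z0-9_-]{4,}$")

# Combined log format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)


def checksum8(path: str) -> int:
    """Sum of the URI's ASCII bytes (leading slash stripped) modulo 256."""
    return sum(path.lstrip("/").encode("ascii", "replace")) % 256


def classify_path(path: str) -> Optional[str]:
    """Return a reason string if the path matches a default-profile indicator."""
    if path in DEFAULT_BEACON_URIS:
        return "default-profile beacon URI"
    if STAGER_PATH_RE.match(path):
        c = checksum8(path)
        if c == CHECKSUM_X86:
            return "checksum8 x86 stager URI"
        if c == CHECKSUM_X64:
            return "checksum8 x64 stager URI"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client, method, path, reason) for every line that trips an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, _status = m.groups()
        path = path.split("?", 1)[0]          # the query string never counts
        reason = classify_path(path)
        if reason:
            hits.append((client, method, path, reason))
    return hits


# Constructed sample: "/WWWW" sums to 348 (checksum8 92), "/WWWX" to 349 (93);
# "/abcd" sums to 394 (checksum8 138) and is a benign miss.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /WWWW HTTP/1.1" 200 210944',
    '10.0.0.7 - - [12/Mar/2024:10:02:15 +0000] "GET /__utm.gif HTTP/1.1" 200 10',
    '10.0.0.7 - - [12/Mar/2024:10:02:18 +0000] "POST /submit.php?id=12345 HTTP/1.1" 200 0',
    '10.0.0.9 - - [12/Mar/2024:10:03:40 +0000] "GET /abcd HTTP/1.1" 404 220',
    '10.0.0.9 - - [12/Mar/2024:10:03:41 +0000] "GET /WWWX HTTP/1.1" 200 290816',
]

if __name__ == "__main__":
    for client, method, path, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {method} {path}: {reason}")
```

Two caveats when running this against real traffic: a random 4+ character path hits checksum 92 or 93 by chance about 1 time in 128, so a checksum hit is a lead to confirm (response size consistent with a stager, a 200 rather than 404, follow-on check-ins from the same client), not a verdict; and an operator using any custom Malleable profile will trip neither check, so pair it with server-side indicators such as the default self-signed certificate (serial 146473198, subject "Major Cobalt Strike") on the team server.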

PowerShell Empire

Overview: PowerShell Empire (now simply Empire) is an open-source post-exploitation framework. Its original agents were pure PowerShell, which let it run on Windows without dropping a binary; current releases also ship Python agents for Linux and macOS and C# agents. It is popular for its ease of use and its large module library.

Functionalities: Modules cover credential dumping (including Mimikatz run in memory), lateral movement, privilege escalation, situational awareness and persistence. Agents execute entirely in memory, and the framework includes launcher obfuscation and AMSI-bypass options to evade detection.

TTPs: Empire's stealth comes from living off PowerShell: its launcher is typically a one-liner of the form powershell -noP -sta -w 1 -enc <base64>, and everything after that is script code fetched from the listener and run in memory, with no file on disk. That advantage has eroded: PowerShell Script Block Logging (event ID 4104), AMSI and Constrained Language Mode now expose most of this activity, which is why the project added other agent types and bypass modules. On the network side, its http_malleable listener accepts Cobalt Strike-style Malleable C2 profiles for shaping traffic.

Usage Trends: The original project was archived by its authors in 2019; BC Security forked and maintains it from Empire 3 onward with an ongoing release cadence. It remains a staple of red team engagements and continues to appear in threat-actor toolkits, in part because it is free and well documented.

Sources: PowerShell Empire: A Comprehensive Guide, The Empire (3.0) Strikes Back

Sliver

Overview: Sliver is an open-source C2 framework from Bishop Fox, written entirely in Go. It was built as a modern, free alternative to Cobalt Strike, with a server/client split so that multiple operators can share one server.

Functionalities: Implants talk to the server over mutual TLS, WireGuard, HTTP(S) or DNS, and can pivot through other implants over TCP or named pipes. The framework covers process injection, lateral movement (psexec-style service execution), persistence, port forwarding and SOCKS proxying, and file exfiltration, and it can load Beacon Object Files and its own extensions from the armory.

TTPs: Sliver implants are cross-compiled Go binaries for Windows, Linux and macOS, generated either as interactive sessions or as Cobalt Strike-style beacons that check in on a jittered interval. Because the implant is statically linked Go it is large but needs no runtime; per-build symbol obfuscation (via garble) and the option of mTLS- or WireGuard-only implants make both static and traffic-based detection harder than with a stock HTTP profile. The extension system lets operators add capability without recompiling the server.

Usage Trends: Sliver's combination of zero cost, active development and a Cobalt Strike-like workflow has made it a common red-team choice, and threat reports since 2022 have documented its use in real intrusions by both criminal and state-linked actors. For defenders, the default HTTP(S) C2 configuration (the server's http-c2.json) is public and has been turned into network signatures, so operators who do not customise it are fingerprintable; DNS-based implants instead show up as the generic tunnelling pattern of many long, high-entropy subdomains under one parent domain.

Sources: Sliver: Intro to An Awesome C2 Framework
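Sliver's DNS listener is the channel least covered by HTTP-centric detections, so a DNS-side heuristic is worth showing. The script below is an added example for this report, not Sliver code, and it does not decode Sliver's DNS encoding: it scores each parent domain on traits any DNS C2 or tunnelling channel tends to produce (many queries, nearly every one to a distinct subdomain, long high-entropy labels, a high share of TXT lookups). The log format, the thresholds, and the query lines are all constructed; the "tunnel" labels are rotations of the base32 alphabet purely to get deterministic high-entropy data.

```python
"""
Generic DNS C2 / tunnelling heuristic over a query log (added example, not
Sliver's own code or protocol). Parent domains are scored on query volume,
subdomain uniqueness, subdomain entropy and length; TXT share is reported.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_query(qname: str) -> Optional[Tuple[str, str]]:
    """(parent_domain, subdomain) using the last two labels as the parent.

    Simplification: a real deployment would consult the public suffix list so
    that names like foo.example.co.uk are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Constructed log format: '<timestamp> <client> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    return client, qname, qtype.upper()


@dataclass
class DomainStats:
    queries: int = 0
    subdomains: Set[str] = field(default_factory=set)
    entropy_sum: float = 0.0
    length_sum: int = 0
    txt_queries: int = 0


@dataclass
class Finding:
    domain: str
    queries: int
    unique_ratio: float    # distinct subdomains / queries
    mean_entropy: float    # average bits per char of the subdomain part
    mean_length: float     # average subdomain length in chars
    txt_ratio: float       # share of TXT lookups (data-carrying answers)
    suspicious: bool


def score_domains(lines: List[str], min_queries: int = 5, min_unique_ratio: float = 0.8,
                  min_entropy: float = 3.2, min_length: int = 30) -> List[Finding]:
    """Aggregate per parent domain and apply the (assumed) thresholds."""
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _client, qname, qtype = parsed
        split = split_query(qname)
        if split is None:
            continue
        parent, sub = split
        st = stats[parent]
        st.queries += 1
        st.subdomains.add(sub)
        st.entropy_sum += shannon_entropy(sub)
        st.length_sum += len(sub)
        if qtype == "TXT":
            st.txt_queries += 1
    findings = []
    for dom, st in stats.items():
        unique_ratio = len(st.subdomains) / st.queries
        mean_entropy = st.entropy_sum / st.queries
        mean_length = st.length_sum / st.queries
        suspicious = (st.queries >= min_queries and unique_ratio >= min_unique_ratio
                      and mean_entropy >= min_entropy and mean_length >= min_length)
        findings.append(Finding(dom, st.queries, unique_ratio, mean_entropy, mean_length,
                                st.txt_queries / st.queries, suspicious))
    return sorted(findings, key=lambda f: (not f.suspicious, f.domain))


def suspicious_domains(lines: List[str]) -> List[str]:
    return [f.domain for f in score_domains(lines) if f.suspicious]


# Constructed sample: ordinary lookups, short CDN-style hashes (high entropy but
# too short to flag), and a tunnel whose labels are rotations of the base32 alphabet.
B32 = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_LOG = (
    ["2024-03-12T10:00:0%dZ 10.0.0.5 www.example.com A" % i for i in range(3)]
    + ["2024-03-12T10:00:1%dZ 10.0.0.5 mail.example.com MX" % i for i in range(3)]
    + ["2024-03-12T10:01:0%dZ 10.0.0.8 %08x.cdn.example.org A" % (i, 0x1A2B3C4D + i) for i in range(5)]
    + ["2024-03-12T10:02:0%dZ 10.0.0.9 %s.t.example.net TXT" % (i, B32[i:] + B32[:i]) for i in range(5)]
)

if __name__ == "__main__":
    for f in score_domains(SAMPLE_LOG):
        print(f"{f.domain:<12} q={f.queries} uniq={f.unique_ratio:.2f} "
              f"H={f.mean_entropy:.2f} len={f.mean_length:.1f} txt={f.txt_ratio:.2f} "
              f"{'SUSPICIOUS' if f.suspicious else 'ok'}")
```

The length threshold is what keeps CDN, anti-spam and telemetry domains (short random hashes, one query each) out of the results; the uniqueness threshold is what separates a tunnel from a busy but repetitive domain. Tune both against a week of your own resolver logs before trusting the output, and treat a hit as a domain to pull full query/response pairs for, not as a confirmed implant.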

Havoc

Overview: Havoc, written by C5pider, is an open-source, modern and malleable post-exploitation command and control framework. Its default agent is Demon, a Windows x64 implant, and the team server is paired with a Qt client so that several operators can work together.

Functionalities: Havoc supports HTTP/HTTPS and SMB listeners, a modular agent/service model so that third-party agents can be plugged into the team server, Beacon Object File execution and inline .NET assembly execution inside Demon, process injection and token manipulation, and a Python scripting API for the client.

TTPs: Demon's evasion centres on not being seen in memory: sleep obfuscation (the Ekko and Foliage techniques, which encrypt the agent's own memory while it sleeps), indirect syscalls to avoid user-mode EDR hooks, and return-address spoofing when calling Windows APIs. It is loaded reflectively and runs in memory, so file-based detection is weak; memory scanners that catch the RW/RX permission flips sleep obfuscation produces, and ETW-based syscall telemetry, are the practical counters.

Usage Trends: Havoc's popularity with red teams has grown quickly since its 2022 release, and it was observed in real campaigns within months, delivered through phishing as a free alternative to Cobalt Strike and Brute Ratel. Its stealth features are the main draw for threat actors.

Sources: Havoc C2 Framework Part 1: Installation, Havoc C2 Framework – A Defensive Operator's Guide

Brute Ratel C4

Overview: Brute Ratel C4 (BRC4) is a commercial red team and adversary simulation tool written by Chetan Nayak (Paranoid Ninja). Its agent, Badger, and the surrounding tooling were designed from the start to operate against mature EDR rather than only antivirus.

Functionalities: It generates payloads in several forms (EXE, DLL, service binary, shellcode), supports HTTP(S), DNS over HTTPS, SMB and TCP channels, has its own Malleable-style C2 profiles, and exposes scripting and a graphical client for multi-operator use.

TTPs: BRC4's evasion includes indirect syscalls to bypass user-mode hooks, encrypting the Badger's memory while it sleeps, and avoiding the API call patterns that EDRs commonly flag. Like the other frameworks here it is a post-exploitation tool, not an exploit framework: initial access is delivered by phishing or another vector, after which the payload runs in memory.

Usage Trends: BRC4 is gaining popularity among red teams for its EDR-evasion focus and ease of use. Leaked and cracked builds have circulated since 2022, and vendors have since reported it in intrusions by both state-linked and criminal actors; because the vendor vets licensees, most malicious use is assumed to run on such cracked builds. Early samples were notable for very low antivirus detection rates, so behavioural and memory-based detection matters more than file signatures.

Sources: Brute Ratel C4

References and Citations

  1. Cobalt Strike Infrastructure Maintenance
  2. Defining the Cobalt Strike Reflective Loader
  3. PowerShell Empire: A Comprehensive Guide
  4. The Empire (3.0) Strikes Back
  5. Sliver: Intro to An Awesome C2 Framework
  6. Havoc C2 Framework Part 1: Installation
  7. Havoc C2 Framework – A Defensive Operator's Guide
  8. Brute Ratel C4

Get questions like this? Does it take chunks out of your day? Would you rather be working on more interesting intelligence tasks? Would you like help with the research?

This baseline report was thoughtfully researched and took 5 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst. We just did the grunt work.

Join the waiting list.