Commercial and open source C2 and post-exploitation frameworks save red teamers time on custom development and allow them to quickly change TTPs during their engagements. Not surprisingly, adversaries also find them attractive for their ease of use and flexibility. Since there is no universally agreed-upon definition that differentiates C2 frameworks from post-exploitation frameworks, we chose to analyze both collectively in this section.
Adversaries have long used open source and leaked versions of commercial frameworks, most notably Metasploit and Cobalt Strike. While Cobalt Strike has received a lot of attention and remains Red Canary’s most-observed framework, both red teamers and adversaries have begun to leverage alternative frameworks.
Cobalt Strike and Metasploit continue to be the most popular C2 and post-exploitation frameworks seen in our customers’ environments. Cobalt Strike was the highest-ranking framework at #8, followed by Metasploit at #14. While they didn’t break into our top 50 for 2022, Brute Ratel, Sliver, and Mythic may continue to gain popularity as adversaries look for alternative frameworks, so they’re worth keeping an eye on.
Brute Ratel is a commercial post-exploitation framework whose implants can take many forms, including executables, service binaries, DLLs, and PowerShell scripts. It is capable of moving laterally via Server Message Block (SMB), escalating privileges, and spawning processes into which it injects itself for defense evasion. Qbot was observed delivering Brute Ratel in 2022.
Sliver is an open source post-exploitation framework written in Go. It executes commands through PowerShell or the Windows Command Shell, and it supports several C2 protocols, including HTTP, WireGuard, and DNS. TA551 reportedly used Sliver in 2021, and in 2022 Team Cymru observed at least two distinct campaigns using it. In 2022, adversaries also took advantage of Sliver’s support for macOS.