
# A Comprehensive Command & Control Framework Overview

*We’re kicking off a detailed learning series on **Sliver**, one of the most powerful and widely used modern **command and control (C2)** frameworks in red teaming, penetration testing, and adversary emulation.*

*This will be a progressive series. We’ll start with **fundamentals and gradually move into installation, configuration, implant generation, advanced post-exploitation, evasion techniques, detection perspectives**, and real-world usage patterns.*

## What is a Command and Control (C2) Framework?

*A **Command and Control (C2 or C\&C) framework** is the system an attacker or red teamer uses **after gaining access to a machine** to control it remotely. A typical layered structure looks like this:*

```
+--------------------------------------------------+
|                 Operator Layer                   |
|        (CLI / GUI used by attacker)              |
+--------------------------------------------------+
                     |
                     v
+--------------------------------------------------+
|                Client API Layer                  |
|      (Authentication, operator commands)         |
+--------------------------------------------------+
                     |
                     v
+--------------------------------------------------+
|               C2 Team Server Layer               |
| Tasking Engine | Session Manager | Result Parser |
+--------------------------------------------------+
                     |
                     v
+--------------------------------------------------+
|              Communication Layer                 |
|     Protocol handlers (HTTP, HTTPS, DNS, TCP)    |
+--------------------------------------------------+
                     |
                     v
+--------------------------------------------------+
|               Redirector Layer                   |
|        (Traffic forwarding / filtering)          |
+--------------------------------------------------+
                     |
                     v
+--------------------------------------------------+
|                Network Layer                     |
|         Internet / VPN / internal network        |
+--------------------------------------------------+
                     |
                     v
+--------------------------------------------------+
|                 Implant Layer                    |
|     Agent running on compromised host            |
+--------------------------------------------------+
                     |
                     v
+--------------------------------------------------+
|            Execution / OS Interaction            |
|   Process exec | memory access | filesystem      |
+--------------------------------------------------+
```

## Why Sliver?

*In the rapidly evolving world of **red teaming, adversary emulation, and post-exploitation tooling (as of 2026)**, a common question is: **“Which C2 framework should I start learning first?”***

*There are several strong options available today such as **Mythic, Havoc, Cobalt Strike, Brute Ratel, and other newer frameworks**, each with its own strengths and use cases. However, **Sliver stands out as one of the best starting points**, particularly when following a structured learning path. It offers a solid balance of modern features, usability, and real-world relevance, making it an excellent foundation for understanding how contemporary C2 frameworks operate. Because of this, Sliver deserves the spotlight as the **core framework to begin with** before exploring more specialized or complex alternatives like Cobalt Strike.*

![Figure 1.1](/files/fe72297d857a8420e9885abbdd0ef5f7db7deebe)

## Background

* *Created and maintained by **Bishop Fox**, a highly respected offensive security firm, meaning it is **professionally engineered rather than a side project**.*
* *Actively maintained with **consistent releases and improvements continuing into early 2026**, ensuring modern vulnerability coverage and stability.*
* *Written entirely in **Go (Golang)**, producing **single statically linked binaries** that require **no external runtime dependencies**.*
* ***Cross-compilation is trivial** thanks to Go’s toolchain, allowing builds for **Windows, Linux, and macOS across x86 and ARM architectures** from the same codebase.*
* ***Completely open source**, eliminating the need for cracked or pirated versions and enabling **full code auditing, customization, and extension**, which makes it ideal for researchers and security engineers who want to study or modify the internals.*

## Sliver Architecture

```
                               ┌─────────────────────────────┐
                               │   Operators (Multiplayer)   │
                               │     (sliver-client)         │
                               └───────────────┬─────────────┘
                                               │
                                       (mTLS / gRPC)
                                               │
                                               ▼
   ┌─────────────────────────────────────────────────────────────┐
   │                      Sliver Server                          │
   │               (Central C2 Controller)                       │
   │                                                             │
   │   ┌──────────────┬───────────────────────┬──────────────┐   │
   │   │              │                       │              │   │
   │   ▼              ▼                       ▼              │   │
   │ [BoltDB]   [Listeners]             [Outbound C2]        │   │
   │ (Persistence:   (mTLS / HTTPS /     (Encrypted +        │   │
   │  implants,     DNS / WireGuard)     Encoded Messages)   │   │
   │  tasks, loot)                                           │   │
   └─────────────────────────────────────────────────────────────┘
                                               ▲
                                               │
                                       Outbound Connections
                                               │
                                               ▼
                               ┌─────────────────────────────┐
                               │     Implants / Slivers      │
                               │   (on Compromised Targets)  │
                               └───────────────┬─────────────┘
                                               │
                                 ┌─────────────┴─────────────┐
                                 │                           │
                      Session Mode                  Beacon Mode
                 (Real-time, interactive)
```
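
The diagram distinguishes Beacon Mode from Session Mode. From the detection side, periodic check-ins tend to leave evenly spaced outbound connections, and the block below scores that regularity per host and destination. It is an added example, not code from the original post or the Sliver project; the flow records, host names, addresses, thresholds and the `find_periodic` function are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch_seconds, source_host, destination).
FLOWS = [
    # ws-014: roughly one connection a minute with small jitter
    *[(t, "ws-014", "203.0.113.10:443") for t in (0, 58, 121, 179, 242, 300, 361, 419)],
    # ws-022: bursty, human-driven traffic
    *[(t, "ws-022", "198.51.100.7:443") for t in (5, 7, 8, 140, 141, 600, 603, 1500)],
    # ws-030: too few events to judge
    *[(t, "ws-030", "192.0.2.44:443") for t in (10, 70, 130)],
]

def find_periodic(flows, min_events=6, max_cv=0.25):
    """Return {(src, dst): stats} for pairs whose connection spacing is regular.

    Regularity is the coefficient of variation (stddev / mean) of the gaps
    between consecutive connections; a low value means near-constant spacing.
    Both thresholds are illustrative and need tuning per environment.
    """
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # not enough samples for a meaningful spread
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; no interval to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {"interval": avg, "cv": cv, "events": len(stamps)}
    return hits

if __name__ == "__main__":
    for (src, dst), s in find_periodic(FLOWS).items():
        print(f"{src} -> {dst}: every ~{s['interval']:.0f}s, cv={s['cv']:.3f}, n={s['events']}")
```

Legitimate software such as update checks and telemetry is also periodic, so hits are leads to triage against destination reputation and process context, not verdicts.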

## What We’ll Cover in This Series

*This series covers the **core concepts and practical usage of the Sliver C2 framework**, starting from foundational command-and-control principles and progressing into more advanced red team techniques.*

*Topics include Sliver setup and configuration, implant generation, and different C2 communication profiles such as mTLS and HTTPS. You’ll also explore operational workflows including session management, post-exploitation capabilities, and system interaction techniques used during engagements.*

*As the series progresses, it will also cover advanced offensive security concepts such as in-memory execution, extensibility features, alternative C2 channels, pivoting strategies, and operational security considerations in real-world scenarios.*

## But We’re Not Stopping at Sliver!

*We’ll start by going deep into **Sliver** covering everything from **installation and initial setup to advanced evasion techniques**. Once that foundation is established, we’ll move on to exploring and comparing other major frameworks, including:*

* ***AdaptixC2**: A newer, highly modular open-source framework that is gaining momentum in **2025–2026**. It uses a **Golang-based server** and a **cross-platform C++/Qt GUI client**, offering a flexible and collaborative (“multiplayer”) environment. The project emphasizes **extensibility, a polished user interface, and features designed for penetration testers and red teams**, though some reports suggest it has also appeared in underground usage. We’ll examine its **setup process, agent architecture, and how its design differs from Sliver**.*
* ***Mythic**: Often considered the **most modular C2 framework available**, featuring **Python-based agents (Apollo, Poseidon, Athena, etc.)** and a very large **plugin and extension ecosystem** that allows deep customization.*

*By starting with **Sliver**, you’ll gain a **strong grounding in core C2 concepts** such as **implants, listeners, encrypted communications, beaconing strategies, and operational security (OPSEC)**. Once those fundamentals are clear, it becomes much easier to understand how other frameworks **build on, extend, or specialize** these same ideas.*

