sliver VS Mythic

IDK if you are too young to remember the fallout from Snowden, but the Kremlin threw out entire rooms computers and for a time used actual typewriters. Because those computers had, more or less, twingate connectors on them. That's a bit of a rich example, but you're essentially installing what sliver calls an implant, what meterpreter calls a payload, and what Cobalt Strike calls a beacon. It's cool if you want to, but there's no need when you can just open a port with the same technology a Fortune 50 does.

What they said. Also, if you want a free alternative to cobalt: https://github.com/BishopFox/sliver

Sliver is neat, https://github.com/BishopFox/sliver

Armitage is precursor to CS but they diverged a long time ago. I ran up the armitage that comes with Kali these days, it has issues and bugs that would prevent it being useful. Sliver is probably the most usable FOSS C2. https://github.com/BishopFox/sliver

I’m a huge fan of Sliver, super powerful and well written/maintained with a lot of care and attention paid to tradecraft. I’m a big fan of the features like the built-in support for DNS canaries to detect blue team analysis. Only downside is that the documentation may be a little lacking.

- https://github.com/BishopFox/sliver/wiki/DNS-C2

For the additional more advanced steps I used sliver as a c2. Sliver is an excellent tool for the job and unlike some other tools, it's FOSS! You can easily replace sliver with your tool of choice, however.

Learn the basic installation of Mythic Command and Control (C2) step by step. We'll configure Mythic C2 (open-source C2 framework https://github.com/its-a-feature/Mythic)

title: Detect Mythic Agent Traffic Over Port 8443 status: experimental author: Rotten_Sec description: Detects traffic over port 8443 that matches the WebSocket handshake used by Mythic agents to communicate with the C2 server. references: - https://github.com/its-a-feature/Mythic tags: - attack.t1071.001 - attack.t1071.004 - attack.t1071.005 - attack.t1071.006 logsource: category: network keywords: [tcp, port, 8443] condition: tcp.port == 8443 and ( "GET /websocket HTTP/1.1\r\n" in to_string($data) or "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n" in to_string($data) )

In my opinion, Mythic is a great choice because it is free, extremely well developed, and provides a base capability that allows you to either extend it or to leverage the work of others. With Mythic, there are currently 16 public MythicAgents and 6 different MythicC2Profiles. You can use the public agents/C2profile and then switch to internal private versions if your team decides to go that way without the need to re-learn an entire framework. It has a web front end that provides a lot of (extendable) functionality I don't see in other tools. Additionally the lead developer is always extremely eager to provide help, add features, and fix bugs. Full disclosure: I'm the primary developer of Merlin.