# C2 Frameworks

> Command & Control (C2) frameworks used by threat actors to establish persistence, maintain communication with compromised hosts and orchestrate post-exploitation operations. Most originated in legitimate red team and pentest communities, but they are widely abused in real-world campaigns.

```mermaid
graph TB
    ATK["🎯 Atacante"]

    subgraph C2["📡 C2 Frameworks"]
        CS["Cobalt Strike<br/>Comercial - mais usado"]
        SL["Sliver<br/>Open-source - Go"]
        MYT["Mythic<br/>Open-source - multi-agent"]
        BRC4["Brute Ratel C4<br/>Comercial - evasao EDR"]
        EMP["Empire / PoshC2<br/>PowerShell-based"]
        OTH["Koadic / Covenant<br/>Pupy / SILENTTRINITY"]
    end

    subgraph INFRA["🏗️ Infraestrutura"]
        LS["Listener<br/>HTTP/S, DNS, SMB"]
        RP["Redirector<br/>Proxy de C2"]
        TS["Team Server<br/>Operador"]
    end

    subgraph ALVO["🖥️ Host Comprometido"]
        AG["Agente / Beacon<br/>Executa comandos"]
        PE["Post-Exploitation<br/>Lateral movement, creds"]
    end

    ATK --> TS
    TS --> LS
    LS --> RP
    RP --> AG
    AG --> PE
    C2 --> INFRA

    style ATK fill:#e74c3c,color:#fff
    style C2 fill:#1a1a2e,color:#fff
    style INFRA fill:#16213e,color:#fff
    style ALVO fill:#0f3460,color:#fff
    style CS fill:#e74c3c,color:#fff
    style SL fill:#c0392b,color:#fff
    style MYT fill:#922b21,color:#fff
    style BRC4 fill:#7b241c,color:#fff
    style EMP fill:#641e16,color:#fff
    style OTH fill:#4a235a,color:#fff
```

> [!warning] Dual Use
> C2 frameworks are legitimate tools for red teaming and pentesting. This documentation covers their **abuse by threat actors** in real-world campaigns, aligned with the MITRE ATT&CK tactic **Command and Control (TA0011)**.
## Detection and Mitigation

Main TTPs associated with C2 frameworks:

- **[[t1071-application-layer-protocol|T1071]]** - Application Layer Protocol (HTTP/S, DNS)
- **[[t1573-encrypted-channel|T1573]]** - Encrypted Channel
- **[[t1105-ingress-tool-transfer|T1105]]** - Ingress Tool Transfer
- **[[t1059-command-and-scripting-interpreter|T1059]]** - Command and Scripting Interpreter

Relevant detections:

- **[[_detections|Detections Hub]]** - applicable analytics and data components
- **[[_defenses|Defensive Hub]]** - mitigations and playbooks

## Catalog

| Framework | Aliases | Status |
| --- | --- | --- |
| [[brute-ratel-c4\|Brute Ratel C4]] | <ul><li>Brute Ratel C4</li><li>BRc4</li><li>Dark Vortex</li></ul> | active |
| [[s0465-carrotball\|CARROTBALL]] | <ul><li>CARROTBALL</li></ul> | active |
| [[s1155-covenant\|Covenant]] | <ul><li>Covenant</li></ul> | active |
| [[s0363-empire\|Empire]] | <ul><li>Empire</li><li>EmPyre</li><li>PowerShell Empire</li></ul> | active |
| [[s0250-koadic\|Koadic]] | <ul><li>Koadic</li></ul> | active |
| [[s0699-mythic\|Mythic]] | <ul><li>Mythic</li></ul> | active |
| [[s1050-pcshare\|PcShare]] | <ul><li>PcShare</li></ul> | active |
| [[s0378-poshc2\|PoshC2]] | <ul><li>PoshC2</li></ul> | active |
| [[s0192-pupy\|Pupy]] | <ul><li>Pupy</li></ul> | active |
| [[s0692-silenttrinity\|SILENTTRINITY]] | <ul><li>SILENTTRINITY</li></ul> | active |
| [[s0633-sliver\|Sliver]] | <ul><li>Sliver</li><li>Sliver C2</li><li>BishopFox Sliver</li></ul> | active |

## Navigation

- [[_tools|Tools Hub]] - overview of all tools
- [[_software|Software Hub]] - malware + tools
- [[_cti|CTI Hub]] - central intelligence hub