Description
This paper presents a comparative analysis of the command-and-control (C2) frameworks PoshC2 and SliverC2, examined within the context of evolving adversarial tradecraft, shifting infrastructure paradigms and the increasing maturity of defensive capabilities. While C2 frameworks are traditionally associated with the post-exploitation phase, this study adopts a broader perspective, arguing that framework selection reflects not only tactical requirements but also strategic and operational adaptations to a rapidly changing cyber environment.
The analysis is grounded in the recent transformations in enterprise infrastructure, notably the transition from predominantly on-premises, Active Directory-centric Windows environments to complex, distributed, and hybrid cloud ecosystems. This evolution, combined with the expanded attack surfaces across critical sectors, has imposed new constraints on adversary operations. In parallel, defensive practices have become increasingly proactive and intelligence-driven, with widespread adoption of EDR, XDR and SIEM solutions. These developments have contributed to a significant reduction in attacker dwell time and increased detection of well-established tactics, techniques, and procedures (TTPs).
Within this context, the paper contrasts the architectural and operational characteristics of PoshC2 and SliverC2. PoshC2 is a mature, PowerShell-centric framework optimized for Windows environments, offering extensive post-exploitation functionality but exhibiting increased detectability due to its reliance on heavily monitored technologies. In contrast, SliverC2 represents a modern, Golang-based, cross-platform approach, emphasizing dynamic payload generation, modular extensibility, and advanced communication protocols.
The findings of this paper indicate that the shift from PoshC2 to SliverC2 reflects adaptive adversary behavior driven by environmental complexity and defensive pressure, rather than a simple tool substitution. Contemporary offensive operations are inherently multi-framework, with tooling selected dynamically based on operational requirements and target characteristics.