operating-sliver-c2

Installation
SKILL.md

Operating Sliver C2

Legal Notice: This skill is for authorized security testing, red-team engagements, and educational purposes only. Operating a command-and-control framework against systems you do not own or lack explicit written authorization to test is illegal and may violate computer fraud, wiretap, and abuse statutes. Always work within a signed rules-of-engagement document.

Overview

Sliver is an open-source, cross-platform adversary emulation and command-and-control (C2) framework developed by BishopFox (https://github.com/BishopFox/sliver). It is written in Go and is widely used by red teams as a modern, open alternative to commercial frameworks such as Cobalt Strike. Sliver supports two implant interaction models: sessions (interactive, real-time) and beacons (asynchronous check-in with configurable jitter), and it speaks C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Each implant is dynamically compiled with per-binary, asymmetric encryption keys, so no two implants share static signatures.

Sliver also ships an armory — an alias and extension package manager that installs third-party tooling such as Beacon Object Files (BOFs) and .NET assemblies (e.g., sharpdpapi, seatbelt, rubeus) for in-memory execution. Because Sliver has been adopted by real threat actors (documented by Cybereason, Microsoft, and others), exercising it during sanctioned engagements is valuable both for emulating realistic adversary tradecraft and for validating that defensive controls (EDR, network detection, DNS monitoring) catch its C2 channels. This skill covers deploying the server, generating implants, managing listeners, running post-exploitation, and pivoting through compromised hosts.

When to Use

  • When conducting an authorized red-team engagement that requires a resilient, multi-protocol C2 channel
  • When emulating a specific threat actor's TTPs that include Sliver (per CTI reporting) during a purple-team exercise
  • When validating that EDR and network monitoring detect mTLS/HTTPS/DNS beaconing
  • When demonstrating post-exploitation and lateral movement impact for a report

Prerequisites

Installs
4
GitHub Stars
24.8K
First Seen
12 days ago
operating-sliver-c2 — mukul975/anthropic-cybersecurity-skills