Scripts · May 16, 2026 · 1 min read

Sliver — Open-Source Adversary Emulation Framework

A cross-platform adversary emulation and red team framework by Bishop Fox, providing implant generation, C2 infrastructure, and post-exploitation capabilities for authorized penetration testing and security assessments.

Introduction

Sliver is an open-source command-and-control (C2) framework developed by Bishop Fox for authorized red team engagements and adversary emulation. It generates cross-platform implants that communicate over multiple protocols (mTLS, WireGuard, HTTP/S, DNS), enabling security teams to simulate real-world attack scenarios and test organizational detection capabilities.

What Sliver Does

  • Generates cross-platform implants for Windows, Linux, and macOS in various formats
  • Provides multiple C2 communication channels including mTLS, WireGuard, HTTP(S), and DNS tunneling
  • Supports multi-operator collaboration with role-based access and audit logging
  • Includes post-exploitation modules for lateral movement, credential harvesting, and persistence
  • Offers both session-based (interactive) and beacon-based (asynchronous callback) implant modes

Architecture Overview

Sliver consists of a server component (the C2 infrastructure) and generated implants (clients). The server is a single Go binary that manages listeners, implant connections, and operator sessions. Implants are compiled per-engagement with unique cryptographic keys and configurable communication parameters. The server exposes a gRPC API that powers both the interactive console and third-party integrations. The Armory is a package manager for community-contributed extensions and Beacon Object Files (BOFs).

Self-Hosting & Configuration

  • Install the server binary on a dedicated host; supports Linux, macOS, and Windows
  • Generate operator configuration files to distribute secure console access to team members
  • Configure listeners on multiple ports and protocols for implant communication diversity
  • Use the Armory package manager to install community extensions and Beacon Object Files
  • Deploy redirectors and CDN fronting for covert C2 channels in adversary simulations

Key Features

  • Multi-protocol C2 (mTLS, WireGuard, HTTP/S, DNS) with automatic failover between channels
  • Implant obfuscation with per-build unique encryption keys and configurable evasion techniques
  • Multi-operator support with gRPC-based API for team collaboration and automation
  • Beacon mode for low-and-slow operations with configurable jitter and callback intervals
  • Armory extension ecosystem for BOFs, .NET assemblies, and third-party tooling integration

Comparison with Similar Tools

  • Cobalt Strike — industry-standard commercial C2 with Malleable C2 profiles; Sliver is free, open-source, and actively maintained
  • Metasploit — exploitation framework focused on initial access; Sliver focuses on post-exploitation C2 and long-term operations
  • Mythic — modular C2 with agent plugins; Sliver provides a more integrated experience with built-in implant generation
  • Havoc — newer C2 framework with modern evasion; Sliver has broader community adoption and more mature multi-operator workflows

FAQ

Q: Is Sliver only for offensive security professionals?
A: Sliver is designed for authorized security testing, red team engagements, and adversary emulation exercises. Unauthorized use is illegal.

Q: How does Sliver handle implant detection by antivirus?
A: Each implant is uniquely compiled with different encryption keys and optional obfuscation. The Go-based implants have naturally lower detection rates than those of common C2 frameworks.

Q: Can multiple operators use the same Sliver server?
A: Yes. Sliver supports a multiplayer mode in which multiple operators connect to the same server with individual credentials and audit trails.

Q: Does Sliver support staging and payload delivery?
A: Yes. Sliver supports staged and stageless payloads, shellcode generation, and integration with initial access tools for payload delivery.
