# Sliver — Open-Source Adversary Emulation Framework

> A cross-platform adversary emulation and red team framework by Bishop Fox, providing implant generation, C2 infrastructure, and post-exploitation capabilities for authorized penetration testing and security assessments.

## Install

Save as a script file and run:

# Sliver — Open-Source Adversary Emulation Framework

## Quick Use
```bash
# Install Sliver server
curl https://sliver.sh/install | sudo bash

# Start the Sliver console
sliver

# Generate an implant
sliver > generate --mtls --os linux --arch amd64 --save /tmp/implant

# Start a listener
sliver > mtls --lhost 0.0.0.0 --lport 8888
```

## Introduction
Sliver is an open-source command-and-control (C2) framework developed by Bishop Fox for authorized red team engagements and adversary emulation. It generates cross-platform implants that communicate over multiple protocols (mTLS, WireGuard, HTTP/S, DNS), enabling security teams to simulate real-world attack scenarios and test organizational detection capabilities.

## What Sliver Does
- Generates cross-platform implants for Windows, Linux, and macOS in various formats
- Provides multiple C2 communication channels including mTLS, WireGuard, HTTP(S), and DNS tunneling
- Supports multi-operator collaboration with role-based access and audit logging
- Includes post-exploitation modules for lateral movement, credential harvesting, and persistence
- Offers both session-based (interactive) and beacon-based (asynchronous callback) implant modes

## Architecture Overview
Sliver consists of a server component (the C2 infrastructure) and generated implants (clients). The server is a single Go binary that manages listeners, implant connections, and operator sessions. Implants are compiled per-engagement with unique cryptographic keys and configurable communication parameters. The server exposes a gRPC API that powers both the interactive console and third-party integrations. Armory provides a package manager for community-contributed extensions and BOFs.

## Self-Hosting & Configuration
- Install the server binary on a dedicated host; supports Linux, macOS, and Windows
- Generate operator configuration files to distribute secure console access to team members
- Configure listeners on multiple ports and protocols for implant communication diversity
- Use the Armory package manager to install community extensions and Beacon Object Files
- Deploy redirectors and CDN fronting for covert C2 channels in adversary simulations

## Key Features
- Multi-protocol C2 (mTLS, WireGuard, HTTP/S, DNS) with automatic failover between channels
- Implant obfuscation with per-build unique encryption keys and configurable evasion techniques
- Multi-operator support with gRPC-based API for team collaboration and automation
- Beacon mode for low-and-slow operations with configurable jitter and callback intervals
- Armory extension ecosystem for BOFs, .NET assemblies, and third-party tooling integration

## Comparison with Similar Tools
- **Cobalt Strike** — industry-standard commercial C2 with Malleable C2 profiles; Sliver is free, open-source, and actively maintained
- **Metasploit** — exploitation framework focused on initial access; Sliver focuses on post-exploitation C2 and long-term operations
- **Mythic** — modular C2 with agent plugins; Sliver provides a more integrated experience with built-in implant generation
- **Havoc** — newer C2 framework with modern evasion; Sliver has broader community adoption and more mature multi-operator workflows

## FAQ
**Q: Is Sliver only for offensive security professionals?**
A: Sliver is designed for authorized security testing, red team engagements, and adversary emulation exercises. Unauthorized use is illegal.

**Q: How does Sliver handle implant detection by antivirus?**
A: Each implant is uniquely compiled with different encryption keys and optional obfuscation. The Go-based implants have naturally lower detection rates than common C2 frameworks.

**Q: Can multiple operators use the same Sliver server?**
A: Yes. Sliver supports multi-player mode where multiple operators connect to the same server with individual credentials and audit trails.

**Q: Does Sliver support staging and payload delivery?**
A: Yes. Sliver supports staged and stageless payloads, shellcode generation, and integration with initial access tools for payload delivery.

## Sources
- https://github.com/BishopFox/sliver
- https://sliver.sh/

---
Source: https://tokrepo.com/en/workflows/asset-61c5c9c0
Author: Script Depot