Quick Overview
Command and Control (C2) servers are critical components in offensive security, allowing red teamers and penetration testers to maintain access to compromised machines. In this blog, we’ll explore Sliver, an open-source C2 developed by BishopFox, and how it is used in red teaming. This module provides hands-on experience with Sliver’s implants, beacons, and stagers, focusing on Active Directory and Windows-based environments.
For those familiar with Cobalt Strike, transitioning from a GUI-based C2 to a command-line interface (CLI) like Sliver can be a significant change. While this module does not replace the depth of CRTO, it serves as an excellent introduction to Sliver and its capabilities.
Why This Module Matters
Command and Control servers play a crucial role in red teaming and adversary emulation, enabling attackers to establish persistence and execute post-exploitation activities. Sliver has gained popularity as a free and open-source alternative to Cobalt Strike for several reasons:
- Written in Golang, making it cross-platform and highly portable
- Supports multiple operators, allowing teams to collaborate efficiently
- Offers flexible implants and beaconing to maintain access to compromised hosts
- Includes Armory, a built-in collection of precompiled .NET binaries for post-exploitation
A deep understanding of these tools is essential for both red teamers and defenders. Offensive operators must learn how to minimize detection, while blue teamers need to analyze and mitigate threats effectively.
What You’ll Learn
This module covers:
- The fundamentals of Command and Control operations
- The Cyber Kill Chain and how attackers progress through different attack phases
- How Sliver functions, including implants, beacons, and stagers
- Setting up and configuring a Sliver server
- Using Sliver to exploit Active Directory environments
- Basic detection methods used to identify Sliver activity
Hands-On Learning
This module includes a vulnerable Active Directory environment, allowing you to practice attacks in a controlled setting. The hands-on exercises walk you through:
- Deploying a Sliver server and client
- Generating and deploying implants (beacons)
- Using stagers for executing payloads
- Running commands on compromised machines
- Exploring persistence techniques
- Basic detection and evasion strategies
While the module touches on OpSec (Operational Security), it primarily focuses on functionality rather than advanced stealth techniques. More advanced training, such as CRTO or PACES, is necessary for those who want to refine their ability to evade detection.
Prerequisites
Before starting this module, you should have:
- A solid understanding of the Linux command line
- Basic knowledge of penetration testing concepts, including remote access tools
- Familiarity with Active Directory environments, as the exercises focus on Windows networks
- Strong analytical skills for troubleshooting and optimizing attacks
If you have experience with Cobalt Strike, Mythic, or Havoc, you will find Sliver relatively easy to grasp. However, the transition from a GUI-based C2 to a CLI-driven framework can take some adjustment.
Why You Should Take This Module
- Ideal for those new to Command and Control tools, particularly those transitioning from GUI-based C2s
- Provides a realistic hands-on lab environment without needing to set up your own AD infrastructure
- Offers a free alternative to Cobalt Strike, making it accessible to a wider audience
- Serves as a stepping stone to more advanced C2 training, such as CRTO or PACES
If your goal is to become proficient in C2 operations, this module offers a strong foundation but is not a complete guide to mastering Command and Control. To gain deeper expertise, additional training is recommended.
Final Thoughts & Rating
I would rate this module 9/10. It is well-structured and provides great hands-on experience, but it does not dive deep into evasion techniques or detection methodologies, which are crucial for real-world red teaming.
Pros:
- Covers Sliver in depth with practical exercises
- Provides a realistic Active Directory environment for testing
- Balances theory with hands-on application
Cons:
- Limited focus on detection and blue team countermeasures
- Does not cover advanced OpSec techniques for stealthy operations
- CLI-based workflow may be challenging for those used to GUI-based C2s
If you have already completed CRTO, you will find Sliver’s command-line interface a significant shift from Cobalt Strike’s graphical environment. In CRTO, much of the focus is on Cobalt Strike’s Malleable C2 profiles, evasion techniques, and bypassing modern detection mechanisms, which are not covered in depth in this module. The threat emulation and adversary simulation concepts in CRTO are much more advanced, particularly in terms of OpSec, beacon customization, and lateral movement strategies.
While CRTO is significantly more difficult, this module still provides valuable insight into how a C2 server operates, allowing you to understand what can be done, how it works, and where to look for signs of compromise. However, the primary goal of this module is not to train you as a professional C2 operator, but rather to introduce the concepts and functionalities of Sliver in a practical environment.
Overall, this module is a solid introduction to Sliver but should be complemented with additional learning for those serious about offensive security operations.
For those interested, here’s a look at the exam table of contents:
