Red with Benefits: Purple Teaming with Sliver Beacons
How to turn a modern post-exploitation tool into your next detection engineering best friend.
Sliver Is Cool!
You ever spin up a Sliver beacon and think “Wow, this feels like cheating”?
Yeah. Same here!
Sliver is sleek, cross-platform, open-source, and honestly? It’s a red teamer’s dream! But here's the twist: Sliver isn’t just for silently flexing in someone’s network during a pentest. It can be a collaborative powerhouse in purple team engagements too.
This post is about how to go from "I got a shell" to "let's tune detections on this bad boy together." Purple teaming isn't just about attacking or defending; it's about learning from each other. And Sliver makes that SUPER fun!
What is Sliver? (And Why Should You Care)
- Developed by Bishop Fox, built in Go.
- C2 framework that supports Windows, Linux, macOS.
- Comes with juicy features:
  - Multiple transport options (HTTPS, mTLS, DNS, WireGuard)
  - Built-in port forwarding, file staging, Beacon Object File (BOF) support
  - Payload customization and OPSEC-friendly implants
TL;DR: Sliver makes it easy to act like a real threat actor. That makes it perfect for purple teaming.
- Generate your payload
- Drop your payload onto your target
- Execute the payload and wait for the connection to be made, then play!
Once you have a session, the possibilities are endless! We may need to showcase some features and BOF support in a future post. But for now, we’ll focus on purple teaming!
From Red to Purple: Sliver in a Collaborative Engagement
Here’s how you move from “pop a shell” to “pop some detections”:
1. Pick a Beacon Config to Match a Real Threat
Use a custom implant profile to simulate APT behavior:
- Low-frequency callbacks
- DNS-based C2
Tie it to a real ATT&CK technique (like T1055 – Process Injection).
Purple Tip: Share your implant profile and TTP mapping with defenders ahead of time (or after, if going blind).
2. Stage Actions that Trigger Detections
Use Sliver to simulate:
Action            | ATT&CK    | Example
LSASS Dump        | T1003.001 | mimikatz BOF
Lateral Movement  | T1021.002 | psexec module
Credential Access | T1555     | find /home -name id_rsa
Purple Tip: Pair each Sliver action with expected log sources (Sysmon, EDR alerts, Windows Event Logs) and let the blue team hunt it down.
3. Log allTheThings
Use Sliver’s audit logs living in ~/.sliver/logs/ to keep track of:
- New sessions or beacon connections
- Command execution
- Module usage
Purple Tip: Combine with RedELK and VECTR to compare red action vs. blue detection in near real-time.
Building Purple Detection VECTR Metrics For Sliver Tests
Once you’ve run a few scenarios, take notes and capture outcomes in VECTR:
Tactic      | Technique | Sliver Action    | Blue Detection   | Gaps?
Execution   | T1059     | execute-assembly | Defender Alerted | ✅
Persistence | T1547.001 | registry create  | No Alert         | ❌
C2          | T1071.001 | mTLS Beacon      | Logged, no alert | ⚠️
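To turn the "red action vs. blue detection" comparison from step 3 and the outcome table above into something repeatable, here is an added example (not code from Sliver, RedELK or VECTR) that correlates timestamped red actions with blue telemetry and classifies each one as Alerted, Logged-but-no-alert, or No Alert. The record shapes, the five-minute correlation window and all sample data are constructed for illustration; it does not assume any particular Sliver audit-log layout.

```python
"""Correlate red-team actions with blue-team telemetry, purple-team style.

Added example. Field names, the correlation window and the sample data are
constructed; adapt the loaders to your real Sliver audit log and SIEM export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class RedAction:
    when: datetime
    tactic: str
    technique: str   # ATT&CK ID the operator mapped the action to
    action: str      # Sliver command that was run, e.g. "execute-assembly"


@dataclass
class BlueEvent:
    when: datetime
    technique: str   # ATT&CK ID the SOC tagged the event or alert with
    alerted: bool    # True for a fired alert, False for raw log telemetry only


def classify(action, events, window=timedelta(minutes=5)):
    """Return 'Alerted', 'Logged, no alert' or 'No Alert' for one red action."""
    hits = [e for e in events
            if e.technique == action.technique
            and abs(e.when - action.when) <= window]
    if any(e.alerted for e in hits):
        return "Alerted"
    if hits:
        return "Logged, no alert"
    return "No Alert"


def build_outcomes(actions, events):
    """One row per red action, ready to paste into a VECTR-style table."""
    return [(a.tactic, a.technique, a.action, classify(a, events)) for a in actions]


# Constructed sample data mirroring the three scenarios in the table above.
T0 = datetime(2024, 1, 1, 10, 0)
RED = [
    RedAction(T0, "Execution", "T1059", "execute-assembly"),
    RedAction(T0 + timedelta(minutes=10), "Persistence", "T1547.001", "registry create"),
    RedAction(T0 + timedelta(minutes=20), "C2", "T1071.001", "mTLS beacon"),
]
BLUE = [
    BlueEvent(T0 + timedelta(seconds=30), "T1059", alerted=True),
    BlueEvent(T0 + timedelta(minutes=20, seconds=5), "T1071.001", alerted=False),
    # Fires two hours late: outside the window, so it is reported as a gap.
    BlueEvent(T0 + timedelta(hours=2), "T1547.001", alerted=True),
]

if __name__ == "__main__":
    for row in build_outcomes(RED, BLUE):
        print(" | ".join(row))
```

Widen `window` if your SOC's alert latency is longer than a few minutes, otherwise slow-but-real detections show up as gaps.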
Final Thoughts: Your Beacon, Their Logs, Everyone Wins
Purple teaming with Sliver turns post-exploitation into a two-player game where everyone gets better: red teamers test real-world tradecraft, defenders fine-tune their telemetry, and the organization walks away stronger.
So don’t just drop beacons. Build conversations. Drive improvements. Make your security stack earn its keep!