Watch an interactive workshop led by Bishop Fox Senior Security Consultant, Tim Ghatas, as we dive into Sliver, the open-source C2 framework making waves in Red Team ops.

This session will start with a foundational overview of Sliver—covering how listener jobs, beacons, and sessions work. From there, we’ll explore how Sliver uses various encoding techniques to mask gRPC traffic, along with the initial key exchange process during session initialization.

We’ll wrap by looking ahead to the upcoming 1.6 release, including:

1. Updates to the HTTP C2 profile
2. Changes to payload staging
3. And other key features on the horizon

Speaker: Tim Makram Ghatas, Senior Security Consultant II, Bishop Fox

Summary

Get started with Sliver, the open-source C2 framework transforming Red Team operations. In this interactive workshop, Bishop Fox Senior Security Consultant Tim Makram Ghatas walks through the fundamentals of Sliver, including how listener jobs, beacons, and sessions work together. From there, Tim dives into advanced topics, exploring how Sliver masks gRPC traffic and handles key exchange during session initialization. Plus, he provides an inside look at the upcoming 1.6 release, including updates to the HTTP C2 profile, changes to payload staging, and more. Whether you’re new to Sliver or looking to refine your approach, this session is packed with practical insights for leveraging Sliver effectively in offensive security engagements.

Highlights from the Workshop:

• Sessions vs. Beacons – Sessions support high-bandwidth, real-time operations; beacons are lightweight and stealthy for long-term access with customizable intervals and jitter.

• Multiplayer Mode – Multiple operators can collaborate live by connecting Sliver clients to the same backend, improving team coordination.

• Custom C2 Profiles – v1.6 introduces per-implant network profiles that mimic legitimate traffic and allow for randomized, evasive callback paths.

• On-Demand Session Spawning – Operators can convert a beacon to an interactive session for temporary activity, then close it without losing persistence.

• Improved Logging & Replay – Sliver now tracks command history, outputs, and even interactive shell sessions via AsciiCast for better auditing and reporting.

• Implant Generation Profiles – Easily reuse implant configurations to generate multiple, uniquely encrypted binaries quickly, streamlining deployment.

• Real-World Flexibility – Operators can simulate traffic from known web applications (like WordPress) using real URL paths to better blend in on target networks.

Key Takeaway:

Sliver 1.6 makes red team operations more adaptive and collaborative. With flexible implants, customizable C2 traffic, and improved multi-user support, it’s a powerful framework for stealthy and efficient post-exploitation.