Sliver Workshop Part 3: Building Better Encoders
In our third Sliver workshop, we explore how Sliver handles traffic encoding by default and how attackers can extend its capabilities with custom Wasm-based encoders. We dive into how Sliver’s encoder framework works, what’s possible with WebAssembly, and how to design and test your own encoders.
In this Sliver part 3 workshop, Senior Security Consultant Tim Makram Ghatas will explore how Sliver handles traffic encoding by default and how attackers can extend its capabilities with custom Wasm-based encoders. We’ll walk through how Sliver’s encoder framework works, what’s possible with WebAssembly, and how to design and test your own encoders.
💡 Pre-requisite: This workshop builds on content from "Sliver Workshop - Getting Started & 1.6 Features" and "Sliver Workshop - Staging & Automation". Attendees are encouraged to review Part 1 and Part 2 or have basic familiarity with Sliver.
Speaker: Tim Makram Ghatas, Senior Security Consultant II, Bishop Fox
Session Summary
This workshop focuses on Sliver traffic encoders, covering how Sliver masks C2 traffic using built-in encoders and how operators can extend this functionality with custom WASM-based encoders. Tim walks through the encoder architecture, shows how encoder identifiers appear in network traffic, and demonstrates how Sliver randomly rotates encoders to reduce detectable patterns. The session includes hands-on demos using Wireshark, curl, and Sliver’s generate workflow, followed by a deep dive into writing, loading, and performance-testing custom encoders compiled to WebAssembly. The workshop closes with discussion around operational tradeoffs (sessions vs. beacons), performance considerations, and detection realities.
Key Takeaways:
- Sliver uses multiple encoders to obfuscate C2 traffic and reduce detectable patterns.
- Each message includes a masked encoder ID so the implant and server know how to decode it.
- Sliver randomly rotates encoders to avoid consistent network signatures.
- Custom traffic encoders can be written in WASM and embedded into implants.
- WASM encoders must implement simple encode and decode byte functions.
- Encoder performance matters, especially for real-time sessions.
- Network obfuscation helps, but detection is usually driven by behavior, not traffic alone.