Command and control

Sliver C2 framework on macOS

An overview of the Sliver framework, which handles C2 infection across operating systems

Framework: Sliver
Platform: macOS implant
Focus: Setup & usage

Overview

Sliver is an open-source command and control framework that supports cross-platform implants, including macOS. This article focuses on a Mac implant setup in a lab context.

Setting up Sliver

  • Install Sliver on a C2 host following the official project documentation.
  • Generate a macOS implant payload with the desired communication channel (for example mTLS or HTTP).
  • Stage the implant binary to the target macOS system using a suitable delivery mechanism.
  • Confirm callback connectivity from the implant to your Sliver listener in a controlled environment.
[Figure: Sliver CLI, with sessions listed and a new session arriving from the implant]

[Figure: Sliver CLI, selecting a session]

[Figure: Using the Sliver shell to update a macOS plist for persistence]

[Figure: Plist detail]

macOS implant considerations

  • Review Apple security controls such as Gatekeeper and notarisation, and understand how they affect implant execution.
  • Consider using plist-based launch daemons for persistence, while recognising that these are visible artefacts for defenders.
  • Keep track of file-system paths and log entries created during implant installation and execution.
  • Ensure that any testing is performed in an isolated lab or clearly authorised environment.

Operating the C2

  • Use Sliver channels to run commands, gather reconnaissance, and pivot in a controlled way.
  • Monitor how host-based controls and network security tools react to C2 activity.
  • Log C2 operator actions and results for later analysis and blue-team training.

Detection opportunities

The original article notes that, while Sliver can be stealthy, its artefacts, network patterns, and persistence mechanisms still provide detection opportunities for defenders.

  • Watch for unusual binaries and execution paths on macOS systems.
  • Enable and review relevant macOS logging, especially around process creation and network connections.
  • Use network visibility to identify suspicious C2-style traffic to the Sliver server.
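As an added defender-side example (not from the original article or the Sliver project), the following Python script parses launchd property lists with the standard-library plistlib and flags the kind of launch-item artefacts the persistence and detection notes above point at. The directory list, the path heuristics and the embedded sample plist are constructed assumptions, not rules taken from Apple or Sliver.

```python
import os
import plistlib
from pathlib import Path

# Where launchd loads third-party items; /System/Library is Apple-owned and skipped here.
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
               os.path.expanduser("~/Library/LaunchAgents")]
# Heuristic (assumption): programs started from user-writable or throwaway locations.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/Library/Caches/")

def assess_plist(data: bytes) -> dict:
    """Parse one plist and return its label, program and the reasons it was flagged."""
    plist = plistlib.loads(data)
    # The executable a launch item starts: Program, else ProgramArguments[0].
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    reasons = []
    if program.startswith(SUSPICIOUS_PREFIXES) or "/." in program:
        reasons.append("program in writable or hidden path")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunches if killed)")
    return {"label": str(plist.get("Label", "")), "program": program, "reasons": reasons}

def scan_dirs(dirs=LAUNCH_DIRS) -> list:
    """Return flagged items across the launchd directories; unparseable files are flagged too."""
    findings = []
    for d in dirs:
        for path in Path(d).glob("*.plist"):
            try:
                result = assess_plist(path.read_bytes())
            except Exception as exc:  # a malformed plist in a launchd directory is itself worth a look
                result = {"label": path.name, "program": "", "reasons": [f"unparseable: {exc}"]}
            if result["reasons"]:
                findings.append({"path": str(path), **result})
    return findings

# Constructed sample: a KeepAlive agent launching a hidden binary from /Users/Shared.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.cache/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(assess_plist(SAMPLE_PLIST))  # the constructed sample is flagged for both reasons
    print(scan_dirs())                 # live results from this host's launchd directories
```

Treat the output as a triage list to compare against a known-good baseline, not as a verdict; legitimate third-party agents also use RunAtLoad and KeepAlive.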