Beginner's Guide
A command and control (C2) framework allows attackers to fully leverage existing access to computer systems or networks. C2 frameworks such as Sliver by themselves will generally not get you access to systems that you do not already have. There are many techniques for gaining initial access, but some of the most common are exploiting software vulnerabilities using something like Metasploit, or socially engineering a user into inadvertently executing a C2 payload. Regardless of the initial access method, the subsequent steps taken by an attacker are referred to as "post-exploitation" activities.
Throughout this guide and the Sliver code base the following terms of art are used. These definitions may vary slightly across the industry but this is how we define them:
- Implant - A generic term for a piece of software used to maintain access to an environment or system, generally through the use of command and control (C&C, C2, etc.). This is the code that the attacker executes on the target machine to maintain access. The term "implant" is often interchangeable with "agent."
- Beacon - May refer to (1) a communication pattern where an implant periodically connects to the C2 server as opposed to using a stateful/real-time connection, or (2) Cobalt Strike's primary implant, more often called "CS Beacon." In the context of Sliver, "Beacon" specifically refers to a Sliver implant that implements the communication style in definition (1).
- Stage - A "stage" or "staged payload" is a method of loading a piece of code, typically over a network, onto a remote machine. Traditionally staging was used in conjunction with exploits that had size limitations. Typically the goal is to execute a small piece of code, i.e. the "stager," which in turn loads a larger piece of code. Staged payloads are still used in this way today, but they are also often useful for bypassing anti-virus detection, since the majority of the malicious code is loaded directly into memory. Stages are sometimes numbered, e.g. a "stage 0" will load a "stage 1" which loads a "stage 2" payload.
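The beaconing pattern in definition (1) is also what a defender can key on: an implant that checks in on a fixed interval produces outbound connections whose inter-arrival times cluster tightly around that interval, whereas a user's browsing is irregular. The following Go program is an added example (not code from the Sliver project) that scores constructed connection-log lines by the coefficient of variation of their check-in intervals. The log format (`timestamp src dst`), the hosts, the addresses and the thresholds are all assumptions chosen for the example; random jitter added to a real beacon's sleep widens the spread, so the `maxCV` threshold is a tuning knob, not a constant.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Connection is one outbound connection record parsed from a log line.
type Connection struct {
	When time.Time
	Src  string
	Dst  string
}

// ParseLogLine parses an assumed "RFC3339-timestamp src dst" line.
func ParseLogLine(line string) (Connection, error) {
	fields := strings.Fields(line)
	if len(fields) != 3 {
		return Connection{}, fmt.Errorf("expected 3 fields, got %d in %q", len(fields), line)
	}
	t, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Connection{}, err
	}
	return Connection{When: t, Src: fields[1], Dst: fields[2]}, nil
}

// ParseAll parses every line and stops at the first malformed one.
func ParseAll(lines []string) ([]Connection, error) {
	var out []Connection
	for _, l := range lines {
		c, err := ParseLogLine(l)
		if err != nil {
			return nil, err
		}
		out = append(out, c)
	}
	return out, nil
}

// BeaconScore summarises the check-in timing of one src->dst pair.
type BeaconScore struct {
	Count        int     // number of connections seen for the pair
	MeanInterval float64 // mean seconds between consecutive connections
	CV           float64 // std dev / mean of the intervals; near 0 means a fixed interval
}

// ScorePairs groups connections by (src, dst) and computes interval statistics.
func ScorePairs(conns []Connection) map[string]BeaconScore {
	byPair := map[string][]time.Time{}
	for _, c := range conns {
		key := c.Src + "->" + c.Dst
		byPair[key] = append(byPair[key], c.When)
	}
	scores := map[string]BeaconScore{}
	for key, times := range byPair {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		if len(times) < 2 {
			scores[key] = BeaconScore{Count: len(times)}
			continue
		}
		// Inter-arrival times in seconds between consecutive connections.
		var mean float64
		intervals := make([]float64, 0, len(times)-1)
		for i := 1; i < len(times); i++ {
			d := times[i].Sub(times[i-1]).Seconds()
			intervals = append(intervals, d)
			mean += d
		}
		mean /= float64(len(intervals))
		var variance float64
		for _, d := range intervals {
			variance += (d - mean) * (d - mean)
		}
		variance /= float64(len(intervals))
		cv := 0.0
		if mean > 0 {
			cv = math.Sqrt(variance) / mean
		}
		scores[key] = BeaconScore{Count: len(times), MeanInterval: mean, CV: cv}
	}
	return scores
}

// IsBeaconLike flags a pair with enough check-ins and a tightly clustered interval.
func IsBeaconLike(s BeaconScore, minCount int, maxCV float64) bool {
	return s.Count >= minCount && s.CV <= maxCV
}

// SampleLog is constructed data: 10.0.0.5 checks in roughly every 60 s
// (beacon-like), while 10.0.0.7 connects at irregular, human-looking times.
var SampleLog = []string{
	"2024-01-01T00:00:00Z 10.0.0.5 203.0.113.10",
	"2024-01-01T00:01:02Z 10.0.0.5 203.0.113.10",
	"2024-01-01T00:01:59Z 10.0.0.5 203.0.113.10",
	"2024-01-01T00:03:01Z 10.0.0.5 203.0.113.10",
	"2024-01-01T00:04:00Z 10.0.0.5 203.0.113.10",
	"2024-01-01T00:05:03Z 10.0.0.5 203.0.113.10",
	"2024-01-01T00:00:00Z 10.0.0.7 198.51.100.20",
	"2024-01-01T00:00:05Z 10.0.0.7 198.51.100.20",
	"2024-01-01T00:03:40Z 10.0.0.7 198.51.100.20",
	"2024-01-01T00:04:00Z 10.0.0.7 198.51.100.20",
	"2024-01-01T00:15:00Z 10.0.0.7 198.51.100.20",
}

func main() {
	conns, err := ParseAll(SampleLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for pair, s := range ScorePairs(conns) {
		fmt.Printf("%-28s n=%d mean=%.1fs cv=%.3f beacon-like=%v\n",
			pair, s.Count, s.MeanInterval, s.CV, IsBeaconLike(s, 5, 0.2))
	}
}
```

On the constructed data the 10.0.0.5 pair scores a mean interval of about 60.6 s with a CV near 0.04 and is flagged, while the irregular 10.0.0.7 pair has a CV above 1 and is not. In practice the same statistic is computed per destination over a sliding window from proxy or NetFlow records, and the count threshold keeps one-off connections from being scored at all.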
You should always choose the right tool for the right job. There are many open source, as well as commercially available, C2 frameworks to choose from. A key element of successful red teams is the ability to understand how all these tools work, and when best to apply them given the contextual variables of an operation or action. The C2 Matrix has a good overview of both commercial and open source frameworks, though the Sliver entry is a bit out of date.
Here is a high level overview of open source frameworks we recommend in addition to Sliver, and some advantages/disadvantages of each:
Both the Sliver server and implant are written in Golang. This makes setup of a basic Sliver deployment as easy as running the server binary. Because the implant is also written in Golang, it's easy to cross-compile to a variety of platforms.
A Mythic deployment consists of several components implemented in a variety of languages. Setup of a deployment is relatively automated, but isn't as simple as Sliver or Merlin. However, Mythic makes it much easier to integrate 3rd party or modified implants to avoid detection in comparison to Sliver or Merlin. Mythic also features a multi-user web interface, making collaboration between operators easy.
The Merlin server and implant are also implemented in Golang.
"Bred as living shields, these slivers have proven unruly—they know they cannot be caught."