Introduction
In this blog post, we will explore some capabilities of the Sliver Command and Control (C2) framework and delve into investigating suspicious activity using LimaCharlie. We’ll cover generating a C2 session payload, setting up a web server for payload transfer, running commands to gather information, and analyzing potential security breaches. Let’s jump right in!
Generating the Sliver C2 Session Payload
To initiate our exploration, we generated the first C2 session payload using the Sliver framework. This payload acts as the key to establishing a connection between the attacker and the target system.
Setting Up a Web Server for Payload Transfer
Next, we needed to transfer the C2 payload to the Windows VM. To accomplish this, we started a web server using python to transfer the payload to the target machine.
Initiating the Sliver HTTP Listener
Once the payload was successfully downloaded onto the Windows VM, we started the Sliver HTTP listener. This step allowed us to establish a communication channel with the target system.
Verifying the C2 Session
After executing the payload on the Windows machine, we confirmed that a session had been created. Using the “sessions” command within Sliver, we cross-referenced the session IDs to ensure the successful establishment of the connection.
Interacting with the C2 Session and Gathering Information
With the C2 session active, we were now able to interact with the target system and run various commands to gather valuable information. Using the “getprivs” command, we explored the privileges associated with the C2 session, paying particular attention to the “SeDebugPrivilege” and “SeImpersonatePrivilege” privileges, which can help a lot with future attacks.
Analyzing Network Connections and Checking for Defensive Tools
To gain a comprehensive understanding of the system’s network connections, we used commands such as “netstat” to identify the Limacharlie connection (rhcp.exe). Additionally, we utilized “ps -T” to detect any defensive tools highlighted in red, indicating potential security measures in place.
Investigating Suspicious Activity
Returning to Limacharlie, we began searching for any signs of suspicious activity. By examining the process tree, we identified an unsigned process that was actively communicating over the network.
We then found out who the process was communicating with. In this case it was a device with IP 192.168.142.129 connecting from port 50197 through port 80.
We could have also done this using the Network tab.
In the file system, we checked the hash of the exe file using VirusTotal to see if this is a known threat.
However, since we generated this payload ourselves, the hash was unique and not recognized by VirusTotal. This uniqueness hints at a custom-crafted file, raising suspicions of potentially malicious activity…
Examining the Timeline and Access Gain
Utilizing Sliver’s timeline feature, we searched for the initial connection made by the suspicious process.
By filtering the timeline, we could also identify if the process gained sensitive access or performed any suspicious activities.
Conclusion
In this blog post, we explored the capabilities of the Sliver C2 framework and walked through the process of investigating suspicious activity using LimaCharlie. We generated a C2 session payload, executed it and ran various key commands, and analyzed network data using LimaCharlie’s toolset.
3 Responses
way better than the last post dude
Great read Karl!
so great