Deep-dive into Sliver extensions, a means to execute DLLs reflectively within the implant process.
We will see how to develop, install and run them.
Extensions can run one-off jobs which operators submit and get output from when the job is done.
They can also be used to start long-running background jobs the output of which is retrieved some time later.
That however works only with session mode implants, as far as I can tell.
As usual I finish with opportunities for detection and spoiler alert: it's difficult.
Sliver C2 This post is part of a tutorial blog post series on Sliver C2 (used here in version v1.5.35 with a few bugfixes on top, commit 749f71d). For a series overview: click here.
Introduction In posts 9 to 11 we discussed what I originally advertised as the three ways to run 3rd party tools. Time to reflect on what we can do with that. It's possible to run .NET code with execute-assembly and we can do that either by spawning and injecting into a sacrificial process (suspicious and detectable) or we run them --in-process (harder to detect, but seemed to be less stable and killed a few of my beacons).
Deep-dive into the spawndll command Sliver provides for execution of so-called reflective DLLs.
I show how to use the command and discuss some implementation details.
The post mostly covers Sliver itself but also briefly touches upon the reflective loader,
which is what makes a DLL reflective.
At the end you can find the usual notes on detection.
Sliver C2 This post is part of a tutorial blog post series on Sliver C2 (used here in version v1.5.34). For an overview: click here.
Introduction With the execute-assembly (post 9) and sideload (post 10) commands we are able to run 3rd party tools written as .NET or native PE executables. This post now is about the command spawndll. At first glance it looks very similar to sideload since both commands execute Windows DLLs.
Deep-dive into the sideload command Sliver provides for execution of native shared libraries, including Windows DLLs.
It also supports execution of EXEs on Windows.
I show how to use the command but also how it works under the hood.
We cover both Sliver itself as well as Donut, which Sliver depends on.
On top there are some brief notes on detection.
Sliver C2 This post is part of a tutorial blog post series on Sliver C2 (used here in version v1.5.30). For an overview: click here. As of March 6 2023, this post got a new bonus section to illustrate execution of Windows PE EXE files with sideload. The rest of the text was also updated, but only here and there.
Introduction The previous post 9 was about making a Windows implant run 3rd party tools.