donut

Learning Sliver C2 (10) - Sideload

37 minute read Published: 4 Feb, 2023

Deep-dive into the sideload command Sliver provides for execution of native shared libraries, including Windows DLLs. It also supports execution of EXEs on Windows. I show how to use the command but also how it works under the hood. We cover both Sliver itself as well as Donut, which Sliver depends on. On top there are some brief notes on detection.

Sliver C2 This post is part of a tutorial blog post series on Sliver C2 (used here in version v1.5.30). For an overview: click here. As of March 6 2023, this post got a new bonus section to illustrate execution of Windows PE EXE files with sideload. The rest of the text was also updated, but only here and there. Introduction The previous post 9 was about making a Windows implant run 3rd party tools.

Learning Sliver C2 (09) - Execute Assembly

29 minute read Published: 6 Nov, 2022

Deep-dive into the execute-assembly command Sliver provides for .NET assembly execution. I show how to use the command as well as how it works under the hood (Donut). On top there are some notes on detection.

Sliver C2 This post is part of a tutorial blog post series on Sliver C2 (currently on v1.5.30). For an overview: click here. Introduction We went through the most basic implant commands in post 8, but sometimes you may want to do a bit more than just that. Its great that your Sliver implant can read files or registry keys but it would be better if you could use it as a launchpad for all of the sophisticated attack tools that already exist out there.