Learning Sliver C2 (12) - Extensions

A deep dive into Sliver extensions, a means to execute DLLs reflectively within the implant process. We will see how to develop, install and run them. Extensions can run one-off jobs, which operators submit and get output from when the job is done. They can also be used to start long-running background jobs, the output of which is retrieved some time later. That, however, works only with session mode implants, as far as I can tell. As usual, I finish with opportunities for detection and, spoiler alert, it's difficult.
Sliver C2

This post is part of a tutorial blog post series on Sliver C2 (used here in version v1.5.35 with a few bugfixes on top, commit 749f71d).

Introduction

In posts 9 to 11 we discussed what I originally advertised as the three ways to run 3rd party tools. Time to reflect on what we can do with that. It's possible to run .NET code with execute-assembly, and we can do that either by spawning and injecting into a sacrificial process (suspicious and detectable) or by running it --in-process (harder to detect, but seemed to be less stable and killed a few of my beacons).