stagers

Learning Sliver C2 (07) - Stagers: Process Injection

22 minute read Published: 9 Oct, 2022

A C++ stager for Sliver C2 implants that uses process injection to execute an implant in existing processes. Apart from the stager itself I'll also show how it might be detected by Sysmon logging.

Sliver C2 This post is part of a tutorial blog post series on Sliver C2 (v1.5.16). For an overview: click here. Introduction The previous post introduced basic custom stagers which run a Sliver implant within the stager process. Real malware however often injects a malicious payload into already existing processes for various reasons. The goal may be to bypass protection mechanisms or to avoid detection. For example, a browser process might be allowed to connect to the internet while other processes get blocked, or even if all processes are allowed, it may look less suspicious if it’s a browser doing that.

Learning Sliver C2 (06) - Stagers: Basics

26 minute read Published: 30 Sep, 2022

A demonstration of the various ways in which Sliver C2 implants can be delivered with stagers. First I'll show basic stagers generated by Sliver itself. After that, there will be three custom stagers written in C++, C# and PowerShell.

Sliver C2 This post is part of a tutorial blog post series on Sliver C2 (v1.5.16). For an overview: click here. Introduction Sliver C2 implants will often be delivered with a small script or program called a “stager”. Such a program downloads implant shellcode from a remote location, such as the C2 server, and then runs the shellcode. At first sight, this sounds unnecessarily complicated. Why not execute the implant directly instead of a stager?