sysmon

Learning Sliver C2 (07) - Stagers: Process Injection

22 minute read Published:

A C++ stager for Sliver C2 implants that uses process injection to execute an implant in existing processes. Apart from the stager itself I'll also show how it might be detected by Sysmon logging.
Sliver C2 This post is part of a tutorial blog post series on Sliver C2 (v1.5.16). For an overview: click here. Introduction The previous post introduced basic custom stagers which run a Sliver implant within the stager process. Real malware however often injects a malicious payload into already existing processes for various reasons. The goal may be to bypass protection mechanisms or to avoid detection. For example, a browser process might be allowed to connect to the internet while other processes get blocked, or even if all processes are allowed, it may look less suspicious if it’s a browser doing that.