Summary
This module introduces one of the popular open-source Command and Control frameworks, Sliver. The module itself comes with a vulnerable Active Directory environment that provides a means of testing the capabilities of the aforementioned tool. It is broken down into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts introduced in each section. You can do this on the target host provided in the interactive sections or on your own virtual machine.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading", but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
The module is classified as "HARD" and assumes a working knowledge of the Linux command line and an understanding of information security fundamentals. Analytical thinking is also a minimum requirement.
A firm grasp of the following modules can be considered prerequisites for successful completion of this module:
- Completion of the Penetration Tester path and an understanding of the basic components of an Active Directory environment and its exploitation.
- Completion of the Introduction to Active Directory module.
Completion of the following modules would be considered a plus:
- Active Directory PowerView
- Active Directory BloodHound
- DACL Attacks I
- Kerberos Attacks
- Using CrackMapExec
Introduction to C2s and Sliver
A command and control (C2) server is software that executes commands or binaries on a remote computer or on a network of computers. The primary purpose of a C2 is a centralized management system from which the operator manages access to other machines somewhere in the network. The operator is the person who carries out the (simulated) attack and runs the software. That access can be gained in multiple ways: a SQL injection vulnerability, weak credentials on services such as SSH or RDP, or access to an initial machine (the foothold) provided by the client for a red team engagement or a penetration test. The term "red team" refers to a group of people specializing in researching different ways of getting into systems, refining tools, and staying a step ahead of defenders.
A C2 server facilitates the creation of a specific executable which, once it is on the target machine and executed, establishes a communication channel between the target and the server. From here on, we refer to these executables as beacons.
C2 servers are predominantly used by red teams. Red teaming is a focused, goal-oriented security testing approach for achieving specific objectives, and those objectives closely follow the Cyber Kill Chain.
Attack Lifecycle
Developed by Lockheed Martin in 2011, the Cyber Kill Chain framework categorizes the attack lifecycle of cyber operations into seven steps.
Attack Lifecycle | Description |
---|---|
Reconnaissance | starts with gathering as much information as possible about the target. It can be active reconnaissance (directly interacting with the target) or passive reconnaissance (collecting information without touching the target). Such recon can include active scanning, gathering information about the victim's hosts, identities, or network, and searching through the open and deep web. |
Weaponization | the development of the payload that will provide foothold access. |
Delivery | the stage at which a way of transferring the payload onto the target has been found. |
Exploitation | the step where the payload is executed on the target. |
Installation | the step during which the adversary establishes initial control over the target. |
Command and Control (C2) | the step at which a connection from the target to the command and control server has been established. |
Actions on Objectives | the step where the intended goals are carried out, such as data theft or exfiltration. |
One important aspect not covered by the Cyber Kill Chain is Operational Security, known as OpSec. It is the practice by which an adversary minimizes their footprint (for example, by avoiding writing tools to disk) to hide their presence on target systems.
Sliver
Sliver is a command and control framework developed by Bishop Fox. Used by penetration testers and red teamers, its client, server, and implants (the binaries that run on the targets) are written in Go, making it easy to cross-compile for different platforms.
Sliver's core concepts are implants, beacons, and stagers. Implants are the software (binaries/executables) used to preserve entry onto a target, controlled from the command and control server. Beaconing is the process in which the implant on the target host checks in with the command and control server at a set interval; Sliver also supports an interactive session mode in which the implant holds a persistent connection instead. Stagers are a way of loading code onto a remote machine: a small piece of code (the stager) is executed first and then retrieves and loads a larger payload.
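The beaconing and OpSec points above, as an added example that is not Sliver's own code: a simulated beacon-mode implant's check-in schedule driven by an interval and a jitter, and the defender's side of the same idea, a periodicity check over constructed proxy log lines grouped by source and destination. Sliver's `generate beacon` exposes the same two knobs (the flag names `--seconds` and `--jitter` are stated here from memory; confirm with `generate beacon --help`). The function and parameter names, the log line format, the 10.0.0.0/8 and TEST-NET addresses, and the 0.3 coefficient-of-variation threshold are this example's own choices.

```python
"""Beacon timing and a periodicity detector (added example, not Sliver code)."""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def beacon_schedule(start: float, interval: float, jitter: float,
                    count: int, rng: random.Random) -> List[float]:
    """Return `count` check-in times (epoch seconds) for a beacon that sleeps
    `interval` seconds between check-ins, randomised by up to +/- `jitter`.
    The two knobs mirror the interval/jitter settings of a beacon-mode implant;
    the parameter names here are this example's own."""
    if jitter < 0 or jitter > interval:
        raise ValueError("jitter must be between 0 and the interval")
    times: List[float] = []
    t = start
    for _ in range(count):
        t += interval + rng.uniform(-jitter, jitter)
        times.append(t)
    return times


def interarrival_cv(times: List[float]) -> float:
    """Coefficient of variation (stdev / mean) of the gaps between consecutive
    events. Near-constant gaps give a CV close to 0, the fingerprint of a
    beacon; human-driven traffic is bursty and scores much higher."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        raise ValueError("need at least three events")
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def looks_like_beacon(times: List[float], max_cv: float = 0.3,
                      min_events: int = 10) -> bool:
    """Flag a flow as beaconing when it has enough events and regular gaps."""
    return len(times) >= min_events and interarrival_cv(times) <= max_cv


def parse_log(lines: List[str]) -> Dict[Tuple[str, str], List[float]]:
    """Group epoch timestamps by (src, dst). The line format is constructed for
    this example: '<ISO-8601 UTC> <src> <dst> <uri>'."""
    flows: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for line in lines:
        ts, src, dst, _uri = line.split(maxsplit=3)
        epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        flows[(src, dst)].append(epoch)
    return {flow: sorted(ts) for flow, ts in flows.items()}


def find_beaconing(lines: List[str]) -> List[Tuple[str, str]]:
    """Return the (src, dst) pairs whose timing looks like a beacon."""
    return sorted(flow for flow, ts in parse_log(lines).items()
                  if looks_like_beacon(ts))


def _iso(epoch: float) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log() -> List[str]:
    """Constructed sample: 10.0.0.5 runs an implant checking in every 60 s with
    10 s of jitter; 10.0.0.8 is a person browsing at irregular intervals."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    start = datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp()
    lines = [f"{_iso(t)} 10.0.0.5 203.0.113.7 /api/v1/status"
             for t in beacon_schedule(start, 60, 10, 30, rng)]
    human_gaps = [2, 1, 300, 4, 1, 2, 1800, 3, 2, 900, 1, 1, 1, 45, 2, 600, 3, 2, 1, 120]
    t = start
    for gap in human_gaps:
        t += gap
        lines.append(f"{_iso(t)} 10.0.0.8 198.51.100.20 /news")
    rng.shuffle(lines)  # log order does not matter; the detector sorts per flow
    return lines


if __name__ == "__main__":
    for flow, times in parse_log(build_sample_log()).items():
        print(flow, f"events={len(times)} cv={interarrival_cv(times):.2f}",
              "BEACON" if looks_like_beacon(times) else "ok")
```

The detector is deliberately simple, but the arithmetic behind it is worth keeping in mind when choosing beacon settings: uniform jitter of +/- j seconds on an interval of I seconds gives a CV of roughly j / (I * sqrt(3)), so the 10 s jitter on a 60 s interval above scores about 0.1 and is still caught. Pushing the CV past a 0.3 threshold needs jitter above roughly half the interval, which is one reason long intervals with large jitter are the quieter choice from an OpSec standpoint.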
Sliver can be installed using the Linux one-liner from the GitHub repository or by downloading the server and client binaries separately from the releases page. The server is the single point of connection for both implants and operators and can host multiple operators at the same time. The server binary also includes a built-in console; if you operate from that console instead of a separate client, everything runs inside the single server process, so accidentally terminating that process also takes down the server and you might lose your sessions or beacons. Another important feature of Sliver is the Armory, a package manager for aliases and extensions: precompiled third-party tooling such as .NET assemblies and BOFs that the implant can execute in memory on the victim machine, which helps minimize the footprint left on disk.
Delving into the following module sections, we will be exposed to different tools, methodologies, and scenarios, primarily targeting Active Directory and Windows systems.