CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

Designing Secure Implants

Security tools often have very poor security. This talk will cover our attempts at creating a reasonably secure implant framework: the motivations, reasoning, design, and tricks of building secure custom implants and covert C2 channels.

Sliver is an open source, general purpose, cross-platform implant framework that supports C2 over mutual TLS, HTTP(S), and DNS. Sliver uses an embedded version of the Go compiler to dynamically generate implant binaries with per-binary X.509 certificates, per-binary obfuscation, and per-binary DNS canaries (unique domain strings that are deliberately left unobfuscated; the server triggers an alert if one is ever resolved, indicating that the implant has been discovered). Other features include in-band TCP tunnels (e.g. TCP over DNS), procedurally generated HTTP C2 messages, automated Let's Encrypt integration, and more.

Sliver supports Windows-specific post-exploitation features such as user token manipulation, in-memory .NET assembly execution, process migration, and privilege escalation.

The Sliver GUI features a reasonably secure Electron design, leveraging sandboxed webviews, custom protocol handlers, context isolation, a content security policy, and sandbox-to-native IPC communication.
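The Electron hardening described above, as an added example that is not Sliver's own code: pure functions (no Electron import required) that place a weak `webPreferences` block beside a hardened one, audit a block for unsafe settings, build a strict CSP for an assumed custom app scheme, and allowlist the IPC channels the preload bridge may forward (the scheme name and channel names are assumptions).

```javascript
// Weak settings that many Electron apps still ship (constructed example).
// With nodeIntegration on and no isolation, any XSS in the renderer has require().
const WEAK_WEB_PREFERENCES = {
  nodeIntegration: true,   // renderer can load Node modules directly
  contextIsolation: false, // page scripts share a JS world with the preload
  sandbox: false,          // renderer is not an OS-level sandboxed process
  webSecurity: false,      // same-origin policy disabled
  webviewTag: true,        // <webview> tags allowed without further control
};

// Settings every window must state explicitly, so the result does not depend
// on which Electron version's defaults are in effect.
const REQUIRED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
  webviewTag: false,
};

// Hardened block: pass the returned object as `webPreferences` to
// `new BrowserWindow(...)`. Only the preload bridge can reach privileged APIs.
function hardenedWebPreferences(preloadPath) {
  return { ...REQUIRED_WEB_PREFERENCES, preload: preloadPath };
}

// Audit a webPreferences object; returns one finding per unsafe or unset key.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, want] of Object.entries(REQUIRED_WEB_PREFERENCES)) {
    const have = prefs[key];
    if (have !== want) findings.push(`${key} should be ${want}, got ${have}`);
  }
  return findings;
}

// Strict CSP: only the app's own custom scheme (assumed name) may serve
// scripts, styles and XHR; no remote origins, no plugins, no frames.
function buildCsp(appScheme) {
  return [
    "default-src 'none'", `script-src ${appScheme}:`, `style-src ${appScheme}:`,
    `img-src ${appScheme}: data:`, `connect-src ${appScheme}:`,
    "frame-src 'none'", "object-src 'none'",
  ].join("; ");
}

// The preload bridge forwards only these IPC channels (assumed names) from the
// sandboxed renderer to the main process; everything else is rejected.
const IPC_ALLOWLIST = new Set(["sessions:list", "implant:generate"]);
function isAllowedIpcChannel(channel) {
  return typeof channel === "string" && IPC_ALLOWLIST.has(channel);
}
```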

moloch and ronan

I like computers

Associate at Bishop Fox