├── .gitignore ├── LICENSE ├── README.md ├── Rules ├── sliver.snort └── sliver.yar ├── protobufs ├── common_pb2.py ├── dns_pb2.py └── sliver_pb2.py ├── requirements.txt ├── sliver_decrypt.py ├── sliver_memdump_parser.py └── sliver_pcap_parser.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | share/python-wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | MANIFEST 28 | 29 | # PyInstaller 30 | # Usually these files are written by a python script from a template 31 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 32 | *.manifest 33 | *.spec 34 | 35 | # Installer logs 36 | pip-log.txt 37 | pip-delete-this-directory.txt 38 | 39 | # Unit test / coverage reports 40 | htmlcov/ 41 | .tox/ 42 | .nox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | *.py,cover 50 | .hypothesis/ 51 | .pytest_cache/ 52 | cover/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | .pybuilder/ 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # IPython 82 | profile_default/ 83 | ipython_config.py 84 | 85 | # pyenv 86 | # For a library or package, you might want to ignore these files since the code is 87 | # intended to run in multiple environments; otherwise, check them in: 88 | # .python-version 89 | 90 | # pipenv 91 | # According to 
pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # poetry 98 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 99 | # This is especially recommended for binary packages to ensure reproducibility, and is more 100 | # commonly ignored for libraries. 101 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 102 | #poetry.lock 103 | 104 | # pdm 105 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. 106 | #pdm.lock 107 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it 108 | # in version control. 109 | # https://pdm.fming.dev/#use-with-ide 110 | .pdm.toml 111 | 112 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow and github.com/pdm-project/pdm 113 | __pypackages__/ 114 | 115 | # Celery stuff 116 | celerybeat-schedule 117 | celerybeat.pid 118 | 119 | # SageMath parsed files 120 | *.sage.py 121 | 122 | # Environments 123 | .env 124 | .venv 125 | env/ 126 | venv/ 127 | ENV/ 128 | env.bak/ 129 | venv.bak/ 130 | 131 | # Spyder project settings 132 | .spyderproject 133 | .spyproject 134 | 135 | # Rope project settings 136 | .ropeproject 137 | 138 | # mkdocs documentation 139 | /site 140 | 141 | # mypy 142 | .mypy_cache/ 143 | .dmypy.json 144 | dmypy.json 145 | 146 | # Pyre type checker 147 | .pyre/ 148 | 149 | # pytype static type analyzer 150 | .pytype/ 151 | 152 | # Cython debug symbols 153 | cython_debug/ 154 | 155 | # PyCharm 156 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can 157 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 158 | # and can be added to the global gitignore or merged into this file. For a more nuclear 159 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 
160 | #.idea/ 161 | exampledata/ 162 | captures/ 163 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Immersive Labs Sec 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SliverC2-Forensics 2 | A collection of tools and detections for the Sliver C2 Framework 3 | 4 | Technical writeup - https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/ 5 | 6 | ## Rules 7 | 8 | ### Sliver.yar 9 | This YARA file contains two rules: one to detect unpacked Sliver implants and another to detect Sliver implants in memory. 10 | 11 | ### Sliver.snort 12 | A collection of Snort rules to identify Sliver HTTP traffic. Due to the design of the C2 it is possible these patterns will match legitimate traffic. 13 | 14 | 15 | ### Sliver-http.yml 16 | A Sigma rule to detect Sliver HTTP traffic in event logs like Zeek or PacketBeat. 17 | 18 | ## Pcap Parser 19 | 20 | Given a domain name or IP address, extract HTTP and DNS payloads for decryption. 21 | 22 | ### Requirements 23 | 24 | - tshark 25 | - pyshark 26 | 27 | ### Usage 28 | 29 | ``` 30 | > python3 sliver_pcap_parser.py -h 31 | 32 | usage: sliver_pcap_parser.py [-h] --pcap PCAP --filter {http,dns} [--domain_name DOMAIN_NAME] 33 | 34 | Sliver C2 Decryptor 35 | 36 | optional arguments: 37 | -h, --help show this help message and exit 38 | --pcap PCAP Path to pcap file 39 | --filter {http,dns} Filter for HTTP, or DNS 40 | --domain_name DOMAIN_NAME 41 | DNS Filter requires the C2 domain name 42 | ``` 43 | 44 | ## Decrypter 45 | 46 | ### Requirements 47 | 48 | There are a number of Python libraries that are required; they are listed in 49 | 50 | - requirements.txt 51 | 52 | ### Usage 53 | 54 | ``` 55 | > python3 sliver_decrypt.py -h 56 | 57 | usage: sliver_decrypt.py [-h] [--key KEY] --transport {dns,http} --file_path FILE_PATH [--force FORCE] 58 | 59 | Sliver C2 Decryptor 60 | 61 | optional arguments: 62 | -h, --help show this help message and exit 63 | --key KEY Session Key extracted from memory as hex 
64 | --transport {dns,http} 65 | Transport Mode 66 | --file_path FILE_PATH 67 | path to file with encoded data 68 | --force FORCE Brute Force Key given a procdump file 69 | ``` 70 | -------------------------------------------------------------------------------- /Rules/sliver.snort: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Immersive Labs 2 | # Detects the default Sliver C2 configuration 3 | # Please note that, due to the design of the C2, these patterns may match legitimate traffic 4 | 5 | alert tcp any any -> any $HTTP_PORTS (msg:"Sliver C2 Session Start Detected"; flow:to_server,established; content:"POST"; http_method; pcre:"/\/(?:php|api|upload|actions|rest|v1|auth|authenticate|oauth|oauth2|oauth2callback|database|db|namespaces\/)?(login|signin|api|samples|rpc|index|admin|register|sign-up)\.html\?[a-zA-Z]=/U"; pcre: "/(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)/C"; classtype:trojan-activity; sid:1000001; rev:1;) 6 | alert tcp any any -> any $HTTP_PORTS (msg:"Sliver C2 Session Message Detected"; flow:to_server,established; content:"POST"; http_method; pcre:"/\/(?:php|api|upload|actions|rest|v1|auth|authenticate|oauth|oauth2|oauth2callback|database|db|namespaces\/)?(login|signin|api|samples|rpc|index|admin|register|sign-up)\.php\?[a-zA-Z]=/U"; pcre: "/(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)/C"; classtype:trojan-activity; sid:1000002; rev:1;) 7 | alert tcp any any -> any $HTTP_PORTS (msg:"Sliver C2 Poll Detected"; flow:to_server,established; content:"GET"; http_method; pcre:"/\/(?:js|umd|assets|bundle|bundles|scripts|script|javascripts|javascript|jscript\/)?(bootstrap|bootstrap.min|jquery.min|jquery|route|app|app.min|array|backbone|script|email)\.js\?[a-zA-Z]=/U"; pcre: "/(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)/C"; classtype:trojan-activity; sid:1000003; rev:1;) 8 | alert tcp any any -> any $HTTP_PORTS (msg:"Sliver C2 Close File Detected"; flow:to_server,established; content:"GET"; 
http_method; pcre:"/\/(?:static|www|assets|images|icons|image|icon|png\/)?(favicon|sample|example)\.png\?[a-zA-Z]=/U"; pcre: "/(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)/C"; classtype:trojan-activity; sid:1000004; rev:1;) 9 | -------------------------------------------------------------------------------- /Rules/sliver.yar: -------------------------------------------------------------------------------- 1 | rule sliver_binary_native { 2 | 3 | meta: 4 | author = "Kev Breen @kevthehermit" 5 | description = "Detects unmodified Sliver implant generated for Windows, Linux or MacOS" 6 | 7 | strings: 8 | $sliverpb = "sliverpb" 9 | $bishop_git = "github.com/bishopfox/" 10 | $encryption = "chacha20poly1305" 11 | 12 | 13 | condition: 14 | // This detects Go Headers for PE, ELF, Macho 15 | ( 16 | (uint16(0) == 0x5a4d) or 17 | (uint32(0)==0x464c457f) or 18 | (uint32(0) == 0xfeedfacf) or 19 | (uint32(0) == 0xcffaedfe) or 20 | (uint32(0) == 0xfeedface) or 21 | (uint32(0) == 0xcefaedfe) 22 | ) 23 | // String matches 24 | and $sliverpb 25 | and $bishop_git 26 | and $encryption 27 | } 28 | 29 | rule sliver_memory { 30 | 31 | meta: 32 | author = "Kev Breen @kevthehermit" 33 | description = "Detects Sliver running in memory" 34 | 35 | strings: 36 | $str1 = "sliverpb" 37 | 38 | 39 | condition: 40 | all of them 41 | } 42 | -------------------------------------------------------------------------------- /protobufs/common_pb2.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 
3 | # source: common.proto 4 | """Generated protocol buffer code.""" 5 | from google.protobuf.internal import builder as _builder 6 | from google.protobuf import descriptor as _descriptor 7 | from google.protobuf import descriptor_pool as _descriptor_pool 8 | from google.protobuf import symbol_database as _symbol_database 9 | # @@protoc_insertion_point(imports) 10 | 11 | _sym_db = _symbol_database.Default() 12 | 13 | 14 | 15 | 16 | DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x0c\x63ommon.proto\x12\x08\x63ommonpb\"\x07\n\x05\x45mpty\"N\n\x07Request\x12\r\n\x05\x41sync\x18\x01 \x01(\x08\x12\x0f\n\x07Timeout\x18\x02 \x01(\x03\x12\x10\n\x08\x42\x65\x61\x63onID\x18\x08 \x01(\t\x12\x11\n\tSessionID\x18\t \x01(\t\"H\n\x08Response\x12\x0b\n\x03\x45rr\x18\x01 \x01(\t\x12\r\n\x05\x41sync\x18\x02 \x01(\x08\x12\x10\n\x08\x42\x65\x61\x63onID\x18\x08 \x01(\t\x12\x0e\n\x06TaskID\x18\t \x01(\t\"\"\n\x04\x46ile\x12\x0c\n\x04Name\x18\x01 \x01(\t\x12\x0c\n\x04\x44\x61ta\x18\x02 \x01(\x0c\"\x81\x01\n\x07Process\x12\x0b\n\x03Pid\x18\x01 \x01(\x05\x12\x0c\n\x04Ppid\x18\x02 \x01(\x05\x12\x12\n\nExecutable\x18\x03 \x01(\t\x12\r\n\x05Owner\x18\x04 \x01(\t\x12\x14\n\x0c\x41rchitecture\x18\x07 \x01(\t\x12\x11\n\tSessionID\x18\x05 \x01(\x05\x12\x0f\n\x07\x43mdLine\x18\x06 \x03(\t\"$\n\x06\x45nvVar\x12\x0b\n\x03Key\x18\x01 \x01(\t\x12\r\n\x05Value\x18\x02 \x01(\tB/Z-github.com/bishopfox/sliver/protobuf/commonpbb\x06proto3') 17 | 18 | _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, globals()) 19 | _builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'common_pb2', globals()) 20 | if _descriptor._USE_C_DESCRIPTORS == False: 21 | 22 | DESCRIPTOR._options = None 23 | DESCRIPTOR._serialized_options = b'Z-github.com/bishopfox/sliver/protobuf/commonpb' 24 | _EMPTY._serialized_start=26 25 | _EMPTY._serialized_end=33 26 | _REQUEST._serialized_start=35 27 | _REQUEST._serialized_end=113 28 | _RESPONSE._serialized_start=115 29 | _RESPONSE._serialized_end=187 30 | 
_FILE._serialized_start=189 31 | _FILE._serialized_end=223 32 | _PROCESS._serialized_start=226 33 | _PROCESS._serialized_end=355 34 | _ENVVAR._serialized_start=357 35 | _ENVVAR._serialized_end=393 36 | # @@protoc_insertion_point(module_scope) 37 | -------------------------------------------------------------------------------- /protobufs/dns_pb2.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 3 | # source: dns.proto 4 | """Generated protocol buffer code.""" 5 | from google.protobuf.internal import builder as _builder 6 | from google.protobuf import descriptor as _descriptor 7 | from google.protobuf import descriptor_pool as _descriptor_pool 8 | from google.protobuf import symbol_database as _symbol_database 9 | # @@protoc_insertion_point(imports) 10 | 11 | _sym_db = _symbol_database.Default() 12 | 13 | 14 | 15 | 16 | DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\tdns.proto\x12\x05\x64nspb\"v\n\nDNSMessage\x12#\n\x04Type\x18\x01 \x01(\x0e\x32\x15.dnspb.DNSMessageType\x12\n\n\x02ID\x18\x02 \x01(\r\x12\r\n\x05Start\x18\x03 \x01(\r\x12\x0c\n\x04Stop\x18\x04 \x01(\r\x12\x0c\n\x04Size\x18\x05 \x01(\r\x12\x0c\n\x04\x44\x61ta\x18\x06 \x01(\x0c*\x87\x01\n\x0e\x44NSMessageType\x12\x07\n\x03NOP\x10\x00\x12\x08\n\x04TOTP\x10\x01\x12\x08\n\x04INIT\x10\x02\x12\x08\n\x04POLL\x10\x03\x12\t\n\x05\x43LOSE\x10\x04\x12\x0c\n\x08MANIFEST\x10\x06\x12\x13\n\x0f\x44\x41TA_TO_IMPLANT\x10\x07\x12\x15\n\x11\x44\x41TA_FROM_IMPLANT\x10\x08\x12\t\n\x05\x43LEAR\x10\tB,Z*github.com/bishopfox/sliver/protobuf/dnspbb\x06proto3') 17 | 18 | _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, globals()) 19 | _builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'dns_pb2', globals()) 20 | if _descriptor._USE_C_DESCRIPTORS == False: 21 | 22 | DESCRIPTOR._options = None 23 | DESCRIPTOR._serialized_options = b'Z*github.com/bishopfox/sliver/protobuf/dnspb' 24 | 
_DNSMESSAGETYPE._serialized_start=141 25 | _DNSMESSAGETYPE._serialized_end=276 26 | _DNSMESSAGE._serialized_start=20 27 | _DNSMESSAGE._serialized_end=138 28 | # @@protoc_insertion_point(module_scope) 29 | -------------------------------------------------------------------------------- /protobufs/sliver_pb2.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 3 | # source: sliver.proto 4 | """Generated protocol buffer code.""" 5 | from google.protobuf.internal import builder as _builder 6 | from google.protobuf import descriptor as _descriptor 7 | from google.protobuf import descriptor_pool as _descriptor_pool 8 | from google.protobuf import symbol_database as _symbol_database 9 | # @@protoc_insertion_point(imports) 10 | 11 | _sym_db = _symbol_database.Default() 12 | 13 | 14 | from protobufs import common_pb2 as common__pb2 15 | 16 | 17 | DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x0csliver.proto\x12\x08sliverpb\x1a\x0c\x63ommon.proto\"N\n\x08\x45nvelope\x12\n\n\x02ID\x18\x01 \x01(\x03\x12\x0c\n\x04Type\x18\x02 \x01(\r\x12\x0c\n\x04\x44\x61ta\x18\x03 \x01(\x0c\x12\x1a\n\x12UnknownMessageType\x18\x04 \x01(\x08\"Q\n\x0b\x42\x65\x61\x63onTasks\x12\n\n\x02ID\x18\x01 \x01(\t\x12!\n\x05Tasks\x18\x02 \x03(\x0b\x32\x12.sliverpb.Envelope\x12\x13\n\x0bNextCheckin\x18\x03 \x01(\x03\"\x9f\x02\n\x08Register\x12\x0c\n\x04Name\x18\x01 \x01(\t\x12\x10\n\x08Hostname\x18\x02 \x01(\t\x12\x0c\n\x04Uuid\x18\x03 \x01(\t\x12\x10\n\x08Username\x18\x04 \x01(\t\x12\x0b\n\x03Uid\x18\x05 \x01(\t\x12\x0b\n\x03Gid\x18\x06 \x01(\t\x12\n\n\x02Os\x18\x07 \x01(\t\x12\x0c\n\x04\x41rch\x18\x08 \x01(\t\x12\x0b\n\x03Pid\x18\t \x01(\x05\x12\x10\n\x08\x46ilename\x18\n \x01(\t\x12\x10\n\x08\x41\x63tiveC2\x18\x0b \x01(\t\x12\x0f\n\x07Version\x18\x0c \x01(\t\x12\x19\n\x11ReconnectInterval\x18\r \x01(\x03\x12\x10\n\x08ProxyURL\x18\x0e 
\x01(\t\x12\x10\n\x08\x43onfigID\x18\x10 \x01(\t\x12\x0e\n\x06PeerID\x18\x11 \x01(\x03\x12\x0e\n\x06Locale\x18\x12 \x01(\t\"y\n\x0e\x42\x65\x61\x63onRegister\x12\n\n\x02ID\x18\x01 \x01(\t\x12\x10\n\x08Interval\x18\x02 \x01(\x03\x12\x0e\n\x06Jitter\x18\x03 \x01(\x03\x12$\n\x08Register\x18\x04 \x01(\x0b\x32\x12.sliverpb.Register\x12\x13\n\x0bNextCheckin\x18\x05 \x01(\x03\"C\n\x0fSessionRegister\x12\n\n\x02ID\x18\x01 \x01(\t\x12$\n\x08Register\x18\x02 \x01(\x0b\x32\x12.sliverpb.Register\"s\n\x0bOpenSession\x12\x0b\n\x03\x43\x32s\x18\x01 \x03(\t\x12\r\n\x05\x44\x65lay\x18\x02 \x01(\x03\x12$\n\x08Response\x18\x08 \x01(\x0b\x32\x12.commonpb.Response\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"X\n\x0c\x43loseSession\x12$\n\x08Response\x18\x08 \x01(\x0b\x32\x12.commonpb.Response\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"_\n\x04Ping\x12\r\n\x05Nonce\x18\x01 \x01(\x05\x12$\n\x08Response\x18\x08 \x01(\x0b\x32\x12.commonpb.Response\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"<\n\x07KillReq\x12\r\n\x05\x46orce\x18\x01 \x01(\x08\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"+\n\x05PsReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"P\n\x02Ps\x12$\n\tProcesses\x18\x01 \x03(\x0b\x32\x11.commonpb.Process\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"N\n\x0cTerminateReq\x12\x0b\n\x03Pid\x18\x01 \x01(\x05\x12\r\n\x05\x46orce\x18\x02 \x01(\x08\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\">\n\tTerminate\x12\x0b\n\x03Pid\x18\x01 \x01(\x05\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"1\n\x0bIfconfigReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"_\n\x08Ifconfig\x12-\n\rNetInterfaces\x18\x01 \x03(\x0b\x32\x16.sliverpb.NetInterface\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"M\n\x0cNetInterface\x12\r\n\x05Index\x18\x01 \x01(\x05\x12\x0c\n\x04Name\x18\x02 \x01(\t\x12\x0b\n\x03MAC\x18\x03 
\x01(\t\x12\x13\n\x0bIPAddresses\x18\x04 \x03(\t\"9\n\x05LsReq\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"\x95\x01\n\x02Ls\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\x0e\n\x06\x45xists\x18\x02 \x01(\x08\x12!\n\x05\x46iles\x18\x03 \x03(\x0b\x32\x12.sliverpb.FileInfo\x12\x10\n\x08timezone\x18\x04 \x01(\t\x12\x16\n\x0etimezoneOffset\x18\x05 \x01(\x05\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"b\n\x08\x46ileInfo\x12\x0c\n\x04Name\x18\x01 \x01(\t\x12\r\n\x05IsDir\x18\x02 \x01(\x08\x12\x0c\n\x04Size\x18\x03 \x01(\x03\x12\x0f\n\x07ModTime\x18\x04 \x01(\x03\x12\x0c\n\x04Mode\x18\x05 \x01(\t\x12\x0c\n\x04Link\x18\x06 \x01(\t\"9\n\x05\x43\x64Req\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\",\n\x06PwdReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"9\n\x03Pwd\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"[\n\x05RmReq\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\x11\n\tRecursive\x18\x02 \x01(\x08\x12\r\n\x05\x46orce\x18\x03 \x01(\x08\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"8\n\x02Rm\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"E\n\x05MvReq\x12\x0b\n\x03Src\x18\x01 \x01(\t\x12\x0b\n\x03\x44st\x18\x02 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"D\n\x02Mv\x12\x0b\n\x03Src\x18\x01 \x01(\t\x12\x0b\n\x03\x44st\x18\x02 \x01(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"<\n\x08MkdirReq\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\";\n\x05Mkdir\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"m\n\x0b\x44ownloadReq\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\r\n\x05Start\x18\x02 \x01(\x03\x12\x0c\n\x04Stop\x18\x03 \x01(\x03\x12\x0f\n\x07Recurse\x18\x04 \x01(\x08\x12\"\n\x07Request\x18\t 
\x01(\x0b\x32\x11.commonpb.Request\"\xc5\x01\n\x08\x44ownload\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\x0f\n\x07\x45ncoder\x18\x02 \x01(\t\x12\x0e\n\x06\x45xists\x18\x03 \x01(\x08\x12\r\n\x05Start\x18\x04 \x01(\x03\x12\x0c\n\x04Stop\x18\x05 \x01(\x03\x12\x0c\n\x04\x44\x61ta\x18\x06 \x01(\x0c\x12\r\n\x05IsDir\x18\x07 \x01(\x08\x12\x11\n\tReadFiles\x18\x08 \x01(\x05\x12\x17\n\x0fUnreadableFiles\x18\n \x01(\x05\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"k\n\tUploadReq\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\x0f\n\x07\x45ncoder\x18\x02 \x01(\t\x12\x0c\n\x04\x44\x61ta\x18\x03 \x01(\x0c\x12\r\n\x05IsIOC\x18\x04 \x01(\x08\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"<\n\x06Upload\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"R\n\x0eProcessDumpReq\x12\x0b\n\x03Pid\x18\x01 \x01(\x05\x12\x0f\n\x07Timeout\x18\x02 \x01(\x05\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"A\n\x0bProcessDump\x12\x0c\n\x04\x44\x61ta\x18\x01 \x01(\x0c\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"c\n\x08RunAsReq\x12\x10\n\x08Username\x18\x01 \x01(\t\x12\x13\n\x0bProcessName\x18\x02 \x01(\t\x12\x0c\n\x04\x41rgs\x18\x03 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"=\n\x05RunAs\x12\x0e\n\x06Output\x18\x01 \x01(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"F\n\x0eImpersonateReq\x12\x10\n\x08Username\x18\x01 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"3\n\x0bImpersonate\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"2\n\x0cRevToSelfReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"1\n\tRevToSelf\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\":\n\x14\x43urrentTokenOwnerReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"I\n\x11\x43urrentTokenOwner\x12\x0e\n\x06Output\x18\x01 \x01(\t\x12$\n\x08Response\x18\t 
\x01(\x0b\x32\x12.commonpb.Response\"^\n\x12InvokeGetSystemReq\x12\x0c\n\x04\x44\x61ta\x18\x01 \x01(\x0c\x12\x16\n\x0eHostingProcess\x18\x02 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"1\n\tGetSystem\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"f\n\x0cMakeTokenReq\x12\x10\n\x08Username\x18\x01 \x01(\t\x12\x10\n\x08Password\x18\x02 \x01(\t\x12\x0e\n\x06\x44omain\x18\x03 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"1\n\tMakeToken\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"k\n\x07TaskReq\x12\x0f\n\x07\x45ncoder\x18\x01 \x01(\t\x12\x10\n\x08RWXPages\x18\x02 \x01(\x08\x12\x0b\n\x03Pid\x18\x03 \x01(\r\x12\x0c\n\x04\x44\x61ta\x18\x04 \x01(\x0c\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\",\n\x04Task\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"\xaf\x02\n\x12\x45xecuteAssemblyReq\x12\x10\n\x08\x41ssembly\x18\x01 \x01(\x0c\x12\x11\n\tArguments\x18\x02 \x01(\t\x12\x0f\n\x07Process\x18\x03 \x01(\t\x12\r\n\x05IsDLL\x18\x04 \x01(\x08\x12\x0c\n\x04\x41rch\x18\x05 \x01(\t\x12\x11\n\tClassName\x18\x06 \x01(\t\x12\x0e\n\x06Method\x18\x07 \x01(\t\x12\x11\n\tAppDomain\x18\x08 \x01(\t\x12\x0c\n\x04PPid\x18\n \x01(\r\x12\x13\n\x0bProcessArgs\x18\x0b \x03(\t\x12\x11\n\tInProcess\x18\x0c \x01(\x08\x12\x0f\n\x07Runtime\x18\r \x01(\t\x12\x12\n\nAmsiBypass\x18\x0e \x01(\x08\x12\x11\n\tEtwBypass\x18\x0f \x01(\x08\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"\x80\x01\n\x18InvokeExecuteAssemblyReq\x12\x0c\n\x04\x44\x61ta\x18\x01 \x01(\x0c\x12\x0f\n\x07process\x18\x02 \x01(\t\x12\x0c\n\x04PPid\x18\n \x01(\r\x12\x13\n\x0bProcessArgs\x18\x0b \x03(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"\x9d\x01\n\x1eInvokeInProcExecuteAssemblyReq\x12\x0c\n\x04\x44\x61ta\x18\x01 \x01(\x0c\x12\x11\n\tArguments\x18\x02 \x03(\t\x12\x0f\n\x07Runtime\x18\x03 \x01(\t\x12\x12\n\nAmsiBypass\x18\x04 \x01(\x08\x12\x11\n\tEtwBypass\x18\x05 
\x01(\x08\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"G\n\x0f\x45xecuteAssembly\x12\x0e\n\x06Output\x18\x01 \x01(\x0c\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"Q\n\x10InvokeMigrateReq\x12\x0b\n\x03Pid\x18\x01 \x01(\r\x12\x0c\n\x04\x44\x61ta\x18\x02 \x01(\x0c\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"@\n\x07Migrate\x12\x0f\n\x07Success\x18\x01 \x01(\x08\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"\x8a\x01\n\nExecuteReq\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\x0c\n\x04\x41rgs\x18\x02 \x03(\t\x12\x0e\n\x06Output\x18\x03 \x01(\x08\x12\x0e\n\x06Stdout\x18\x04 \x01(\t\x12\x0e\n\x06Stderr\x18\x05 \x01(\t\x12\x0c\n\x04PPid\x18\n \x01(\r\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"\xa3\x01\n\x11\x45xecuteWindowsReq\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\x0c\n\x04\x41rgs\x18\x02 \x03(\t\x12\x0e\n\x06Output\x18\x03 \x01(\x08\x12\x0e\n\x06Stdout\x18\x04 \x01(\t\x12\x0e\n\x06Stderr\x18\x05 \x01(\t\x12\x10\n\x08UseToken\x18\x06 \x01(\x08\x12\x0c\n\x04PPid\x18\n \x01(\r\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"l\n\x07\x45xecute\x12\x0e\n\x06Status\x18\x01 \x01(\r\x12\x0e\n\x06Stdout\x18\x02 \x01(\x0c\x12\x0e\n\x06Stderr\x18\x03 \x01(\x0c\x12\x0b\n\x03Pid\x18\x04 \x01(\r\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"\xc9\x01\n\x0bSideloadReq\x12\x0c\n\x04\x44\x61ta\x18\x01 \x01(\x0c\x12\x13\n\x0bProcessName\x18\x02 \x01(\t\x12\x0c\n\x04\x41rgs\x18\x03 \x01(\t\x12\x12\n\nEntryPoint\x18\x04 \x01(\t\x12\x0c\n\x04Kill\x18\x05 \x01(\x08\x12\r\n\x05isDLL\x18\x06 \x01(\x08\x12\x11\n\tisUnicode\x18\x07 \x01(\x08\x12\x0c\n\x04PPid\x18\n \x01(\r\x12\x13\n\x0bProcessArgs\x18\x0b \x03(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"@\n\x08Sideload\x12\x0e\n\x06Result\x18\x01 \x01(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"\xad\x01\n\x11InvokeSpawnDllReq\x12\x0c\n\x04\x44\x61ta\x18\x01 \x01(\x0c\x12\x13\n\x0bProcessName\x18\x02 
\x01(\t\x12\x0c\n\x04\x41rgs\x18\x03 \x01(\t\x12\x12\n\nEntryPoint\x18\x04 \x01(\t\x12\x0c\n\x04Kill\x18\x05 \x01(\x08\x12\x0c\n\x04PPid\x18\n \x01(\r\x12\x13\n\x0bProcessArgs\x18\x0b \x03(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"\xa3\x01\n\x0bSpawnDllReq\x12\x0c\n\x04\x44\x61ta\x18\x01 \x01(\x0c\x12\x13\n\x0bProcessName\x18\x02 \x01(\t\x12\x0e\n\x06Offset\x18\x03 \x01(\r\x12\x0c\n\x04\x41rgs\x18\x04 \x01(\t\x12\x0c\n\x04Kill\x18\x05 \x01(\x08\x12\x0c\n\x04PPid\x18\n \x01(\r\x12\x13\n\x0bProcessArgs\x18\x0b \x03(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"@\n\x08SpawnDll\x12\x0e\n\x06Result\x18\x01 \x01(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"w\n\nNetstatReq\x12\x0b\n\x03TCP\x18\x01 \x01(\x08\x12\x0b\n\x03UDP\x18\x02 \x01(\x08\x12\x0b\n\x03IP4\x18\x03 \x01(\x08\x12\x0b\n\x03IP6\x18\x05 \x01(\x08\x12\x11\n\tListening\x18\x06 \x01(\x08\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"\xf1\x01\n\x0cSockTabEntry\x12\x32\n\tLocalAddr\x18\x01 \x01(\x0b\x32\x1f.sliverpb.SockTabEntry.SockAddr\x12\x33\n\nRemoteAddr\x18\x02 \x01(\x0b\x32\x1f.sliverpb.SockTabEntry.SockAddr\x12\x0f\n\x07SkState\x18\x03 \x01(\t\x12\x0b\n\x03UID\x18\x04 \x01(\r\x12\"\n\x07Process\x18\x05 \x01(\x0b\x32\x11.commonpb.Process\x12\x10\n\x08Protocol\x18\x06 \x01(\t\x1a$\n\x08SockAddr\x12\n\n\x02Ip\x18\x01 \x01(\t\x12\x0c\n\x04Port\x18\x02 \x01(\r\"X\n\x07Netstat\x12\'\n\x07\x45ntries\x18\x01 \x03(\x0b\x32\x16.sliverpb.SockTabEntry\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\":\n\x06\x45nvReq\x12\x0c\n\x04Name\x18\x01 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"T\n\x07\x45nvInfo\x12#\n\tVariables\x18\x01 \x03(\x0b\x32\x10.commonpb.EnvVar\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"S\n\tSetEnvReq\x12\"\n\x08Variable\x18\x01 \x01(\x0b\x32\x10.commonpb.EnvVar\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\".\n\x06SetEnv\x12$\n\x08Response\x18\t 
\x01(\x0b\x32\x12.commonpb.Response\"?\n\x0bUnsetEnvReq\x12\x0c\n\x04Name\x18\x01 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"0\n\x08UnsetEnv\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"\x1d\n\x0e\x44NSSessionInit\x12\x0b\n\x03Key\x18\x01 \x01(\x0c\"3\n\x07\x44NSPoll\x12(\n\x06\x62locks\x18\x01 \x03(\x0b\x32\x18.sliverpb.DNSBlockHeader\"*\n\x0e\x44NSBlockHeader\x12\n\n\x02ID\x18\x01 \x01(\t\x12\x0c\n\x04Size\x18\x02 \x01(\r\"\x1e\n\x0fHTTPSessionInit\x12\x0b\n\x03Key\x18\x01 \x01(\x0c\"3\n\rScreenshotReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"@\n\nScreenshot\x12\x0c\n\x04\x44\x61ta\x18\x01 \x01(\x0c\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"\x9c\x01\n\x0fStartServiceReq\x12\x13\n\x0bServiceName\x18\x01 \x01(\t\x12\x1a\n\x12ServiceDescription\x18\x02 \x01(\t\x12\x0f\n\x07\x42inPath\x18\x03 \x01(\t\x12\x10\n\x08Hostname\x18\x04 \x01(\t\x12\x11\n\tArguments\x18\x05 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"3\n\x0bServiceInfo\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"7\n\x0eServiceInfoReq\x12\x13\n\x0bServiceName\x18\x01 \x01(\t\x12\x10\n\x08Hostname\x18\x02 \x01(\t\"c\n\x0eStopServiceReq\x12-\n\x0bServiceInfo\x18\x01 \x01(\x0b\x32\x18.sliverpb.ServiceInfoReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"e\n\x10RemoveServiceReq\x12-\n\x0bServiceInfo\x18\x01 \x01(\x0b\x32\x18.sliverpb.ServiceInfoReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"X\n\x0b\x42\x61\x63kdoorReq\x12\x10\n\x08\x46ilePath\x18\x01 \x01(\t\x12\x13\n\x0bProfileName\x18\x02 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"0\n\x08\x42\x61\x63kdoor\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"p\n\x0fRegistryReadReq\x12\x0c\n\x04Hive\x18\x01 \x01(\t\x12\x0c\n\x04Path\x18\x02 \x01(\t\x12\x0b\n\x03Key\x18\x03 \x01(\t\x12\x10\n\x08Hostname\x18\x04 \x01(\t\x12\"\n\x07Request\x18\t 
\x01(\x0b\x32\x11.commonpb.Request\"C\n\x0cRegistryRead\x12\r\n\x05Value\x18\x01 \x01(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"\xcf\x01\n\x10RegistryWriteReq\x12\x0c\n\x04Hive\x18\x01 \x01(\t\x12\x0c\n\x04Path\x18\x02 \x01(\t\x12\x0b\n\x03Key\x18\x03 \x01(\t\x12\x10\n\x08Hostname\x18\x04 \x01(\t\x12\x13\n\x0bStringValue\x18\x05 \x01(\t\x12\x11\n\tByteValue\x18\x06 \x01(\x0c\x12\x12\n\nDWordValue\x18\x07 \x01(\r\x12\x12\n\nQWordValue\x18\x08 \x01(\x04\x12\x0c\n\x04Type\x18\n \x01(\r\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"5\n\rRegistryWrite\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"u\n\x14RegistryCreateKeyReq\x12\x0c\n\x04Hive\x18\x01 \x01(\t\x12\x0c\n\x04Path\x18\x02 \x01(\t\x12\x0b\n\x03Key\x18\x03 \x01(\t\x12\x10\n\x08Hostname\x18\x04 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"9\n\x11RegistryCreateKey\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"u\n\x14RegistryDeleteKeyReq\x12\x0c\n\x04Hive\x18\x01 \x01(\t\x12\x0c\n\x04Path\x18\x02 \x01(\t\x12\x0b\n\x03Key\x18\x03 \x01(\t\x12\x10\n\x08Hostname\x18\x04 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"9\n\x11RegistryDeleteKey\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"i\n\x15RegistrySubKeyListReq\x12\x0c\n\x04Hive\x18\x01 \x01(\t\x12\x0c\n\x04Path\x18\x02 \x01(\t\x12\x10\n\x08Hostname\x18\x04 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"K\n\x12RegistrySubKeyList\x12\x0f\n\x07Subkeys\x18\x01 \x03(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"i\n\x15RegistryListValuesReq\x12\x0c\n\x04Hive\x18\x01 \x01(\t\x12\x0c\n\x04Path\x18\x02 \x01(\t\x12\x10\n\x08Hostname\x18\x04 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"N\n\x12RegistryValuesList\x12\x12\n\nValueNames\x18\x01 \x03(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"1\n\x06Tunnel\x12\x14\n\x08TunnelID\x18\x08 
\x01(\x04\x42\x02\x30\x01\x12\x11\n\tSessionID\x18\t \x01(\t\"\xbf\x01\n\nTunnelData\x12\x0c\n\x04\x44\x61ta\x18\x01 \x01(\x0c\x12\x0e\n\x06\x43losed\x18\x02 \x01(\x08\x12\x10\n\x08Sequence\x18\x03 \x01(\x04\x12\x0b\n\x03\x41\x63k\x18\x04 \x01(\x04\x12\x0e\n\x06Resend\x18\x05 \x01(\x08\x12\x15\n\rCreateReverse\x18\x06 \x01(\x08\x12$\n\x08rportfwd\x18\x07 \x01(\x0b\x32\x12.sliverpb.RPortfwd\x12\x14\n\x08TunnelID\x18\x08 \x01(\x04\x42\x02\x30\x01\x12\x11\n\tSessionID\x18\t \x01(\t\"r\n\x08ShellReq\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\x11\n\tEnablePTY\x18\x02 \x01(\x08\x12\x0b\n\x03Pid\x18\x03 \x01(\r\x12\x14\n\x08TunnelID\x18\x08 \x01(\x04\x42\x02\x30\x01\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"q\n\x05Shell\x12\x0c\n\x04Path\x18\x01 \x01(\t\x12\x11\n\tEnablePTY\x18\x02 \x01(\x08\x12\x0b\n\x03Pid\x18\x03 \x01(\r\x12\x14\n\x08TunnelID\x18\x08 \x01(\x04\x42\x02\x30\x01\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"t\n\nPortfwdReq\x12\x0c\n\x04Port\x18\x01 \x01(\r\x12\x10\n\x08Protocol\x18\x02 \x01(\x05\x12\x0c\n\x04Host\x18\x03 \x01(\t\x12\x14\n\x08TunnelID\x18\x08 \x01(\x04\x42\x02\x30\x01\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"s\n\x07Portfwd\x12\x0c\n\x04Port\x18\x01 \x01(\r\x12\x10\n\x08Protocol\x18\x02 \x01(\x05\x12\x0c\n\x04Host\x18\x03 \x01(\t\x12\x14\n\x08TunnelID\x18\x08 \x01(\x04\x42\x02\x30\x01\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"0\n\x05Socks\x12\x14\n\x08TunnelID\x18\x08 \x01(\x04\x42\x02\x30\x01\x12\x11\n\tSessionID\x18\t \x01(\t\"\x9c\x01\n\tSocksData\x12\x0c\n\x04\x44\x61ta\x18\x01 \x01(\x0c\x12\x11\n\tCloseConn\x18\x02 \x01(\x08\x12\x10\n\x08Username\x18\x03 \x01(\t\x12\x10\n\x08Password\x18\x04 \x01(\t\x12\x10\n\x08Sequence\x18\x05 \x01(\x04\x12\x14\n\x08TunnelID\x18\x08 \x01(\x04\x42\x02\x30\x01\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"\x84\x01\n\x15PivotStartListenerReq\x12!\n\x04Type\x18\x01 
\x01(\x0e\x32\x13.sliverpb.PivotType\x12\x13\n\x0b\x42indAddress\x18\x02 \x01(\t\x12\x0f\n\x07Options\x18\x03 \x03(\x08\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"F\n\x14PivotStopListenerReq\x12\n\n\x02ID\x18\x01 \x01(\r\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"\xa1\x01\n\rPivotListener\x12\n\n\x02ID\x18\x01 \x01(\r\x12!\n\x04Type\x18\x02 \x01(\x0e\x32\x13.sliverpb.PivotType\x12\x13\n\x0b\x42indAddress\x18\x03 \x01(\t\x12&\n\x06Pivots\x18\x04 \x03(\x0b\x32\x16.sliverpb.NetConnPivot\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"c\n\nPivotHello\x12\x11\n\tPublicKey\x18\x01 \x01(\x0c\x12\x12\n\x06PeerID\x18\x02 \x01(\x03\x42\x02\x30\x01\x12\x1a\n\x12PublicKeySignature\x18\x03 \x01(\t\x12\x12\n\nSessionKey\x18\x04 \x01(\x0c\">\n\x16PivotServerKeyExchange\x12\x10\n\x08OriginID\x18\x01 \x01(\x03\x12\x12\n\nSessionKey\x18\x02 \x01(\x0c\"-\n\tPivotPeer\x12\x12\n\x06PeerID\x18\x01 \x01(\x03\x42\x02\x30\x01\x12\x0c\n\x04Name\x18\x02 \x01(\t\"\x82\x01\n\x11PivotPeerEnvelope\x12\"\n\x05Peers\x18\x01 \x03(\x0b\x32\x13.sliverpb.PivotPeer\x12\x0c\n\x04Type\x18\x02 \x01(\r\x12\x16\n\x0ePivotSessionID\x18\x03 \x01(\x0c\x12\x0c\n\x04\x44\x61ta\x18\x04 \x01(\x0c\x12\x15\n\rPeerFailureAt\x18\x05 \x01(\x03\"\x1a\n\tPivotPing\x12\r\n\x05Nonce\x18\x01 \x01(\r\"9\n\x0cNetConnPivot\x12\x12\n\x06PeerID\x18\x01 \x01(\x03\x42\x02\x30\x01\x12\x15\n\rRemoteAddress\x18\x02 \x01(\t\"\\\n\x10PivotPeerFailure\x12\x12\n\x06PeerID\x18\x01 \x01(\x03\x42\x02\x30\x01\x12\'\n\x04Type\x18\x02 \x01(\x0e\x32\x19.sliverpb.PeerFailureType\x12\x0b\n\x03\x45rr\x18\x03 \x01(\t\"7\n\x11PivotListenersReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"b\n\x0ePivotListeners\x12*\n\tListeners\x18\x01 \x03(\x0b\x32\x17.sliverpb.PivotListener\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"e\n\x15WGPortForwardStartReq\x12\x11\n\tLocalPort\x18\x01 \x01(\x05\x12\x15\n\rRemoteAddress\x18\x02 \x01(\t\x12\"\n\x07Request\x18\t 
\x01(\x0b\x32\x11.commonpb.Request\"b\n\rWGPortForward\x12+\n\tForwarder\x18\x01 \x01(\x0b\x32\x18.sliverpb.WGTCPForwarder\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"F\n\x14WGPortForwardStopReq\x12\n\n\x02ID\x18\x01 \x01(\x05\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"C\n\x0fWGSocksStartReq\x12\x0c\n\x04Port\x18\x01 \x01(\x05\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"X\n\x07WGSocks\x12\'\n\x06Server\x18\x01 \x01(\x0b\x32\x17.sliverpb.WGSocksServer\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"@\n\x0eWGSocksStopReq\x12\n\n\x02ID\x18\x01 \x01(\x05\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"8\n\x12WGTCPForwardersReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"7\n\x11WGSocksServersReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"C\n\x0eWGTCPForwarder\x12\n\n\x02ID\x18\x01 \x01(\x05\x12\x11\n\tLocalAddr\x18\x02 \x01(\t\x12\x12\n\nRemoteAddr\x18\x03 \x01(\t\".\n\rWGSocksServer\x12\n\n\x02ID\x18\x01 \x01(\x05\x12\x11\n\tLocalAddr\x18\x02 \x01(\t\"`\n\x0eWGSocksServers\x12(\n\x07Servers\x18\x01 \x03(\x0b\x32\x17.sliverpb.WGSocksServer\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"e\n\x0fWGTCPForwarders\x12,\n\nForwarders\x18\x01 \x03(\x0b\x32\x18.sliverpb.WGTCPForwarder\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"}\n\x0eReconfigureReq\x12\x19\n\x11ReconnectInterval\x18\x01 \x01(\x03\x12\x16\n\x0e\x42\x65\x61\x63onInterval\x18\x02 \x01(\x03\x12\x14\n\x0c\x42\x65\x61\x63onJitter\x18\x03 \x01(\x03\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"3\n\x0bReconfigure\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"K\n\x0fPollIntervalReq\x12\x14\n\x0cPollInterval\x18\x01 \x01(\x03\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"4\n\x0cPollInterval\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"\xca\x01\n\rSSHCommandReq\x12\x10\n\x08Username\x18\x01 
\x01(\t\x12\x10\n\x08Hostname\x18\x02 \x01(\t\x12\x0c\n\x04Port\x18\x03 \x01(\r\x12\x0f\n\x07\x43ommand\x18\x04 \x01(\t\x12\x10\n\x08Password\x18\x05 \x01(\t\x12\x0f\n\x07PrivKey\x18\x06 \x01(\x0c\x12\x10\n\x08Krb5Conf\x18\x07 \x01(\t\x12\x0e\n\x06Keytab\x18\x08 \x01(\x0c\x12\r\n\x05Realm\x18\n \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"R\n\nSSHCommand\x12\x0e\n\x06StdOut\x18\x01 \x01(\t\x12\x0e\n\x06StdErr\x18\x02 \x01(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"1\n\x0bGetPrivsReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"\x8d\x01\n\x15WindowsPrivilegeEntry\x12\x0c\n\x04Name\x18\x01 \x01(\t\x12\x13\n\x0b\x44\x65scription\x18\x02 \x01(\t\x12\x0f\n\x07\x45nabled\x18\x03 \x01(\x08\x12\x18\n\x10\x45nabledByDefault\x18\x04 \x01(\x08\x12\x0f\n\x07Removed\x18\x05 \x01(\x08\x12\x15\n\rUsedForAccess\x18\x06 \x01(\x08\"\x92\x01\n\x08GetPrivs\x12\x31\n\x08PrivInfo\x18\x01 \x03(\x0b\x32\x1f.sliverpb.WindowsPrivilegeEntry\x12\x18\n\x10ProcessIntegrity\x18\x02 \x01(\t\x12\x13\n\x0bProcessName\x18\x03 \x01(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"p\n\x14RegisterExtensionReq\x12\x0c\n\x04Name\x18\x01 \x01(\t\x12\x0c\n\x04\x44\x61ta\x18\x02 \x01(\x0c\x12\n\n\x02OS\x18\x03 \x01(\t\x12\x0c\n\x04Init\x18\x04 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"9\n\x11RegisterExtension\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"w\n\x10\x43\x61llExtensionReq\x12\x0c\n\x04Name\x18\x01 \x01(\t\x12\x13\n\x0bServerStore\x18\x02 \x01(\x08\x12\x0c\n\x04\x41rgs\x18\x03 \x01(\x0c\x12\x0e\n\x06\x45xport\x18\x04 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"Z\n\rCallExtension\x12\x0e\n\x06Output\x18\x01 \x01(\x0c\x12\x13\n\x0bServerStore\x18\x02 \x01(\x08\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"7\n\x11ListExtensionsReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"E\n\x0eListExtensions\x12\r\n\x05Names\x18\x01 
\x03(\t\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"I\n\x17RportFwdStopListenerReq\x12\n\n\x02ID\x18\x01 \x01(\r\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"\x92\x01\n\x18RportFwdStartListenerReq\x12\x13\n\x0b\x42indAddress\x18\x01 \x01(\t\x12\x10\n\x08\x42indPort\x18\x02 \x01(\r\x12\x13\n\x0b\x66orwardPort\x18\x03 \x01(\r\x12\x16\n\x0e\x66orwardAddress\x18\x04 \x01(\t\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"\x98\x01\n\x10RportFwdListener\x12\n\n\x02ID\x18\x01 \x01(\r\x12\x13\n\x0b\x42indAddress\x18\x02 \x01(\t\x12\x10\n\x08\x62indPort\x18\x03 \x01(\r\x12\x16\n\x0e\x66orwardAddress\x18\x04 \x01(\t\x12\x13\n\x0b\x66orwardPort\x18\x05 \x01(\r\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"h\n\x11RportFwdListeners\x12-\n\tListeners\x18\x01 \x03(\x0b\x32\x1a.sliverpb.RportFwdListener\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\":\n\x14RportFwdListenersReq\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request\"t\n\x08RPortfwd\x12\x0c\n\x04Port\x18\x01 \x01(\r\x12\x10\n\x08Protocol\x18\x02 \x01(\x05\x12\x0c\n\x04Host\x18\x03 \x01(\t\x12\x14\n\x08TunnelID\x18\x08 \x01(\x04\x42\x02\x30\x01\x12$\n\x08Response\x18\t \x01(\x0b\x32\x12.commonpb.Response\"u\n\x0bRPortfwdReq\x12\x0c\n\x04Port\x18\x01 \x01(\r\x12\x10\n\x08Protocol\x18\x02 \x01(\x05\x12\x0c\n\x04Host\x18\x03 \x01(\t\x12\x14\n\x08TunnelID\x18\x08 \x01(\x04\x42\x02\x30\x01\x12\"\n\x07Request\x18\t \x01(\x0b\x32\x11.commonpb.Request*I\n\x0cRegistryType\x12\x0b\n\x07Unknown\x10\x00\x12\n\n\x06\x42inary\x10\x01\x12\n\n\x06String\x10\x02\x12\t\n\x05\x44WORD\x10\x03\x12\t\n\x05QWORD\x10\x04*,\n\tPivotType\x12\x07\n\x03TCP\x10\x00\x12\x07\n\x03UDP\x10\x01\x12\r\n\tNamedPipe\x10\x02*3\n\x0fPeerFailureType\x12\x10\n\x0cSEND_FAILURE\x10\x00\x12\x0e\n\nDISCONNECT\x10\x01\x42/Z-github.com/bishopfox/sliver/protobuf/sliverpbb\x06proto3') 18 | 19 | _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, globals()) 20 | 
_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'sliver_pb2', globals()) 21 | if _descriptor._USE_C_DESCRIPTORS == False: 22 | 23 | DESCRIPTOR._options = None 24 | DESCRIPTOR._serialized_options = b'Z-github.com/bishopfox/sliver/protobuf/sliverpb' 25 | _TUNNEL.fields_by_name['TunnelID']._options = None 26 | _TUNNEL.fields_by_name['TunnelID']._serialized_options = b'0\001' 27 | _TUNNELDATA.fields_by_name['TunnelID']._options = None 28 | _TUNNELDATA.fields_by_name['TunnelID']._serialized_options = b'0\001' 29 | _SHELLREQ.fields_by_name['TunnelID']._options = None 30 | _SHELLREQ.fields_by_name['TunnelID']._serialized_options = b'0\001' 31 | _SHELL.fields_by_name['TunnelID']._options = None 32 | _SHELL.fields_by_name['TunnelID']._serialized_options = b'0\001' 33 | _PORTFWDREQ.fields_by_name['TunnelID']._options = None 34 | _PORTFWDREQ.fields_by_name['TunnelID']._serialized_options = b'0\001' 35 | _PORTFWD.fields_by_name['TunnelID']._options = None 36 | _PORTFWD.fields_by_name['TunnelID']._serialized_options = b'0\001' 37 | _SOCKS.fields_by_name['TunnelID']._options = None 38 | _SOCKS.fields_by_name['TunnelID']._serialized_options = b'0\001' 39 | _SOCKSDATA.fields_by_name['TunnelID']._options = None 40 | _SOCKSDATA.fields_by_name['TunnelID']._serialized_options = b'0\001' 41 | _PIVOTHELLO.fields_by_name['PeerID']._options = None 42 | _PIVOTHELLO.fields_by_name['PeerID']._serialized_options = b'0\001' 43 | _PIVOTPEER.fields_by_name['PeerID']._options = None 44 | _PIVOTPEER.fields_by_name['PeerID']._serialized_options = b'0\001' 45 | _NETCONNPIVOT.fields_by_name['PeerID']._options = None 46 | _NETCONNPIVOT.fields_by_name['PeerID']._serialized_options = b'0\001' 47 | _PIVOTPEERFAILURE.fields_by_name['PeerID']._options = None 48 | _PIVOTPEERFAILURE.fields_by_name['PeerID']._serialized_options = b'0\001' 49 | _RPORTFWD.fields_by_name['TunnelID']._options = None 50 | _RPORTFWD.fields_by_name['TunnelID']._serialized_options = b'0\001' 51 | 
_RPORTFWDREQ.fields_by_name['TunnelID']._options = None 52 | _RPORTFWDREQ.fields_by_name['TunnelID']._serialized_options = b'0\001' 53 | _REGISTRYTYPE._serialized_start=14033 54 | _REGISTRYTYPE._serialized_end=14106 55 | _PIVOTTYPE._serialized_start=14108 56 | _PIVOTTYPE._serialized_end=14152 57 | _PEERFAILURETYPE._serialized_start=14154 58 | _PEERFAILURETYPE._serialized_end=14205 59 | _ENVELOPE._serialized_start=40 60 | _ENVELOPE._serialized_end=118 61 | _BEACONTASKS._serialized_start=120 62 | _BEACONTASKS._serialized_end=201 63 | _REGISTER._serialized_start=204 64 | _REGISTER._serialized_end=491 65 | _BEACONREGISTER._serialized_start=493 66 | _BEACONREGISTER._serialized_end=614 67 | _SESSIONREGISTER._serialized_start=616 68 | _SESSIONREGISTER._serialized_end=683 69 | _OPENSESSION._serialized_start=685 70 | _OPENSESSION._serialized_end=800 71 | _CLOSESESSION._serialized_start=802 72 | _CLOSESESSION._serialized_end=890 73 | _PING._serialized_start=892 74 | _PING._serialized_end=987 75 | _KILLREQ._serialized_start=989 76 | _KILLREQ._serialized_end=1049 77 | _PSREQ._serialized_start=1051 78 | _PSREQ._serialized_end=1094 79 | _PS._serialized_start=1096 80 | _PS._serialized_end=1176 81 | _TERMINATEREQ._serialized_start=1178 82 | _TERMINATEREQ._serialized_end=1256 83 | _TERMINATE._serialized_start=1258 84 | _TERMINATE._serialized_end=1320 85 | _IFCONFIGREQ._serialized_start=1322 86 | _IFCONFIGREQ._serialized_end=1371 87 | _IFCONFIG._serialized_start=1373 88 | _IFCONFIG._serialized_end=1468 89 | _NETINTERFACE._serialized_start=1470 90 | _NETINTERFACE._serialized_end=1547 91 | _LSREQ._serialized_start=1549 92 | _LSREQ._serialized_end=1606 93 | _LS._serialized_start=1609 94 | _LS._serialized_end=1758 95 | _FILEINFO._serialized_start=1760 96 | _FILEINFO._serialized_end=1858 97 | _CDREQ._serialized_start=1860 98 | _CDREQ._serialized_end=1917 99 | _PWDREQ._serialized_start=1919 100 | _PWDREQ._serialized_end=1963 101 | _PWD._serialized_start=1965 102 | 
_PWD._serialized_end=2022 103 | _RMREQ._serialized_start=2024 104 | _RMREQ._serialized_end=2115 105 | _RM._serialized_start=2117 106 | _RM._serialized_end=2173 107 | _MVREQ._serialized_start=2175 108 | _MVREQ._serialized_end=2244 109 | _MV._serialized_start=2246 110 | _MV._serialized_end=2314 111 | _MKDIRREQ._serialized_start=2316 112 | _MKDIRREQ._serialized_end=2376 113 | _MKDIR._serialized_start=2378 114 | _MKDIR._serialized_end=2437 115 | _DOWNLOADREQ._serialized_start=2439 116 | _DOWNLOADREQ._serialized_end=2548 117 | _DOWNLOAD._serialized_start=2551 118 | _DOWNLOAD._serialized_end=2748 119 | _UPLOADREQ._serialized_start=2750 120 | _UPLOADREQ._serialized_end=2857 121 | _UPLOAD._serialized_start=2859 122 | _UPLOAD._serialized_end=2919 123 | _PROCESSDUMPREQ._serialized_start=2921 124 | _PROCESSDUMPREQ._serialized_end=3003 125 | _PROCESSDUMP._serialized_start=3005 126 | _PROCESSDUMP._serialized_end=3070 127 | _RUNASREQ._serialized_start=3072 128 | _RUNASREQ._serialized_end=3171 129 | _RUNAS._serialized_start=3173 130 | _RUNAS._serialized_end=3234 131 | _IMPERSONATEREQ._serialized_start=3236 132 | _IMPERSONATEREQ._serialized_end=3306 133 | _IMPERSONATE._serialized_start=3308 134 | _IMPERSONATE._serialized_end=3359 135 | _REVTOSELFREQ._serialized_start=3361 136 | _REVTOSELFREQ._serialized_end=3411 137 | _REVTOSELF._serialized_start=3413 138 | _REVTOSELF._serialized_end=3462 139 | _CURRENTTOKENOWNERREQ._serialized_start=3464 140 | _CURRENTTOKENOWNERREQ._serialized_end=3522 141 | _CURRENTTOKENOWNER._serialized_start=3524 142 | _CURRENTTOKENOWNER._serialized_end=3597 143 | _INVOKEGETSYSTEMREQ._serialized_start=3599 144 | _INVOKEGETSYSTEMREQ._serialized_end=3693 145 | _GETSYSTEM._serialized_start=3695 146 | _GETSYSTEM._serialized_end=3744 147 | _MAKETOKENREQ._serialized_start=3746 148 | _MAKETOKENREQ._serialized_end=3848 149 | _MAKETOKEN._serialized_start=3850 150 | _MAKETOKEN._serialized_end=3899 151 | _TASKREQ._serialized_start=3901 152 | _TASKREQ._serialized_end=4008 
153 | _TASK._serialized_start=4010 154 | _TASK._serialized_end=4054 155 | _EXECUTEASSEMBLYREQ._serialized_start=4057 156 | _EXECUTEASSEMBLYREQ._serialized_end=4360 157 | _INVOKEEXECUTEASSEMBLYREQ._serialized_start=4363 158 | _INVOKEEXECUTEASSEMBLYREQ._serialized_end=4491 159 | _INVOKEINPROCEXECUTEASSEMBLYREQ._serialized_start=4494 160 | _INVOKEINPROCEXECUTEASSEMBLYREQ._serialized_end=4651 161 | _EXECUTEASSEMBLY._serialized_start=4653 162 | _EXECUTEASSEMBLY._serialized_end=4724 163 | _INVOKEMIGRATEREQ._serialized_start=4726 164 | _INVOKEMIGRATEREQ._serialized_end=4807 165 | _MIGRATE._serialized_start=4809 166 | _MIGRATE._serialized_end=4873 167 | _EXECUTEREQ._serialized_start=4876 168 | _EXECUTEREQ._serialized_end=5014 169 | _EXECUTEWINDOWSREQ._serialized_start=5017 170 | _EXECUTEWINDOWSREQ._serialized_end=5180 171 | _EXECUTE._serialized_start=5182 172 | _EXECUTE._serialized_end=5290 173 | _SIDELOADREQ._serialized_start=5293 174 | _SIDELOADREQ._serialized_end=5494 175 | _SIDELOAD._serialized_start=5496 176 | _SIDELOAD._serialized_end=5560 177 | _INVOKESPAWNDLLREQ._serialized_start=5563 178 | _INVOKESPAWNDLLREQ._serialized_end=5736 179 | _SPAWNDLLREQ._serialized_start=5739 180 | _SPAWNDLLREQ._serialized_end=5902 181 | _SPAWNDLL._serialized_start=5904 182 | _SPAWNDLL._serialized_end=5968 183 | _NETSTATREQ._serialized_start=5970 184 | _NETSTATREQ._serialized_end=6089 185 | _SOCKTABENTRY._serialized_start=6092 186 | _SOCKTABENTRY._serialized_end=6333 187 | _SOCKTABENTRY_SOCKADDR._serialized_start=6297 188 | _SOCKTABENTRY_SOCKADDR._serialized_end=6333 189 | _NETSTAT._serialized_start=6335 190 | _NETSTAT._serialized_end=6423 191 | _ENVREQ._serialized_start=6425 192 | _ENVREQ._serialized_end=6483 193 | _ENVINFO._serialized_start=6485 194 | _ENVINFO._serialized_end=6569 195 | _SETENVREQ._serialized_start=6571 196 | _SETENVREQ._serialized_end=6654 197 | _SETENV._serialized_start=6656 198 | _SETENV._serialized_end=6702 199 | _UNSETENVREQ._serialized_start=6704 200 | 
_UNSETENVREQ._serialized_end=6767 201 | _UNSETENV._serialized_start=6769 202 | _UNSETENV._serialized_end=6817 203 | _DNSSESSIONINIT._serialized_start=6819 204 | _DNSSESSIONINIT._serialized_end=6848 205 | _DNSPOLL._serialized_start=6850 206 | _DNSPOLL._serialized_end=6901 207 | _DNSBLOCKHEADER._serialized_start=6903 208 | _DNSBLOCKHEADER._serialized_end=6945 209 | _HTTPSESSIONINIT._serialized_start=6947 210 | _HTTPSESSIONINIT._serialized_end=6977 211 | _SCREENSHOTREQ._serialized_start=6979 212 | _SCREENSHOTREQ._serialized_end=7030 213 | _SCREENSHOT._serialized_start=7032 214 | _SCREENSHOT._serialized_end=7096 215 | _STARTSERVICEREQ._serialized_start=7099 216 | _STARTSERVICEREQ._serialized_end=7255 217 | _SERVICEINFO._serialized_start=7257 218 | _SERVICEINFO._serialized_end=7308 219 | _SERVICEINFOREQ._serialized_start=7310 220 | _SERVICEINFOREQ._serialized_end=7365 221 | _STOPSERVICEREQ._serialized_start=7367 222 | _STOPSERVICEREQ._serialized_end=7466 223 | _REMOVESERVICEREQ._serialized_start=7468 224 | _REMOVESERVICEREQ._serialized_end=7569 225 | _BACKDOORREQ._serialized_start=7571 226 | _BACKDOORREQ._serialized_end=7659 227 | _BACKDOOR._serialized_start=7661 228 | _BACKDOOR._serialized_end=7709 229 | _REGISTRYREADREQ._serialized_start=7711 230 | _REGISTRYREADREQ._serialized_end=7823 231 | _REGISTRYREAD._serialized_start=7825 232 | _REGISTRYREAD._serialized_end=7892 233 | _REGISTRYWRITEREQ._serialized_start=7895 234 | _REGISTRYWRITEREQ._serialized_end=8102 235 | _REGISTRYWRITE._serialized_start=8104 236 | _REGISTRYWRITE._serialized_end=8157 237 | _REGISTRYCREATEKEYREQ._serialized_start=8159 238 | _REGISTRYCREATEKEYREQ._serialized_end=8276 239 | _REGISTRYCREATEKEY._serialized_start=8278 240 | _REGISTRYCREATEKEY._serialized_end=8335 241 | _REGISTRYDELETEKEYREQ._serialized_start=8337 242 | _REGISTRYDELETEKEYREQ._serialized_end=8454 243 | _REGISTRYDELETEKEY._serialized_start=8456 244 | _REGISTRYDELETEKEY._serialized_end=8513 245 | 
_REGISTRYSUBKEYLISTREQ._serialized_start=8515 246 | _REGISTRYSUBKEYLISTREQ._serialized_end=8620 247 | _REGISTRYSUBKEYLIST._serialized_start=8622 248 | _REGISTRYSUBKEYLIST._serialized_end=8697 249 | _REGISTRYLISTVALUESREQ._serialized_start=8699 250 | _REGISTRYLISTVALUESREQ._serialized_end=8804 251 | _REGISTRYVALUESLIST._serialized_start=8806 252 | _REGISTRYVALUESLIST._serialized_end=8884 253 | _TUNNEL._serialized_start=8886 254 | _TUNNEL._serialized_end=8935 255 | _TUNNELDATA._serialized_start=8938 256 | _TUNNELDATA._serialized_end=9129 257 | _SHELLREQ._serialized_start=9131 258 | _SHELLREQ._serialized_end=9245 259 | _SHELL._serialized_start=9247 260 | _SHELL._serialized_end=9360 261 | _PORTFWDREQ._serialized_start=9362 262 | _PORTFWDREQ._serialized_end=9478 263 | _PORTFWD._serialized_start=9480 264 | _PORTFWD._serialized_end=9595 265 | _SOCKS._serialized_start=9597 266 | _SOCKS._serialized_end=9645 267 | _SOCKSDATA._serialized_start=9648 268 | _SOCKSDATA._serialized_end=9804 269 | _PIVOTSTARTLISTENERREQ._serialized_start=9807 270 | _PIVOTSTARTLISTENERREQ._serialized_end=9939 271 | _PIVOTSTOPLISTENERREQ._serialized_start=9941 272 | _PIVOTSTOPLISTENERREQ._serialized_end=10011 273 | _PIVOTLISTENER._serialized_start=10014 274 | _PIVOTLISTENER._serialized_end=10175 275 | _PIVOTHELLO._serialized_start=10177 276 | _PIVOTHELLO._serialized_end=10276 277 | _PIVOTSERVERKEYEXCHANGE._serialized_start=10278 278 | _PIVOTSERVERKEYEXCHANGE._serialized_end=10340 279 | _PIVOTPEER._serialized_start=10342 280 | _PIVOTPEER._serialized_end=10387 281 | _PIVOTPEERENVELOPE._serialized_start=10390 282 | _PIVOTPEERENVELOPE._serialized_end=10520 283 | _PIVOTPING._serialized_start=10522 284 | _PIVOTPING._serialized_end=10548 285 | _NETCONNPIVOT._serialized_start=10550 286 | _NETCONNPIVOT._serialized_end=10607 287 | _PIVOTPEERFAILURE._serialized_start=10609 288 | _PIVOTPEERFAILURE._serialized_end=10701 289 | _PIVOTLISTENERSREQ._serialized_start=10703 290 | 
_PIVOTLISTENERSREQ._serialized_end=10758 291 | _PIVOTLISTENERS._serialized_start=10760 292 | _PIVOTLISTENERS._serialized_end=10858 293 | _WGPORTFORWARDSTARTREQ._serialized_start=10860 294 | _WGPORTFORWARDSTARTREQ._serialized_end=10961 295 | _WGPORTFORWARD._serialized_start=10963 296 | _WGPORTFORWARD._serialized_end=11061 297 | _WGPORTFORWARDSTOPREQ._serialized_start=11063 298 | _WGPORTFORWARDSTOPREQ._serialized_end=11133 299 | _WGSOCKSSTARTREQ._serialized_start=11135 300 | _WGSOCKSSTARTREQ._serialized_end=11202 301 | _WGSOCKS._serialized_start=11204 302 | _WGSOCKS._serialized_end=11292 303 | _WGSOCKSSTOPREQ._serialized_start=11294 304 | _WGSOCKSSTOPREQ._serialized_end=11358 305 | _WGTCPFORWARDERSREQ._serialized_start=11360 306 | _WGTCPFORWARDERSREQ._serialized_end=11416 307 | _WGSOCKSSERVERSREQ._serialized_start=11418 308 | _WGSOCKSSERVERSREQ._serialized_end=11473 309 | _WGTCPFORWARDER._serialized_start=11475 310 | _WGTCPFORWARDER._serialized_end=11542 311 | _WGSOCKSSERVER._serialized_start=11544 312 | _WGSOCKSSERVER._serialized_end=11590 313 | _WGSOCKSSERVERS._serialized_start=11592 314 | _WGSOCKSSERVERS._serialized_end=11688 315 | _WGTCPFORWARDERS._serialized_start=11690 316 | _WGTCPFORWARDERS._serialized_end=11791 317 | _RECONFIGUREREQ._serialized_start=11793 318 | _RECONFIGUREREQ._serialized_end=11918 319 | _RECONFIGURE._serialized_start=11920 320 | _RECONFIGURE._serialized_end=11971 321 | _POLLINTERVALREQ._serialized_start=11973 322 | _POLLINTERVALREQ._serialized_end=12048 323 | _POLLINTERVAL._serialized_start=12050 324 | _POLLINTERVAL._serialized_end=12102 325 | _SSHCOMMANDREQ._serialized_start=12105 326 | _SSHCOMMANDREQ._serialized_end=12307 327 | _SSHCOMMAND._serialized_start=12309 328 | _SSHCOMMAND._serialized_end=12391 329 | _GETPRIVSREQ._serialized_start=12393 330 | _GETPRIVSREQ._serialized_end=12442 331 | _WINDOWSPRIVILEGEENTRY._serialized_start=12445 332 | _WINDOWSPRIVILEGEENTRY._serialized_end=12586 333 | _GETPRIVS._serialized_start=12589 334 | 
_GETPRIVS._serialized_end=12735 335 | _REGISTEREXTENSIONREQ._serialized_start=12737 336 | _REGISTEREXTENSIONREQ._serialized_end=12849 337 | _REGISTEREXTENSION._serialized_start=12851 338 | _REGISTEREXTENSION._serialized_end=12908 339 | _CALLEXTENSIONREQ._serialized_start=12910 340 | _CALLEXTENSIONREQ._serialized_end=13029 341 | _CALLEXTENSION._serialized_start=13031 342 | _CALLEXTENSION._serialized_end=13121 343 | _LISTEXTENSIONSREQ._serialized_start=13123 344 | _LISTEXTENSIONSREQ._serialized_end=13178 345 | _LISTEXTENSIONS._serialized_start=13180 346 | _LISTEXTENSIONS._serialized_end=13249 347 | _RPORTFWDSTOPLISTENERREQ._serialized_start=13251 348 | _RPORTFWDSTOPLISTENERREQ._serialized_end=13324 349 | _RPORTFWDSTARTLISTENERREQ._serialized_start=13327 350 | _RPORTFWDSTARTLISTENERREQ._serialized_end=13473 351 | _RPORTFWDLISTENER._serialized_start=13476 352 | _RPORTFWDLISTENER._serialized_end=13628 353 | _RPORTFWDLISTENERS._serialized_start=13630 354 | _RPORTFWDLISTENERS._serialized_end=13734 355 | _RPORTFWDLISTENERSREQ._serialized_start=13736 356 | _RPORTFWDLISTENERSREQ._serialized_end=13794 357 | _RPORTFWD._serialized_start=13796 358 | _RPORTFWD._serialized_end=13912 359 | _RPORTFWDREQ._serialized_start=13914 360 | _RPORTFWDREQ._serialized_end=14031 361 | # @@protoc_insertion_point(module_scope) 362 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | base58==2.1.1 2 | pyshark==0.5.3 3 | chacha20poly1305==0.0.3 -------------------------------------------------------------------------------- /sliver_decrypt.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2023 Kev Breen, Immersive Labs 2 | # https://github.com/Immersive-Labs-Sec/SliverC2-Forensics 3 | # 4 | # Permission is hereby granted, free of charge, to any person obtaining a copy 5 | # of this software and associated 
documentation files (the "Software"), to deal 6 | # in the Software without restriction, including without limitation the rights 7 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 8 | # copies of the Software, and to permit persons to whom the Software is 9 | # furnished to do so, subject to the following conditions: 10 | 11 | # The above copyright notice and this permission notice shall be included in all 12 | # copies or substantial portions of the Software. 13 | 14 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 15 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 17 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 18 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 19 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 20 | # SOFTWARE. 
21 | import argparse 22 | import base64 23 | import gzip 24 | import re 25 | import json 26 | from binascii import hexlify, unhexlify 27 | 28 | from chacha20poly1305 import ChaCha20Poly1305 29 | import base58 30 | from protobufs import dns_pb2, sliver_pb2 31 | 32 | encoders = { 33 | 34 | 13: "b64", 35 | 31: "words", 36 | 22: "png", 37 | 43: "b58", 38 | 45: "gzip-words", 39 | 49: "gzip", 40 | 64: "gzip-b64", 41 | 65: "b32", 42 | 92: "hex" 43 | 44 | } 45 | 46 | 47 | msg_types = { 48 | 0: "NOP", 49 | 1: "TOTP", 50 | 2: "Init", 51 | 3: "Poll", 52 | 4: "close", 53 | 6: "manifest", 54 | 7: "Data to implant", 55 | 8: "Data from implant", 56 | 9: "clear", 57 | 58 | } 59 | 60 | 61 | base64_standard = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" 62 | base64_modified = "a0b2c5def6hijklmnopqr_st-uvwxyzA1B3C4DEFGHIJKLM7NO9PQR8ST+UVWXYZ" 63 | 64 | base32_standard = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567' 65 | base32_modified = 'ab1c2d3e4f5g6h7j8k9m0npqrtuvwxyz' 66 | 67 | base58_standard = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz' 68 | base58_modified = '213465789aBcDeFgHjKLMNPQRSTUVWXYZAbCdEfGhiJkmnopqrstuvwxyz' 69 | 70 | 71 | def decrypt_chacha(key, data): 72 | """Decrypt and Decompress Sliver Payload""" 73 | cip = ChaCha20Poly1305(key) 74 | nonce = data[:12] 75 | ciphertext = data[12:] 76 | compressed = cip.decrypt(nonce, ciphertext) 77 | return gzip.decompress(compressed) 78 | 79 | 80 | def parse_output(decrypted): 81 | envelope = sliver_pb2.Envelope() 82 | envelope.ParseFromString(decrypted) 83 | print(f' [-] Message Type: {envelope.Type}') 84 | print('[=] Message Data') 85 | print(envelope.Data) 86 | 87 | 88 | def decode_nonce(nonce_value): 89 | """Takes a nonce value from a HTTP Request and returns the encoder that was used""" 90 | nonce_value = int(re.sub('[^0-9]','', nonce_value)) 91 | encoder_id = nonce_value % 101 92 | return encoders[encoder_id] 93 | 94 | 95 | def decode_b64(slv_data, compressed=False): 96 | """Uses the modifed 
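alphabet from Sliver C2 to decode Base64"""
    table = slv_data.maketrans(base64_modified, base64_standard)
    std_data = slv_data.translate(table)
    padded = f"{std_data}{'=' * (len(std_data) % 4)}"
    decoded = base64.standard_b64decode(padded)
    if compressed:
        decoded = decode_gzip(decoded)
    return decoded


def decode_b32(slv_data):
    """Map Sliver's modified Base32 alphabet back to the standard one and decode.

    Args:
        slv_data: The encoded payload with any ``.`` label separators already
            removed. The DNS path passes ``bytes``; the padding character is
            chosen to match the input type, but whether ``str`` input works
            also depends on ``base32_modified`` / ``base32_standard`` being of
            the same type — TODO confirm.

    Returns:
        The decoded bytes.

    Raises:
        binascii.Error: If the translated data is not valid Base32.
    """
    table = slv_data.maketrans(base32_modified, base32_standard)
    std_data = slv_data.translate(table)

    # Sliver drops the '=' padding on the wire; restore it so the decoder
    # sees a whole number of 8-character quanta.
    pad_char = b'=' if isinstance(std_data, bytes) else '='
    std_data = std_data + pad_char * ((-len(std_data)) % 8)

    return base64.b32decode(std_data)


def decode_b58(slv_data):
    """Map Sliver's modified Base58 alphabet back to the standard one and decode.

    Args:
        slv_data: The encoded payload (``bytes`` in the DNS path).

    Returns:
        The decoded bytes.

    Raises:
        Whatever ``base58.b58decode`` raises on characters outside its
        alphabet (a ``ValueError`` in the versions seen — TODO confirm).
    """
    table = slv_data.maketrans(base58_modified, base58_standard)
    std_data = slv_data.translate(table)
    return base58.b58decode(std_data)


def decode_words(word_list, compressed=False):
    """Decode Sliver's "English words" encoder without needing the wordlist.

    Each word contributes one output byte: the sum of its character ordinals
    modulo 256.

    Args:
        word_list: Whitespace-separated words as a ``str`` (the JSON ``body``
            field from the HTTP parsers).
        compressed: If True the decoded bytes are passed through
            ``decode_gzip`` afterwards.

    Returns:
        The decoded (and optionally decompressed) bytes.
    """
    decoded = bytes(
        sum(ord(char) for char in word) % 256 for word in word_list.split()
    )
    if compressed:
        decoded = decode_gzip(decoded)
    return decoded


def decode_gzip(slv_data):
    """Gzip-decompress ``slv_data``, returning it unchanged if it is not gzip.

    Some polling messages carry a gzip nonce but are not actually compressed,
    so a failed decompression is treated as "already plain" rather than as
    an error.

    Note that ``slv_data`` comes from the capture under analysis and
    ``gzip.decompress`` places no limit on the expanded size; a crafted
    capture could make this consume a lot of memory.
    """
    try:
        return gzip.decompress(slv_data)
    except Exception:
        # Narrowed from a bare ``except`` so Ctrl-C / SystemExit still propagate.
        return slv_data


def _detect_dns_encoder(payload):
    """Return 32 or 58 depending on which Sliver alphabet ``payload`` fits.

    Any byte outside the modified Base32 alphabet means Base58 was used.
    """
    if all(char in base32_modified for char in payload):
        return 32
    return 58


def _decode_dns_payload(payload):
    """Decode one line of the DNS file into a ``DNSMessage``, or ``None``.

    ``None`` is returned for empty lines and for lines that fail to decode
    or to parse as a protobuf, so one malformed (or non-Sliver) line no
    longer aborts the whole run.
    """
    # DNS labels are joined with '.', which is not part of the encoding.
    payload = payload.replace(b'.', b'')
    try:
        if _detect_dns_encoder(payload) == 32:
            decoded = decode_b32(payload)
        else:
            decoded = decode_b58(payload)
        if not decoded:
            return None
        dns_protobuf = dns_pb2.DNSMessage()
        dns_protobuf.ParseFromString(decoded)
    except Exception as err:
        print(f' [!] Skipping undecodable payload ({type(err).__name__})')
        return None
    return dns_protobuf


def _collect_dns_sessions(encoded_payloads):
    """Group decoded DNS messages by session ID, preserving capture order.

    The session's ``msg_type`` is taken from the first segment seen for it.
    """
    sessions = {}
    for payload in encoded_payloads:
        dns_protobuf = _decode_dns_payload(payload)
        if dns_protobuf is None:
            continue
        session = sessions.setdefault(
            dns_protobuf.ID,
            {'msg_type': dns_protobuf.Type, 'segments': []},
        )
        session['segments'].append(dns_protobuf)
    return sessions


def _reassemble_session(session, message_type):
    """Return the ciphertext for a session, or ``None`` if parts are missing.

    Single-segment sessions must be self-contained (``len(Data) == Size``).
    ``Init`` seems to carry an extra segment holding the server's reply, so
    only its first segment is used and checked the same way. Any other
    multi-segment session is concatenated in ``Start`` order.
    """
    segments = session['segments']
    first = segments[0]

    if len(segments) == 1 or (message_type == 'Init' and len(segments) > 1):
        if len(first.Data) == first.Size:
            return first.Data
        print('[!] Session missing payloads!')
        return None

    # A later segment with the same Start offset overwrites the earlier one,
    # as before.
    parts = {segment.Start: segment.Data for segment in segments}
    cipher_text = b''.join(data for _, data in sorted(parts.items()))
    if len(cipher_text) != first.Size:
        # Non-fatal: reported only, since Size is presumably the total
        # message length — TODO confirm against the protobuf definition.
        print(f' [!] Reassembled {len(cipher_text)} bytes but Size is {first.Size}')
    return cipher_text


def _try_decrypt(possible_keys, cipher_text):
    """Try each candidate key in turn; return ``(key, plaintext)`` or ``(None, None)``.

    Keys are truncated to 32 bytes first, as some of the regex-based
    extraction modes capture a few extra bytes. Failed attempts are silent
    on purpose because a large candidate list would otherwise be very noisy.
    """
    for chacha_key in possible_keys:
        chacha_key = chacha_key[:32]
        try:
            decrypted = decrypt_chacha(chacha_key, cipher_text)
        except Exception:
            continue
        if decrypted:
            return chacha_key, decrypted
    return None, None


def decode_dns(possible_keys, file_data):
    """Reassemble and decrypt Sliver DNS sessions.

    Args:
        possible_keys: Candidate ChaCha keys to try for every session.
        file_data: Raw bytes of the ``dns-<domain>.txt`` file written by the
            pcap/memdump parsers, one encoded query name per line.
    """
    print("[+] Collecting Sessions")
    sessions = _collect_dns_sessions(file_data.split(b'\n'))

    print("[+] Parsing Session Data")
    for session_id, session in sessions.items():
        print(f"[+] Session ID: {session_id}")
        message_type = msg_types[session["msg_type"]]
        print(f' [-] Message Type: {message_type}')
        print(f' [-] Segments: {len(session["segments"])}')

        if message_type in ('TOTP', 'Poll', 'NOP'):
            # These message types carry no body.
            continue

        cipher_text = _reassemble_session(session, message_type)
        if cipher_text is None:
            continue

        chacha_key, decrypted = _try_decrypt(possible_keys, cipher_text)
        if decrypted:
            print(f' [-] Session Key: {hexlify(chacha_key).decode()}')
            parse_output(decrypted)
        else:
            print(" [!] Session Key: Unable to find a valid key for this session")


def _decode_http_body(encoder, payload_data):
    """Decode an HTTP body according to the Sliver encoder name.

    Returns ``None`` for an encoder this tool does not handle.
    """
    decoders = {
        'hex': unhexlify,
        'words': decode_words,
        'gzip-words': lambda data: decode_words(data, compressed=True),
        'b64': decode_b64,
        'gzip-b64': lambda data: decode_b64(data, compressed=True),
        'b32': decode_b32,
        'gzip': decode_gzip,
    }
    decoder = decoders.get(encoder)
    if decoder is None:
        return None
    return decoder(payload_data)


def decode_http(possible_keys, file_data):
    """Decode and decrypt Sliver HTTP bodies from a JSON session file.

    Args:
        possible_keys: Candidate ChaCha keys. Once one succeeds it becomes
            the only candidate for the remaining sessions, so a large
            brute-force list is only paid for once.
        file_data: Raw bytes of ``http-sessions.json`` / ``memory-sessions.json``
            (a list of objects with ``request_uri``, ``body`` and ``encoder``).
    """
    print('[+] Running HTTP Decoder')
    sessions = json.loads(file_data)

    for session in sessions:
        encoder = session.get('encoder')
        payload_data = session.get('body')

        print(f'[+] Processing: {session.get("request_uri")}')
        print(f' [-] Decoding: {encoder}')

        # The ciphertext is recomputed for every session. Previously an
        # unknown encoder left the variable unbound (or holding the previous
        # session's ciphertext, which was then silently decrypted again).
        try:
            cipher_text = _decode_http_body(encoder, payload_data)
        except Exception as err:
            print(f'[!] Failed to decode body with encoder {encoder}: {err}')
            continue

        if not cipher_text:
            # Skip just this session instead of abandoning the whole file.
            print(f'[!] No Cipher Text found in message for encoder {encoder}')
            continue

        chacha_key, decrypted = _try_decrypt(possible_keys, cipher_text)
        if decrypted:
            # Narrow the candidate list to the key that worked.
            possible_keys = [chacha_key]
            print(f' [-] Session Key: {hexlify(chacha_key).decode()}')
            try:
                parse_output(decrypted)
            except Exception as err:
                print(f' [!] Failed to parse decrypted output: {err}')
        else:
            print(" [!] Session Key: Unable to find a valid key for this session")


if __name__ == '__main__':

    parser = argparse.ArgumentParser(description='Sliver C2 Decryptor')

    parser.add_argument(
        '--key',
        help='Session Key extracted from memory as hex',
        required=False)

    parser.add_argument(
        '--transport',
        help='Transport Mode',
        choices=['dns', 'http'],
        required=True
    )

    parser.add_argument(
        '--file_path',
        help='path to file with encoded data',
        required=True
    )

    parser.add_argument(
        '--force',
        help='Brute Force Key given a procdump file',
        required=False,
        default=False
    )

    args = parser.parse_args()

    with open(args.file_path, 'rb') as input_file:
        file_data = input_file.read()

    if args.force and args.key:
        print('[!] If you have the key there is no need to brute force?!?')
        exit(0)

    if not args.force and not args.key:
        # Without this, unhexlify(None) raised a TypeError further down.
        parser.error('one of --key or --force is required')

    if args.force:
        print(f'[+] Finding all possible keys in {args.force}')
        with open(args.force, 'rb') as input_file:
            proc_dump_data = input_file.read()
        # This is going to be a large list
        key_pattern = b'\x00\x00(.{32}).{3}\x00\xc0\x00'
        # Earlier heuristic, kept for reference:
        #   b'(.{32})[^\x00]{3}\x00\xc0\x00'
        candidates = re.findall(key_pattern, proc_dump_data, re.DOTALL)

        # Dedup (first-seen order), then drop statistically unlikely keys.
        # Filtering into a new list: the old code removed from the list it
        # was iterating, which skipped the element following each removal.
        possible_keys = [
            key for key in dict.fromkeys(candidates) if b'\x00\x00\x00' not in key
        ]

        print(f' [-] Found {len(possible_keys)} possible keys')
        if not possible_keys:
            print(' [!] No candidate keys survived filtering')
        print(' [*] Keys will be tested during first decryption attempt')

    else:
        try:
            session_key = unhexlify(args.key)
        except ValueError as err:
            # binascii.Error is a ValueError subclass.
            print(f'[!] --key is not valid hex: {err}')
            exit(1)
        if len(session_key) != 32:
            print(f' [!] Key is {len(session_key)} bytes; 32 bytes are expected')
        possible_keys = [session_key]

    if args.transport == 'dns':
        # Special Handling for DNS
        decode_dns(possible_keys, file_data)
    else:
        decode_http(possible_keys, file_data)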
| 393 | 394 | -------------------------------------------------------------------------------- /sliver_memdump_parser.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2023 Kev Breen, Immersive Labs 2 | # https://github.com/Immersive-Labs-Sec/SliverC2-Forensics 3 | # 4 | # Permission is hereby granted, free of charge, to any person obtaining a copy 5 | # of this software and associated documentation files (the "Software"), to deal 6 | # in the Software without restriction, including without limitation the rights 7 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 8 | # copies of the Software, and to permit persons to whom the Software is 9 | # furnished to do so, subject to the following conditions: 10 | 11 | # The above copyright notice and this permission notice shall be included in all 12 | # copies or substantial portions of the Software. 13 | 14 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 15 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 17 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 18 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 19 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 20 | # SOFTWARE. 
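import argparse
import os
import re
import json

# Not referenced anywhere in this file; kept as module-level constants.
base64_alphabet = r'[A-Za-z0-9-_]'
base64_pattern = r'(?:(?:{}{{4}})*(?:{}{{2}}==|{}{{3}}=)?)'.format(base64_alphabet, base64_alphabet, base64_alphabet)


def is_valid_hex_string(match):
    """Return True if a hex-looking match contains both digits and letters.

    A run of only digits (or only a-f) is more likely to be an unrelated
    number or text fragment than a Sliver hex body.

    Args:
        match: The matched bytes.
    """
    text = match.decode('utf-8')
    return any(c.isdigit() for c in text) and any(c.isalpha() for c in text)


def duplicate_check(sessions, target_value):
    """Return True if ``target_value`` (bytes) is already a recorded body.

    Args:
        sessions: The list of session dicts built so far.
        target_value: The candidate body as bytes.
    """
    target = target_value.decode()
    return any(s.get('body') == target for s in sessions)


def extract_http(raw_data):
    """Carve probable Sliver HTTP bodies out of a memory dump.

    Two heuristics are used: the "words" encoder (a NUL, then at least nine
    upper-case words, up to the next NUL) and long lower-case hex strings.
    The results are written to ``memory-sessions.json`` in the current
    directory in the same shape the pcap parser produces, with
    ``request_uri`` set to ``"In Memory Capture"``. The encoder is a guess:
    a gzip variant cannot be told apart here, and duplicates are expected.

    Args:
        raw_data: The whole dump file as bytes.
    """
    sessions = []

    print('[+] Scanning for Word encoded payloads')

    words_pattern = rb'\x00((?:(?:\s*[A-Z]+(?:\s|$)){9,}\S+?))(?=\x00)'

    for encoded in re.findall(words_pattern, raw_data):
        try:
            body = encoded.decode()
        except UnicodeDecodeError:
            # The trailing \S+? can run into arbitrary high bytes; a words
            # body is expected to be plain ASCII — TODO confirm.
            continue
        sessions.append(
            {
                "request_uri": "In Memory Capture",
                "body": body,
                "encoder": "words"
            }
        )

    print('[+] Scanning for Hex encoded payloads')
    hex_pattern = rb'[0-9a-f]{20,}'

    for encoded in re.findall(hex_pattern, raw_data):
        if is_valid_hex_string(encoded) and not duplicate_check(sessions, encoded):
            sessions.append(
                {
                    "request_uri": "In Memory Capture",
                    "body": encoded.decode(),
                    "encoder": "hex"
                }
            )

    print(f' [-] Found {len(sessions)} probable Sliver Payloads')

    with open('memory-sessions.json', 'w') as json_file:
        json.dump(sessions, json_file)


# sliver-dns.the-briar-patch.cc

def extract_dns(raw_data, domain_name):
    """Carve Sliver DNS query names for ``domain_name`` out of a memory dump.

    Matches a NUL followed by 5-254 characters of Sliver's DNS alphabet and
    then ``.<domain_name>.``, and writes the encoded labels one per line to
    ``dns-<domain_name>.txt`` for ``sliver_decrypt.py`` to reassemble.

    Args:
        raw_data: The whole dump file as bytes.
        domain_name: The C2 domain, matched literally.
    """
    print('[+] Scanning for DNS traffic')
    # re.escape so the dots (and any other metacharacters) in the domain are
    # matched literally; previously they were interpolated unescaped.
    dns_pattern = (
        rb'\x00([213465789aBcDeFgHjKLMNPQRSTUVWXYZAbCdEfGhiJkmnopqrstuvwxyz.]{5,254})\.'
        + re.escape(domain_name.encode())
        + rb'\.'
    )

    encoded_payloads = re.findall(dns_pattern, raw_data)

    print(f" [-] Found {len(encoded_payloads)} Possible encoded values")
    print(f" [-] Writing encoded payloads to dns-{domain_name}.txt")
    with open(f'dns-{domain_name}.txt', 'w') as output_file:
        for payload in encoded_payloads:
            output_file.write(f'{payload.decode()}\n')

if __name__ == '__main__':

    parser = argparse.ArgumentParser(description='Extract Sliver C2 from a memory dump file')

    parser.add_argument(
        '--dumpfile',
        help='Path to dump file',
        required=True)

    parser.add_argument(
        '--filter',
        help='Filter for HTTP, or DNS',
        choices=['http', 'dns'],
        dest='packet_filter',
        required=True)

    parser.add_argument(
        '--domain_name',
        help='DNS Filter requires the C2 domain name',
        default=None,
        required=False)

    args = parser.parse_args()

    if args.packet_filter == 'dns' and not args.domain_name:
        print('[!] You must provice the domain name for DNS extraction')
        exit()

    if not os.path.exists(args.dumpfile):
        # Was missing the f prefix and did not stop, so the open() below
        # failed with a traceback instead of this message.
        print(f'[!] Error reading dumpfile {args.dumpfile}')
        exit(1)

    with open(args.dumpfile, 'rb') as input_file:
        raw_data = input_file.read()

    print('[!] Important Notes:')
    print(' [*] There will be duplicate entries')
    print(' [*] We make assumptions about the encoder. We can not tell if its a gzip varient')

    if args.packet_filter == 'http':
        extract_http(raw_data)
    elif args.packet_filter == 'dns':
        extract_dns(raw_data, args.domain_name)
--------------------------------------------------------------------------------
/sliver_pcap_parser.py:
--------------------------------------------------------------------------------
# Copyright (C) 2023 Kev Breen, Immersive Labs
# https://github.com/Immersive-Labs-Sec/SliverC2-Forensics
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:

# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.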
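import argparse
from binascii import unhexlify
import gzip
import json
import os
import re
from urllib.parse import parse_qsl, urlsplit

import pyshark


# Sliver encoder IDs: the nonce query value modulo 101 selects the encoder.
encoders = {

    13: "b64",
    31: "words",
    22: "png",
    43: "b58",
    45: "gzip-words",
    49: "gzip",
    64: "gzip-b64",
    65: "b32",
    92: "hex"

}

def decode_nonce(nonce_value):
    """Return the Sliver encoder name for a nonce query value, or ``None``.

    Non-digit characters are stripped first; the remaining integer modulo
    101 is looked up in ``encoders``.

    Raises:
        ValueError: If ``nonce_value`` contains no digits at all.
    """
    nonce_value = int(re.sub('[^0-9]', '', nonce_value))
    return encoders.get(nonce_value % 101)


def _encoder_from_uri(uri):
    """Return the encoder implied by a query value of ``uri``, or ``None``.

    The nonce's query key is not fixed, so every query value is tried and
    the first one mapping to a known encoder wins. The previous code split
    the raw query on ``=`` and let a later, non-matching token overwrite an
    earlier hit with ``None``.
    """
    try:
        query = urlsplit(str(uri)).query
    except ValueError:
        return None
    for _, value in parse_qsl(query, keep_blank_values=True):
        try:
            encoder = decode_nonce(value)
        except ValueError:
            continue
        if encoder is not None:
            return encoder
    return None


def extract_http(packets, domain_name):
    """Pull probable Sliver HTTP request/response bodies from a pyshark capture.

    Packets whose URI does not contain ``domain_name`` are ignored. For the
    rest, the body (``http.file_data``) is recorded together with the encoder
    derived from the nonce query value; packets with no body or no
    recognisable nonce are dropped. Results go to ``http-sessions.json`` in
    the current directory.

    Args:
        packets: A pyshark capture already display-filtered to ``http``.
        domain_name: Substring the request URI must contain.
    """
    print('[+] Filtering for HTTP traffic')

    # Nothing in this file writes into it; kept to preserve the side effect.
    if not os.path.exists('captures'):
        os.mkdir('captures')

    sessions = []
    print('[+] Collecting Sessions')
    for packet in packets:
        http = packet.http
        packet_data = {
            'request_uri': ''
        }

        if hasattr(http, 'request_method'):
            packet_data['request_method'] = http.request_method
        if hasattr(http, 'request_full_uri'):
            packet_data['request_uri'] = http.request_full_uri

        # Responses carry the URI they answer in response_for_uri
        if hasattr(http, 'response_for_uri'):
            packet_data['request_uri'] = http.response_for_uri
        if hasattr(http, 'response_code'):
            packet_data['response_code'] = http.response_code
        if hasattr(http, 'file_data'):
            packet_data['body'] = http.file_data

        # Filter against our domain
        if domain_name not in packet_data['request_uri']:
            continue

        # We can not use 'request_uri_query' as it doesnt exist on req and resp
        encoder = _encoder_from_uri(packet_data['request_uri'])

        if packet_data.get('body') and encoder:
            packet_data['encoder'] = encoder
            sessions.append(packet_data)

    print(f' [-] Found {len(sessions)} probable Sliver Payloads')

    with open('http-sessions.json', 'w') as json_file:
        json.dump(sessions, json_file)

    print('[!] Extraction Complete, if you have a key or process dump use the sliver-decrypy.py script')


def extract_dns(packets, domain_name):
    """Collect the encoded labels of DNS queries for ``domain_name``.

    Responses (which repeat the query name) are skipped. The part of each
    query name preceding ``domain_name`` is written one per line to
    ``dns-<domain_name>.txt``; the messages need recombining across queries
    before they can be decrypted, so they all go into a single file.

    Args:
        packets: A pyshark capture already display-filtered to ``dns``.
        domain_name: Substring the query name must contain.
    """
    print('[+] Filtering for DNS traffic')
    encoded_payloads = []
    for packet in packets:
        if hasattr(packet.dns, 'resp_name'):
            # responses also include the request data so ignore
            continue

        qry_name = packet.dns.qry_name
        if domain_name in qry_name:
            encoded_payloads.append(qry_name.split(domain_name)[0])

    print(f" [-] Found {len(encoded_payloads)} Possible encoded values")
    print(f" [-] Writing encoded payloads to dns-{domain_name}.txt")
    with open(f'dns-{domain_name}.txt', 'w') as output_file:
        output_file.writelines(f'{payload}\n' for payload in encoded_payloads)
    print('[!] Extraction Complete, if you have a key or process dump use the sliver-decrypy.py script')



if __name__ == '__main__':

    parser = argparse.ArgumentParser(description='Extract Sliver C2 from a PCAP file')

    parser.add_argument(
        '--pcap',
        help='Path to pcap file',
        required=True)

    parser.add_argument(
        '--filter',
        help='Filter for HTTP, or DNS',
        choices=['http', 'dns'],
        dest='packet_filter',
        required=True)

    parser.add_argument(
        '--domain_name',
        help='Filter traffic to a specific DNS or IP address',
        default=None,
        required=True)

    args = parser.parse_args()

    if not os.path.exists(args.pcap):
        print(f'[!] Error reading pcap file {args.pcap}')
        exit(1)

    packets = pyshark.FileCapture(args.pcap, display_filter=args.packet_filter)
    try:
        if args.packet_filter == 'http':
            extract_http(packets, args.domain_name)
        elif args.packet_filter == 'dns':
            extract_dns(packets, args.domain_name)
    finally:
        # Shut down the tshark process pyshark keeps behind the capture.
        packets.close()
--------------------------------------------------------------------------------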