Part 2 - Detecting C2 Activity
A hands-on SOC lab for detecting and analyzing C2 activity using Sliver and LimaCharlie, covering payload execution, process monitoring, and network forensics
Last updated
In this guide, we will generate a C2 payload using Sliver and deploy it to a Windows VM for further testing.
First, connect to your Ubuntu VM:
Once connected, switch to the root user and navigate to the Sliver directory:
Run the following command to start Sliver:
Within the Sliver shell, generate the C2 payload using your Linux VM’s IP:
This uses Sliver to create a payload (implant) for command-and-control (C2) operations. Take note of the randomly generated payload filename, as you will need it later.
To confirm the payload was successfully created, run:
Now, exit the Sliver shell:
To easily download the payload onto the Windows VM, we will use Python to start a temporary web server:
Switch to the Windows VM, open Administrative PowerShell and download the payload by running:
(Replace [Linux_VM_IP] and [payload_name] with the actual values.)
Before executing the payload, create a snapshot of your Windows VM for safety.
📌 Snapshot Name: Malware staged
Now that the payload is on the Windows VM, we must switch back to the Linux VM SSH session and enable the Sliver HTTP server to catch the callback.
Terminate the temporary web server we started earlier by pressing:
Start the Sliver C2 framework again:
Within the Sliver shell, start an HTTP listener:
If you get an error starting the HTTP listener, try rebooting the Linux VM and retrying.
On the Windows VM, open an Administrative PowerShell prompt and run the C2 payload from its download location:
(Ensure you are running this from an Administrator command prompt.)
Within a few moments, your session should check in on the Sliver server.
Back on the Linux VM, list active sessions:
Take note of the Session ID.
To control the compromised system, use the session:
(Replace [session_id] with your actual session ID.)
Now that we have access, let's run some basic reconnaissance commands.
If you see SeDebugPrivilege, you have administrative rights.
Sliver highlights its own process in green and any defensive tools in red. rphcp.exe is the LimaCharlie EDR service executable.
This is how attackers become aware of what security products a victim system may be using.
Navigate to the LimaCharlie web UI.
Click on "Sensors" in the left-side menu.
Select your active Windows sensor.
In the left-side menu for this sensor, click on "Processes."
Explore the returned process tree.
Hover over process icons to understand their representations.
Familiarize yourself with common system processes.
Reference resources like the "Hunt Evil" poster from SANS and EchoTrail.
Signed processes are typically benign but can be abused (LOLBINs).
Unusual, unsigned processes can be potential threats.
Look for processes with active network connections.
Notice how quickly we are able to identify the destination IP this process is communicating with.
Click the "Network" tab in the left-side menu.
Examine active network connections.
Use Ctrl+F to search for your implant name or C2 IP address.
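The manual triage above (signed vs. unsigned, where the binary runs from, which processes hold network connections, and whether a signed LOLBIN is doing the talking) can be written down as a small script. The following is an added example, not part of the lab and not LimaCharlie's own tooling; the process records, the implant name RANDOM_IMPLANT.exe and the C2 address 192.0.2.10 are constructed stand-ins for what the Processes and Network views show.

```python
"""Triage a process list the way the lab does by hand in the LimaCharlie
Processes/Network views. Added example with constructed data; field names
are simplified and do not mirror LimaCharlie's event schema."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Locations a non-admin user can write to; an unsigned binary running from
# one of these and talking to the network deserves a close look.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Signed Microsoft binaries commonly abused to make network connections
# (LOLBINs). Signed does not mean benign, so these get a REVIEW finding.
NETWORK_LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe",
                   "certutil.exe", "regsvr32.exe", "bitsadmin.exe"}

# Constructed placeholder for the C2 address; in the lab this is the Linux VM's IP.
KNOWN_C2 = {"192.0.2.10"}


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    parent: str
    signed: bool
    connections: List[str] = field(default_factory=list)  # remote "ip:port"


def sample_processes() -> List[Proc]:
    """Constructed sample resembling the lab's Windows VM (not real telemetry)."""
    return [
        Proc(700, "svchost.exe", "C:\\Windows\\System32\\svchost.exe",
             "services.exe", True, ["10.0.0.5:443"]),
        Proc(1234, "RANDOM_IMPLANT.exe", "C:\\Users\\pc1\\Downloads\\RANDOM_IMPLANT.exe",
             "powershell.exe", False, ["192.0.2.10:80"]),
        Proc(2100, "rphcp.exe", "C:\\Program Files\\LimaCharlie\\rphcp.exe",
             "services.exe", True, ["203.0.113.20:443"]),
        Proc(3300, "powershell.exe",
             "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
             "explorer.exe", True, ["203.0.113.7:443"]),
        Proc(4400, "notepad.exe", "C:\\Windows\\System32\\notepad.exe",
             "explorer.exe", True, []),
    ]


def triage(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, severity, reason) for processes worth investigating."""
    findings = []
    for p in procs:
        remote_ips = {c.rsplit(":", 1)[0] for c in p.connections}
        c2_hits = remote_ips & KNOWN_C2
        if c2_hits:
            findings.append((p.pid, "HIGH",
                             f"{p.name} connects to known C2 {sorted(c2_hits)}"))
            continue
        in_user_dir = p.path.lower().startswith(USER_WRITABLE_PREFIXES)
        if not p.signed and in_user_dir and p.connections:
            findings.append((p.pid, "HIGH",
                             f"unsigned {p.name} in {p.path} with network connections"))
        elif p.name.lower() in NETWORK_LOLBINS and p.connections:
            findings.append((p.pid, "REVIEW",
                             f"signed LOLBIN {p.name} with network connections (parent {p.parent})"))
    return findings


if __name__ == "__main__":
    for pid, severity, reason in triage(sample_processes()):
        print(f"[{severity}] pid={pid}: {reason}")
```

Running it flags the implant as HIGH (known C2 destination) and the PowerShell process as REVIEW (a signed LOLBIN with an outbound connection, which in the lab is the parent that downloaded the payload); svchost.exe and the rphcp.exe EDR service produce no finding because they are signed, live outside user-writable paths and are not on the LOLBIN list.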
Click the "File System" tab in the left-side menu.
Browse to the implant's running directory (e.g., C:\Users\pc1\Downloads).
Check the hash of the suspicious executable.
Scan the hash with VirusTotal.
Tip: VirusTotal checks only known file hashes. If a file isn't found, it may be newly created—treat it as suspicious.
Click the "Timeline" tab in the left-side menu.
View near real-time telemetry and event logs.
Filter the timeline using known IOCs (implant name, C2 IP, etc.).
Identify:
The moment the implant was created.
Its launch time.
The network connections it established.
Check events related to your implant, like "SENSITIVE_PROCESS_ACCESS" from privilege enumeration—useful for detection rules later.
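The Timeline work above (Ctrl+F on IOCs, then pinning down creation, launch and network connections, then picking out SENSITIVE_PROCESS_ACCESS) is the raw material for a detection rule. The following is an added example, not part of the lab and not LimaCharlie's rule language: it replays that triage over a constructed, simplified event stream whose field names (file_path, source_path, dst_ip, ...) are stand-ins for the real sensor schema; the implant name RANDOM_IMPLANT.exe, the C2 address 192.0.2.10 and the timestamps are made up.

```python
"""Replay the Timeline triage from the lab over a constructed event stream.
Added example; events and field names are simplified stand-ins for
LimaCharlie telemetry, not real sensor output."""
import json

# Constructed sample events (not real sensor output), in time order.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:01Z", "event_type": "NEW_PROCESS", "pid": 900,
     "file_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ts": "2024-01-01T10:00:05Z", "event_type": "FILE_CREATE", "pid": 900,
     "file_path": "C:\\Users\\pc1\\Downloads\\RANDOM_IMPLANT.exe"},
    {"ts": "2024-01-01T10:02:00Z", "event_type": "NEW_PROCESS", "pid": 1234, "parent_pid": 900,
     "file_path": "C:\\Users\\pc1\\Downloads\\RANDOM_IMPLANT.exe"},
    {"ts": "2024-01-01T10:02:03Z", "event_type": "NETWORK_CONNECTIONS", "pid": 1234,
     "file_path": "C:\\Users\\pc1\\Downloads\\RANDOM_IMPLANT.exe",
     "dst_ip": "192.0.2.10", "dst_port": 80},
    {"ts": "2024-01-01T10:02:10Z", "event_type": "NETWORK_CONNECTIONS", "pid": 700,
     "file_path": "C:\\Windows\\System32\\svchost.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},
    {"ts": "2024-01-01T10:05:00Z", "event_type": "SENSITIVE_PROCESS_ACCESS", "source_pid": 1234,
     "source_path": "C:\\Users\\pc1\\Downloads\\RANDOM_IMPLANT.exe",
     "target_path": "C:\\Windows\\System32\\lsass.exe"},
    # Constructed benign access from a system binary, to show the filter does not fire on it.
    {"ts": "2024-01-01T10:05:30Z", "event_type": "SENSITIVE_PROCESS_ACCESS", "source_pid": 700,
     "source_path": "C:\\Windows\\System32\\svchost.exe",
     "target_path": "C:\\Windows\\System32\\lsass.exe"},
]

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def filter_by_ioc(events, iocs):
    """Equivalent of Ctrl+F on the Timeline: keep events mentioning any IOC in any field."""
    needles = [i.lower() for i in iocs]
    return [e for e in events if any(n in json.dumps(e).lower() for n in needles)]


def implant_lifecycle(events, implant_name):
    """Recover when the implant file was created, when it launched, and what it connected to."""
    name = implant_name.lower()

    def is_implant(e):
        return e.get("file_path", "").lower().endswith("\\" + name)

    created = next((e["ts"] for e in events
                    if e["event_type"] == "FILE_CREATE" and is_implant(e)), None)
    launched = next((e["ts"] for e in events
                     if e["event_type"] == "NEW_PROCESS" and is_implant(e)), None)
    connections = [(e["ts"], f'{e["dst_ip"]}:{e["dst_port"]}') for e in events
                   if e["event_type"] == "NETWORK_CONNECTIONS" and is_implant(e)]
    return {"created": created, "launched": launched, "connections": connections}


def suspicious_sensitive_access(events):
    """Draft detection logic: SENSITIVE_PROCESS_ACCESS whose source binary runs
    from a user-writable path. Returns (ts, source_pid, source_path, target_path)."""
    hits = []
    for e in events:
        if e["event_type"] != "SENSITIVE_PROCESS_ACCESS":
            continue
        if e["source_path"].lower().startswith(USER_WRITABLE_PREFIXES):
            hits.append((e["ts"], e["source_pid"], e["source_path"], e["target_path"]))
    return hits


if __name__ == "__main__":
    iocs = ["RANDOM_IMPLANT.exe", "192.0.2.10"]
    print(f"{len(filter_by_ioc(SAMPLE_EVENTS, iocs))} events match IOCs {iocs}")
    print(implant_lifecycle(SAMPLE_EVENTS, "RANDOM_IMPLANT.exe"))
    for hit in suspicious_sensitive_access(SAMPLE_EVENTS):
        print("suspicious sensitive process access:", hit)
```

The path-based condition in suspicious_sensitive_access is deliberately narrow so the constructed svchost.exe event does not fire; when turning it into a real rule, the source path, the target process and the parent chain are the fields to key on, and the benign sources you see in your own Timeline are the ones to allowlist.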