sliver-session

Execute commands within an active Sliver implant session. All commands require a session field identifying the target implant.

Note

For developers: The sliver and sliver-session command families use a legacy type + cmd discrimination pattern and should not be replicated. New commands must define a unique type literal and handle sub-behavior branching via cmd in the executor. See Adding a New Command for details.

session

Name of the Sliver implant session to operate in. The implant must have been generated and deployed previously via the sliver generate_implant command.

Type:

str

Required:

True

File System

ls

List files and directories on the remote host.

commands:
  - type: sliver-session
    cmd: ls
    remote_path: /etc
    session: implant-name

remote_path

Path to list all files.

Type:

str

Required:

True

cd

Change the working directory of the active session.

commands:
  - type: sliver-session
    cmd: cd
    remote_path: /home
    session: implant-name

remote_path

Path to change to

Type:

str

Required:

True

mkdir

Create a remote directory.

commands:
  - type: sliver-session
    cmd: mkdir
    remote_path: /tmp/somedirectory
    session: implant-name

remote_path

Path to the directory to create.

Type:

str

Required:

True

pwd

Print working directory of the active session.

commands:
  - type: sliver-session
    cmd: pwd
    session: implant-name

rm

Delete a remote file or directory.

commands:
  - type: sliver-session
    cmd: rm
    remote_path: /tmp/somefile
    session: implant-name

remote_path

Path to the file to remove.

Type:

str

Required:

True

recursive

Recursively remove files

Type:

bool

Default:

False

force

Ignore safety and forcefully remove files.

Type:

bool

Default:

False

download

Download a file or directory from the remote system. Directories will be downloaded as a gzipped tar-file.

commands:
  - type: sliver-session
    cmd: download
    remote_path: /root
    recurse: True
    session: implant-name

remote_path

Path to the file or directory to download.

Type:

str

Required:

True

local_path

Local path where the downloaded file will be saved.

Type:

str

Required:

False

Default:

.

recurse

Recursively downloaded all files in a directory.

Type:

bool

Default:

False

upload

Upload a file to the remote system.

commands:
  - type: sliver-session
    cmd: upload
    remote_path: /tmp/somefile
    local_path: /home/user/somefile
    session: implant-name

remote_path

Destination path on the remote host.

Type:

str

Required:

True

local_path

Path to the local file to upload.

Type:

str

is_ioc

Mark the uploaded file as an indicator of compromise (IOC) for tracking purposes.

Type:

bool

Default:

False

Network

netstat

Display network connection information for the remote host.

commands:
  - type: sliver-session
    cmd: netstat
    tcp: True
    udp: True
    ipv4: True
    ipv6: False
    listening: True
    session: implant-name

tcp

Display information about TCP sockets.

Type:

bool

Default:

True

udp

Display information about UDP sockets.

Type:

bool

Default:

True

ipv4

Display information about IPv4 sockets.

Type:

bool

Default:

True

ipv6

Display information about IPv6 sockets.

Type:

bool

Default:

True

listening

Display information about listening sockets

Type:

bool

Default:

True

ifconfig

Display network interface configuration of the remote host.

commands:
  - type: sliver-session
    cmd: ifconfig
    session: implant-name

Processes

ps

List processes of the remote system.

commands:
  - type: sliver-session
    cmd: ps
    session: implant-name

execute

Execute a program on the remote host.

commands:
  - type: sliver-session
    cmd: execute
    exe: /usr/bin/grep
    args:
      - root
      - /etc/passwd
    output: True
    session: implant-name

exe

Command to execute.

Type:

str

Required:

True

args

List of command arguments.

Type:

List[str]

output

Capture command output.

Type:

bool

Default:

True

terminate

Kill a process on the remote host by PID.

commands:
  - type: sliver-session
    cmd: terminate
    pid: 1234
    session: implant-name

pid

PID of the process to kill.

Type:

int

Required:

True

force

Disregard safety and kill the process.

Type:

bool

Default:

False

Memory

process_dump

Dump the memory of a running process to a local file.

commands:
  - type: sliver-session
    cmd: process_dump
    pid: 102
    local_path: /home/user/some_service.dump
    session: implant-name

pid

Target PID.

Type:

int

Required:

True

local_path

Save to file.

Type:

str

Required:

True