package sliverpb

Get desktop application:
View/edit binary Protocol Buffers messages

optional Response Response = 9

string FilePath = 1
string ProfileName = 2
optional Request Request = 9

string ID = 1
int64 Interval = 2
int64 Jitter = 3
optional Register Register = 4
int64 NextCheckin = 5

BeaconTasks - DO NOT CONFUSE WITH clientpb.BeaconTasks

string ID = 1
repeated Envelope Tasks = 2
int64 NextCheckin = 3

bytes Output = 1
bool ServerStore = 2
optional Response Response = 9

string Name = 1
bool ServerStore = 2
bytes Args = 3
string Export = 4
optional Request Request = 9

string Path = 1
optional Request Request = 9

optional Response Response = 8
optional Request Request = 9

string Output = 1
optional Response Response = 9

optional Request Request = 9

Used in: DNSPoll

string ID = 1
uint32 Size = 2

repeated DNSBlockHeader blocks = 1

DNS Specific messages

bytes Key = 1

string Path = 1
string Encoder = 2
bool Exists = 3
int64 Start = 4
int64 Stop = 5
bytes Data = 6
bool IsDir = 7
int32 ReadFiles = 8
int32 UnreadableFiles = 10
optional Response Response = 9

string Path = 1
int64 Start = 2
int64 Stop = 3
bool Recurse = 4
optional Request Request = 9

(message has no fields)

repeated EnvVar Variables = 1
optional Response Response = 9

string Name = 1
optional Request Request = 9

EnvVar - Environment variable K/V

Used in: EnvInfo, SetEnvReq

string Key = 1
string Value = 2

Envelope - Used to encode implant<->server messages since we cannot use gRPC due to the various transports used.

Used in: BeaconTasks

int64 ID = 1
Envelope ID used to track request/response
uint32 Type = 2
Message type
bytes Data = 3
Actual message data
bool UnknownMessageType = 4
Set if the implant did not understand the message

uint32 Status = 1
bytes stdout_pb = 2
bytes stderr_pb = 3
uint32 Pid = 4
optional Response Response = 9

bytes Output = 1
optional Response Response = 9

bytes Assembly = 1
string Arguments = 2
string Process = 3
bool IsDLL = 4
string Arch = 5
string ClassName = 6
string Method = 7
string AppDomain = 8
uint32 PPid = 10
repeated string ProcessArgs = 11
bool InProcess = 12
In process specific fields
string Runtime = 13
bool AmsiBypass = 14
bool EtwBypass = 15
optional Request Request = 9

string Path = 1
repeated string Args = 2
bool Output = 3
string stdout_pb = 4
string stderr_pb = 5
uint32 PPid = 10
optional Request Request = 9

string Path = 1
repeated string Args = 2
bool Output = 3
string stdout_pb = 4
string stderr_pb = 5
bool UseToken = 6
uint32 PPid = 10
optional Request Request = 9

File - A basic file data type

string Name = 1
bytes Data = 2

Used in: Ls

string Name = 1
bool IsDir = 2
int64 Size = 3
int64 ModTime = 4
string Mode = 5
string Link = 6

repeated WindowsPrivilegeEntry PrivInfo = 1
string ProcessIntegrity = 2
string ProcessName = 3
optional Response Response = 9

optional Request Request = 9

GetSystem - The result of a InvokeGetSystemReq attempt

optional Response Response = 9

HTTP Sepecific message

bytes Key = 1

repeated NetInterface NetInterfaces = 1
optional Response Response = 9

IfconfigReq - Request the implant to list network interfaces

optional Request Request = 9

optional Response Response = 9

string Username = 1
optional Request Request = 9

bytes Data = 1
string process = 2
uint32 PPid = 10
repeated string ProcessArgs = 11
optional Request Request = 9

InvokeGetSystemReq - Implant-side version of GetSystemReq, this message contains the .Data based on the client's req.Config

bytes Data = 1
string HostingProcess = 2
optional Request Request = 9

bytes Data = 1
repeated string Arguments = 2
string Runtime = 3
bool AmsiBypass = 4
bool EtwBypass = 5
optional Request Request = 9

uint32 Pid = 1
bytes Data = 2
optional Request Request = 9

bytes Data = 1
string ProcessName = 2
string Args = 3
string EntryPoint = 4
bool Kill = 5
uint32 PPid = 10
repeated string ProcessArgs = 11
optional Request Request = 9

KillSessionReq - Request the implant to kill a session

bool Force = 1
optional Request Request = 9

message ListExtensions

sliver.proto:1068

repeated string Names = 1
optional Response Response = 9

message ListExtensionsReq

sliver.proto:1064

optional Request Request = 9

repeated Token Tokens = 1
optional Response Response = 9

optional Request Request = 9

string Path = 1
bool Exists = 2
repeated FileInfo Files = 3
string timezone = 4
int32 timezoneOffset = 5
optional Response Response = 9

string Path = 1
optional Request Request = 9

optional Response Response = 9

string Username = 1
string Password = 2
string Domain = 3
uint32 LogonType = 4
optional Request Request = 9

bool Success = 1
optional Response Response = 9

string Path = 1
optional Response Response = 9

string Path = 1
optional Request Request = 9

string Src = 1
string Dst = 2
optional Response Response = 9

string Src = 1
string Dst = 2
optional Request Request = 9

Used in: PivotListener

int64 PeerID = 1
string RemoteAddress = 2

Used in: Ifconfig

int32 Index = 1
string Name = 2
string MAC = 3
repeated string IPAddresses = 4

repeated SockTabEntry Entries = 1
optional Response Response = 9

bool TCP = 1
bool UDP = 2
bool IP4 = 3
bool IP6 = 5
bool Listening = 6
optional Request Request = 9

repeated string C2s = 1
int64 Delay = 2
optional Response Response = 8
optional Request Request = 9

Used in: PivotPeerFailure

SEND_FAILURE = 0
DISCONNECT = 1

Ping - Not ICMP, just sends a rount trip message to an implant to see if it's still responding.

int32 Nonce = 1
optional Response Response = 8
Ping is special
optional Request Request = 9

bytes PublicKey = 1
int64 PeerID = 2
string PublicKeySignature = 3
bytes SessionKey = 4

Used in: PivotListeners

uint32 ID = 1
PivotType Type = 2
string BindAddress = 3
repeated NetConnPivot Pivots = 4
optional Response Response = 9

repeated PivotListener Listeners = 1
optional Response Response = 9

optional Request Request = 9

Used in: PivotPeerEnvelope

int64 PeerID = 1
string Name = 2

repeated PivotPeer Peers = 1
uint32 Type = 2
bytes PivotSessionID = 3
bytes Data = 4
int64 PeerFailureAt = 5

int64 PeerID = 1
PeerFailureType Type = 2
string Err = 3

uint32 Nonce = 1

int64 OriginID = 1
bytes SessionKey = 2

PivotType Type = 1
string BindAddress = 2
repeated bool Options = 3
optional Request Request = 9

uint32 ID = 1
optional Request Request = 9

Used in: PivotListener, PivotStartListenerReq

TCP = 0
UDP = 1
NamedPipe = 2

optional Response Response = 9

PollIntervalReq - Request the implant to update it's poll intervbal

int64 PollInterval = 1
optional Request Request = 9

uint32 Port = 1
int32 Protocol = 2
string Host = 3
uint64 TunnelID = 8
Bind to this tunnel
optional Response Response = 9

uint32 Port = 1
int32 Protocol = 2
string Host = 3
uint64 TunnelID = 8
Bind to this tunnel
optional Request Request = 9

Process - A basic process data type

Used in: Ps, SockTabEntry

int32 Pid = 1
int32 Ppid = 2
string Executable = 3
string Owner = 4
string Architecture = 7
int32 SessionID = 5
repeated string CmdLine = 6

bytes Data = 1
optional Response Response = 9

int32 Pid = 1
int32 Timeout = 2
optional Request Request = 9

repeated Process Processes = 1
optional Response Response = 9

PsReq - Request the implant to list ses of a remote session.

optional Request Request = 9

string Path = 1
optional Response Response = 9

optional Request Request = 9

Used in: TunnelData

uint32 Port = 1
int32 Protocol = 2
string Host = 3
uint64 TunnelID = 8
Bind to this tunnel
optional Response Response = 9

uint32 Port = 1
int32 Protocol = 2
string Host = 3
uint64 TunnelID = 8
Bind to this tunnel
optional Request Request = 9

optional Response Response = 9

ReconfigureReq - Request the implant to reconfigure itself

int64 ReconnectInterval = 1
int64 BeaconInterval = 2
int64 BeaconJitter = 3
optional Request Request = 9

Used in: BeaconRegister, SessionRegister

string Name = 1
string Hostname = 2
string Uuid = 3
string Username = 4
string Uid = 5
string Gid = 6
string Os = 7
string Arch = 8
int32 Pid = 9
string Filename = 10
string ActiveC2 = 11
string Version = 12
int64 ReconnectInterval = 13
string ProxyURL = 14
string ConfigID = 16
int64 PeerID = 17
string Locale = 18

optional Response Response = 9

string Name = 1
bytes Data = 2
string OS = 3
string Init = 4
optional Request Request = 9

optional Response Response = 9

string Hive = 1
string Path = 2
string Key = 3
string Hostname = 4
optional Request Request = 9

optional Response Response = 9

string Hive = 1
string Path = 2
string Key = 3
string Hostname = 4
optional Request Request = 9

string Hive = 1
string Path = 2
string Hostname = 4
Keep the same ID as the other registry operations
optional Request Request = 9

string Value = 1
optional Response Response = 9

string Hive = 1
string Path = 2
string Key = 3
string Hostname = 4
optional Request Request = 9

repeated string Subkeys = 1
optional Response Response = 9

string Hive = 1
string Path = 2
string Hostname = 4
Keep the same ID as the other registry operations
optional Request Request = 9

Registry - Registry related messages

Unknown = 0
Binary = 1
String = 2
DWORD = 3
QWORD = 4

repeated string ValueNames = 1
optional Response Response = 9

optional Response Response = 9

string Hive = 1
string Path = 2
string Key = 3
string Hostname = 4
string StringValue = 5
bytes ByteValue = 6
uint32 DWordValue = 7
uint64 QWordValue = 8
uint32 Type = 10
optional Request Request = 9

optional ServiceInfoReq ServiceInfo = 1
optional Request Request = 9

Request - Common fields used in all gRPC requests

Used in: BackdoorReq, CallExtensionReq, CdReq, CloseSession, CurrentTokenOwnerReq, DownloadReq, EnvReq, ExecuteAssemblyReq, ExecuteReq, ExecuteWindowsReq, GetPrivsReq, IfconfigReq, ImpersonateReq, InvokeExecuteAssemblyReq, InvokeGetSystemReq, InvokeInProcExecuteAssemblyReq, InvokeMigrateReq, InvokeSpawnDllReq, KillReq, ListExtensionsReq, ListTokensReq, LsReq, MakeTokenReq, MkdirReq, MvReq, NetstatReq, OpenSession, Ping, PivotListenersReq, PivotStartListenerReq, PivotStopListenerReq, PollIntervalReq, PortfwdReq, ProcessDumpReq, PsReq, PwdReq, RPortfwdReq, ReconfigureReq, RegisterExtensionReq, RegistryCreateKeyReq, RegistryDeleteKeyReq, RegistryListValuesReq, RegistryReadReq, RegistrySubKeyListReq, RegistryWriteReq, RemoveServiceReq, RevToSelfReq, RmReq, RportFwdListenersReq, RportFwdStartListenerReq, RportFwdStopListenerReq, RunAsReq, SSHCommandReq, ScreenshotReq, SetEnvReq, ShellReq, SideloadReq, SocksData, SpawnDllReq, StartServiceReq, StopServiceReq, TaskReq, TerminateReq, UnsetEnvReq, UploadReq, WGPortForwardStartReq, WGPortForwardStopReq, WGSocksServersReq, WGSocksStartReq, WGSocksStopReq, WGTCPForwardersReq

bool Async = 1
int64 Timeout = 2
string BeaconID = 8
string SessionID = 9

Response - Common fields used in all gRPC responses. Note that the Err field only used when the implant needs to return an error to the server. Client<->Server comms should use normal gRPC error handling.

Used in: Backdoor, CallExtension, CloseSession, CurrentTokenOwner, Download, EnvInfo, Execute, ExecuteAssembly, GetPrivs, GetSystem, Ifconfig, Impersonate, ListExtensions, ListTokens, Ls, MakeToken, Migrate, Mkdir, Mv, Netstat, OpenSession, Ping, PivotListener, PivotListeners, PollInterval, Portfwd, ProcessDump, Ps, Pwd, RPortfwd, Reconfigure, RegisterExtension, RegistryCreateKey, RegistryDeleteKey, RegistryRead, RegistrySubKeyList, RegistryValuesList, RegistryWrite, RevToSelf, Rm, RportFwdListener, RportFwdListeners, RunAs, SSHCommand, Screenshot, ServiceInfo, SetEnv, Shell, Sideload, SpawnDll, Task, Terminate, UnsetEnv, Upload, WGPortForward, WGSocks, WGSocksServers, WGTCPForwarders

string Err = 1
bool Async = 2
string BeaconID = 8
string TaskID = 9

optional Response Response = 9

optional Request Request = 9

string Path = 1
optional Response Response = 9

string Path = 1
bool Recursive = 2
bool Force = 3
optional Request Request = 9

Used in: RportFwdListeners

uint32 ID = 1
string BindAddress = 2
uint32 bindPort = 3
string forwardAddress = 4
uint32 forwardPort = 5
optional Response Response = 9

repeated RportFwdListener Listeners = 1
optional Response Response = 9

optional Request Request = 9

string BindAddress = 1
uint32 BindPort = 2
uint32 forwardPort = 3
string forwardAddress = 4
optional Request Request = 9

uint32 ID = 1
optional Request Request = 9

string Output = 1
optional Response Response = 9

string Username = 1
string ProcessName = 2
string Args = 3
string Domain = 4
string Password = 5
bool HideWindow = 6
bool NetOnly = 7
optional Request Request = 9

string stdout_pb = 1
string stderr_pb = 2
optional Response Response = 9

string Username = 1
string Hostname = 2
uint32 Port = 3
string Command = 4
string Password = 5
bytes PrivKey = 6
string Krb5Conf = 7
bytes Keytab = 8
string Realm = 10
optional Request Request = 9

bytes Data = 1
optional Response Response = 9

ScreenshotReq - Request the implant take a screenshot

optional Request Request = 9

optional Response Response = 9

Used in: RemoveServiceReq, StopServiceReq

string ServiceName = 1
string Hostname = 2

string ID = 1
optional Register Register = 2

optional Response Response = 9

optional EnvVar Variable = 1
optional Request Request = 9

Shell - Request the implant open a realtime shell tunnel

string Path = 1
bool EnablePTY = 2
uint32 Pid = 3
uint64 TunnelID = 8
optional Response Response = 9

ShellReq - Request the implant open a realtime shell tunnel

string Path = 1
bool EnablePTY = 2
uint32 Pid = 3
uint64 TunnelID = 8
Bind to this tunnel
optional Request Request = 9

string Result = 1
optional Response Response = 9

bytes Data = 1
string ProcessName = 2
string Args = 3
string EntryPoint = 4
bool Kill = 5
bool isDLL = 6
bool isUnicode = 7
uint32 PPid = 10
repeated string ProcessArgs = 11
optional Request Request = 9

message SockTabEntry

sliver.proto:536

Used in: Netstat

optional SockTabEntry.SockAddr LocalAddr = 1
optional SockTabEntry.SockAddr RemoteAddr = 2
string SkState = 3
uint32 UID = 4
optional Process Process = 5
string Protocol = 6

message SockTabEntry.SockAddr

sliver.proto:537

Used in: SockTabEntry

string Ip = 1
uint32 Port = 2

*** Socks ***

uint64 TunnelID = 8
string SessionID = 9

bytes Data = 1
bool CloseConn = 2
string Username = 3
string Password = 4
uint64 Sequence = 5
uint64 TunnelID = 8
optional Request Request = 9

string Result = 1
optional Response Response = 9

bytes Data = 1
string ProcessName = 2
uint32 Offset = 3
string Args = 4
bool Kill = 5
uint32 PPid = 10
repeated string ProcessArgs = 11
optional Request Request = 9

string ServiceName = 1
string ServiceDescription = 2
string BinPath = 3
string Hostname = 4
string Arguments = 5
optional Request Request = 9

optional ServiceInfoReq ServiceInfo = 1
optional Request Request = 9

optional Response Response = 9

string Encoder = 1
bool RWXPages = 2
uint32 Pid = 3
bytes Data = 4
optional Request Request = 9

int32 Pid = 1
optional Response Response = 9

TerminateReq - Request the implant terminate a remote processes

int32 Pid = 1
bool Force = 2
optional Request Request = 9

Used in: ListTokens

int64 TokenId = 1
int64 LogonSessionId = 2
int32 LogonType = 3
string Username = 4
int32 TokenType = 5
int32 TokenImpLevel = 6
int32 PrivilegesCount = 7
int32 TokenIntegrity = 8

Tunnel - Tunnel related messages

uint64 TunnelID = 8
string SessionID = 9

bytes Data = 1
bool Closed = 2
uint64 Sequence = 3
uint64 Ack = 4
bool Resend = 5
bool CreateReverse = 6
optional RPortfwd rportfwd = 7
uint64 TunnelID = 8
string SessionID = 9

optional Response Response = 9

string Name = 1
optional Request Request = 9

string Path = 1
optional Response Response = 9

string Path = 1
string Encoder = 2
bytes Data = 3
bool IsIOC = 4
optional Request Request = 9

optional WGTCPForwarder Forwarder = 1
optional Response Response = 9

*** Wiregard ***

int32 LocalPort = 1
string RemoteAddress = 2
optional Request Request = 9

int32 ID = 1
optional Request Request = 9

optional WGSocksServer Server = 1
optional Response Response = 9

Used in: WGSocks, WGSocksServers

int32 ID = 1
string LocalAddr = 2

repeated WGSocksServer Servers = 1
optional Response Response = 9

optional Request Request = 9

int32 Port = 1
optional Request Request = 9

int32 ID = 1
optional Request Request = 9

Used in: WGPortForward, WGTCPForwarders

int32 ID = 1
string LocalAddr = 2
string RemoteAddr = 3

repeated WGTCPForwarder Forwarders = 1
optional Response Response = 9

optional Request Request = 9

message WindowsPrivilegeEntry

sliver.proto:1016

Used in: GetPrivs

string Name = 1
string Description = 2
bool Enabled = 3
bool EnabledByDefault = 4
bool Removed = 5
bool UsedForAccess = 6

package sliverpb

message Backdoor

optional Response Response = 9

message BackdoorReq

string FilePath = 1

string ProfileName = 2

optional Request Request = 9

message BeaconRegister

string ID = 1

int64 Interval = 2

int64 Jitter = 3

optional Register Register = 4

int64 NextCheckin = 5

message BeaconTasks

string ID = 1

repeated Envelope Tasks = 2

int64 NextCheckin = 3

message CallExtension

bytes Output = 1

bool ServerStore = 2

optional Response Response = 9

message CallExtensionReq

string Name = 1

bool ServerStore = 2

bytes Args = 3

string Export = 4

optional Request Request = 9

message CdReq

string Path = 1

optional Request Request = 9

message CloseSession

optional Response Response = 8

optional Request Request = 9

message CurrentTokenOwner

string Output = 1

optional Response Response = 9

message CurrentTokenOwnerReq

optional Request Request = 9

message DNSBlockHeader

string ID = 1

uint32 Size = 2

message DNSPoll

repeated DNSBlockHeader blocks = 1

message DNSSessionInit

bytes Key = 1

message Download

string Path = 1

string Encoder = 2

bool Exists = 3

int64 Start = 4

int64 Stop = 5

bytes Data = 6

bool IsDir = 7

int32 ReadFiles = 8

int32 UnreadableFiles = 10

optional Response Response = 9

message DownloadReq

string Path = 1

int64 Start = 2

int64 Stop = 3

bool Recurse = 4

optional Request Request = 9

message Empty

message EnvInfo

repeated EnvVar Variables = 1

optional Response Response = 9

message EnvReq

string Name = 1

optional Request Request = 9

message EnvVar

string Key = 1

string Value = 2

message Envelope

int64 ID = 1

uint32 Type = 2

bytes Data = 3

bool UnknownMessageType = 4

message Execute

uint32 Status = 1

bytes stdout_pb = 2