Sliver

Sliver is an open source, cross-platform, red team command and control framework written in Golang.[1]

ID: S0633
Type: TOOL
Platforms: Windows, Linux, macOS
Contributors: Achute Sharma, Keysight; Ayan Saha, Keysight
Version: 1.2
Created: 30 July 2021
Last Modified: 11 April 2024

Techniques Used

Domain | ID | Name | Use
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.[2]
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Sliver can use mutual TLS and RSA cryptography to exchange a session key.[3][1][2]
Enterprise | T1113 | Screen Capture | Sliver can take screenshots of the victim's active display.[4]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Sliver has the ability to support C2 communications over HTTP/S.[3][1][5]
Enterprise | T1071.004 | Application Layer Protocol: DNS | Sliver can support C2 communications over DNS.[3][1][6]
Enterprise | T1001.002 | Data Obfuscation: Steganography | Sliver can encode binary data into a .PNG file for C2 communication.[7]
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Sliver can use standard encoding techniques such as gzip and hex-to-ASCII to encode the C2 communication payload.[7]
Enterprise | T1083 | File and Directory Discovery | Sliver can enumerate files on a target system.[8]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Sliver can encrypt strings at compile time.[1][5]
Enterprise | T1049 | System Network Connections Discovery | Sliver can collect network connection information.[9]
Enterprise | T1016 | System Network Configuration Discovery | Sliver has the ability to gather network configuration information.[10]
Enterprise | T1134 | Access Token Manipulation | Sliver has the ability to manipulate user tokens on targeted Windows systems.[1][5]
Enterprise | T1105 | Ingress Tool Transfer | Sliver can upload files from the C2 server to the victim machine using the upload command.[11]
Enterprise | T1055 | Process Injection | Sliver can inject code into local and remote processes.[1][5]
Enterprise | T1041 | Exfiltration Over C2 Channel | Sliver can exfiltrate files from the victim using the download command.[12]

Groups That Use This Software

Campaigns

ID | Name | Description
C0018 | C0018 | [15]

References