1. Home
  2. Software
  3. Sliver

Sliver

Sliver is an open source, cross-platform, red team command and control framework written in Golang.[1]

ID: S0633
Type: TOOL
Platforms: Windows, Linux, macOS
Contributors: Achute Sharma, Keysight; Ayan Saha, Keysight
Version: 1.0
Created: 30 July 2021
Last Modified: 15 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

Sliver has the ability to manipulate user tokens on targeted Windows systems.[1][2]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sliver has the ability to support C2 communications over HTTP/S.[3][1][2]
.004 Application Layer Protocol: DNS

Sliver can support C2 communications over DNS.[3][1][4]
Enterprise T1132 .001 Data Encoding: Standard Encoding

Sliver can use standard encoding techniques like gzip and hex to ASCII to encode the C2 communication payload.[5]
Enterprise T1001 .002 Data Obfuscation: Steganography

Sliver can encode binary data into a .PNG file for C2 communication.[5]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.[6]
.002 Encrypted Channel: Asymmetric Cryptography

Sliver can use mutual TLS and RSA cryptography to exchange a session key.[3][1][6]
Enterprise T1041 Exfiltration Over C2 Channel

Sliver can exfiltrate files from the victim using the download command.[7]
Enterprise T1083 File and Directory Discovery

Sliver can enumerate files on a target system.[8]
Enterprise T1105 Ingress Tool Transfer

Sliver can upload files from the C2 server to the victim machine using the upload command.[9]
Enterprise T1027 Obfuscated Files or Information

Sliver can encrypt strings at compile time.[1][2]
Enterprise T1055 Process Injection

Sliver can inject code into local and remote processes.[1][2]
Enterprise T1113 Screen Capture

Sliver can take screenshots of the victim’s active display.[10]
Enterprise T1016 System Network Configuration Discovery

Sliver has the ability to gather network configuration information.[11]
Enterprise T1049 System Network Connections Discovery

Sliver can collect network connection information.[12]

Groups That Use This Software

ID Name References
G0016 APT29

[3]

References

  1. Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
  2. BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
  3. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  4. BishopFox. (n.d.). Sliver DNS C2 . Retrieved September 15, 2021.
  5. BishopFox. (n.d.). Sliver HTTP(S) C2. Retrieved September 16, 2021.
  6. BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021.
  1. BishopFox. (n.d.). Sliver Download. Retrieved September 16, 2021.
  2. BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.
  3. BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021.
  4. BishopFox. (n.d.). Sliver Screenshot. Retrieved September 16, 2021.
  5. BishopFox. (n.d.). Sliver Ifconfig. Retrieved September 16, 2021.
  6. BishopFox. (n.d.). Sliver Netstat. Retrieved September 16, 2021.