Sliver

Sliver is an open source, cross-platform, red team command and control (C2) framework written in Golang. Sliver includes its own package manager, "armory," for staging and downloading additional tools and payloads to the primary C2 framework.(Citation: Bishop Fox Sliver Framework August 2019)(Citation: Cybereason Sliver Undated)
ID: S0633
Type: TOOL
Platforms: Windows
Version: 2.0
Created: 30 Jul 2021
Last Modified: 24 Mar 2025

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Sliver can leverage multiple techniques to bypass User Account Control (UAC) on Windows systems.(Citation: Cybereason Sliver Undated)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sliver has the ability to support C2 communications over HTTP and HTTPS.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2)(Citation: Cybereason Sliver Undated)(Citation: Microsoft Sliver 2022)

Enterprise T1071 .004 Application Layer Protocol: DNS

Sliver can support C2 communications over DNS.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2 DNS)(Citation: Cybereason Sliver Undated)(Citation: Microsoft Sliver 2022)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Sliver has built-in functionality to launch a PowerShell command prompt.(Citation: Cybereason Sliver Undated)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Sliver can use standard encoding techniques like gzip and hex to ASCII to encode the C2 communication payload.(Citation: GitHub Sliver HTTP)

Enterprise T1001 .002 Data Obfuscation: Steganography

Sliver can encode binary data into a .PNG file for C2 communication.(Citation: GitHub Sliver HTTP)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.(Citation: GitHub Sliver Encryption)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Sliver can use mutual TLS and RSA cryptography to exchange a session key.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver Encryption)(Citation: Cybereason Sliver Undated)(Citation: Microsoft Sliver 2022)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Sliver has a built-in `procdump` command allowing for retrieval of memory from processes such as `lsass.exe` for credential harvesting.(Citation: Cybereason Sliver Undated)

Enterprise T1027 .004 Obfuscated Files or Information: Compile After Delivery

Sliver includes functionality to retrieve source code and compile locally prior to execution in victim environments.(Citation: Cybereason Sliver Undated)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Sliver can encrypt strings at compile time.(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2)

Enterprise T1090 .001 Proxy: Internal Proxy

Sliver has a built-in SOCKS5 proxying capability allowing for Sliver clients to proxy network traffic through other clients within a victim network.(Citation: Cybereason Sliver Undated)

Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Sliver incorporates the Rubeus framework to allow for Kerberos ticket manipulation, specifically for forging Kerberos Golden Tickets.(Citation: Cybereason Sliver Undated)

Groups That Use This Software

ID Name References

(Citation: Cisco Talos Avos Jun 2022)

G1021 Cinnamon Tempest

(Citation: Microsoft Ransomware as a Service)

G0127 TA551

(Citation: Cybereason Sliver Undated)

G0016 APT29

(Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: Secureworks IRON HEMLOCK Profile)

References

  1. Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.
  2. Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
  3. Venere, G., Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
  4. Microsoft Security Experts. (2022, August 24). Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks. Retrieved March 24, 2025.
  5. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  6. BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
  7. BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.
  8. BishopFox. (n.d.). Sliver HTTP(S) C2. Retrieved September 16, 2021.
  9. BishopFox. (n.d.). Sliver DNS C2. Retrieved September 15, 2021.
  10. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  11. BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021.
  12. BishopFox. (n.d.). Sliver Ifconfig. Retrieved September 16, 2021.
  13. BishopFox. (n.d.). Sliver Screenshot. Retrieved September 16, 2021.
  14. BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021.
  15. BishopFox. (n.d.). Sliver Download. Retrieved September 16, 2021.
  16. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
  17. BishopFox. (n.d.). Sliver Netstat. Retrieved September 16, 2021.