Sliver
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Sliver can leverage multiple techniques to bypass User Account Control (UAC) on Windows systems.(Citation: Cybereason Sliver Undated)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Sliver has the ability to support C2 communications over HTTP and HTTPS.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2)(Citation: Cybereason Sliver Undated)(Citation: Microsoft Sliver 2022)
Enterprise | T1071.004 | Application Layer Protocol: DNS | Sliver can support C2 communications over DNS.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2 DNS)(Citation: Cybereason Sliver Undated)(Citation: Microsoft Sliver 2022)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Sliver has built-in functionality to launch a PowerShell command prompt.(Citation: Cybereason Sliver Undated)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Sliver can use standard encoding techniques like gzip and hex-to-ASCII to encode the C2 communication payload.(Citation: GitHub Sliver HTTP)
Enterprise | T1001.002 | Data Obfuscation: Steganography | Sliver can encode binary data into a .PNG file for C2 communication.(Citation: GitHub Sliver HTTP)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.(Citation: GitHub Sliver Encryption)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Sliver can use mutual TLS and RSA cryptography to exchange a session key.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver Encryption)(Citation: Cybereason Sliver Undated)(Citation: Microsoft Sliver 2022)
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Sliver has a built-in `procdump` command allowing for retrieval of memory from processes such as `lsass.exe` for credential harvesting.(Citation: Cybereason Sliver Undated)
Enterprise | T1027.004 | Obfuscated Files or Information: Compile After Delivery | Sliver includes functionality to retrieve source code and compile it locally prior to execution in victim environments.(Citation: Cybereason Sliver Undated)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Sliver can encrypt strings at compile time.(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2)
Enterprise | T1090.001 | Proxy: Internal Proxy | Sliver has a built-in SOCKS5 proxying capability allowing Sliver clients to proxy network traffic through other clients within a victim network.(Citation: Cybereason Sliver Undated)
Enterprise | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Sliver incorporates the Rubeus framework to allow for Kerberos ticket manipulation, specifically for forging Kerberos Golden Tickets.(Citation: Cybereason Sliver Undated)
Groups That Use This Software

ID | Name | References
---|---|---
 | | (Citation: Cisco Talos Avos Jun 2022)
G1021 | Cinnamon Tempest | (Citation: Microsoft Ransomware as a Service)
G0127 | TA551 | (Citation: Cybereason Sliver Undated)
G0016 | APT29 | (Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Secureworks IRON HEMLOCK Profile)
References
- Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.
- Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
- Venere, G., Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
- Microsoft Security Experts. (2022, August 24). Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks. Retrieved March 24, 2025.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
- BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.
- BishopFox. (n.d.). Sliver HTTP(S) C2. Retrieved September 16, 2021.
- BishopFox. (n.d.). Sliver DNS C2. Retrieved September 15, 2021.
- NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
- BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021.
- BishopFox. (n.d.). Sliver Ifconfig. Retrieved September 16, 2021.
- BishopFox. (n.d.). Sliver Screenshot. Retrieved September 16, 2021.
- BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021.
- BishopFox. (n.d.). Sliver Download. Retrieved September 16, 2021.
- Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
- BishopFox. (n.d.). Sliver Netstat. Retrieved September 16, 2021.