Sliver

Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Sliver has the ability to support C2 communications over HTTP/S.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2)
Enterprise | T1071.004 | Application Layer Protocol: DNS | Sliver can support C2 communications over DNS.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2 DNS)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Sliver can use standard encoding techniques like gzip and hex-to-ASCII to encode the C2 communication payload.(Citation: GitHub Sliver HTTP)
Enterprise | T1001.002 | Data Obfuscation: Steganography | Sliver can encode binary data into a .PNG file for C2 communication.(Citation: GitHub Sliver HTTP)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.(Citation: GitHub Sliver Encryption)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Sliver can use mutual TLS and RSA cryptography to exchange a session key.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver Encryption)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Sliver can encrypt strings at compile time.(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2)
Groups That Use This Software

ID | Name | References
---|---|---
 |  | (Citation: Cisco Talos Avos Jun 2022)
G1021 | Cinnamon Tempest | (Citation: Microsoft Ransomware as a Service)
G0016 | APT29 | (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: Secureworks IRON HEMLOCK Profile)
References

- Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
- Venere, G., & Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
- BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.
- BishopFox. (n.d.). Sliver HTTP(S) C2. Retrieved September 16, 2021.
- NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
- BishopFox. (n.d.). Sliver DNS C2. Retrieved September 15, 2021.
- BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021.
- BishopFox. (n.d.). Sliver Ifconfig. Retrieved September 16, 2021.
- BishopFox. (n.d.). Sliver Screenshot. Retrieved September 16, 2021.
- BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021.
- BishopFox. (n.d.). Sliver Download. Retrieved September 16, 2021.
- Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
- BishopFox. (n.d.). Sliver Netstat. Retrieved September 16, 2021.