Sliver

Sliver is an open source, cross-platform, red team command and control framework written in Golang.[1]

ID: S0633
Type: TOOL
Platforms: Windows, Linux, macOS
Contributors: Achute Sharma, Keysight; Ayan Saha, Keysight
Version: 1.0
Created: 30 July 2021
Last Modified: 15 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

Sliver has the ability to manipulate user tokens on targeted Windows systems.[1][2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sliver has the ability to support C2 communications over HTTP/S.[3][1][2]

.004 Application Layer Protocol: DNS

Sliver can support C2 communications over DNS.[3][1][4]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Sliver can use standard encoding techniques like gzip and hex to ASCII to encode the C2 communication payload.[5]

Enterprise T1001 .002 Data Obfuscation: Steganography

Sliver can encode binary data into a .PNG file for C2 communication.[5]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.[6]

.002 Encrypted Channel: Asymmetric Cryptography

Sliver can use mutual TLS and RSA cryptography to exchange a session key.[3][1][6]

Enterprise T1041 Exfiltration Over C2 Channel

Sliver can exfiltrate files from the victim using the download command.[7]

Enterprise T1083 File and Directory Discovery

Sliver can enumerate files on a target system.[8]

Enterprise T1105 Ingress Tool Transfer

Sliver can upload files from the C2 server to the victim machine using the upload command.[9]

Enterprise T1027 Obfuscated Files or Information

Sliver can encrypt strings at compile time.[1][2]

Enterprise T1055 Process Injection

Sliver can inject code into local and remote processes.[1][2]

Enterprise T1113 Screen Capture

Sliver can take screenshots of the victim’s active display.[10]

Enterprise T1016 System Network Configuration Discovery

Sliver has the ability to gather network configuration information.[11]

Enterprise T1049 System Network Connections Discovery

Sliver can collect network connection information.[12]

Groups That Use This Software

ID Name References
G0016 APT29

[3][13]

References