S0633 Sliver
Sliver is an open source, cross-platform, red team command and control framework written in Golang.[1]
Item | Value |
---|---|
ID | S0633 |
Associated Names | |
Type | TOOL |
Version | 1.1 |
Created | 30 July 2021 |
Last Modified | 17 January 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1134 | Access Token Manipulation | Sliver has the ability to manipulate user tokens on targeted Windows systems.[1][4] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Sliver has the ability to support C2 communications over HTTP/S.[10][1][4] |
enterprise | T1071.004 | DNS | Sliver can support C2 communications over DNS.[10][1][12] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Sliver can use standard encoding techniques like gzip and hex to ASCII to encode the C2 communication payload.[5] |
enterprise | T1001 | Data Obfuscation | - |
enterprise | T1001.002 | Steganography | Sliver can encode binary data into a .PNG file for C2 communication.[5] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.[8] |
enterprise | T1573.002 | Asymmetric Cryptography | Sliver can use mutual TLS and RSA cryptography to exchange a session key.[10][1][8] |
enterprise | T1041 | Exfiltration Over C2 Channel | Sliver can exfiltrate files from the victim using the download command.[7] |
enterprise | T1083 | File and Directory Discovery | Sliver can enumerate files on a target system.[6] |
enterprise | T1105 | Ingress Tool Transfer | Sliver can upload files from the C2 server to the victim machine using the upload command.[11] |
enterprise | T1027 | Obfuscated Files or Information | Sliver can encrypt strings at compile time.[1][4] |
enterprise | T1055 | Process Injection | Sliver can inject code into local and remote processes.[1][4] |
enterprise | T1113 | Screen Capture | Sliver can take screenshots of the victim's active display.[3] |
enterprise | T1016 | System Network Configuration Discovery | Sliver has the ability to gather network configuration information.[9] |
enterprise | T1049 | System Network Connections Discovery | Sliver can collect network connection information.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [10][14] |
References
1. Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
2. BishopFox. (n.d.). Sliver Netstat. Retrieved September 16, 2021.
3. BishopFox. (n.d.). Sliver Screenshot. Retrieved September 16, 2021.
4. BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
5. BishopFox. (n.d.). Sliver HTTP(S) C2. Retrieved September 16, 2021.
6. BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.
7. BishopFox. (n.d.). Sliver Download. Retrieved September 16, 2021.
8. BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021.
9. BishopFox. (n.d.). Sliver Ifconfig. Retrieved September 16, 2021.
10. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
11. BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021.
12. BishopFox. (n.d.). Sliver DNS C2. Retrieved September 15, 2021.
13. Venere, G., Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
14. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.