S0633 Sliver
Sliver is an open source, cross-platform, red team command and control (C2) framework written in Golang. Sliver includes its own package manager, "armory," for staging and downloading additional tools and payloads to the primary C2 framework.[2][1]
| Item | Value |
|---|---|
| ID | S0633 |
| Associated Names | |
| Type | TOOL |
| Version | 2.0 |
| Created | 30 July 2021 |
| Last Modified | 24 March 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Sliver can leverage multiple techniques to bypass User Account Control (UAC) on Windows systems.[1] |
| enterprise | T1134 | Access Token Manipulation | Sliver has the ability to manipulate user tokens on targeted Windows systems.[2][4] |
| enterprise | T1071 | Application Layer Protocol | Sliver can utilize the WireGuard VPN protocol for command and control.[1] |
| enterprise | T1071.001 | Web Protocols | Sliver has the ability to support C2 communications over HTTP and HTTPS.[8][2][4][13] |
| enterprise | T1071.004 | DNS | Sliver can support C2 communications over DNS.[8][2][7][13] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Sliver has built-in functionality to launch a PowerShell command prompt.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Sliver can use standard encoding techniques like gzip and hex-to-ASCII to encode the C2 communication payload.[6] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.002 | Steganography | Sliver can encode binary data into a .PNG file for C2 communication.[6] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.[9] |
| enterprise | T1573.002 | Asymmetric Cryptography | Sliver can use mutual TLS and RSA cryptography to exchange a session key.[8][2][9][13] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Sliver can exfiltrate files from the victim using the download command.[13] |
| enterprise | T1083 | File and Directory Discovery | Sliver can enumerate files on a target system.[5] |
| enterprise | T1105 | Ingress Tool Transfer | Sliver can download additional content and files from the Sliver server to the client residing on the victim machine using the upload command.[12][1] |
| enterprise | T1027 | Obfuscated Files or Information | Sliver obfuscates configuration and other static files using native Go libraries such as garble and gobfuscate to inhibit configuration analysis and static detection.[3] |
| enterprise | T1027.004 | Compile After Delivery | Sliver includes functionality to retrieve source code and compile locally prior to execution in victim environments.[1] |
| enterprise | T1027.013 | Encrypted/Encoded File | Sliver can encrypt strings at compile time.[2][4] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Sliver has a built-in procdump command allowing for retrieval of memory from processes such as lsass.exe for credential harvesting.[1] |
| enterprise | T1055 | Process Injection | Sliver includes multiple methods to perform process injection to migrate the framework into other, potentially privileged, processes on the victim machine.[3][1][2][4] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | Sliver has a built-in SOCKS5 proxying capability allowing Sliver clients to proxy network traffic through other clients within a victim network.[1] |
| enterprise | T1113 | Screen Capture | Sliver can take screenshots of the victim's active display.[11] |
| enterprise | T1558 | Steal or Forge Kerberos Tickets | - |
| enterprise | T1558.001 | Golden Ticket | Sliver incorporates the Rubeus framework to allow for Kerberos ticket manipulation, specifically for forging Kerberos Golden Tickets.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Sliver has the ability to gather network configuration information.[10] |
| enterprise | T1049 | System Network Connections Discovery | Sliver can collect network connection information.[14] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1021 | Cinnamon Tempest | [16] |
| G0127 | TA551 | [1] |
| G0016 | APT29 | [8][17] |
References
1. Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.
2. Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
3. Microsoft Security Experts. (2022, August 24). Looking for the 'Sliver' lining: Hunting for emerging command-and-control frameworks. Retrieved March 24, 2025.
4. BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
5. BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.
6. BishopFox. (n.d.). Sliver HTTP(S) C2. Retrieved September 16, 2021.
7. BishopFox. (n.d.). Sliver DNS C2. Retrieved September 15, 2021.
8. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
9. BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021.
10. BishopFox. (n.d.). Sliver Ifconfig. Retrieved September 16, 2021.
11. BishopFox. (n.d.). Sliver Screenshot. Retrieved September 16, 2021.
12. BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021.
13. BishopFox. (n.d.). Sliver Download. Retrieved September 16, 2021.
14. BishopFox. (n.d.). Sliver Netstat. Retrieved September 16, 2021.
15. Venere, G., Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
16. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
17. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.