S0633 Sliver

Sliver is an open source, cross-platform, red team command and control framework written in Golang.1

| Item | Value |
|---|---|
| ID | S0633 |
| Associated Names | |
| Version | 1.1 |
| Created | 30 July 2021 |
| Last Modified | 17 January 2023 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | Sliver has the ability to manipulate user tokens on targeted Windows systems.14 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Sliver has the ability to support C2 communications over HTTP/S.1014 |
| enterprise | T1071.004 | DNS | Sliver can support C2 communications over DNS.10112 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Sliver can use standard encoding techniques like gzip and hex to ASCII to encode the C2 communication payload.5 |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.002 | Steganography | Sliver can encode binary data into a .PNG file for C2 communication.5 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.8 |
| enterprise | T1573.002 | Asymmetric Cryptography | Sliver can use mutual TLS and RSA cryptography to exchange a session key.1018 |
| enterprise | T1041 | Exfiltration Over C2 Channel | Sliver can exfiltrate files from the victim using the download command.7 |
| enterprise | T1083 | File and Directory Discovery | Sliver can enumerate files on a target system.6 |
| enterprise | T1105 | Ingress Tool Transfer | Sliver can upload files from the C2 server to the victim machine using the upload command.11 |
| enterprise | T1027 | Obfuscated Files or Information | Sliver can encrypt strings at compile time.14 |
| enterprise | T1055 | Process Injection | Sliver can inject code into local and remote processes.14 |
| enterprise | T1113 | Screen Capture | Sliver can take screenshots of the victim’s active display.3 |
| enterprise | T1016 | System Network Configuration Discovery | Sliver has the ability to gather network configuration information.9 |
| enterprise | T1049 | System Network Connections Discovery | Sliver can collect network connection information.2 |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0016 | APT29 | 1014 |