1. Home
  2. Software
  3. Sliver

Sliver

Sliver is an open source, cross-platform, red team command and control (C2) framework written in Golang. Sliver includes its own package manager, "armory," for staging and downloading additional tools and payloads to the primary C2 framework.[1][2]

ID: S0633
Type: TOOL
Platforms: Windows, Linux, macOS
Contributors: Achute Sharma, Keysight; Ayan Saha, Keysight; Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 2.0
Created: 30 July 2021
Last Modified: 24 March 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Sliver can leverage multiple techniques to bypass User Account Control (UAC) on Windows systems.[2]
Enterprise T1134 Access Token Manipulation

Sliver has the ability to manipulate user tokens on targeted Windows systems.[1][3]
Enterprise T1071 Application Layer Protocol

Sliver can utilize the Wireguard VPN protocol for command and control.[2]
.001 Web Protocols

Sliver has the ability to support C2 communications over HTTP and HTTPS.[4][1][3][2][5]
.004 DNS

Sliver can support C2 communications over DNS.[4][1][6][2][5]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Sliver has built-in functionality to launch a Powershell command prompt.[2]
Enterprise T1132 .001 Data Encoding: Standard Encoding

Sliver can use standard encoding techniques like gzip and hex to ASCII to encode the C2 communication payload.[7]
Enterprise T1001 .002 Data Obfuscation: Steganography

Sliver can encode binary data into a .PNG file for C2 communication.[7]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.[8]
.002 Encrypted Channel: Asymmetric Cryptography

Sliver can use mutual TLS and RSA cryptography to exchange a session key.[4][1][8][2][5]
Enterprise T1041 Exfiltration Over C2 Channel

Sliver can exfiltrate files from the victim using the download command.[9]
Enterprise T1083 File and Directory Discovery

Sliver can enumerate files on a target system.[10]
Enterprise T1105 Ingress Tool Transfer

Sliver can download additional content and files from the Sliver server to the client residing on the victim machine using the upload command.[11][2]
Enterprise T1027 Obfuscated Files or Information

Sliver obfuscates configuration and other static files using native Go libraries such as garble and gobfuscate to inhibit configuration analysis and static detection.[5]
.004 Compile After Delivery

Sliver includes functionality to retrieve source code and compile locally prior to execution in victim environments.[2]
.013 Encrypted/Encoded File

Sliver can encrypt strings at compile time.[1][3]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Sliver has a built-in procdump command allowing for retrieval of memory from processes such as lsass.exe for credential harvesting.[2]
Enterprise T1055 Process Injection

Sliver includes multiple methods to perform process injection to migrate the framework into other, potentially privileged processes on the victim machine.[5][2][1][3]
Enterprise T1090 .001 Proxy: Internal Proxy

Sliver has a built-in SOCKS5 proxying capability allowing for Sliver clients to proxy network traffic through other clients within a victim network.[2]
Enterprise T1113 Screen Capture

Sliver can take screenshots of the victim’s active display.[12]
Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Sliver incorporates the Rubeus framework to allow for Kerberos ticket manipulation, specifically for forging Kerberos Golden Tickets.[2]
Enterprise T1016 System Network Configuration Discovery

Sliver has the ability to gather network configuration information.[13]
Enterprise T1049 System Network Connections Discovery

Sliver can collect network connection information.[14]

Groups That Use This Software

ID Name References
G1021 Cinnamon Tempest

[15]
G0127 TA551

[2]
G0016 APT29

[4][16]

Campaigns

ID Name Description
C0018 C0018

[17]

References

  1. Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
  2. Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.
  3. BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
  4. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  5. Microsoft Security Experts. (2022, August 24). Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks. Retrieved March 24, 2025.
  6. BishopFox. (n.d.). Sliver DNS C2 . Retrieved September 15, 2021.
  7. BishopFox. (n.d.). Sliver HTTP(S) C2. Retrieved September 16, 2021.
  8. BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021.
  9. BishopFox. (n.d.). Sliver Download. Retrieved September 16, 2021.
  1. BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.
  2. BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021.
  3. BishopFox. (n.d.). Sliver Screenshot. Retrieved September 16, 2021.
  4. BishopFox. (n.d.). Sliver Ifconfig. Retrieved September 16, 2021.
  5. BishopFox. (n.d.). Sliver Netstat. Retrieved September 16, 2021.
  6. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  7. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
  8. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.