| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Sliver can leverage multiple techniques to bypass User Account Control (UAC) on Windows systems.[2] |
| Enterprise | T1134 | Access Token Manipulation | Sliver has the ability to manipulate user tokens on targeted Windows systems.[1][3] |
| Enterprise | T1071 | Application Layer Protocol | Sliver can utilize the WireGuard VPN protocol for command and control.[2] |
| | T1071.001 | Web Protocols | Sliver has the ability to support C2 communications over HTTP and HTTPS.[4][1][3][2][5] |
| | T1071.004 | DNS | Sliver can support C2 communications over DNS.[4][1][6][2][5] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Sliver has built-in functionality to launch a PowerShell command prompt.[2] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Sliver can use standard encoding techniques like gzip and hex to ASCII to encode the C2 communication payload.[7] |
| Enterprise | T1001.002 | Data Obfuscation: Steganography | Sliver can encode binary data into a .PNG file for C2 communication.[7] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.[8] |
| | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Sliver can use mutual TLS and RSA cryptography to exchange a session key.[4][1][8][2][5] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Sliver can exfiltrate files from the victim using the |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1105 | Ingress Tool Transfer | Sliver can download additional content and files from the Sliver server to the client residing on the victim machine using the |
| Enterprise | T1027 | Obfuscated Files or Information | Sliver obfuscates configuration and other static files using native Go libraries such as |
| | T1027.004 | Compile After Delivery | Sliver includes functionality to retrieve source code and compile locally prior to execution in victim environments.[2] |
| | T1027.013 | Encrypted/Encoded File | |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Sliver has a built-in |
| Enterprise | T1055 | Process Injection | Sliver includes multiple methods to perform process injection to migrate the framework into other, potentially privileged processes on the victim machine.[5][2][1][3] |
| Enterprise | T1090.001 | Proxy: Internal Proxy | Sliver has a built-in SOCKS5 proxying capability allowing Sliver clients to proxy network traffic through other clients within a victim network.[2] |
| Enterprise | T1113 | Screen Capture | Sliver can take screenshots of the victim's active display.[12] |
| Enterprise | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Sliver incorporates the Rubeus framework to allow for Kerberos ticket manipulation, specifically for forging Kerberos Golden Tickets.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Sliver has the ability to gather network configuration information.[13] |
| Enterprise | T1049 | System Network Connections Discovery | |