Sliver

Sliver is an open source, cross-platform red team command and control (C2) framework written in Golang. Sliver includes its own package manager, "armory," for staging and downloading additional tools and payloads into the C2 framework.[1][2]

ID: S0633
Type: TOOL
Platforms: Windows, Linux, macOS
Contributors: Achute Sharma, Keysight; Ayan Saha, Keysight; Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 2.0
Created: 30 July 2021
Last Modified: 24 March 2025

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Sliver can leverage multiple techniques to bypass User Account Control (UAC) on Windows systems.[2]

Enterprise T1134 Access Token Manipulation

Sliver has the ability to manipulate user tokens on targeted Windows systems.[1][3]

Enterprise T1071 Application Layer Protocol

Sliver can utilize the Wireguard VPN protocol for command and control.[2]

.001 Application Layer Protocol: Web Protocols

Sliver has the ability to support C2 communications over HTTP and HTTPS.[4][1][3][2][5]

.004 Application Layer Protocol: DNS

Sliver can support C2 communications over DNS.[4][1][6][2][5]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Sliver has built-in functionality to launch a PowerShell command prompt.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Sliver can apply standard encodings such as gzip compression and hexadecimal (hex-to-ASCII) encoding to C2 communication payloads.[7]

Enterprise T1001 .002 Data Obfuscation: Steganography

Sliver can encode binary data into a .PNG file for C2 communication.[7]
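The gzip + hex layering in the T1132.001 entry and the PNG carrier in the T1001.002 entry, as one added Go example written for this page (it models the two encodings and is not Sliver's own encoder code): the gzip/hex pair is a plain round trip, and PNGEncode/PNGDecode pack one payload byte per colour channel behind a 4-byte big-endian length prefix. That pixel layout and prefix are assumptions of this example, not a description of Sliver's format, and the sample input in main is constructed.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/png"
	"io"
	"math"
)

// GzipHexEncode gzip-compresses data then hex-encodes it (T1132.001 layering).
// The gzip magic survives hex as the literal prefix "1f8b", a cheap body check.
func GzipHexEncode(data []byte) (string, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(data); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf.Bytes()), nil
}

// GzipHexDecode reverses GzipHexEncode, capping inflated size against decompression bombs.
func GzipHexDecode(s string) ([]byte, error) {
	raw, err := hex.DecodeString(s)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(io.LimitReader(zr, 16<<20))
}

// PNGEncode stores one payload byte per R/G/B channel of a generated image. A
// 4-byte big-endian length prefix marks the payload end; spare channels are zero.
// (Assumed layout for this example, not Sliver's.)
func PNGEncode(data []byte) ([]byte, error) {
	payload := make([]byte, 4+len(data))
	binary.BigEndian.PutUint32(payload, uint32(len(data)))
	copy(payload[4:], data)
	pixels := (len(payload) + 2) / 3
	width := int(math.Ceil(math.Sqrt(float64(pixels))))
	height := (pixels + width - 1) / width
	img := image.NewNRGBA(image.Rect(0, 0, width, height))
	for i := 0; i < width*height; i++ {
		c := color.NRGBA{A: 0xff} // opaque, so RGBA() returns the channels unchanged
		for ch, dst := range []*uint8{&c.R, &c.G, &c.B} {
			if idx := i*3 + ch; idx < len(payload) {
				*dst = payload[idx]
			}
		}
		img.SetNRGBA(i%width, i/width, c)
	}
	var out bytes.Buffer
	if err := png.Encode(&out, img); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// PNGDecode recovers a payload written by PNGEncode, rejecting oversized length prefixes.
func PNGDecode(b []byte) ([]byte, error) {
	img, err := png.Decode(bytes.NewReader(b))
	if err != nil {
		return nil, err
	}
	bounds := img.Bounds()
	payload := make([]byte, 0, bounds.Dx()*bounds.Dy()*3)
	for y := bounds.Min.Y; y < bounds.Max.Y; y++ {
		for x := bounds.Min.X; x < bounds.Max.X; x++ {
			r, g, bl, _ := img.At(x, y).RGBA() // 16-bit per channel, so shift down
			payload = append(payload, byte(r>>8), byte(g>>8), byte(bl>>8))
		}
	}
	if len(payload) < 4 {
		return nil, errors.New("image too small to carry a length prefix")
	}
	n := binary.BigEndian.Uint32(payload)
	if uint64(n)+4 > uint64(len(payload)) {
		return nil, errors.New("length prefix exceeds image capacity")
	}
	return payload[4 : 4+n], nil
}

func main() {
	sample := []byte("constructed sample: beacon check-in") // constructed input
	h, _ := GzipHexEncode(sample)
	p, _ := PNGEncode(sample)
	got, _ := PNGDecode(p)
	fmt.Printf("gzip+hex prefix %s; png carrier %d bytes; recovered %q\n", h[:8], len(p), got)
}
```

Two details matter to a defender: after hex encoding the gzip magic is still visible as the prefix 1f8b in the request body, and a PNG carrying a payload this way is a fully valid image that any viewer opens, so file-type validation alone does not flag it. The decoder's length check and the decompression cap are the guards a receiving endpoint should keep.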

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Sliver can use AES-256-GCM with an exchanged session key to encrypt C2 messages.[8]

.002 Encrypted Channel: Asymmetric Cryptography

Sliver can use mutual TLS and RSA cryptography to exchange a session key.[4][1][8][2][5]
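The session establishment the two Encrypted Channel entries describe, as an added Go example written for this page (it is not Sliver's handshake code): the implant draws a random 256-bit key, wraps it with RSA-OAEP to the server's public key, and both sides then protect messages with AES-256-GCM. The nonce || ciphertext || tag framing and the use of an empty OAEP label are assumptions of this example. Mutual TLS, which the entry also cites, is not modelled here; without it, or some other way to authenticate the server's public key, the RSA step gives confidentiality of the session key but not authentication of the peer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const sessionKeySize = 32 // 256-bit key, hence AES-256-GCM

// NewServerKey generates the server's long-term RSA key pair.
func NewServerKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// WrapSessionKey encrypts the session key to the server's RSA public key with
// RSA-OAEP/SHA-256, so only the private-key holder can recover it.
func WrapSessionKey(serverPub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
}

// UnwrapSessionKey is the server side; it rejects wrong-length keys so a bad
// peer cannot quietly downgrade the session to AES-128.
func UnwrapSessionKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	if len(key) != sessionKeySize {
		return nil, errors.New("unwrapped key has wrong length")
	}
	return key, nil
}

// NewSession builds the AES-256-GCM AEAD both sides use once they share the key.
func NewSession(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal frames one message as nonce || ciphertext || tag; a repeated nonce under one key breaks GCM.
func Seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies the tag and decrypts; any modified byte yields an error.
func Open(aead cipher.AEAD, msg []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(msg) < ns+aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:ns], msg[ns:], nil)
}

// Handshake runs both roles in-process: implant draws a key, wraps it, server unwraps it.
func Handshake(serverPriv *rsa.PrivateKey) (implant, server cipher.AEAD, err error) {
	key := make([]byte, sessionKeySize)
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, err
	}
	wrapped, err := WrapSessionKey(&serverPriv.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	serverKey, err := UnwrapSessionKey(serverPriv, wrapped)
	if err != nil {
		return nil, nil, err
	}
	if implant, err = NewSession(key); err != nil {
		return nil, nil, err
	}
	if server, err = NewSession(serverKey); err != nil {
		return nil, nil, err
	}
	return implant, server, nil
}

func main() {
	serverPriv, _ := NewServerKey(2048)
	implant, server, err := Handshake(serverPriv)
	if err != nil {
		panic(err)
	}
	msg, _ := Seal(implant, []byte("constructed sample: beacon check-in")) // constructed input
	pt, err := Open(server, msg)
	fmt.Printf("server read %q, err=%v\n", pt, err)
}
```

Because GCM authenticates as well as encrypts, a single flipped byte anywhere in the frame makes Open fail, which is what stops an on-path party from tampering with tasking; what it does not stop is replay of an old frame, so a real protocol also needs a counter or timestamp inside the plaintext.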

Enterprise T1041 Exfiltration Over C2 Channel

Sliver can exfiltrate files from the victim using the download command.[9]

Enterprise T1083 File and Directory Discovery

Sliver can enumerate files on a target system.[10]

Enterprise T1105 Ingress Tool Transfer

Sliver can transfer additional content and files from the Sliver server to the implant on the victim machine using the upload command.[11][2]

Enterprise T1027 Obfuscated Files or Information

Sliver obfuscates configuration and other static files using Go obfuscation tooling such as garble and gobfuscate to inhibit configuration analysis and static detection.[5]

.004 Obfuscated Files or Information: Compile After Delivery

Sliver includes functionality to retrieve source code and compile locally prior to execution in victim environments.[2]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Sliver can encrypt strings at compile time.[1][3]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Sliver has a built-in procdump command allowing for retrieval of memory from processes such as lsass.exe for credential harvesting.[2]

Enterprise T1055 Process Injection

Sliver includes multiple process injection methods for migrating the implant into other, potentially higher-privileged, processes on the victim machine.[5][2][1][3]

Enterprise T1090 .001 Proxy: Internal Proxy

Sliver has a built-in SOCKS5 proxy capability that lets operators route network traffic through Sliver implants to reach other hosts within a victim network.[2]

Enterprise T1113 Screen Capture

Sliver can take screenshots of the victim’s active display.[12]

Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Sliver incorporates the Rubeus framework to allow for Kerberos ticket manipulation, specifically for forging Kerberos Golden Tickets.[2]

Enterprise T1016 System Network Configuration Discovery

Sliver has the ability to gather network configuration information.[13]

Enterprise T1049 System Network Connections Discovery

Sliver can collect network connection information.[14]

Groups That Use This Software

Campaigns

ID Name Description
C0018 C0018 [17]

References