SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sliver (Back to overview)

Sliver


According to VK9 Seecurity, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.

References
2023-04-12SpamhausSpamhaus Malware Labs
@techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} } Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-02-06AhnLabASEC
@online{asec:20230206:sliver:4683d40, author = {ASEC}, title = {{Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations}}, date = {2023-02-06}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/47088/}, language = {English}, urldate = {2023-03-20} } Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations
Sliver
2022-11-03Github (chronicle)Chronicle
@online{chronicle:20221103:gcti:dc42ba8, author = {Chronicle}, title = {{GCTI Open Source Detection Signatures}}, date = {2022-11-03}, organization = {Github (chronicle)}, url = {https://github.com/chronicle/GCTI}, language = {English}, urldate = {2022-11-25} } GCTI Open Source Detection Signatures
Cobalt Strike Sliver
2022-10-03Check PointMarc Salinas Fernandez
@online{fernandez:20221003:bumblebee:25732bf, author = {Marc Salinas Fernandez}, title = {{Bumblebee: increasing its capacity and evolving its TTPs}}, date = {2022-10-03}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/}, language = {English}, urldate = {2022-10-07} } Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar
2022-09-01Medium michaelkoczwaraMichael Koczwara
@online{koczwara:20220901:hunting:45c54de, author = {Michael Koczwara}, title = {{Hunting C2/Adversaries Infrastructure with Shodan and Censys}}, date = {2022-09-01}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f}, language = {English}, urldate = {2023-01-19} } Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver
2022-08-24MicrosoftMicrosoft Security Experts
@online{experts:20220824:looking:599689a, author = {Microsoft Security Experts}, title = {{Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks}}, date = {2022-08-24}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks}, language = {English}, urldate = {2022-08-30} } Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks
BumbleBee Sliver
2022-06-15VolexitySteven Adair, Thomas Lancaster, Volexity Threat Research
@online{adair:20220615:driftingcloud:58322a8, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach}}, date = {2022-06-15}, organization = {Volexity}, url = {https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/}, language = {English}, urldate = {2022-06-17} } DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach
pupy Sliver
2022-05-12Intel 471Intel 471
@online{471:20220512:what:05369d4, author = {Intel 471}, title = {{What malware to look for if you want to prevent a ransomware attack}}, date = {2022-05-12}, organization = {Intel 471}, url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike}, language = {English}, urldate = {2022-05-13} } What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-04-29Team CymruJoshua Picolet
@online{picolet:20220429:sliver:44c5312, author = {Joshua Picolet}, title = {{Sliver Case Study: Assessing Common Offensive Security Tools The Use of the Sliver C2 Framework for Malicious Purposes}}, date = {2022-04-29}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/sliver-case-study-assessing-common-offensive-security-tools}, language = {English}, urldate = {2022-11-02} } Sliver Case Study: Assessing Common Offensive Security Tools The Use of the Sliver C2 Framework for Malicious Purposes
Sliver
2021-12-07TelsyTelsy Research Team
@online{team:20211207:nobelium:543fe63, author = {Telsy Research Team}, title = {{NOBELIUM again or eCrime operation?}}, date = {2021-12-07}, organization = {Telsy}, url = {https://www.telsy.com/download/5900/?uid=b797afdcfb}, language = {English}, urldate = {2022-01-25} } NOBELIUM again or eCrime operation?
Sliver
2021-05-07NCSC UKNCSC UK
@techreport{uk:20210507:further:896e2eb, author = {NCSC UK}, title = {{Further TTPs associated with SVR cyber actors}}, date = {2021-05-07}, institution = {NCSC UK}, url = {https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf}, language = {English}, urldate = {2022-06-04} } Further TTPs associated with SVR cyber actors
Sliver
2019-01-17Github (BishopFox)BishopFox
@online{bishopfox:20190117:sliver:915fc7e, author = {BishopFox}, title = {{Sliver Implant Framework}}, date = {2019-01-17}, organization = {Github (BishopFox)}, url = {https://github.com/BishopFox/sliver}, language = {English}, urldate = {2020-01-07} } Sliver Implant Framework
Sliver
Yara Rules
[TLP:WHITE] win_sliver_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_sliver_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 488d3d59917900 4889c8 e8???????? ebe5 e8???????? eb80 }
            // n = 7, score = 100
            //   c3                   | dec                 eax
            //   488d3d59917900       | cmp                 edx, esi
            //   4889c8               | jne                 0x9a2
            //   e8????????           |                     
            //   ebe5                 | dec                 esp
            //   e8????????           |                     
            //   eb80                 | mov                 dword ptr [ecx + 0x30], ecx

        $sequence_1 = { ebd5 31c0 ebd1 31c0 ebcd 750e 4883bc249001000001 }
            // n = 7, score = 100
            //   ebd5                 | mov                 dword ptr [ecx + 0x40], ebp
            //   31c0                 | dec                 ecx
            //   ebd1                 | shl                 ecx, 4
            //   31c0                 | inc                 edi
            //   ebcd                 | mov                 dword ptr [edx + ecx], esp
            //   750e                 | inc                 ebx
            //   4883bc249001000001     | mov    byte ptr [edx + ecx + 4], 0

        $sequence_2 = { 7404 488b4008 0f57c0 0f11842488000000 4889842488000000 488b442458 4889842490000000 }
            // n = 7, score = 100
            //   7404                 | dec                 eax
            //   488b4008             | mov                 dword ptr [esp], ecx
            //   0f57c0               | dec                 eax
            //   0f11842488000000     | lea                 ecx, [esp + 0x28]
            //   4889842488000000     | dec                 eax
            //   488b442458           | mov                 dword ptr [esp + 8], ecx
            //   4889842490000000     | dec                 eax

        $sequence_3 = { eb8f 488b4c2450 488b542448 e9???????? 0fb67310 488d3ddb9c7700 0fb6343e }
            // n = 7, score = 100
            //   eb8f                 | mov                 eax, dword ptr [eax]
            //   488b4c2450           | dec                 eax
            //   488b542448           | mov                 ecx, dword ptr [eax]
            //   e9????????           |                     
            //   0fb67310             | jbe                 0xe1d
            //   488d3ddb9c7700       | dec                 eax
            //   0fb6343e             | sub                 esp, 0x20

        $sequence_4 = { ebd4 4889442410 90 488d05bf553e00 48890424 e8???????? 488b7c2408 }
            // n = 7, score = 100
            //   ebd4                 | dec                 eax
            //   4889442410           | mov                 dword ptr [esp + 0x90], ebx
            //   90                   | dec                 eax
            //   488d05bf553e00       | mov                 dword ptr [esp + 0x98], edx
            //   48890424             | xorps               xmm0, xmm0
            //   e8????????           |                     
            //   488b7c2408           | movups              xmmword ptr [esp + 0xa0], xmm0

        $sequence_5 = { ebea 90 b801000000 488d0d17948600 8701 488b05???????? 48890424 }
            // n = 7, score = 100
            //   ebea                 | mov                 dword ptr [esp], ecx
            //   90                   | mov                 byte ptr [esp + 8], al
            //   b801000000           | jge                 0x8a5
            //   488d0d17948600       | nop                 
            //   8701                 | dec                 eax
            //   488b05????????       |                     
            //   48890424             | mov                 eax, dword ptr [esp + 0xa8]

        $sequence_6 = { ebae 48894c2458 48895c2448 4889442440 488d050b972300 48890424 4c89442408 }
            // n = 7, score = 100
            //   ebae                 | sub                 esp, 0x30
            //   48894c2458           | dec                 eax
            //   48895c2448           | mov                 dword ptr [esp + 0x28], ebp
            //   4889442440           | dec                 eax
            //   488d050b972300       | lea                 ebp, [esp + 0x28]
            //   48890424             | nop                 
            //   4c89442408           | dec                 eax

        $sequence_7 = { ebd1 90 488d05f9140d00 48890424 e8???????? 488b7c2408 48c747084a000000 }
            // n = 7, score = 100
            //   ebd1                 | dec                 eax
            //   90                   | lea                 eax, [0xaba16]
            //   488d05f9140d00       | ja                  0xd5c
            //   48890424             | dec                 ebp
            //   e8????????           |                     
            //   488b7c2408           | lea                 ebx, [edx + 1]
            //   48c747084a000000     | dec                 esp

        $sequence_8 = { eb94 4883f80c 750d 488b8c2468010000 488b01 eb81 90 }
            // n = 7, score = 100
            //   eb94                 | lea                 eax, [0x357e0a]
            //   4883f80c             | jbe                 0x14a7
            //   750d                 | dec                 eax
            //   488b8c2468010000     | sub                 esp, 0x20
            //   488b01               | dec                 eax
            //   eb81                 | mov                 dword ptr [esp + 0x18], ebp
            //   90                   | dec                 eax

        $sequence_9 = { e9???????? 65488b0c2528000000 488b8900000000 483b6110 0f86ca000000 4883ec50 48896c2448 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   65488b0c2528000000     | dec    eax
            //   488b8900000000       | lea                 ecx, [0x26bbfa]
            //   483b6110             | dec                 eax
            //   0f86ca000000         | mov                 edx, dword ptr [esp + 0x168]
            //   4883ec50             | dec                 eax
            //   48896c2448           | mov                 dword ptr [edx], ecx

    condition:
        7 of them and filesize < 18211840
}
[TLP:WHITE] win_sliver_w0   (20221012 | Detects Sliver implant cross-platform adversary emulation/red team)
rule win_sliver_w0 {
    meta:
        author = "ditekSHen"
        description = "Detects Sliver implant cross-platform adversary emulation/red team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver"
        malpedia_rule_date = "20221011"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x1 = "github.com/bishopfox/sliver/protobuf/sliverpbb." ascii
        $s1 = ".commonpb.ResponseR" ascii
        $s2 = ".PortfwdProtocol" ascii
        $s3 = ".WGTCPForwarder" ascii
        $s4 = ".WGSocksServerR" ascii
        $s5 = ".PivotEntryR" ascii
        $s6 = ".BackdoorReq" ascii
        $s7 = ".ProcessDumpReq" ascii
        $s8 = ".InvokeSpawnDllReq" ascii
        $s9 = ".SpawnDll" ascii
        $s10 = ".TCPPivotReq" ascii
    condition:
        (uint16(0) == 0x5a4d or uint16(0) == 0x457f or uint16(0) == 0xfacf) and (1 of ($x*) or 5 of ($s*))
}
Download all Yara Rules