S0633: Sliver
Analyst context for executives and security teams
Sliver matters because it is an open-source, cross-platform command-and-control framework that can support post-compromise operations on Windows, Linux, and macOS. For leaders, the business issue is not the tool name alone; it is whether the organization can recognize C2, tool staging, discovery, credential access, privilege escalation, collection, and exfiltration behaviors that may occur through a legitimate-looking or easily modified framework.
Executive priority
Prioritize Sliver as a readiness test for endpoint, network, and incident response coverage across major operating systems. ATT&CK relationships connect Sliver to a ransomware intrusion campaign and multiple threat groups, so executives should ask whether teams can prove visibility into C2 channels, credential theft from LSASS, tool transfer, discovery activity, privilege escalation attempts, and data movement over existing C2. This is useful for resilience planning, audit evidence, and control prioritization because it validates whether defenses cover behaviors rather than only known malware signatures.
Technical view
ATT&CK does not provide a Sliver-specific detection section, so SOC and detection teams should validate coverage through the related techniques. Focus on Windows, Linux, and macOS telemetry for application-layer C2, web and DNS communications, encoded or obfuscated content, internal proxy behavior, ingress tool transfer, file and network discovery, screen capture, process injection, access token manipulation, UAC bypass, PowerShell execution, LSASS memory access, and exfiltration over C2. Because Sliver is open source and includes an armory package manager for staging and downloading additional tools and payloads, detection should combine host behavior, network patterns, and file/tool transfer evidence rather than depend on static indicators.
Likely telemetry
- Endpoint process creation and command-line telemetry across Windows, Linux, and macOS
- PowerShell execution logs and script block or command content where available
- Windows security and EDR events for LSASS access, token manipulation, UAC bypass indicators, and process injection
- Network flow, proxy, HTTP/S, WebSocket-relevant, and DNS telemetry for application-layer C2 behavior
- File creation, download, staging, compilation, and execution evidence related to transferred tools or payloads
Detection direction
- Validate behavior-based analytics mapped to the related ATT&CK techniques rather than relying only on Sliver names, hashes, or signatures.
- Tune C2 detections for web and DNS traffic carefully because those protocols are common; prioritize unusual destinations, beacon-like patterns, encoded payload characteristics, and unexpected host-to-host proxying when supported by local telemetry.
- Correlate host discovery commands, tool transfer, process injection, credential access, and outbound communications into incident-level stories to reduce false positives from administrative activity.
- Check for blind spots on Linux and macOS, not only Windows, because the official platform field lists all three.
- Confirm whether detections cover post-compromise use of open-source tools in ransomware-relevant scenarios, using the ATT&CK relationship to campaign C0018 as context without assuming local exposure.
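As an added example, not code from this page or from the Sliver project, the Python below applies two of the checks listed above to constructed sample data: inter-request regularity over proxy log lines for beacon-like web C2 (T1071.001) and leftmost-label entropy over DNS query names for data carried in subdomains (T1071.004). The log format, hosts, addresses and thresholds are assumptions to be tuned against local telemetry.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime
# Constructed proxy log (not real data): "<ISO timestamp> <src> <host>".
# 10.0.0.5 reaches one host every ~60 s with jitter; 10.0.0.7 is irregular.
PROXY_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn.example.net
2024-05-01T10:01:02 10.0.0.5 cdn.example.net
2024-05-01T10:01:58 10.0.0.5 cdn.example.net
2024-05-01T10:03:01 10.0.0.5 cdn.example.net
2024-05-01T10:04:00 10.0.0.5 cdn.example.net
2024-05-01T10:00:10 10.0.0.7 updates.example.com
2024-05-01T10:00:45 10.0.0.7 updates.example.com
2024-05-01T10:07:30 10.0.0.7 updates.example.com
2024-05-01T10:21:00 10.0.0.7 updates.example.com
2024-05-01T10:21:05 10.0.0.7 updates.example.com
"""

def beacon_candidates(log, min_hits=5, max_cv=0.10):
    """(src, host, mean_gap_s, cv) for pairs whose request gaps are regular
    enough (low coefficient of variation) to look like a beacon."""
    seen = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, host = line.split()
        seen[(src, host)].append(datetime.fromisoformat(ts))
    hits = []
    for (src, host), times in seen.items():
        if len(times) < min_hits:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean, cv = statistics.mean(gaps), statistics.pstdev(gaps) / statistics.mean(gaps)
        if cv <= max_cv:
            hits.append((src, host, round(mean, 1), round(cv, 3)))
    return hits

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    return -sum(c / len(label) * math.log2(c / len(label)) for c in Counter(label).values())

def suspicious_dns_queries(queries, min_len=24, min_entropy=3.5):
    """Names whose leftmost label is long and high-entropy, the shape of data
    tunnelled through subdomains (T1071.004); ordinary hostnames pass."""
    return [q for q in queries
            if len(q.split(".")[0]) >= min_len and label_entropy(q.split(".")[0]) >= min_entropy]

# Constructed query names; the first two mimic encoded data in a subdomain label.
DNS_QUERIES = ["4a7d9c1e2b8f0a3c5d6e7f8091a2b3c4.c2.example.org",
               "9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.c2.example.org", "www.example.com", "mail.example.com"]
```

Both checks are meant to rank candidates for correlation with host evidence (tool transfer, injection, LSASS access), not to alert on their own, since CDNs and telemetry agents also poll on fixed intervals.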
Mitigation priorities
- Establish baseline visibility first: endpoint logging, DNS/proxy/network telemetry, and centralized collection across Windows, Linux, and macOS.
- Harden identity and endpoint controls around LSASS access, token manipulation, privileged execution, and UAC-related elevation paths where applicable.
- Restrict and monitor unnecessary outbound application-layer traffic, DNS patterns, and internal proxying paths while accounting for business-approved services.
- Control tool ingress and execution through application control, least privilege, and monitoring of downloads, staging directories, compilers, scripting engines, and administrative utilities.
- Prepare IR playbooks that triage C2 discovery, credential access, tool transfer, collection, and exfiltration evidence together rather than treating each alert independently.
Analyst notes and limits
The strongest decision value is to use Sliver as a cross-platform C2 coverage benchmark. ATT&CK identifies Sliver as an open-source Golang C2 framework with an armory package manager and maps it to many post-compromise techniques. Relationships also show use by campaign C0018 and groups APT29, TA551, and Cinnamon Tempest, but those relationships should be treated as ATT&CK context, not proof of current activity in any environment.
The supplied ATT&CK object has no official detection text, no aliases, and no object-level tactics. This take is therefore derived from the official description, platform list, external references, and relationship mappings. Local telemetry, approved administration patterns, egress architecture, and endpoint control capabilities are required to determine actual detection coverage or risk.
Sliver
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027 | Obfuscated Files or Information | Sliver obfuscates configuration and other static files using native Go libraries such as `garble` and `gobfuscate` to inhibit configuration analysis and static detection. [Microsoft Sliver 2022] |
| Enterprise | T1055 | Process Injection | Sliver includes multiple methods to perform process injection to migrate the framework into other, potentially privileged processes on the victim machine. [Microsoft Sliver 2022] [Cybereason Sliver Undated] [Bishop Fox Sliver Framework August 2019] [GitHub Sliver C2] |
| Enterprise | T1083 | File and Directory Discovery | Sliver can enumerate files on a target system. [GitHub Sliver File System August 2021] |
| Enterprise | T1027.004 | Compile After Delivery Sub-technique | Sliver includes functionality to retrieve source code and compile locally prior to execution in victim environments. [Cybereason Sliver Undated] |
| Enterprise | T1001.002 | Steganography Sub-technique | Sliver can encode binary data into a .PNG file for C2 communication. [GitHub Sliver HTTP] |
| Enterprise | T1134 | Access Token Manipulation | Sliver has the ability to manipulate user tokens on targeted Windows systems. [Bishop Fox Sliver Framework August 2019] [GitHub Sliver C2] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Sliver has built-in functionality to launch a PowerShell command prompt. [Cybereason Sliver Undated] |
| Enterprise | T1071.004 | DNS Sub-technique | Sliver can support C2 communications over DNS. [Cybersecurity Advisory SVR TTP May 2021] [Bishop Fox Sliver Framework August 2019] [GitHub Sliver C2 DNS] [Cybereason Sliver Undated] [Microsoft Sliver 2022] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Sliver can encrypt strings at compile time. [Bishop Fox Sliver Framework August 2019] [GitHub Sliver C2] |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Sliver can use mutual TLS and RSA cryptography to exchange a session key. [Cybersecurity Advisory SVR TTP May 2021] [Bishop Fox Sliver Framework August 2019] [GitHub Sliver Encryption] [Cybereason Sliver Undated] [Microsoft Sliver 2022] |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | |
| Enterprise | T1016 | System Network Configuration Discovery | Sliver has the ability to gather network configuration information. [GitHub Sliver Ifconfig] |
| Enterprise | T1113 | Screen Capture | Sliver can take screenshots of the victim's active display. [GitHub Sliver Screen] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Sliver has the ability to support C2 communications over HTTP and HTTPS. [Cybersecurity Advisory SVR TTP May 2021] [Bishop Fox Sliver Framework August 2019] [GitHub Sliver C2] [Cybereason Sliver Undated] [Microsoft Sliver 2022] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange. [GitHub Sliver Encryption] |
| Enterprise | T1071 | Application Layer Protocol | Sliver can utilize the WireGuard VPN protocol for command and control. [Cybereason Sliver Undated] |
| Enterprise | T1558.001 | Golden Ticket Sub-technique | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Sliver can exfiltrate files from the victim using the |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Sliver can leverage multiple techniques to bypass User Account Control (UAC) on Windows systems. [Cybereason Sliver Undated] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Sliver can use standard encoding techniques like gzip and hex to ASCII to encode the C2 communication payload. [GitHub Sliver HTTP] |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Sliver has a built-in `procdump` command allowing for retrieval of memory from processes such as `lsass.exe` for credential harvesting. [Cybereason Sliver Undated] |
| Enterprise | T1049 | System Network Connections Discovery | Sliver can collect network connection information. [GitHub Sliver Netstat] |
Groups, software, and campaigns
G1021: Cinnamon Tempest
Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.[1][2][3][4]
G0127: TA551
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
C0018: C0018
C0018 was a month-long ransomware intrusion that successfully deployed AvosLocker onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing AvosLocker.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 25a32a49d7fd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Bishop Fox Sliver Framework August 2019: Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
- [2] Cybereason Sliver Undated: Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.
- [3] mitre-attack S0633
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.