Sliver

Pen testing

C2

Sliver is an open source, cross-platform adversary emulation and red team framework from Bishop Fox. It supports testing across multiple operating systems: Windows, macOS and Linux. Sliver’s implants support command and control (C2) over several protocols, Mutual TLS (mTLS), WireGuard, HTTP(S) and DNS, giving you both flexibility and transport security in your testing environments.

Key Insights

Introduced as an alternative to commercial tools like Cobalt Strike, Sliver has gained popularity among both security professionals and threat actors. Its modular design lets you extend its capabilities through an extension package manager called Armory, so you can add your own third-party tools. This makes Sliver a strong choice for full-spectrum testing.

Features and Capabilities

Sliver has the core features needed for adversary simulation, including in-memory payload execution, dynamic code generation and process injection. Its implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority, so implant-to-server traffic is authenticated during operations. Sliver also has a multiplayer mode so multiple operators can work together during an engagement.

Adoption by Threat Actors

While Sliver was designed for legitimate security use, its open source nature has led to adoption by threat actors. APT29 (also known as Cozy Bear) has used Sliver in its intrusion campaigns to build out robust C2 infrastructure. This is a dual-use framework, and defenders should be monitoring for its use in the wild.

Known Variants

Sliver is actively maintained with regular updates and new features. The latest stable release is 1.5.42, which includes fixes for C2 and other components.

Mitigation Strategies

  • Segment your network to limit lateral movement.

  • Deploy IDS/IPS to detect and track C2 traffic.

  • Keep systems up to date and patched.

  • Hunt proactively for threats.

Targeted Industries or Sectors

Often used in penetration tests, but also abused by attackers targeting IT infrastructure and critical systems.

Associated Threat Actors

Used by professional red teams and by advanced persistent threat groups for stealthy operations.
