SliverC2
Sliver is a command-and-control framework by BishopFox. The content collected here associates it with Windows process injection and lateral movement.

Splunk analytics describe process injection into commonly abused processes using Sysmon Event ID 10, flagging suspicious GrantedAccess values including 0x40, 0x1fffff, and 0x1f3fff against targets such as notepad.exe, wordpad.exe, calc.exe, lsass.exe, svchost.exe, chrome.exe, edge.exe, firefox.exe, dllhost.exe, spoolsv.exe, regsvr32.exe, and others. This may represent an initial payload executing malicious code and, if malicious, could enable arbitrary code execution, privilege escalation, or persistence.

A separate analytic identifies likely Sliver lateral movement via its PsExec module through creation of a Windows service named "sliver" with the description "Sliver Implant," detected via Windows System Event Log Event ID 7045. This behavior may indicate remote command execution, persistence, maintenance of control over a compromised Windows system, and further network compromise.

High-confidence indicators include the service name "sliver," the service description "Sliver Implant," and the process-injection telemetry patterns above. The same tradecraft has been associated in Splunk detections with multiple threat groups and ransomware operators, including APT38, APT39, APT41, BlackByte, Blue Mockingbird, Chimera, FIN6, FIN7, INC Ransom, Ke3chang, Medusa Group, Moonstone Sleet, Silence, Velvet Ant, Wizard Spider, and Rocke.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
15 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The following analytic detects the creation of a Windows service named "Sliver" with the description "Sliver Implant," indicative of SliverC2 lateral movement using the PsExec module.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
The following analytic detects the creation of a Windows service named "Sliver" with the description "Sliver Implant," indicative of SliverC2 lateral movement using the PsExec module.
Privilege Escalation
1 technique
The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe... This behavior is often associated with the SliverC2 framework by BishopFox.
Stealth
1 technique
The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe... This behavior is often associated with the SliverC2 framework by BishopFox.
Command and Control
1 technique
The following analytic detects any outbound network connection from an endpoint process to a known suspicious or non-standard port... processes communicating over ports like 4444, 2222, or 51820 are commonly used by tools like Metasploit, SliverC2 or other pentest, red team or malware.
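The three analytics above (Sysmon Event ID 10 process access with the listed GrantedAccess masks, Event ID 7045 service creation named "sliver", and outbound connections to 4444/2222/51820) re-expressed as stand-alone detection logic run over constructed sample events. This is an added example, not the Mallory page's or Splunk's own code; the event field names and the use of Sysmon Event ID 3 for the network rule are my assumptions.

```python
# Field names below are assumed (not taken from the page); they mirror the
# Sysmon and Windows System log fields the analytics above rely on.
SUSPICIOUS_ACCESS = {"0x40", "0x1fffff", "0x1f3fff"}
INJECTION_TARGETS = {
    "notepad.exe", "wordpad.exe", "calc.exe", "lsass.exe", "svchost.exe", "chrome.exe",
    "edge.exe", "firefox.exe", "dllhost.exe", "spoolsv.exe", "regsvr32.exe",
}
SUSPICIOUS_PORTS = {4444, 2222, 51820}

def classify(event):
    """Return the name of the matching analytic for one event, or None."""
    source, eid = event.get("source"), event.get("event_id")
    if source == "sysmon" and eid == 10:
        # Sysmon EID 10 (ProcessAccess): target image plus requested access mask.
        target = event.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
        if target in INJECTION_TARGETS and event.get("GrantedAccess", "").lower() in SUSPICIOUS_ACCESS:
            return "sliver_process_injection"
    elif source == "system" and eid == 7045:
        # System EID 7045 (service installed): service name "sliver" or
        # description "Sliver Implant", as the page describes.
        if (event.get("ServiceName", "").lower() == "sliver"
                or event.get("ServiceDescription") == "Sliver Implant"):
            return "sliver_psexec_service"
    elif source == "sysmon" and eid == 3:
        # Sysmon EID 3 (NetworkConnect) is my assumed source for outbound
        # connections; the page names the ports but not the event type.
        if event.get("Initiated") and event.get("DestinationPort") in SUSPICIOUS_PORTS:
            return "suspicious_outbound_port"
    return None

def hunt(events):
    """Return (host, analytic) pairs for every event that matches a rule."""
    return [(e["host"], r) for e in events if (r := classify(e))]

# Constructed sample events: the first of each pair should fire, the second not.
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "sysmon", "event_id": 10,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"host": "WS01", "source": "sysmon", "event_id": 10,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
    {"host": "SRV02", "source": "system", "event_id": 7045,
     "ServiceName": "sliver", "ServiceDescription": "Sliver Implant"},
    {"host": "SRV02", "source": "system", "event_id": 7045,
     "ServiceName": "Dnscache", "ServiceDescription": "DNS Client"},
    {"host": "WS03", "source": "sysmon", "event_id": 3, "Initiated": True, "DestinationPort": 4444},
    {"host": "WS03", "source": "sysmon", "event_id": 3, "Initiated": True, "DestinationPort": 443},
]
```

`hunt(SAMPLE_EVENTS)` returns one hit per host; in a real pipeline the port rule in particular needs allow-listing, since the page itself notes those ports are shared by legitimate pentest tooling.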
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A command-and-control framework/implant used for lateral movement, remote command execution, and persistence on compromised Windows systems, including service creation via its PsExec module.
A command-and-control framework associated here with process injection into commonly abused Windows processes to execute malicious code, potentially enabling arbitrary code execution, privilege escalation, or persistent access.