Sliver is a legitimate open-source security tool. This is Goldberg's independent re-analysis of its malicious abuse and the detection that counters it, based on public reporting (Bishop Fox, Microsoft/NCSC, and threat-hunting research — see references).
Overview
Sliver is an open-source, cross-platform C2 framework written in Go, built as a robust alternative to Cobalt Strike. Its legitimacy and quality are precisely why adversaries adopted it: as commercial Cobalt Strike attracted heavy detection, threat actors — including APT29 and several ransomware groups — pivoted to Sliver for post-exploitation.
Capabilities
- Multi-protocol C2: mutual-TLS, WireGuard, HTTP(S), and DNS.
- Per-binary keys: implants are dynamically compiled with unique asymmetric encryption keys.
- Compile-time obfuscation: every generated binary is unique, defeating naïve hash- and signature-based detection.
- Standard post-exploitation: shell, file ops, process injection, pivoting, and extensible armory modules.
Why it's hard — and where it's soft
Unique per-build binaries and encrypted, multi-protocol C2 blunt static and simple network detection. But Go cuts both ways: the entire Go runtime and implant must be unpacked into memory to run, regardless of packing or staging — so memory analysis is a strong, packer-resistant detection surface.
Detection
- Memory: hunt for Sliver's in-memory Go artifacts; the runtime can't hide there even when the on-disk file is obfuscated.
- Canary domains: Sliver can embed compile-time canary domains that appear in cleartext in the binary (the real C2 is encrypted) — a useful triage indicator and tripwire.
- Network: profile the encrypted-beacon patterns and protocol mix (mTLS / DNS / WireGuard) against baselines; correlate JA3/JARM where applicable.
- Host: monitor for new persistence and registry/file artifacts dropped by a fresh, unsigned Go binary.
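Added triage example, not code from the page or from the Sliver project: a Python routine that applies the memory and canary-domain bullets above, checking a binary or memory region for generic Go runtime markers and listing cleartext hostnames for comparison against known canary domains. The marker strings are standard Go artifacts (not Sliver-specific); the std-package and import-path filters are assumptions, and the sample bytes and canary.example.net are constructed.

```python
import re
from dataclasses import dataclass

# Generic Go runtime artifacts (assumed markers, not Sliver-specific strings). A packer
# can hide them on disk; in the memory image of a running implant they are unpacked.
GO_MARKERS = (b".gopclntab", b"Go build ID:", b"\xff Go buildinf:", b"runtime.main", b"go1.")

# Plain ASCII hostname: dotted labels ending in an alphabetic TLD.
FQDN_RE = re.compile(
    rb"(?<![\w.-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})(?![\w-])", re.I)

# Go symbol names (runtime.main, net.Dial) look like hostnames; drop common std packages.
GO_STD_PKGS = {b"runtime", b"net", b"crypto", b"sync", b"os", b"syscall", b"reflect", b"time"}
# Go import paths carry real domains that are not canaries.
ALLOWLIST = {b"golang.org", b"github.com", b"google.golang.org", b"gopkg.in"}

@dataclass
class TriageResult:
    go_markers: list
    cleartext_domains: list

    @property
    def likely_go(self) -> bool:
        # One marker can be coincidental; two independent ones is a confident call.
        return len(self.go_markers) >= 2

def triage_image(data: bytes) -> TriageResult:
    """Flag Go runtime artifacts and cleartext domains in a binary or memory region."""
    markers = [m.decode("latin-1") for m in GO_MARKERS if m in data]
    domains: list[str] = []
    for cand in FQDN_RE.findall(data):
        cand = cand.lower()
        if cand.split(b".")[0] in GO_STD_PKGS or cand in ALLOWLIST:
            continue
        name = cand.decode("ascii")
        if name not in domains:
            domains.append(name)  # hits go on the canary / C2-fingerprint hunt list
    return TriageResult(markers, domains)

# Constructed stand-in for a memory region; not bytes from a real implant.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x00.text\x00.gopclntab\x00.go.buildinfo\x00"
    + b"\xff Go buildinf:\x08\x02" + b"\x00" * 6 + b"go1.21.5\x00"
    + b'Go build ID: "constructed-build-id"\x00'
    + b"runtime.main\x00runtime.gopanic\x00net.Dial\x00golang.org/x/sys/unix\x00"
    + b"canary.example.net\x00"  # compile-time canary left in cleartext (placeholder)
    + b"\x93\xa1\x02\x47\xff\x10" * 4  # opaque bytes standing in for the encrypted C2 config
)
print(triage_image(SAMPLE_IMAGE))
```

Any domain the routine reports is only a candidate; it becomes a Sliver indicator when it matches a canary or C2 fingerprint already known from the estate-wide hunt.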
Remediation
- Isolate and capture memory before reimaging — implant capabilities and keys live in memory.
- Hunt the estate for the same canary domains / C2 fingerprints; assume lateral movement.
- Rotate credentials exposed during the dwell window; reimage from known-good media.