Sliver is an open-source, cross-platform tool created by Senior Security Associate Joe DeMesy and Security Associate Ronan Kervella. It was introduced at SummerCon in June 2019 and is currently in beta. Sliver supports command and control (C2) over mutual TLS (mTLS), HTTP(S), and DNS and can be used as part of a cyber attack, much as tools like nc or nmap can. The software provides a practical framework for adversary simulation and has gained popularity among threat actors, especially after law enforcement attempted to shut down 'cracked' versions of another offensive toolkit, Cobalt Strike, in the latter half of 2023.
The primary purpose of Sliver is to allow red teams to maintain access to and control over a compromised system after gaining initial entry. This makes it a valuable tool for post-exploitation activity, as detailed by researchers with Cybereason in January. One particular variant of the Sliver tool, named KrustyLoader by Synacktiv researcher Théo Letailleur, downloads and executes a backdoor written in Golang, providing a stealthy and easily controlled foothold on the host.
Despite its potential for misuse, Sliver is not inherently malicious. It's licensed under GPLv3, though some subcomponents have separate licenses. Its creators encourage contributions to its ongoing development. However, caution is advised due to its current beta status. To aid in detection and extraction of indicators of compromise (IoCs), Letailleur offers hashes, a Yara rule, and a script in his analysis. Furthermore, Volexity's analysis uncovered 12 nearly identical Rust payloads downloaded to compromised appliances that execute a variant of the Sliver tool.
Description last updated: 2024-05-05T00:38:04.857Z