
Sliver – The C2 Framework

What is Sliver? An Emerging C2 Framework

Sliver is a modern, open-source Command and Control (C2) framework developed by the security company Bishop Fox. Originally built as a legitimate tool for penetration testers and red teams, Sliver has gained popularity for its flexibility, scalability, and ease of use. Unfortunately, like many C2 frameworks, it has also been adopted by cybercriminals and nation-state threat actors.

Key Features of Sliver

Sliver offers several capabilities that make it attractive to both defenders (for testing) and adversaries (for real-world attacks):

  • Cross-Platform Support – Works across Windows, Linux, and macOS environments, making it highly versatile.

  • Encrypted Communication – Supports mutual TLS, WireGuard, and other encrypted channels to secure traffic between compromised hosts and the C2 server.

  • Multiple Implant Types – Provides various “implants” or agents that can be deployed in different formats, including executables, shellcode, and shared libraries.

  • Collaboration and Automation – Designed for team operations, Sliver allows multiple operators to work together and integrates well with automated workflows.

  • Stealth and Evasion – Its communication methods and modular design make it difficult for defenders to detect, particularly when it uses common protocols like HTTPS or DNS.

How It’s Used

  • Red Team Operations: Sliver is widely adopted in security testing to simulate advanced adversaries and measure organizational resilience. Its open-source nature makes it accessible and customizable.

  • Adversarial Use: Threat actors have begun leveraging Sliver in real-world attacks, sometimes as an alternative to Cobalt Strike due to its availability and lower profile. Reports have linked Sliver to espionage campaigns and ransomware intrusions.

Defensive Considerations

Detecting Sliver activity can be challenging due to its encrypted and customizable traffic. Defenders should look for unusual beaconing behavior, unexpected TLS certificates, and anomalous outbound traffic. Threat intelligence feeds increasingly include indicators tied to Sliver servers and payloads.
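The beaconing and certificate checks just described, as an added worked example that is not part of the original article and not code from Bishop Fox or the Sliver project. It assumes a simple comma-separated outbound flow log (timestamp, source IP, destination IP, destination port, TLS certificate issuer) that this script invents, an organisation-specific allowlist of expected certificate issuers, and tunable thresholds for how many connections are needed and how regular their timing must be before a flow is called beacon-like; the sample log lines are constructed.

```python
"""Flag beacon-like outbound flows and unexpected TLS certificate issuers.

Added example for the "Defensive Considerations" section. The log format,
the trusted-issuer allowlist and the thresholds are assumptions, not
anything defined by Sliver or by Bishop Fox.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log: host 10.0.0.5 contacts one external address
# roughly every 60 seconds and presents a certificate from an unknown issuer;
# host 10.0.0.9 shows ordinary, irregular HTTPS traffic to a trusted issuer.
SAMPLE_LOG = """\
2024-05-01T10:00:00,10.0.0.5,203.0.113.7,443,CN=localhost
2024-05-01T10:01:01,10.0.0.5,203.0.113.7,443,CN=localhost
2024-05-01T10:01:59,10.0.0.5,203.0.113.7,443,CN=localhost
2024-05-01T10:03:00,10.0.0.5,203.0.113.7,443,CN=localhost
2024-05-01T10:04:02,10.0.0.5,203.0.113.7,443,CN=localhost
2024-05-01T10:00:12,10.0.0.9,198.51.100.20,443,CN=DigiCert TLS RSA SHA256 2020 CA1
2024-05-01T10:07:45,10.0.0.9,198.51.100.20,443,CN=DigiCert TLS RSA SHA256 2020 CA1
2024-05-01T10:08:03,10.0.0.9,198.51.100.21,443,CN=DigiCert TLS RSA SHA256 2020 CA1
2024-05-01T10:31:40,10.0.0.9,198.51.100.20,443,CN=DigiCert TLS RSA SHA256 2020 CA1
"""

# Issuers the (hypothetical) organisation expects on outbound TLS sessions;
# any other issuer is reported as an unexpected certificate.
TRUSTED_ISSUERS = {"CN=DigiCert TLS RSA SHA256 2020 CA1"}

MIN_CONNECTIONS = 4   # need enough samples before judging timing regularity
MAX_JITTER_CV = 0.15  # coefficient of variation below this looks machine-timed


def parse_log(text):
    """Parse the constructed CSV lines into (ts, src, dst, port, issuer) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, issuer = line.split(",", 4)
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), issuer))
    return rows


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return avg, cv


def find_suspicious_flows(rows):
    """Group flows by (src, dst, port) and list reasons each group looks suspicious."""
    by_peer = defaultdict(list)
    issuers = defaultdict(set)
    for ts, src, dst, port, issuer in rows:
        by_peer[(src, dst, port)].append(ts)
        issuers[(src, dst, port)].add(issuer)

    findings = {}
    for key, times in by_peer.items():
        reasons = []
        if len(times) >= MIN_CONNECTIONS:
            avg, cv = interval_stats(times)
            if cv < MAX_JITTER_CV:
                reasons.append(f"beacon-like interval ~{avg:.0f}s (cv={cv:.2f})")
        unexpected = sorted(issuers[key] - TRUSTED_ISSUERS)
        if unexpected:
            reasons.append("untrusted certificate issuer: " + ", ".join(unexpected))
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst, port), reasons in find_suspicious_flows(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{port}")
        for reason in reasons:
            print("   ", reason)
```

Run as-is it reports only the 10.0.0.5 flow, with both a near-constant 60-second interval and an issuer outside the allowlist. The coefficient-of-variation threshold is the knob to watch: implants that add timing jitter raise it, so in practice the interval check is tuned against the environment's baseline and combined with the certificate and destination-reputation signals rather than used alone, which matches the article's advice to correlate beaconing behaviour, certificate anomalies and threat-intelligence indicators.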

Final Thoughts

Sliver is a rising star in the world of C2 frameworks. Its open-source accessibility and advanced features make it valuable for defenders conducting realistic attack simulations. However, its misuse by malicious actors highlights why organizations must stay vigilant. Understanding Sliver’s capabilities helps security teams better detect and respond to potential intrusions.