Sliver Detection Ideas

sliver_detection.md

Sliver C2 Detection Research

Blog Posts

• https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
• https://community.netwitness.com/t5/netwitness-community-blog/sliver-c2-network-and-endpoint-detection-with-netwitness/ba-p/689643

Discussions

• https://twitter.com/svch0st/status/1562752142066470918?lang=en

Defaults

Process Injection (through Execute-Assembly w/o --in-process)

Default process created is notepad.exe through CreateRemoteThread.

Remote Ports

mtls: 8888 wireguard: 51820

PSExec

Default service name is "Sliver" with description like "Sliver implant" with a PathName starting with C:\Windows\Temp\