100 Days of YARA – Day 36: Sliver Adversary Emulation Framework

Sliver is another C2 framework written by the folks at Bishop Fox: https://github.com/BishopFox/sliver

I have encountered this in the real world used by penetration testers as well as criminals. This is also popular at attack/defend CTFs.

rule sliver_client : c2 implant
{
	meta:
		description = "Bishop Fox's Sliver C2 Implant"
		author = "Daniel Roberson"
		url = "https://github.com/BishopFox/sliver"

	strings:
		$s1 = "github.com/bishopfox/sliver/client"

	condition:
		all of them and filesize < 50MB
}

rule sliver_server : c2
{
	meta:
		description = "Bishop Fox's Sliver C2 Server"
		author = "Daniel Roberson"
		url = "https://github.com/BishopFox/sliver"

	strings:
		$s1 = "RunSliver"

	condition:
		all of them and filesize > 50MB
}

YARA Rules Index

One thought on “100 Days of YARA – Day 36: Sliver Adversary Emulation Framework”

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

Share this:

Like this:

One thought on “100 Days of YARA – Day 36: Sliver Adversary Emulation Framework”

Leave a Reply Cancel reply