100 Days of YARA – Day 36: Sliver Adversary Emulation Framework

Sliver is another C2 framework written by the folks at Bishop Fox: https://github.com/BishopFox/sliver

I have encountered this in the real world used by penetration testers as well as criminals. This is also popular at attack/defend CTFs.

rule sliver_client : c2 implant
{
	meta:
		description = "Bishop Fox's Sliver C2 Implant"
		author = "Daniel Roberson"
		url = "https://github.com/BishopFox/sliver"

	strings:
		$s1 = "github.com/bishopfox/sliver/client"

	condition:
		all of them and filesize < 50MB
}

rule sliver_server : c2
{
	meta:
		description = "Bishop Fox's Sliver C2 Server"
		author = "Daniel Roberson"
		url = "https://github.com/BishopFox/sliver"

	strings:
		$s1 = "RunSliver"

	condition:
		all of them and filesize > 50MB
}

YARA Rules Index

One thought on “100 Days of YARA – Day 36: Sliver Adversary Emulation Framework

  1. Pingback: Week 05 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s