Threat Profile
| Characteristic | Details |
|---|---|
| Threat Name | Sliver |
| Threat Type | Command & Control (C2) Framework / Remote Access Tool |
| Platform | Windows (also available for Linux, macOS) |
| File Type | Windows PE Executable |
| Primary Purpose | Remote system control, data exfiltration, lateral movement |
| First Documented | 2019 (legitimate tool), weaponized by threat actors 2021+ |
| Detection Names | Generic.Sliver, HackTool.Win32.Sliver, PUA.Sliver, C2.Sliver |
| Communication Methods | DNS, TCP, HTTP, HTTPS, mTLS (mutual TLS) |
| Target Victims | Small to medium businesses, healthcare, professional services, individual high-value targets |
| Origin | Open-source project (Bishop Fox), misused by cybercriminals and APT groups |
| Severity Level | High to Critical (full remote control capability) |
| Persistence Methods | Scheduled tasks, registry Run keys, service installation, WMI event subscriptions |
How It Spreads
Sliver doesn't spread itself like traditional viruses—instead, threat actors manually deploy it after gaining initial access to your system through other means. This makes it a "second-stage" threat that indicates you've already been compromised through a separate vulnerability or attack vector. The attackers use Sliver specifically because it gives them persistent, stealthy access to continue their operations over weeks or months. The framework's legitimate origins make it particularly dangerous. Because Sliver was built for authorized penetration testing, its network traffic and behaviors are designed to blend in with normal system activity. Security researchers have observed threat actors deploying Sliver after phishing campaigns, exploiting unpatched software vulnerabilities, or purchasing access from initial access brokers on dark web forums. Once inside your network, attackers use Sliver to establish a reliable communication channel back to their command servers. Common distribution methods include: - **Phishing emails** containing malicious attachments or links that download Sliver implants after initial payload execution - **Software supply chain attacks** where legitimate applications are trojanized to include Sliver components - **Exploitation of public-facing services** like RDP, VPNs, or web applications with known vulnerabilities - **Social engineering attacks** convincing users to run "system update" files or "security patches" that are actually Sliver installers - **Compromised installer packages** distributed through file-sharing sites or torrents claiming to be legitimate software - **Lateral movement from already-infected machines** on your network using stolen credentials - **Drive-by downloads** from compromised websites targeting specific industries or regions - **USB devices** left in parking lots or mailed to offices as part of targeted attacksWhat It Does On Your Machine
Once Sliver establishes itself on your system, it creates a persistent backdoor that gives attackers nearly complete control over your computer. The implant runs quietly in the background, checking in with the attacker's command server at regular intervals to receive new instructions. This communication can happen over multiple protocols—DNS queries that look like normal web browsing, HTTPS connections that appear to be legitimate encrypted traffic, or even TCP connections disguised as routine network activity. The modular design of Sliver means attackers can load additional capabilities on demand without installing more files on your disk. They can execute commands, browse your file system, capture screenshots, log keystrokes, dump passwords from memory, and establish tunnels to other machines on your network. Small business owners should be particularly concerned because Sliver excels at lateral movement—once it's on one machine, attackers can use it as a launching point to compromise your entire network, including servers, databases, and backup systems. What makes Sliver especially troubling is its ability to evade detection through polymorphic implants—each generated payload has different code signatures, making signature-based antivirus detection nearly impossible. The framework supports multiple concurrent callback methods, so even if you block one communication channel, the implant automatically switches to another. Sandbox analysis becomes difficult because Sliver can detect virtual environments and simply remain dormant when it suspects it's being analyzed.Manual Removal — Step by Step
Disconnect and Document
Immediately disconnect the infected computer from your network—unplug the ethernet cable and disable Wi-Fi. Do NOT shut down the machine yet if possible, as this may destroy forensic evidence. Take photos of any suspicious process names in Task Manager (Ctrl+Shift+Esc). Note any recent unusual activity, new programs installed, or security warnings you dismissed.
Boot into Safe Mode with Networking
Restart your computer and press F8 repeatedly during startup (or Shift+F8 on newer systems). Select "Safe Mode with Networking" from the boot menu. This prevents most startup programs from launching, including many persistence mechanisms Sliver might use. If you cannot access Safe Mode, the infection may have disabled this functionality—bring the machine to our shop immediately.
Identify Suspicious Processes and Files
Open Task Manager and carefully review all running processes. Look for executables with legitimate-sounding names (svchost.exe, chrome.exe, explorer.exe) running from unusual locations like AppData\Local\Temp, Users\Public, or the root of C:\. Right-click suspicious processes, select "Open file location," and document the full path. Sliver implants often masquerade as system files but run from user directories.
Check Scheduled Tasks and Startup Items
Open Task Scheduler (type "taskschd.msc" in the Run dialog) and review the Task Scheduler Library. Look for tasks with generic names like "SystemUpdate," "UserTask," or tasks referencing executables in unusual locations. Also check msconfig (type "msconfig" in Run) under the Startup tab, and review HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run in Registry Editor (regedit) for suspicious startup entries.
Run Multiple Security Scans
Download and run Malwarebytes, HitmanPro, and ESET Online Scanner from a clean device and transfer via USB. Run full system scans with each tool—Sliver's polymorphic nature means one scanner might miss what another catches. Do NOT rely solely on your existing antivirus, as Sliver is specifically designed to evade signature-based detection. Save all scan logs to an external drive.
Remove Identified Threats and Clean Registry
Quarantine or delete all flagged files. Manually delete the executable files you documented in Step 3 if they weren't caught by scanners. Remove any scheduled tasks and registry entries you identified in Step 4. Be extremely careful in Registry Editor—only delete entries you're certain are malicious. If you're uncertain about any file or registry key, stop here and bring the machine to our shop.
Reset Network Settings and Flush DNS
Sliver can modify network configurations to maintain persistence. Open Command Prompt as Administrator and run: "netsh winsock reset", "netsh int ip reset", and "ipconfig /flushdns". Then run "netsh advfirewall reset" to restore firewall defaults. Restart your computer after completing these commands.
Change All Passwords from a Clean Device
Assume all credentials stored on the infected machine have been compromised. Using a separate, clean computer or phone, immediately change passwords for email, banking, business systems, and any accounts you accessed from the infected machine. Enable two-factor authentication wherever possible. Change your Wi-Fi password as well.
Monitor for Reinfection and Lateral Movement
Even after removal, monitor the machine closely for 72 hours. Watch for unusual network activity, unexpected processes, or the return of deleted files. Check other computers on your network for similar symptoms—Sliver infections rarely exist in isolation. If any suspicious activity returns, the implant may have established multiple persistence mechanisms you missed.
Consider Professional Forensic Analysis
Manual removal of Sliver is extremely difficult even for experienced users because of its modular design and sophisticated evasion techniques. If you're dealing with business data, client information, or financial records, professional forensic analysis is strongly recommended. We can perform memory dumps, analyze network logs, identify data exfiltration, and ensure complete eradication of all backdoor components.
Prevention
- Implement network segmentation: Separate guest networks, employee workstations, and critical servers into different VLANs with firewall rules between them. This limits lateral movement if one machine becomes compromised.
- Deploy endpoint detection and response (EDR) solutions: Traditional antivirus isn't enough against frameworks like Sliver. EDR tools monitor for behavioral anomalies, process injection, and command-and-control communications rather than just signature matches.
- Maintain strict application whitelisting: Only allow approved executables to run on business systems. Implement Software Restriction Policies or AppLocker to prevent unauthorized programs from executing, especially from user-writable directories like AppData and Temp folders.
- Monitor outbound network traffic: Configure your firewall to log and alert on unusual outbound connections, particularly HTTPS traffic to uncommon destinations, DNS queries to newly registered domains, or connections on non-standard ports.
- Conduct regular security awareness training: Teach employees to recognize phishing attempts, verify software downloads from official sources only, and report suspicious emails or system behavior immediately before clicking or opening attachments.
- Keep all systems and software updated: Enable automatic updates for Windows, browsers, and all applications. Sliver is often deployed after exploiting known vulnerabilities that have available patches—don't give attackers easy entry points.
- Implement multi-factor authentication everywhere: Even if credentials are stolen from an infected machine, MFA prevents attackers from accessing your accounts remotely. Use authenticator apps rather than SMS when possible.
- Establish offline backup systems: Maintain encrypted backups that are disconnected from the network after completion. Sliver infections often precede ransomware deployment—accessible backups will be encrypted along with your live data.