{
	"id": "1c7a9f65-5b61-40cf-9d8c-3850d99a21ad",
	"created_at": "2026-04-06T00:16:06.744053Z",
	"updated_at": "2026-04-10T03:26:55.368628Z",
	"deleted_at": null,
	"sha1_hash": "757c99ad870d6b6535943bdfbd61f33fb583d1ba",
	"title": "Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 858365,
	"plain_text": "Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks | Microsoft Security Blog\r\nBy Microsoft Defender Experts\r\nPublished: 2022-08-24 · Archived: 2026-04-05 13:52:47 UTC\r\nMicrosoft has observed the Sliver command-and-control (C2) framework now being adopted and integrated in\r\nintrusion campaigns by nation-state threat actors, cybercrime groups directly supporting ransomware and\r\nextortion, and other threat actors to evade detection. We’ve seen these actors use Sliver with—or as a replacement\r\nfor—Cobalt Strike. Given Cobalt Strike’s popularity as an attack tool, defenses against it have also improved over\r\ntime. Sliver thus presents an attractive alternative for actors looking for a lesser-known toolset with a low barrier\r\nfor entry.\r\nFirst made public in late 2019 and advertised to security professionals, Sliver is an open-source framework that’s\r\navailable on GitHub and includes many common C2 framework features such as support for multiple\r\nsimultaneous operators, multiple listener types, user-developed extensions, and payload generation. Since\r\nDecember 2020, we’ve observed threat actors adopting Sliver into their arsenal.\r\nAmong its adopters is the prolific ransomware-as-service (RaaS) affiliate DEV-0237. More recently, we’ve seen\r\ncybercrime actors historically tied to human-operated ransomware now deliver Sliver and various post-compromise tools using Bumblebee malware (also known as COLDTRAIN) as an initial access loader. 
Customers\r\ncan learn more about Bumblebee in our Threat Analytics report available in the Microsoft 365 Defender portal.\r\nIn this blog, we share how the researchers behind Microsoft Defender Experts for Hunting analyzed Sliver and\r\nused both lab-simulated attacks and real-world threat activity to create hunting queries to surface Sliver and other\r\nC2 frameworks.\r\nThreat hunting: Part art(ifact), all science\r\nFor security researchers, there’s a distinction between hunting and detection. For novel threats, researchers try to\r\nstrike a balance between high-fidelity detection rules identifying a specific, known malware family, threat actor, or\r\nclass of behavior and low-fidelity hunting rules, which generate more false positives but also more generically\r\ncapture a technique and its derivatives.\r\nThe following sections illustrate the art and science of how these lower-fidelity rules help threat hunters measure\r\nand contextualize suspicious observations to find novel or stealthy threats.\r\nSleuthing Sliver\r\nThreat actors use C2 frameworks to manage their access to compromised hosts and networks during an intrusion.\r\nA C2 framework usually includes a server that accepts connections from implants on a compromised system, and\r\na client application that allows the C2 operators to interact with the implants and launch malicious commands.\r\nhttps://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/\r\nPage 1 of 11\n\nMany threat actors integrate public, open-source C2 framework options into their arsenal because these have a low\r\nbarrier to entry and offer several advantages for attackers like low cost, ease of modification, and difficult\r\nattribution. As previously mentioned, Sliver is one such open-source framework. 
Although Sliver is somewhat\r\nnew, the TTPs it implements are common across many frameworks.\r\nBelow are examples of how Defender Experts hunt for these TTPs to identify Sliver and other emerging C2\r\nframeworks in customer environments.\r\nInfrastructure\r\nSliver, like many C2 frameworks, supports various network protocols such as DNS, HTTP/TLS, MTLS, and TCP.\r\nIt can also accept implant or operator connections and host files to impersonate a benign web server.\r\nThe first step in testing any C2 framework is starting listeners and scanning them to identify anomalies. Some\r\ncommon artifacts are unique HTTP header combinations and JARM hashes, the latter of which are active\r\nfingerprinting techniques for TLS servers. RiskIQ has shared such a methodology for Sliver and Bumblebee\r\ndetection.\r\nPayloads\r\nSince Sliver is written in the Go programming language (GoLang), its implants are cross-platform compatible. By\r\ndefault, operators can generate implants in several formats, including:\r\nShellcode\r\nExecutable\r\nShared library/DLL\r\nService\r\nSliver also supports stagers—smaller payloads with few built-in features that are primarily intended to retrieve\r\nand launch a full implant. Stagers are used by many C2 frameworks to minimize the malicious code that’s\r\nincluded in an initial payload (for example, in a phishing email). This can make file-based detection more\r\nchallenging.\r\nHowever, operators don’t need to use Sliver’s default DLL or executable payloads. Motivated threat actors can\r\ngenerate a Sliver shellcode and embed it in custom loaders like Bumblebee that then runs the Sliver implant on a\r\ncompromised system. Detection engineers can create loader-specific detections or, if the shellcode isn’t\r\nobfuscated, rules for the shellcode payload that is embedded in the loader.\r\nWhen responding to a suspected intrusion, security analysts may find themselves with a malware payload with\r\nlittle context. 
Quickly extracting key configuration details from the malware like C2 address, network\r\nconfigurations, and other implant details is a crucial step in hunting for affected devices in the network.\r\nMany implants, including Sliver, heavily obfuscate or encrypt useful information to prolong analysis and detection\r\nattempts. Sliver, like other implants based on GoLang, uses public libraries for this purpose. Current\r\nimplementations use the garble library while earlier versions use the gobfuscate library. Several researchers have\r\ncreated tools to assist with “de-obfuscating” strings in payloads, but it is still a fairly manual process[1] and not all\r\nlibraries are supported.\r\nIn such cases, we can extract configurations we are interested in more easily when they’re loaded into memory.\r\nSliver must de-obfuscate and decrypt its configurations to use them, so we can scan memory for these values and\r\nextract them programmatically to get results like configuration data, as illustrated in Figure 1 below:\r\nFigure 1. Sample configuration extraction from a Sliver test implant\r\nThere are similar public de-obfuscation tools for Cobalt Strike, such as Apr4h/CobaltStrikeScan and\r\nCCob/BeaconEye.\r\nSome malware will attempt to obfuscate or encrypt configurations in memory as well. Cobalt Strike’s\r\n“sleep_mask” is a good example of this. However, it’s important to note that even in these cases, the malware\r\nmust decrypt the configurations when it wants to check in with the C2 server for new instructions. Thus,\r\nextracting configurations from memory requires intentional timing.\r\nCode execution\r\nSliver includes a variety of built-in techniques and post-exploitation functionality. 
One of the most common\r\nunderlying techniques used by C2 operators and frameworks is process injection, which is a method of running\r\narbitrary code within the address space of a separate live process.\r\nAttackers use process injection for defense evasion, access, or privilege elevation, distancing risky code execution,\r\nand many other reasons. As Microsoft researchers explained: “[P]rocess injection gives attackers the ability to run\r\nmalicious code that masquerades as legitimate programs. With code injection, attackers don’t have to use custom\r\nprocesses that can quickly be detected. Instead, they insert malicious code into common trusted processes (e.g.,\r\nexplorer.exe, regsvr32.exe, svchost.exe, etc.), giving their operations an increased level of stealth and persistence.”\r\nFigure 2 below illustrates how process injection typically works:\r\nFigure 2. How process injection works\r\nJust like any other C2 framework, Sliver utilizes process injection as a core part of many default commands or\r\ncapabilities, such as:\r\nmigrate (command) – migrate into a remote process\r\nspawndll (command) – load and run a reflective DLL in a remote process\r\nsideload (command) – load and run a shared object (shared library/DLL) in a remote process\r\nmsf-inject (command) – inject a Metasploit Framework payload into a process\r\nexecute-assembly (command) – load and run a .NET assembly in a child process\r\ngetsystem (command) – spawn a new Sliver session as the NT AUTHORITY\\SYSTEM user\r\nextensions/aliases – Beacon Object Files (BOFs), .NET apps, and other third-party tooling\r\nSliver also uses common process injection implementations. 
For example, as of this writing, the built-in Sliver\r\nmigrate command migrates to a remote process using a classic combination of VirtualAllocEx,\r\nWriteProcessMemory, VirtualProtectEx, and finally CreateRemoteThread Windows API calls. Other commands\r\nsuch as Sideload, SpawnDll, and Execute-Assembly also rely on this combination. This sequence of injection-related API calls is well documented, and Microsoft Defender for Endpoint generates alerts such as “A process was\r\ninjected with potentially malicious code” based on the combination of such API calls:\r\nFigure 3. Example of Microsoft Defender for Endpoint alerts for injection-related API calls\r\nAside from process injection, Sliver provides additional familiar techniques such as lateral movement via a\r\nPsExec command. Defender for Endpoint generates multiple alerts on such default techniques:\r\nFigure 4. Example of Microsoft Defender for Endpoint alerts for default service installation created\r\nby PsExec command\r\nSurfacing Sliver threat activity\r\nBased on our analysis of the Sliver framework, Defender Experts designed advanced hunting queries to surface\r\nSliver-related threat activity. These hunting queries leverage Kusto Query Language (KQL), a query language\r\nspecifically designed to work with large datasets in Azure. Unless otherwise noted, the detection and hunting\r\nguidance in this blog is designed for the official, non-customized Sliver codebase available as of this writing.\r\nCustomers can run the following queries in the Microsoft 365 Defender portal. These queries are examples of how\r\nhunters can key in on unique default configurations implemented by Sliver.\r\nFigure 5. 
Running advanced hunting queries in Microsoft 365 Defender\r\nGetSystem\r\nThe following query finds a potential launch of the built-in GetSystem command, where the default target,\r\nspoolsv.exe, is used as the target process for injection. The query looks for SeDebug privileges being added to a\r\nprocess, followed by that same process creating a remote thread in spoolsv.exe within 30 seconds.\r\n// SeDebugPrivilege constant used to identify if this privilege is enabled in Token\r\nlet SeDebugPriv = 1048576;\r\nDeviceEvents\r\n| where FileName == 'spoolsv.exe'\r\n| where ActionType == 'CreateRemoteThreadApiCall'\r\n| where InitiatingProcessFileName !~ 'csrss.exe'\r\n| project InitiatingProcessId, DeviceId, CreateTime=Timestamp, FileName\r\n| join kind=inner (\r\nDeviceEvents\r\n| where ActionType == 'ProcessPrimaryTokenModified'\r\n| extend TokenModTime = Timestamp\r\n) on DeviceId, InitiatingProcessId\r\n| where TokenModTime between ((CreateTime - 30s) .. 
CreateTime)\r\n| extend JSON=parse_json(AdditionalFields)\r\n// This line looks for SeDebugPrivilege being the ONLY privilege changed, which is how it is implemented in Sliver\r\n| where binary_xor(tolong(JSON.OriginalTokenPrivEnabled),tolong(JSON.CurrentTokenPrivEnabled)) == SeDebugPriv\r\n// Optionally comment out the above and use this line, which is more generic and simply checks for SeDebugPrivilege not being initially enabled\r\n//| where binary_and(tolong(JSON.OriginalTokenPrivEnabled), SeDebugPriv) == 0\r\n| where binary_and(tolong(JSON.CurrentTokenPrivEnabled), SeDebugPriv) != 0 // Confirming SeDebugPrivilege is enabled in Current Token\r\n| extend TargetProcessFileName=FileName\r\n| project-reorder DeviceName, InitiatingProcessFileName, TargetProcessFileName, InitiatingProcessId\r\nShell\r\nThe following query finds the default, unique PowerShell command used when Sliver creates an interactive shell\r\nwith the ‘Shell’ command.\r\nDeviceProcessEvents\r\n| where ProcessCommandLine == 'powershell.exe -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'\r\nSideload/SpawnDll/Execute-Assembly\r\nThe Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The\r\nfollowing query finds process creation events where the same process creates and injects into notepad.exe within\r\n10 seconds.\r\nDeviceProcessEvents\r\n| where ActionType == 'ProcessCreated'\r\n| where ProcessCommandLine =~ 'notepad.exe'\r\n| distinct InitiatingProcessId, DeviceId\r\n| join kind=inner (\r\nDeviceEvents\r\n| where ActionType == 'CreateRemoteThreadApiCall'\r\n| where ProcessCommandLine == 'notepad.exe'\r\n| where Timestamp between (ProcessCreationTime .. 
(ProcessCreationTime+10s))\r\n) on DeviceId, InitiatingProcessId\r\nPsExec\r\nThe following query finds default values for the ImagePath, DisplayName, and Description of the service\r\ninstalled on the remote system when using Sliver’s PsExec command.\r\nDeviceRegistryEvents\r\n| where ActionType == 'RegistryValueSet'\r\n| where (RegistryValueName == 'ImagePath' and RegistryValueData matches regex @'^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe') or\r\n(RegistryValueName == 'DisplayName' and RegistryValueData == 'Sliver') or\r\n(RegistryValueName == 'Description' and RegistryValueData == 'Sliver implant')\r\nThe following query is an alternative method of searching on the same service properties but within service\r\ninstallation events instead of registry keys.\r\nDeviceEvents\r\n| where ActionType == 'ServiceInstalled'\r\n| extend JSON = parse_json(AdditionalFields)\r\n| where (FolderPath endswith_cs @':\\windows\\temp' and FileName matches regex @'^[a-zA-Z0-9]{10}\\.exe') or (JSON.ServiceName == 'Sliver')\r\nBuilding resilience against future attacks with threat hunting\r\nOur analysis of Sliver’s source code and functionality reveals hunting opportunities that can also be adapted for\r\nuse against other malware frameworks. In addition, Sliver and many other C2 frameworks are yet another example\r\nof how threat actors are continually attempting to evade automated security detections. Threat hunting provides an\r\nadded layer to other security mitigations and can help address areas of defense evasion. 
By focusing research\r\nefforts on the underlying attacker techniques used within Sliver, detections and threat hunting strategies are more\r\nresilient to future changes in attacker toolsets implementing those techniques.\r\nDefender Experts is part of Microsoft’s global network of more than 8,500 security experts that further enriches\r\nour vast cross-domain signals and lets us deliver coordinated threat defense in our security products and solutions.\r\nAs seen in our research on Sliver, our monitoring of the threat landscape informs advanced, high-fidelity KQL\r\nqueries that are then thoroughly tested to form the basis of our Defender Experts Notifications. These notifications\r\nare designed to identify the most important risks, and provide technical information, as well as hunting and\r\nmitigation guidance.\r\nOur insights from threat hunting and monitoring also feed into products like Microsoft Defender for Endpoint that\r\nthen alert customers to malicious activity seen with C2 frameworks like Sliver. The following alert titles in the security\r\ncenter can indicate threat activity on customer networks:\r\nRansomware-linked emerging threat activity group detected\r\nSuspicious behavior by cmd.exe was observed\r\nSuspicious sequence of exploration activities\r\nSuspicious data transfer\r\nSuspicious System Network Configuration Discovery\r\nProcess hollowing detected\r\nA process was injected with potentially malicious code\r\nSuspicious Peripheral Device Discovery\r\nAbnormal Remote Service Execution\r\nSuspicious file dropped\r\nSuspicious command launched from a remote location\r\nSuspicious files or content obfuscation/de-obfuscation activity\r\nMicrosoft customers can also apply the following security mitigations to reduce the impact of Sliver and other\r\nsimilar threats:\r\nTurn on network protection. 
Network protection helps prevent users from accessing dangerous domains\r\nand IP addresses. Check your perimeter firewall and proxy to restrict servers from making arbitrary\r\nconnections to the internet to browse or download files. Such restrictions help inhibit malware downloads\r\nand C2 activity, including on mobile devices.\r\nUse Microsoft Defender Firewall, which, along with your network firewall, prevents remote procedure call\r\n(RPC) and server message block (SMB) communication between endpoints whenever possible. This limits\r\nlateral movement and other attack activities.\r\nTurn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus.\r\nThese capabilities use artificial intelligence and machine learning to quickly identify and stop new and\r\nunknown threats.\r\nCheck your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with\r\nmalware. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against\r\nnew threats and polymorphic variants. Configure Office 365 to recheck links on click and delete sent mail\r\nin response to newly acquired threat intelligence.\r\nOrganizations can also follow these general best practices to make their networks resilient against attacks:\r\nHarden the cloud. As attackers move towards cloud resources, it’s important to secure cloud resources\r\nand identities as well as on-premises accounts. Security teams should focus on hardening security identity\r\ninfrastructure, enforcing multifactor authentication (MFA) on all accounts, and treating cloud\r\nadmins/tenant admins with the same level of security and credential hygiene as Domain Admins.\r\nClose security blind spots. Organizations should verify that their security tools are running in optimum\r\nconfiguration and perform regular network scans to ensure a security product protects all systems.\r\nReduce the attack surface. 
Establish attack surface reduction rules to prevent common attack techniques\r\nused by C2 frameworks.\r\nEvaluate the perimeter. Organizations must identify and secure perimeter systems that attackers might\r\nuse to access the network. Public scanning interfaces can be used to augment data.\r\nHarden internet-facing assets. Attackers use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage to get the C2 framework onto the target systems. They also rapidly\r\nadopt new vulnerabilities. To further reduce exposure, organizations can use endpoint detection and\r\nresponse (EDR) products with threat and vulnerability management capabilities, such as Microsoft\r\nDefender for Endpoint, to discover, prioritize, and remediate vulnerabilities and misconfigurations.\r\nTo find out how you can extend your ability to defend and manage your security with managed services from\r\nMicrosoft, learn more about Microsoft Security Experts.\r\nAppendix\r\nMicrosoft 365 Defender detections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects Sliver threat components as the following malware:\r\nTrojan:Linux/Sliver.A\r\nTrojan:Win64/Sliver.D\r\nTrojanDownloader:PowerShell/Splinter.A\r\nBehavior:Win32/Splinter.A\r\nVirTool:Win32/SPLINTER.A\r\nVirTool:Win64/Splinter.A\r\nMicrosoft Defender Antivirus also detects the Bumblebee loader as the following malware:\r\nTrojan:Win64/Bumblebee\r\nTrojan:Win64/BumbleBeeLoader\r\nTrojan:PowerShell/Bumblebee\r\n[1] Automated string de-gobfuscation, Kryptos Logic\r\nSource: 
https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/"
	],
	"report_names": [
		"looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434566,
	"ts_updated_at": 1775791615,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/757c99ad870d6b6535943bdfbd61f33fb583d1ba.pdf",
		"text": "https://archive.orkl.eu/757c99ad870d6b6535943bdfbd61f33fb583d1ba.txt",
		"img": "https://archive.orkl.eu/757c99ad870d6b6535943bdfbd61f33fb583d1ba.jpg"
	}
}