YARA rules for Sliver
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts over files or memory dumps. Both rules below reference the YARA `pe` module, so the file they are compiled from must carry `import "pe"` above them.
// Sliver 32-bit implant (x86) detector.
//
// Detection idea: the implant selects its C2 transport with a Go `switch`
// on the protocol name ("tcppivot", "wg", "dns", "http", "https", "mtls").
// The compiler lowers those string cases into immediate compares against
// the raw string bytes, so the patterns below match the *compiled switch*,
// not the plaintext strings. Every pattern wildcards the ModRM byte (`??`)
// so the register holding the string pointer does not matter.
//
// Hunting caveats:
//   * The wildcarded ModRM byte also admits the other 0x80/0x81 group-1
//     ALU ops (add/sub/and/...) with the same ASCII immediate, so unrelated
//     Go binaries can collide. The $benign_* strings presumably exist to
//     suppress such known collisions - extend them if you see noise.
//   * $case_http is a strict prefix of $case_https, so a single https
//     compare satisfies both; with https present the threshold is
//     effectively three distinct transports, not four.
//   * "mtls" is build-dependent (see note on that string), hence a
//     threshold below all six strings.
//   * The condition uses the `pe` module: the .yar file needs `import "pe"`.
//     `pe.number_of_signatures` is undefined for non-PE input, and an
//     undefined operand makes the `and` false, so this rule only fires on
//     UNSIGNED PE files. Signed Sliver builds and ELF/Mach-O implants are
//     out of scope and need separate coverage.
rule Sliver_Implant_32bit
{
    meta:
        description = "Sliver 32-bit implant (with and without --debug flag at compile)"
        hash = "911f4106350871ddb1396410d36f2d2eadac1166397e28a553b28678543a9357"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        modified = "2025-03-21"
        id = "6bc4d7d1-64cf-5920-8f07-54a8a7a94f26"

    strings:
        // case "http": one dword compare, "http" little-endian = 70747468h.
        //   81 ?? 68 74 74 70        cmp dword ptr [reg], 70747468h
        $case_http = { 81 ?? 68 74 74 70 }

        // case "https": the same dword compare followed, within 2-20 bytes,
        // by a byte compare of the fifth character.
        //   81 ?? 68 74 74 70        cmp dword ptr [reg], 70747468h
        //   80 ?? 04 73              cmp byte ptr [reg+4], 73h   ; 's'
        $case_https = { 81 ?? 68 74 74 70 [2-20] 80 ?? 04 73 }

        // case "dns": word compare of "dn" (6E64h), then byte compare of 's'.
        //   66 81 ?? 64 6E           cmp word ptr [reg], 6E64h
        //   80 ?? 02 73              cmp byte ptr [reg+2], 73h   ; 's'
        $case_dns = { 66 81 ?? 64 6e [2-20] 80 ?? 02 73 }

        // case "wg": a single word compare, "wg" little-endian = 6777h.
        //   66 81 ?? 77 67           cmp word ptr [reg], 6777h
        $case_wg = { 66 81 ?? 77 67 }

        // case "tcppivot": two dword compares, "tcpp" (70706374h) then
        // "ivot" (746F7669h) at offset +4.
        //   81 ?? 74 63 70 70        cmp dword ptr [reg], 70706374h
        //   81 ?? 04 69 76 6F 74     cmp dword ptr [reg+4], 746F7669h
        $case_tcppivot = { 81 ?? 74 63 70 70 [2-20] 81 ?? 04 69 76 6f 74 }

        // case "mtls": "mtls" little-endian = 736C746Dh.
        // NOTE: this case is compile-time configurable and may be absent
        // from a given build, so the condition does not require it.
        //   81 ?? 6D 74 6C 73        cmp dword ptr [reg], 736C746Dh
        $case_mtls = { 81 ?? 6d 74 6c 73 }

        // Known-benign markers; any hit vetoes the rule.
        $benign_cf = "cloudfoundry" ascii fullword
        $benign_gapi = "googleapi.Error" ascii

    condition:
        4 of ($case_*)
        and not any of ($benign_*)
        and not (pe.number_of_signatures > 0)
}
// Sliver 64-bit implant (x86-64) detector.
//
// Same idea as the 32-bit rule: match the compiled Go `switch` over the
// C2 transport name rather than the plaintext strings. On x86-64 the
// compiler loads 8-byte prefixes with `mov r64, imm64` (REX.W + B8..BF),
// so the longer cases ("tcppivot", "namedpipe") appear as an 8-byte
// immediate after `48 ??`; the wildcard covers the opcode byte, i.e. the
// destination register. Shorter cases are dword/word/byte compares with
// the ModRM byte wildcarded.
//
// Hunting caveats:
//   * The wildcarded ModRM byte in the cmp-based patterns also admits the
//     other 0x80/0x81 group-1 ALU ops with the same ASCII immediate, so
//     unrelated Go binaries can collide; the $benign_* strings presumably
//     suppress known collisions - extend them if you see noise.
//   * "mtls" is build-dependent (see note on that string); 5 of 6 keeps
//     the rule firing when it is compiled out.
//   * The condition uses the `pe` module: the .yar file needs `import "pe"`.
//     `pe.number_of_signatures` is undefined for non-PE input, and an
//     undefined operand makes the `and` false, so this rule only fires on
//     UNSIGNED PE files. Signed Sliver builds and ELF/Mach-O implants are
//     out of scope and need separate coverage.
rule Sliver_Implant_64bit
{
    meta:
        description = "Sliver 64-bit implant (with and without --debug flag at compile)"
        hash = "2d1c9de42942a16c88a042f307f0ace215cdc67241432e1152080870fe95ea87"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        modified = "2025-03-21"
        id = "b84db933-0e11-5871-821d-43697c015665"

    strings:
        // case "tcppivot": the whole 8-byte string as one imm64.
        //   48 ?? 74 63 70 70 69 76 6F 74   mov r64, 746F766970706374h  ; "tcppivot"
        $case_tcppivot = { 48 ?? 74 63 70 70 69 76 6f 74 }

        // case "namedpipe": 8-byte imm64 "namedpip" (70697064656D616Eh),
        // then, within 2-32 bytes, a byte compare of the trailing 'e'.
        //   48 ?? 6E 61 6D 65 64 70 69 70   mov r64, 70697064656D616Eh
        //   80 ?? 08 65                     cmp byte ptr [reg+8], 65h   ; 'e'
        $case_namedpipe = { 48 ?? 6e 61 6d 65 64 70 69 70 [2-32] 80 ?? 08 65 }

        // case "https": dword compare of "http" (70747468h), then byte 's'.
        //   81 ?? 68 74 74 70        cmp dword ptr [reg], 70747468h
        //   80 ?? 04 73              cmp byte ptr [reg+4], 73h   ; 's'
        $case_https = { 81 ?? 68 74 74 70 [2-32] 80 ?? 04 73 }

        // case "wg": word compare, "wg" little-endian = 6777h.
        //   66 81 ?? 77 67           cmp word ptr [reg], 6777h
        $case_wg = { 66 81 ?? 77 67 }

        // case "dns": word compare of "dn" (6E64h), then byte compare of 's'.
        //   66 81 ?? 64 6E           cmp word ptr [reg], 6E64h
        //   80 ?? 02 73              cmp byte ptr [reg+2], 73h   ; 's'
        $case_dns = { 66 81 ?? 64 6e [2-20] 80 ?? 02 73 }

        // case "mtls": dword compare, "mtls" little-endian = 736C746Dh
        // (reads back as "sltm", like the other reversed immediates above).
        // NOTE: this case is compile-time configurable and may be absent
        // from a given build.
        //   81 ?? 6D 74 6C 73        cmp dword ptr [reg], 736C746Dh
        $case_mtls = { 81 ?? 6d 74 6c 73 }

        // Known-benign markers; any hit vetoes the rule.
        $benign_cf = "cloudfoundry" ascii fullword
        $benign_gapi = "googleapi.Error" ascii

    condition:
        5 of ($case_*)
        and not any of ($benign_*)
        and not (pe.number_of_signatures > 0)
}