Sliver is an open-source adversary simulation framework written in Go, released by Bishop Security as an alternative to Cobalt Strike. What started as a red team tool has been adopted by a growing number of threat actors: Qilin ransomware affiliates, TA505, and multiple China-nexus espionage groups have all been observed deploying Sliver implants in production intrusions. Its cross-platform support (Windows, Linux, macOS), encrypted communications, and active development make it a persistent detection challenge.

This guide covers the principal detection opportunities: named pipe artefacts, process injection behaviour, network-level beacon patterns, and host-based telemetry for Sigma and KQL detections.

Why Sliver Is Hard to Detect by Signature

Sliver generates per-build implants with randomised configurations. Default named pipe names, canary domain patterns, and connection URLs are configurable, meaning static IOC lists degrade quickly. Effective detection relies on behavioural indicators rather than signature-based matching.

Sliver implants support multiple C2 protocols: mTLS, HTTPS, HTTP, WireGuard, DNS, and named-pipe transports. In most observed intrusions, HTTPS is the primary transport with DNS as fallback.

Named Pipe Detection

Sliver uses named pipes for inter-process communication when pivoting through a compromised host and for injection staging. Default pipe names include patterns like \\.\pipe\gopher, \\.\pipe\<random_string>, and pipes associated with Sliver’s pivot and portfwd capabilities.

Sigma — Sliver Named Pipe Creation:

title: Sliver C2 Named Pipe Creation
id: 8f3a9e21-bc4d-4f7a-9c12-e5d3f6a8b091
status: experimental
description: Detects named pipe creation patterns associated with Sliver C2 framework
references:
  - https://github.com/BishopFox/sliver
  - https://attack.mitre.org/techniques/T1071/
author: SOC Analyst Hub
date: 2026-06-09
logsource:
  category: pipe_created
  product: windows
detection:
  selection_default:
    PipeName|contains:
      - '\gopher'
      - '\sliverpipe'
  selection_random_short:
    # Sliver generates short random pipe names for staged sessions
    PipeName|re: '\\[a-z0-9]{4,8}$'
    Image|endswith:
      - '\notepad.exe'
      - '\svchost.exe'
      - '\explorer.exe'
      - '\rundll32.exe'
  condition: selection_default or selection_random_short
falsepositives:
  - Legitimate applications using short random named pipes
level: high
tags:
  - attack.command-and-control
  - attack.t1071
  - attack.t1055

Process Injection Artefacts

Sliver’s default implant uses process injection to migrate into a host process after initial execution. Common targets include notepad.exe, svchost.exe, and application processes already running on the host. The injection technique is typically reflective DLL loading or process hollowing.

Sigma — Suspicious Remote Thread Creation into Common Host Processes:

title: Sliver Process Injection via Remote Thread
id: 2c7b4f19-8e5a-4d2c-b3f7-a9e1c8d0f452
status: experimental
description: Detects Sliver-style remote thread injection into common LOLBin host processes
logsource:
  category: create_remote_thread
  product: windows
detection:
  selection:
    TargetImage|endswith:
      - '\notepad.exe'
      - '\mspaint.exe'
      - '\calc.exe'
      - '\svchost.exe'
    SourceImage|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\mshta.exe'
      - '\regsvr32.exe'
  filter_system:
    SourceImage|startswith: 'C:\Windows\System32\'
    TargetImage|startswith: 'C:\Windows\System32\svchost.exe'
  condition: selection and not filter_system
falsepositives:
  - Debugging tools, some AV products
level: high
tags:
  - attack.defense-evasion
  - attack.t1055.001
  - attack.t1055.012

HTTPS Beacon Pattern Detection

Sliver’s HTTPS transport uses a configurable polling interval (default: randomised jitter around a base sleep). The beacon issues regular HTTPS GET or POST requests to the C2 server. Detection focus: unusual beaconing regularity from non-browser processes, and HTTPS to IPs rather than domain names.

Sigma — Sliver HTTPS Beacon from Non-Browser Process:

title: Sliver HTTPS C2 Beacon Pattern
id: 5a2e8c16-7f4b-4a9d-c1e3-b8d2f5a7c904
status: experimental
description: Detects regular HTTPS connections from processes that should not be making web requests
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationPort:
      - 443
      - 8443
      - 4443
    Image|endswith:
      - '\notepad.exe'
      - '\calc.exe'
      - '\mspaint.exe'
      - '\svchost.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
  filter_legit:
    DestinationIp|startswith:
      - '10.'
      - '192.168.'
      - '172.16.'
  condition: selection and not filter_legit
falsepositives:
  - Applications with unexpected update mechanisms
level: high
tags:
  - attack.command-and-control
  - attack.t1071.001

KQL — Microsoft Sentinel Detection

Sliver Named Pipe and Injection Correlation (Microsoft Defender for Endpoint):

let SliverInjectionProcs = dynamic(["notepad.exe","mspaint.exe","svchost.exe","calc.exe","explorer.exe"]);
let SliverSourceProcs = dynamic(["powershell.exe","cmd.exe","wscript.exe","mshta.exe","regsvr32.exe"]);

DeviceEvents
| where ActionType == "CreateRemoteThreadApiCall"
| extend TargetProc = tostring(parse_json(AdditionalFields).TargetProcessFileName)
| extend TargetProcName = tolower(tostring(split(TargetProc, "\\")[-1]))
| where TargetProcName in (SliverInjectionProcs)
| where tolower(InitiatingProcessFileName) in (SliverSourceProcs)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, 
          InitiatingProcessCommandLine, TargetProcName
| order by TimeGenerated desc

Sliver Beacon Regularity Detection:

DeviceNetworkEvents
| where RemotePort in (443, 8443, 4443)
| where InitiatingProcessFileName !in~ ("chrome.exe","firefox.exe","msedge.exe",
                                          "svchost.exe","lsass.exe","services.exe")
| where RemoteIPType == "Public"
| summarize ConnectionCount = count(), 
            FirstSeen = min(TimeGenerated), 
            LastSeen = max(TimeGenerated),
            IPs = make_set(RemoteIP)
    by DeviceName, InitiatingProcessFileName, RemoteIP
| where ConnectionCount > 10
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| where DurationMinutes > 30
| extend ConnectionsPerHour = (ConnectionCount * 60.0) / DurationMinutes
// Regular beaconing: roughly consistent connections per hour from non-browser process
| where ConnectionsPerHour between (1.0 .. 30.0)
| order by ConnectionCount desc

Threat Intelligence Context

Sliver has appeared in incident reports from multiple vendors covering ransomware operations and espionage campaigns. In Qilin ransomware incidents, Sliver is deployed post-VPN compromise for persistent access during the dwell period before encryption. Mandiant observed Sliver in UNC4841 (China-nexus) intrusions. CISA’s advisory AA23-319A (Rhysida) also documents Sliver alongside Cobalt Strike as a post-access tool.

Key distinguishing artefacts from Cobalt Strike: Sliver generates Go runtime-specific process memory artefacts (goroutine stacks, Go standard library exports visible in memory dumps), and its staging does not use the same named pipes as Cobalt Strike’s default profile.

Hunting Approach

Beyond reactive detection rules, prioritise hunting for:

  1. Short-lived elevated processes spawning network connections — Go binaries spawned by Office or script interpreters are high-priority
  2. Cross-process memory writes followed by HTTPS — process write events correlated with subsequent network activity from the target process
  3. New service installations executing unsigned Go binaries — Sliver can establish persistence via Windows services

For Linux hunting, focus on ptrace-based injection, /proc/<pid>/mem writes, and unusual listening sockets from Go-linked binaries.