nuclei-templates/network/jarm/c2/sliver-c2-jarm.yaml

id: sliver-c2-jarm

info:
  name: Sliver C2 JARM - Detect
  author: pussycat0x
  severity: info
  description: |
    Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS and are dynamically compiled with per-binary asymmetric encryption keys.
  reference:
    - https://github.com/cedowens/C2-JARM
    - https://github.com/BishopFox/sliver
  metadata:
    max-request: 1
  tags: jarm,network,c2,ir,osint,cti,sliver,tcp
tcp:
  - inputs:
      - data: 2E
        type: hex
    host:
      - "{{Hostname}}"
    matchers:
      - type: dsl
        dsl:
          - "jarm(Hostname) == '2ad2ad0002ad2ad00041d2ad2ad41da5207249a18099be84ef3c8811adc883'"
# digest: 4a0a00473045022018dd9500e710457321d625b7b74209aeb095ae87f0353c9020addb607a09dbf4022100c699e22865da4f133768907d62a3c86318ac75965e4ce416b1f516da9e0a9248:922c64590222798bb761d5b6d8e72950
C2 Jarm - Detect 2023-07-14 08:02:24 +00:00			`id: sliver-c2-jarm`

			`info:`
			`name: Sliver C2 JARM - Detect`
			`author: pussycat0x`
			`severity: info`
			`description: \|`
			`Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS and are dynamically compiled with per-binary asymmetric encryption keys.`
			`reference:`
			`- https://github.com/cedowens/C2-JARM`
			`- https://github.com/BishopFox/sliver`
TemplateMan Update [Tue Jul 18 08:23:15 UTC 2023] :robot: 2023-07-18 08:23:15 +00:00			`metadata:`
			`max-request: 1`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`tags: jarm,network,c2,ir,osint,cti,sliver,tcp`
C2 Jarm - Detect 2023-07-14 08:02:24 +00:00			`tcp:`
			`- inputs:`
			`- data: 2E`
			`type: hex`
			`host:`
			`- "{{Hostname}}"`
			`matchers:`
			`- type: dsl`
			`dsl:`
templateman update 2023-10-14 11:27:55 +00:00			`- "jarm(Hostname) == '2ad2ad0002ad2ad00041d2ad2ad41da5207249a18099be84ef3c8811adc883'"`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a00473045022018dd9500e710457321d625b7b74209aeb095ae87f0353c9020addb607a09dbf4022100c699e22865da4f133768907d62a3c86318ac75965e4ce416b1f516da9e0a9248:922c64590222798bb761d5b6d8e72950`