From 3abdffb50fa41622faaed6a6fb0d2f6dd6803be8 Mon Sep 17 00:00:00 2001
From: johnk3r
Date: Thu, 11 Apr 2024 10:30:03 -0300
Subject: [PATCH] Create sliver-c2.yaml

---
 ssl/c2/sliver-c2.yaml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 ssl/c2/sliver-c2.yaml

diff --git a/ssl/c2/sliver-c2.yaml b/ssl/c2/sliver-c2.yaml
new file mode 100644
index 0000000000..07bdef32fd
--- /dev/null
+++ b/ssl/c2/sliver-c2.yaml
@@ -0,0 +1,33 @@
+id: sliver-c2
+
+info:
+  name: Sliver C2 - Detect
+  author: johnk3r
+  severity: info
+  description: |
+    Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server
+  reference: |
+    https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
+  metadata:
+    verified: "true"
+    max-request: 1
+    shodan-query: ssl:"multiplayer" tag:c2
+  tags: c2,ssl,ir,osint,malware,sliver
+ssl:
+  - address: "{{Host}}:{{Port}}"
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: issuer_cn
+        words:
+          - "operators"
+
+      - type: word
+        part: subject_dn
+        words:
+          - "CN=multiplayer"
+
+    extractors:
+      - type: json
+        json:
+          - " .issuer_cn"
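Review bot: The json extractor's expression `" .issuer_cn"` at the end of the hunk carries a leading space inside the quotes, which reads as a typo even if the query engine tolerates it; `- ".issuer_cn"` is the intended form. `reference` is written as a `|` block scalar, so its value is a single string with a trailing newline rather than the usual list of URLs (`reference:` followed by `  - https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver`), and `verified: "true"` is a quoted string where a boolean is presumably expected — both are worth checking against the template schema. Both matchers key on the certificate names seen here (issuer CN `operators`, subject `CN=multiplayer`), which are the defaults of a stock Sliver server; a deployment with regenerated or customized certificates will not match, so a negative result is not evidence of absence. The description should state that scope, e.g. `Detects the default self-signed TLS certificate of a Sliver C2 server (issuer CN "operators", subject CN "multiplayer"); deployments using customized certificates are not covered.`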