What originally served as a Cobalt Strike substitute has evolved into a popular C2 platform for threat actors. Sliver, an open-source, cross-platform adversary emulation/red team framework, offers all the essential capabilities for adversary simulation, including staged and stageless payloads, multiplayer mode, compile-time obfuscation, dynamic code generation, and Let’s Encrypt integration.
Sliver is a cross-platform post-exploitation framework written in Golang and created by the cybersecurity company BishopFox for use by security professionals in red team operations. The framework has an extension package manager called armory that makes it simple to install (and automatically compile) a variety of third-party tools, including BOFs and .NET tooling such as Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and more).
Features Of Sliver
- Generating code dynamically.
- Obfuscation at compile time.
- Remote and local process injection.
- Secure C2 over mTLS, HTTP(S), and DNS.
- Migration of Windows processes.
- Manipulation of user tokens on Windows.
- Procedurally generated C2 over HTTP (work in progress).
- Integration with Let’s Encrypt.
- In-memory execution of .NET assemblies.
- DNS canary blue team detection.
Threat Actors Are Utilizing Sliver
Research teams worldwide have observed multiple threat groups using Sliver. Cybereason’s GSOC team recently found the Exotic Lily group distributing the BumbleBee loader malware using LNK files.
Attackers used a variety of tools during the month-long AvosLocker campaign in June 2022, including Cobalt Strike, Sliver, and several commercial network scanners. The same month, the open-source malware families PupyRAT, Pantegana, and Sliver were found being distributed by a threat actor known as DriftingCloud.
For considerably greater flexibility, TA551, aka Shathak, deployed the framework immediately after the initial infection vector in October 2021. The Russian hacking group APT29, also known as SVR, was using the framework in May 2021 to maintain persistence on a compromised network.
The framework produces distinctive network and system signatures, which makes discovering and fingerprinting its infrastructure servers more efficient. To detect Sliver C2 activity, users of the Cybereason platform are advised to navigate to Behavioral Execution Prevention (BEP) in the sensor policy and set both BEP and Variant Payload Prevention to Prevent. They are also advised to handle material from external sources, such as email attachments and web downloads, with care.
Why Is Cobalt Strike Being Set Aside?
Sliver, an open-source C2 framework, is attracting attention because hackers have been observed using it in cyberattacks in place of Cobalt Strike. Cybercriminals deploy Cobalt Strike beacons on compromised networks to enable lateral movement after an initial intrusion.
Compared to Cobalt Strike, Sliver ships with a far larger number of built-in modules, making it more straightforward for threat actors to compromise systems and use its tooling to gain access. As security analysts have steadily strengthened their countermeasures against Cobalt Strike, more penetration testing tools are being detected, which has pushed threat actors to look for an alternative.
By contrast, Cobalt Strike is a bring-your-own-payload or bring-your-own-module tool. Sliver lowers the barrier for attackers: it allows greater customization of how payloads are delivered and how attacks can be modified to bypass defenses.
Sliver is a free, open-source project available on GitHub, in contrast to Cobalt Strike, which is commercial and requires threat actors to crack its licensing mechanism each time a new version is released.
Threat actors are becoming increasingly interested in Sliver, a legitimate command-and-control (C2) framework that has emerged as an open-source alternative to Cobalt Strike and Metasploit. The research was conducted by Cybereason, which published a thorough analysis of the framework’s internal workings last week.