
Sliver offensive security framework increasingly used by threat actors


The offensive security tool used by penetration testers is also being used by threat actors from the ransomware and cyberespionage domains.


The business of penetration testing and security testing is huge, and many different tools are available on the market, or even for free, to help penetration testers. Some offensive security frameworks have become very popular, such as Metasploit or Cobalt Strike. They are widely used by red teams but also by threat actors, including state-sponsored groups.

Among those frameworks, Sliver appeared in 2019 as an open source framework available on GitHub and advertised to security professionals.

What is Sliver and what is it used for?

Sliver’s creators describe it as “an open source cross-platform adversary emulation/red team framework” whose implants support “C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS and are dynamically compiled with per-binary asymmetric encryption keys.”

The framework is available for Linux, macOS and Microsoft Windows, and possibly more, as the entire framework is written in the Go programming language (also known as Golang), which can be compiled for many different systems because Go is cross-platform.

Typical use cases for such a framework include compromising a target, deploying one or several implants on different endpoints or servers belonging to the compromised network, and then using the framework for command and control (C2) interactions.


Network communication & implants powered by Sliver

Sliver supports several different network protocols for communication between the implant and its C2 server: DNS, HTTP(S), mTLS, WireGuard and TCP can be used.

Sliver users can create cross-platform implants in a number of formats, including shellcode, executables, shared libraries/DLLs, or services.

Sliver also provides the ability to use stagers via its staging protocol over TCP and HTTP(S). A stager is a smaller payload whose main purpose is to fetch and launch a larger implant. Stagers are often used in the early stages of an attack, when an attacker wants to minimize the size of the malicious code used as the initial payload.

Microsoft stated in a report that attackers don’t necessarily use Sliver’s default DLL or executable payloads. Motivated attackers can instead generate Sliver shellcode and embed it in custom loaders such as Bumblebee, which then run the Sliver implant on the compromised system.

Sliver implants can be obfuscated, making their detection more difficult. Additionally, even when an implant is detected, obfuscation can significantly increase analysis time for defenders. Sliver makes use of the gobfuscate library, which is publicly available on GitHub. As Microsoft researchers have stated, deobfuscating code protected with that library is “a fairly manual process” that is unlikely to be automated.

An efficient way to obtain important information from such an implant is to analyze its configuration once it has been decoded in memory, rather than working from the obfuscated binary on disk.

Sliver also provides different techniques for executing code. One of the most common, used by many frameworks, is process injection: inserting code into the address space of a separate running process. This allows attackers to evade detection and, in some cases, to inherit higher privileges, among other benefits.

Lateral movement can also be performed with Sliver. Lateral movement means executing code on other computers in the same compromised network. Sliver does this with its PsExec command, which often raises alerts in endpoint security solutions.


Using Sliver in the wild

Microsoft security researchers pointed out that they have observed the Sliver framework being actively used in intrusion campaigns by nation-state threat actors such as APT29 / Cozy Bear, by ransomware groups and by other financially motivated threat actors.

Team Cymru observed a steady increase in detected Sliver samples during Q1 2022 and shared a few case studies.

Sliver is sometimes seen as a replacement for Cobalt Strike, another penetration testing framework. It is also sometimes used in conjunction with Cobalt Strike.

The popularity and increased use of Cobalt Strike by threat actors over the years has made defenses against it more effective. That increased detectability will likely prompt more threat actors to move to lesser-known frameworks like Sliver.

Sliver detection and protection against it

Microsoft shared a hunting query that can be run inside the Microsoft 365 Defender portal to detect the unmodified Sliver codebases available at the time of writing. Microsoft also shared JARM fingerprints of Sliver C2 servers; JARM is an active Transport Layer Security (TLS) server fingerprinting tool.

The UK’s National Cyber Security Centre also shared YARA rules for Sliver detection. All of these can be useful for detecting Sliver but may fail against future versions or against modified versions of the tool that attackers develop. These indicators should be hunted for continuously with security solutions in the corporate network that can check endpoints and servers for these specific Indicators of Compromise (IOCs).
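To make the two points above concrete (static indicators catch unmodified builds, and obfuscation defeats them), here is a small string-based hunting check. This is an added example written for this article, not Microsoft's query or the NCSC's YARA rules. It assumes that an unobfuscated Sliver implant, like any non-stripped Go binary, embeds its import paths, and uses Sliver's real Go module path `github.com/bishopfox/sliver` and its `sliverpb` protobuf package as markers; the two byte blobs are constructed stand-ins, not real samples.

```python
import re
from dataclasses import dataclass, field

MIN_LEN = 8  # shortest run of printable bytes that counts as a "string"

# Markers typical of an unobfuscated Sliver implant. The module path is the
# project's real Go module path and sliverpb its protobuf package; treat the
# list as an illustrative assumption for this example, not a vetted rule set.
SLIVER_MARKERS = (
    b"github.com/bishopfox/sliver",
    b"sliverpb",
)
# Markers that identify a Go binary even when package paths are obfuscated
# (assumption: these survive gobfuscate, which rewrites package and symbol names).
GO_MARKERS = (b"Go build ID:", b"runtime.goexit", b"go1.")


@dataclass
class Verdict:
    is_go: bool
    sliver_hits: list = field(default_factory=list)
    confidence: str = "none"  # "high" / "low" / "none"


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Minimal `strings`-style extraction: runs of printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0) for m in re.finditer(pattern, data)]


def classify(data: bytes) -> Verdict:
    """Classify a blob as likely-Sliver, Go-but-unknown, or nothing."""
    strings = extract_strings(data)
    is_go = any(marker in s for s in strings for marker in GO_MARKERS)
    hits = sorted({m.decode() for s in strings for m in SLIVER_MARKERS if m in s})
    if hits:
        confidence = "high"   # unmodified build leaking Sliver package paths
    elif is_go:
        confidence = "low"    # Go binary with no Sliver strings: obfuscated or benign
    else:
        confidence = "none"
    return Verdict(is_go=is_go, sliver_hits=hits, confidence=confidence)


# Constructed samples (not real malware): a "plain" build that leaks its
# package paths, and an "obfuscated" build where gobfuscate has replaced
# them with meaningless names, so only the generic Go markers remain.
PLAIN_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b'Go build ID: "abc123"\x00'
    + b"github.com/bishopfox/sliver/implant/sliver/transports\x00"
    + b"sliverpb.Envelope\x00runtime.goexit\x00"
)
OBFUSCATED_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b'Go build ID: "def456"\x00'
    + b"kqzvb.uhwtn/oqsac/plrty/xfzqm\x00"   # package path rewritten by gobfuscate
    + b"runtime.goexit\x00"
)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(name, classify(blob))
```

Running it shows the plain build flagged with high confidence on two markers, while the obfuscated build only registers as "some Go binary". That gap is exactly why the article recommends pairing static IOCs with in-memory configuration analysis and continuous hunting rather than relying on one rule set.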

Multi-factor authentication (MFA) needs to be deployed on any Internet-facing system or service, especially for RDP and VPN access. User privileges should also be limited, and administrative privileges should only be granted to employees who really need them.

All systems must be kept updated and patched, to avoid being compromised through a common vulnerability that would give an attacker the initial foothold needed to deploy Sliver.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.


