Sliver offensive security framework increasingly used by threat actors

The offensive security tool used by penetration testers is also used by threat actors from the ransomware and cyber espionage spheres.

Image: Adobe Stock

The market for penetration testing and security auditing is huge, and there are many different tools available on the market, or even free of charge, to help penetration testers. Some of these offensive security frameworks have become very popular, such as Metasploit Where Cobalt Strike. They are widely used by red teams but also by threat actors, including those sponsored by nation states.

Among these frameworks, Sliver appeared in 2019 as an open-source framework available on Github and announced to security professionals.

What is Sliver and what is it used for?

The creators of Sliver describe it as “an open source cross-platform adversary/red team emulation framework” that supports “C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS and is dynamically compiled with binary asymmetric encryption keys.”

The framework is available for Linux, MacOS and Microsoft Windows operating systems and maybe more, because the whole framework is written in Go programming language (also known as Golang), which can be compiled on many different systems because Golang is cross-platform compatible.

The typical use case for such a framework is to compromise a target, deploy one or more implants inside different terminals or servers belonging to the compromised network, and then use the framework for command and control interactions. (C2).

SEE: Mobile Device Security Policy (TechRepublic Premium)

Sliver supported network communications and implants

Sliver supports several different network protocols to communicate between the implant and its C2 server: DNS, HTTP/TLS, MTLS and TCP can be used.

Sliver users can build cross-platform implants in multiple formats, including shellcode, executable, shared library/DLL, or service.

Sliver also offers the ability to use intermediaries via the meterpreter staging protocol over TCP and HTTP(S). Stagers are smaller payloads with functionality primarily designed to retrieve and launch larger implants. Stagers are typically used in the early phase of an attack, when the attacker wants to minimize the size of malicious code to use as the initial payload.

Microsoft said in a recent report that attackers do not necessarily need to use Sliver’s default DLL or executable payloads. Motivated attackers can use shellcode generated by Sliver which they will embed into custom loaders such as Bumblebee, which will then run the Sliver implant on the compromised system.

Ribbon implants can be obscured, making them more difficult to detect. Additionally, even detected, Obfuscation can significantly increase analysis time for Defenders. Sliver uses the obscure library, publicly available on Github. As Microsoft researchers have stated, the deobfuscation code that has been obfuscated with this library is “still a fairly manual process” that can hardly be automated.

An effective way to obtain critical information from such an implant is to analyze its configuration once it is deobfuscated in memory.

Sliver also provides different techniques for running code. One of the most common used by many frameworks is to inject code into the address space of a separate live process. This allows attackers to evade detection and sometimes gain higher privileges, among other benefits.

Lateral movements can also be performed using Sliver. Lateral movements involve executing code on different computers on the same compromised network. Sliver does this using the legit PsExec command, which often generates multiple alerts in endpoint security solutions.

SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)

Use of Sliver in nature

Microsoft security experts indicate that they have observed the Sliver framework being actively used in intrusion campaigns carried out by both cyber espionage state threat actors like APT29/Cozy Bear and ransomware groupsin addition to other threat actors with a financial vocation.

Team Cymru observed a steady increase in Sliver samples detected in the first quarter of 2022 and shared some case studies.

Sliver has sometimes been seen as a replacement for Cobalt Strike, another penetration testing framework. Sometimes it was also used in conjunction with Cobalt Strike.

The popularity and increase in the use of Cobalt Strike by threat actors over the past few years has made defense against it more effective. This increase in detection will likely drive more malicious actors to use lesser-known frameworks such as Sliver.

Ribbon detection and protection

Microsoft Stocks queries which can be run in the Microsoft 365 Defender Portal to detect official non-custom Sliver codebases available at the time of writing. Microsoft too share JARM hashes, JARM being an active Transport Layer Security (TLS) server fingerprinting tool.

The UK’s National Cyber ​​Security Center has also share YARA rules for detecting Sliver. All of these could be useful for detecting Sliver, but could fail with future versions or modified versions of the tool that attackers may develop. All of these should be continuously researched through security solutions in corporate networks that have the ability to check endpoints and servers for these specific Indicators of Compromise (IOCs).

Multi-Factor Authentication (MFA) should be deployed on any Internet-facing system or service, especially for RDP or VPN connections. User privileges should also be limited, and administrative privileges should only be granted to employees who really need them.

All systems must be kept up to date and patched, to avoid being compromised by a common vulnerability that would make Sliver possible.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.

About Jon Moses

Check Also

IBM launches fourth-generation LinuxONE servers

IBM has unveiled the next generation of its LinuxONE server, which uses the Telum processor …