Threat actors are switching away from the Cobalt Strike suite of penetration testing tools in favor of less similar frameworks. Sliver toolkit, an open-source, cross-platform kit, is emerging as a viable replacement for Brute Ratel.
However, by examining the toolkit, how it functions, and its components, hunting queries can find malicious Sliver activity.
Migrating away from Cobalt Strike
Cobalt Strike has gained prominence in recent years as a weapon for attack used by different threat actors, such as ransomware operations, to drop “beacons” on infiltrated networks that facilitate lateral movement to high-value systems.
Hackers are attempting various methods that can avoid Endpoint Detection and Response (EDR) and antivirus solutions because defenders have learned to detect and block assaults depending on this toolkit.
Threat actors have developed alternatives as Cobalt Strike’s defenses have gotten stronger. They switched to Brute Ratel, an adversarial attack simulation programme meant to avoid security products, as seen by Palo Alto Networks.
According to a Microsoft analysis, hackers of all stripes—from state-sponsored organizations to cybercrime gangs—are increasingly employing the Go-based Sliver security testing tool created by experts at cybersecurity firms in their attacks.
Microsoft has noticed that nation-state threat actors, cybercrime groups directly supporting ransomware and extortion, and other threat actors are now adopting and integrating the Sliver command-and-control (C2) infrastructure in intrusion campaigns to elude detection.
Microsoft tracks one group that adopted Sliver as DEV-0237. The gang, also known as FIN12, was connected to several ransomware developers.
The gang in past used malware like BazarLoader and TrickBot to distribute ransomware payloads from a variety of ransomware operators, including Ryuk, Conti, Hive, Conti, and BlackCat.
State-sponsored actors in Russia, especially APT29 (also known as Cozy Bear, The Dukes, and Grizzly Steppe), have reportedly also used Sliver to keep access to compromised environments, according to a report from the UK’s Government Communications Headquarters (GCHQ).
Microsoft says that Sliver has been used in more recent attacks in place of BazarLoader using the Bumblebee (Coldtrain) malware loader, which is connected to the Conti syndicate.
Hunting for Sliver-based activity
Despite being a new threat, the Sliver framework and other stealthier attacks can both be detected for their harmful behavior.
Defenders can utilize Microsoft’s set of tactics, techniques, and procedures (TTPs) to recognize Sliver and other new C2 frameworks.
Threat hunters can set up listeners to detect anomalies on the network for Sliver infrastructure because the Sliver C2 network supports several protocols (DNS, HTTP/TLS, MTLS, and TCP), and accepts implants/operator connections. The hunters can host files to imitate a legitimate web server.
Unique HTTP header combinations and JARM hashes, which are active fingerprinting methods for TLS servers (RiskIQ’s Sliver and Bumblebee methodology), are two examples of common artefacts.
Microsoft also provided guidance on identifying Sliver payloads (shellcode, executables, shared libraries/DLLs, and services) produced using the C2 framework’s standard, non-customized codebase.
If the shellcode isn’t obfuscated, detection engineers can develop rules for the shellcode payload that is incorporated in the loader or loader-specific detections [like Bumblebee].
Microsoft advises removing configurations when they are put into memory for Sliver malware payloads that don’t have a lot of contexts because the framework needs to de-obfuscate and decrypt them in order to use them.
Scanning the memory could enable researchers to extract details such as configuration data:
Microsoft states that in addition to using extensions and aliases, the toolkit also uses.NET apps, beacon object files (BFOs), and other third-party tooling for command injection.
The framework additionally uses PsExect to execute commands that permit lateral movement.
Microsoft has developed a set of hunting queries for the aforementioned commands that may be used in the Microsoft 365 Defender site to help organizations covered by Defender identify Sliver activity in their environment.
Microsoft stated hunting advice and offered detection rule sets are for the Sliver codebase, which is currently made public. Utilizing tailored variations is probably going to affect detection made using Microsoft’s queries.
