Wednesday, May 29, 2024

Threat Actors Moving to Sliver Command-and-Control (C2) to Evade Detection

In favor of similar frameworks less familiar to threat actors, threat actors are ditching Cobalt Strike penetration testing. There has been a surge of interest recently in an open-source, cross-platform kit called Sliver that has emerged after Brute Ratel.

By analyzing the toolkit, its operation, and its components, hunting queries can be used to detect malicious activity involving Sliver. A number of nation-state threat actors have been adopting and integrating the Sliver C2 framework into their intrusion campaigns.

The Migration from Cobalt Strike

It has become increasingly popular in recent years for various threat actors to use Cobalt Strike as an attack tool against various kinds of systems.

By using this toolkit, defenses have learned to detect and stop attacks based on the information they collect. The reason for this is to avoid detection by EDR and antivirus solutions, which is why hackers are trying other options.

Threat actors have found alternatives to the Cobalt Strike as a result of the stronger defenses that have been deployed against it. They went and switched over to Brute Ratel, a tool that simulates adversarial attacks with the aim of evading security products.

Microsoft tracks the adoption of Sliver by one group as DEV-0237. FIN12, as well as several other ransomware operators, have been implicated in the gang’s activities.

Several ransomware operators have distributed malware payloads from the gang in the past, including the following:-

  • BazarLoader
  • TrickBot

Threat Hunting

Although the Sliver framework is regarded as a novel threat, there are ways to detect malicious activity originating from it as well as from stealthier threats that cannot be detected by no means.

In order to identify Sliver and other emerging C2 frameworks, Microsoft provides defenders with a set of TTPs which are able to be used to identify them.

Microsoft also disclosed that the non-customized C2 codebase, which contains the official and non-modified code for detecting Sliver payloads, is useful for detecting such payloads.

There are also commands that can be used for process injection that threat hunters can look for. This can be achieved by using the following commands:-

  • migrate (command) – migrate into a remote process
  • spawndll (command) – load and run a reflective DLL in a remote process
  • sideload (command) – load and run a shared object (shared library/DLL) in a remote process
  • msf-inject (command) – inject a Metasploit Framework payload into a process
  • execute-assembly (command) – load and run a .NET assembly in a child process
  • getsystem (command) – spawn a new Sliver session as the NT AUTHORITY\SYSTEM user

At the moment the detection rule sets and hunting guidance are publicly available. In the case of customized variants, there is a possibility that Microsoft’s searches will be impacted by the use of customized variants.


Latest articles

Researchers Exploited Nexus Repository Using Directory Traversal Vulnerability

Hackers target and exploit GitHub repositories for a multitude of reasons and illicit purposes.The...

DDNS Service In Fortinet Or QNAP Embedded Devices Exposes Sensitive Data, Researchers Warn

Hackers employ DNS for various purposes like redirecting traffic to enable man-in-the-middle attacks, infecting...

PoC Exploit Released For macOS Privilege Escalation Vulnerability

A new vulnerability has been discovered in macOS Sonoma that is associated with privilege...

CatDDoS Exploiting 80+ Vulnerabilities, Attacking 300+ Targets Daily

Malicious traffic floods targeted systems, servers, or networks in Distributed Denial of Service (DDoS)...

GNOME Remote Desktop Vulnerability Let Attackers Read Login Credentials

GNOME desktop manager was equipped with a new feature which allowed remote users to...

Kesakode: A Remote Hash Lookup Service To Identify Malware Samples

Today marks a significant milestone for Malcat users with the release of version 0.9.6,...

Cisco Firepower Vulnerability Let Attackers Launch SQL Injection Attacks

 A critical vulnerability has been identified in Cisco Firepower Management Center (FMC) Software's web-based...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles