Tuesday, February 11, 2025
HomeCyber Security NewsThreat Actors Moving to Sliver Command-and-Control (C2) to Evade Detection

Threat Actors Moving to Sliver Command-and-Control (C2) to Evade Detection

Published on

SIEM as a Service

Follow Us on Google News

In favor of similar frameworks less familiar to threat actors, threat actors are ditching Cobalt Strike penetration testing. There has been a surge of interest recently in an open-source, cross-platform kit called Sliver that has emerged after Brute Ratel.

By analyzing the toolkit, its operation, and its components, hunting queries can be used to detect malicious activity involving Sliver. A number of nation-state threat actors have been adopting and integrating the Sliver C2 framework into their intrusion campaigns.

The Migration from Cobalt Strike

It has become increasingly popular in recent years for various threat actors to use Cobalt Strike as an attack tool against various kinds of systems.

By using this toolkit, defenses have learned to detect and stop attacks based on the information they collect. The reason for this is to avoid detection by EDR and antivirus solutions, which is why hackers are trying other options.

Threat actors have found alternatives to the Cobalt Strike as a result of the stronger defenses that have been deployed against it. They went and switched over to Brute Ratel, a tool that simulates adversarial attacks with the aim of evading security products.

Microsoft tracks the adoption of Sliver by one group as DEV-0237. FIN12, as well as several other ransomware operators, have been implicated in the gang’s activities.

Several ransomware operators have distributed malware payloads from the gang in the past, including the following:-

  • BazarLoader
  • TrickBot

Threat Hunting

Although the Sliver framework is regarded as a novel threat, there are ways to detect malicious activity originating from it as well as from stealthier threats that cannot be detected by no means.

In order to identify Sliver and other emerging C2 frameworks, Microsoft provides defenders with a set of TTPs which are able to be used to identify them.

Microsoft also disclosed that the non-customized C2 codebase, which contains the official and non-modified code for detecting Sliver payloads, is useful for detecting such payloads.

There are also commands that can be used for process injection that threat hunters can look for. This can be achieved by using the following commands:-

  • migrate (command) – migrate into a remote process
  • spawndll (command) – load and run a reflective DLL in a remote process
  • sideload (command) – load and run a shared object (shared library/DLL) in a remote process
  • msf-inject (command) – inject a Metasploit Framework payload into a process
  • execute-assembly (command) – load and run a .NET assembly in a child process
  • getsystem (command) – spawn a new Sliver session as the NT AUTHORITY\SYSTEM user

At the moment the detection rule sets and hunting guidance are publicly available. In the case of customized variants, there is a possibility that Microsoft’s searches will be impacted by the use of customized variants.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit Valentine’s Day Domains for Sneaky Cyber Attacks

Cybercriminals are capitalizing on the season of love to launch sneaky and deceptive cyberattacks.According...

EARLYCROW: Detecting APT Malware Command and Control Activities Over HTTPS

Advanced Persistent Threats (APTs) represent a sophisticated and stealthy category of cyberattacks targeting critical...

Enhanced IllusionCAPTCHA: Advanced Protection Against AI-Powered CAPTCHA Attacks

As AI technologies continue to evolve, traditional CAPTCHA systems face increasing vulnerabilities.Recent studies...

Akira Ransomware Dominates January 2025 as the Most Active Ransomware Threat

January 2025 marked a pivotal month in the ransomware landscape, with Akira emerging as...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Exploit Valentine’s Day Domains for Sneaky Cyber Attacks

Cybercriminals are capitalizing on the season of love to launch sneaky and deceptive cyberattacks.According...

EARLYCROW: Detecting APT Malware Command and Control Activities Over HTTPS

Advanced Persistent Threats (APTs) represent a sophisticated and stealthy category of cyberattacks targeting critical...

Enhanced IllusionCAPTCHA: Advanced Protection Against AI-Powered CAPTCHA Attacks

As AI technologies continue to evolve, traditional CAPTCHA systems face increasing vulnerabilities.Recent studies...