Threat Actors Moving to Sliver Command-and-Control (C2) to Evade Detection

In favor of similar frameworks less familiar to threat actors, threat actors are ditching Cobalt Strike penetration testing. There has been a surge of interest recently in an open-source, cross-platform kit called Sliver that has emerged after Brute Ratel.

By analyzing the toolkit, its operation, and its components, hunting queries can be used to detect malicious activity involving Sliver. A number of nation-state threat actors have been adopting and integrating the Sliver C2 framework into their intrusion campaigns.

The Migration from Cobalt Strike

It has become increasingly popular in recent years for various threat actors to use Cobalt Strike as an attack tool against various kinds of systems.

By using this toolkit, defenses have learned to detect and stop attacks based on the information they collect. The reason for this is to avoid detection by EDR and antivirus solutions, which is why hackers are trying other options.

Threat actors have found alternatives to the Cobalt Strike as a result of the stronger defenses that have been deployed against it. They went and switched over to Brute Ratel, a tool that simulates adversarial attacks with the aim of evading security products.

Microsoft tracks the adoption of Sliver by one group as DEV-0237. FIN12, as well as several other ransomware operators, have been implicated in the gang’s activities.

Several ransomware operators have distributed malware payloads from the gang in the past, including the following:-

• BazarLoader
• TrickBot

Threat Hunting

Although the Sliver framework is regarded as a novel threat, there are ways to detect malicious activity originating from it as well as from stealthier threats that cannot be detected by no means.

In order to identify Sliver and other emerging C2 frameworks, Microsoft provides defenders with a set of TTPs which are able to be used to identify them.

Microsoft also disclosed that the non-customized C2 codebase, which contains the official and non-modified code for detecting Sliver payloads, is useful for detecting such payloads.

There are also commands that can be used for process injection that threat hunters can look for. This can be achieved by using the following commands:-

• migrate (command) – migrate into a remote process
• spawndll (command) – load and run a reflective DLL in a remote process
• sideload (command) – load and run a shared object (shared library/DLL) in a remote process
• msf-inject (command) – inject a Metasploit Framework payload into a process
• execute-assembly (command) – load and run a .NET assembly in a child process
• getsystem (command) – spawn a new Sliver session as the NT AUTHORITY\SYSTEM user

At the moment the detection rule sets and hunting guidance are publicly available. In the case of customized variants, there is a possibility that Microsoft’s searches will be impacted by the use of customized variants.