This offensive security tool, built for penetration testers, is also being used by threat actors from the ransomware and cyber-espionage worlds.
The penetration testing and security audit business is huge, and many tools, commercial and free, are available to help penetration testers. Some of those offensive security frameworks have become very popular, such as Metasploit or Cobalt Strike. They are widely used by red teams, but also by threat actors, including state-sponsored ones.
Among those frameworks, Sliver appeared in 2019 as an open-source framework available on GitHub and advertised to security professionals.
What is Sliver and what is it used for?
The creators of Sliver describe it as “an open source cross-platform adversary emulation/red team framework” that “supports C2 over Mutual TLS (mTLS), WireGuard, HTTP(S) and DNS and is dynamically compiled with per-binary asymmetric encryption keys.”
The framework is available for Linux, macOS and Microsoft Windows, and potentially more, since the whole framework is written in the Go programming language (also known as Golang), which is cross-platform and can be compiled for many different systems.
The typical use case for such a framework is to compromise a target, deploy one or more implants on different endpoints or servers belonging to the compromised network, and then use the framework for command and control (C2) interactions.
Network communication and implants supported by Sliver
Sliver supports several network protocols for communication between the implant and its C2 server: DNS, HTTP/TLS, mTLS and TCP can be used.
Sliver users can generate cross-platform implants in a variety of formats, including shellcode, executable, shared library/DLL or service.
Sliver also provides the ability to use stagers over the Meterpreter staging protocol, over TCP and HTTP(S). Stagers are smaller payloads whose main purpose is to retrieve and launch a larger implant. They are generally used in the early stages of an attack, when the attacker wants to keep the initial payload as small as possible.
Microsoft stated in a recent report that attackers don’t necessarily need to use Sliver’s standard DLL or executable payloads. Motivated attackers can use Sliver-generated shellcode and embed it in a custom loader such as Bumblebee, which then runs the Sliver implant on the affected system.
Sliver implants can be obfuscated, making their detection more difficult. Even once detected, obfuscation can significantly increase the analysis time for defenders. Sliver uses the gobfuscate library, publicly available on GitHub. As pointed out by Microsoft researchers, deobfuscating code that was obfuscated with that library is “still a fairly manual process” that can hardly be automated.
An effective way to obtain critical information from such an implant is to analyze its configuration once it has been revealed in memory.
Sliver also offers several techniques for executing code. One of the most common, used by many frameworks, is to inject code into the address space of a separate live process. This allows attackers to evade detection and sometimes gain higher privileges, among other benefits.
Lateral movement can also be done with Sliver. Lateral movement consists of executing code on other computers in the same compromised network. Sliver does this by using the legitimate PsExec command, which often generates multiple alerts in endpoint security solutions.
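The alerts mentioned above come from the footprint PsExec-style lateral movement leaves on the target host: a new service is registered, which Windows records in the System log as Event ID 7045. The triage script below is an added example written for this article, not code from the Sliver project or from Microsoft. It assumes a constructed, pipe-delimited export of such events (not a real log format) and flags installs whose service name matches the Sysinternals PsExec default or whose binary was dropped in a location legitimate installers rarely use.

```python
"""Triage Windows "service installed" events (System log, Event ID 7045) for
PsExec-style remote service creation, the footprint endpoint tools alert on.
The sample records below are constructed for this example, not real telemetry."""
import re
from dataclasses import dataclass

# Sysinternals PsExec registers its service under this name by default
KNOWN_PSEXEC_SERVICE_NAMES = {"psexesvc"}

# A service binary dropped into these locations is unusual for legitimate software
SUSPICIOUS_PATH_PATTERNS = [
    (re.compile(r"^\\\\[^\\]+\\admin\$\\", re.I), "binary written through the ADMIN$ share"),
    (re.compile(r"^[a-z]:\\windows\\temp\\", re.I), "binary in Windows\\Temp"),
    (re.compile(r"^[a-z]:\\users\\", re.I), "binary in a user profile"),
    (re.compile(r"^[a-z]:\\programdata\\", re.I), "binary in ProgramData"),
]


@dataclass
class ServiceInstall:
    host: str
    service_name: str
    image_path: str
    account: str


def parse_7045(lines):
    """Parse constructed records of the form event_id|host|service|image_path|account,
    keeping only Event ID 7045 (a new service was installed)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 5 or fields[0] != "7045":
            continue
        events.append(ServiceInstall(*fields[1:]))
    return events


def suspicious_reasons(event):
    """Return the list of reasons this install deserves an analyst's attention."""
    reasons = []
    if event.service_name.lower() in KNOWN_PSEXEC_SERVICE_NAMES:
        reasons.append("service name matches Sysinternals PsExec default")
    path = event.image_path.strip('"')  # installers sometimes quote the path
    for pattern, why in SUSPICIOUS_PATH_PATTERNS:
        if pattern.search(path):
            reasons.append(why)
    return reasons


def triage(lines):
    """Return (host, service_name, reasons) for every flagged service install."""
    hits = []
    for event in parse_7045(lines):
        reasons = suspicious_reasons(event)
        if reasons:
            hits.append((event.host, event.service_name, reasons))
    return hits


# Constructed sample: event_id|host|service_name|image_path|account
SAMPLE_EVENTS = """\
# constructed records, not real Windows event log data
7045|WS01|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|LocalSystem
7045|WS02|UpdaterSvc|C:\\Windows\\Temp\\upd.exe|LocalSystem
7045|WS03|BackupAgent|"C:\\Program Files\\BackupVendor\\agent.exe"|NT AUTHORITY\\SYSTEM
7045|WS04|bfd3a1|\\\\WS04\\ADMIN$\\bfd3a1.exe|LocalSystem
7036|WS05|Spooler|entered the running state|LocalSystem
"""

if __name__ == "__main__":
    for host, name, reasons in triage(SAMPLE_EVENTS.splitlines()):
        print(f"{host}: service '{name}' -> {'; '.join(reasons)}")
```

A service name alone is a weak signal, because an operator can rename the service freely; the path checks catch the more durable pattern of a fresh binary appearing in a writable location right before a service starts. In production, correlate these 7045 events with the matching SMB write to the ADMIN$ share and the network logon (Event ID 4624, logon type 3) from the source host.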
Sliver’s use in the wild
Microsoft security experts say they have observed the Sliver framework being actively used both in cyber-espionage intrusion campaigns by nation-state threat actors such as APT29/Cozy Bear and by ransomware groups, alongside other financially motivated threat actors.
Team Cymru noticed a steady increase in Sliver samples detected in the first quarter of 2022 and shared some case studies.
Sliver has sometimes been seen as a replacement for Cobalt Strike, another penetration testing framework. Sometimes it has also been used in conjunction with Cobalt Strike.
The popularity and increased use of Cobalt Strike by threat actors in recent years has made defenses against it more effective. That improvement in detection is likely to push more threat actors toward lesser-known frameworks such as Sliver.
Detecting and protecting against Sliver
Microsoft shared hunting queries that can be run in the Microsoft 365 Defender portal to detect the official, non-customized Sliver codebases available at the time of writing. Microsoft also shared JARM hashes; JARM is an active fingerprinting tool for Transport Layer Security (TLS) servers.
The UK’s National Cyber Security Centre also shared YARA rules to detect Sliver. All of these can be useful for detecting Sliver, but they can fail against future versions or modified versions of the tool that attackers could develop. All those items have to be continuously hunted for through security solutions in corporate networks that can monitor endpoints and servers for these specific Indicators of Compromise (IOCs).
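The JARM hashes mentioned above are only useful if they are actually matched against what your scanners or TLS-inspecting sensors see. The script below is an added example written for this article, not tooling from Microsoft, the NCSC or the Sliver project. It assumes a constructed log format (one line per observed TLS server with its JARM fingerprint) and a watchlist of placeholder fingerprints; the placeholder values are made up for this example and must be replaced with the hashes Microsoft published or with those from your own threat-intelligence feed.

```python
"""Hunt a TLS scan/flow log for server fingerprints (JARM) on a C2 watchlist.
Log lines and watchlist values below are constructed for this example."""
import re
from dataclasses import dataclass

# A JARM fingerprint is 62 hex characters: 30 characters summarising the ten
# TLS probes (cipher and version per probe) followed by 32 characters of a
# truncated SHA-256 over the server's extensions.
JARM_RE = re.compile(r"^[0-9a-f]{62}$")
NO_TLS_RESPONSE = "0" * 62  # emitted when no handshake completed; never a hit

# Placeholder watchlist: constructed values, NOT real Sliver fingerprints.
WATCHLIST = {
    "2ad2ad16d2ad2ad22c2ad2ad2ad2ada1b2c3d4e5f60718293a4b5c6d7e8f90": "placeholder-sliver-c2",
    "29d29d00029d29d00042d43d00041d1f57f5b6b6b0a6f5c9b59b0e0c3e0b7c": "placeholder-other-c2",
}

# Constructed line format: <timestamp> dst=<host>:<port> jarm=<fingerprint>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)\s+jarm=(?P<jarm>\S+)$"
)


@dataclass
class Hit:
    ts: str
    host: str
    port: int
    jarm: str
    label: str


def normalize_jarm(raw):
    """Lower-case and validate a fingerprint; None for malformed or empty ones."""
    value = raw.strip().lower()
    if not JARM_RE.match(value) or value == NO_TLS_RESPONSE:
        return None
    return value


def hunt(lines, watchlist=WATCHLIST):
    """Return a Hit for every log line whose fingerprint is on the watchlist."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip blank, comment or unparseable lines
        jarm = normalize_jarm(match["jarm"])
        if jarm is None or jarm not in watchlist:
            continue
        hits.append(Hit(match["ts"], match["host"], int(match["port"]), jarm, watchlist[jarm]))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, made-up fingerprints)
SAMPLE_LOG = """\
2022-08-25T09:12:01Z dst=203.0.113.10:443 jarm=2AD2AD16D2AD2AD22C2AD2AD2AD2ADA1B2C3D4E5F60718293A4B5C6D7E8F90
2022-08-25T09:12:05Z dst=198.51.100.7:8443 jarm=00000000000000000000000000000000000000000000000000000000000000
2022-08-25T09:12:09Z dst=192.0.2.55:443 jarm=3fd3fd15d3fd3fd21c3fd3fd3fd3fd0123456789abcdef0123456789abcdef
2022-08-25T09:12:12Z dst=203.0.113.44:443 jarm=29d29d00029d29d00042d43d00041d1f57f5b6b6b0a6f5c9b59b0e0c3e0b7c
2022-08-25T09:12:15Z dst=203.0.113.9:443 jarm=not-a-fingerprint
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.host}:{hit.port} matches {hit.label}")
```

Treat a JARM match as a lead rather than a verdict: the fingerprint describes the TLS stack, so a legitimate server built on the same Go TLS library can collide with a C2 listener, and an attacker who puts the listener behind a redirector or CDN changes the fingerprint entirely. Pivot from a hit to the hosts that connected to that destination and to the process that opened the connection.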
Multi-factor authentication (MFA) should be implemented on any internet-facing system or service, especially for RDP or VPN connections. User rights should also be restricted, and administrator rights should only be granted to employees who really need them.
All systems must be kept up to date and patched to avoid being compromised through a common vulnerability that would allow Sliver to be deployed.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are mine.