The offensive security tool used by penetration testers is also being used by threat actors from the ransomware and cyberespionage spheres.
The business of penetration testing and security auditing is huge, and a lot of different tools are available on the market, or even for free, to help penetration testers. Some of those offensive security frameworks became very popular, such as Metasploit or Cobalt Strike. They are widely used by red teams but also by threat actors, including nation-state sponsored ones.
Amongst those frameworks, Sliver appeared in 2019 as an open-source framework available on Github and advertised to security professionals.
What is Sliver and what is it used for?
Sliver’s creators describe it as “an open source cross-platform adversary emulation/red team framework” which supports “C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS and are dynamically compiled with per-binary asymmetric encryption keys.”
The framework is available for Linux, MacOS and Microsoft Windows operating systems and possibly more, as the whole framework is written in Go programming language (also known as Golang), which can be compiled on many different systems since Golang is cross-platform compatible.
The typical use case for using such a framework consists of compromising a target, deploying one or several implants inside different endpoints or servers belonging to the compromised network, then using the framework for command and control (C2) interactions.
SEE: Mobile device security policy (TechRepublic Premium)
Network communications & implants supported by Sliver
Sliver supports several different network protocols to communicate between the implant and its C2 server: DNS, HTTP/TLS, MTLS, and TCP might be used.
Sliver users can generate cross-platform implants in several formats, including shellcode, executable file, shared library/DLL file or service.
Sliver also provides the capability of using stagers via the meterpreter staging protocol over TCP and HTTP(S). Stagers are smaller payloads with features primarily designed to retrieve and launch bigger implants. Stagers are generally used in the early phase of an attack, when the attacker wants to minimize the size of malicious code to use as initial payload.
Microsoft stated in a recent report that attackers do not necessarily need to use Sliver’s default DLL or executable payloads. Motivated attackers might use a Sliver-generated shellcode which they will embed in custom loaders such as Bumblebee, which will then run the Sliver implant on the compromised system.
Sliver implants can be obfuscated, rendering their detection harder. Also, even detected, obfuscation can greatly increase the analysis time for defenders. Sliver makes use of the gobfuscate library, publicly available on Github. As stated by Microsoft researchers, de-obfuscating code that has been obfuscated with that library is “still a fairly manual process” which can hardly be automated.
An effective way to obtain critical information from such an implant is to analyze its configuration once it is de-obfuscated in memory.
Sliver also provides different techniques to execute code. One of the most common one used by many frameworks consists of injecting code within the address space of a separate live process. This allows the attackers to evade detection, and sometimes gain higher privileges amongst other benefits.
Lateral movements can be done using Sliver as well. Lateral movements consist of executing code on different computers from the same compromised network. Sliver does this by using the legitimate PsExec command, which is yet often raising several alerts in endpoint security solutions.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Sliver’s use in the wild
Microsoft security experts indicate that they observed the Sliver framework being used actively in intrusion campaigns run by both cyberespionage nation-state threat actors such as APT29/Cozy Bear and ransomware groups, in addition to other financially oriented threat actors.
Team Cymru observed a steady increase in detected Sliver samples over Q1 of 2022 and shared a few case studies.
Sliver has sometimes been witnessed as a replacement for Cobalt Strike, another penetration testing framework. Sometimes it has also been used in conjunction with Cobalt Strike.
The popularity and increase of use of Cobalt Strike by threat actors in the last years has made defense against it more efficient. That increase in detection will probably push more threat actors into using lesser-known frameworks such as Sliver.
Sliver detection & protection against it
Microsoft shares queries that can be run inside the Microsoft 365 Defender portal to detect official non-customized Sliver codebases available at the time of writing. Microsoft also shared JARM hashes, JARM being an active Transport Layer Security (TLS) server fingerprinting tool.
The U.K.’s National Cyber Security Center also shared YARA rules to detect Sliver. All of these might be useful to detect Sliver but might fail with future versions or modified versions of the tool that attackers might develop. All those items must be hunted constantly via security solutions in corporate networks that have the ability to check endpoints and servers for these specific Indicators Of Compromise (IOCs).
Multi Factor Authentication (MFA) needs to be deployed on any Internet-facing system or service, especially for RDP or VPN connections. Users privileges should also be limited and administrative privileges should only be provided to employees really needing it.
All systems must be kept up to date and patched, to avoid being compromised by a common vulnerability that would make the use of Sliver possible.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.