Sliver is an open source, cross-platform adversary emulation/red team framework. It was developed for penetration testing purposes but, like other similar software such as Cobalt Strike, it is also used by cybercriminals for malicious activities. It is becoming increasingly popular among cybercrime gangs because of its versatility and flexibility.

Features

  • Dynamic code generation
  • Compile-time obfuscation
  • Multiplayer-mode
  • Staged and Stageless payloads
  • Procedurally generated C2 over HTTP(S)
  • DNS canary blue team detection
  • Secure C2 over mTLS, WireGuard, HTTP(S), and DNS
  • Fully scriptable using JavaScript/TypeScript or Python
  • Windows process migration, process injection, user token manipulation, etc.
  • Let’s Encrypt integration
  • In-memory .NET assembly execution
  • COFF/BOF in-memory loader
  • TCP and named pipe pivots

Several groups are known to use the Sliver framework, including Advanced Persistent Threat (APT) groups and ransomware gangs.

These groups use Sliver to launch highly sophisticated attacks, such as the Ryuk ransomware attack and the SolarWinds supply chain attack.


According to this article by VMware, in order to detect Sliver-related activity, it is mandatory for organizations to implement a multi-layered approach to security, including endpoint detection and response (EDR) tools, network traffic analysis, and file system monitoring.

The article highlights three methods to detect Sliver:

Network Traffic Analysis

This method involves monitoring network traffic for Sliver traffic patterns and signatures. For example, Sliver C2 traffic is encrypted using a custom encryption algorithm, which can be detected by monitoring network traffic. Additionally, organizations can monitor for specific IP addresses, domain names, and ports used by C&C traffic. Another example could be the following YARA rules, developed by Daniel Roberson:

rule sliver_client : c2 implant
{
	meta:
		description = "Bishop Fox's Sliver C2 Implant"
		author = "Daniel Roberson"
		url = "https://github.com/BishopFox/sliver"

	strings:
		$s1 = "github.com/bishopfox/sliver/client"

	condition:
		all of them and filesize < 50MB
}

rule sliver_server : c2
{
	meta:
		description = "Bishop Fox's Sliver C2 Server"
		author = "Daniel Roberson"
		url = "https://github.com/BishopFox/sliver"

	strings:
		$s1 = "RunSliver"

	condition:
		all of them and filesize > 50MB
}

File System Monitoring

This method involves monitoring the file system for Indicators of Compromise (IoCs) related to Sliver’s executable files.

Organizations can detect the presence of Sliver C2 by monitoring for these files, as well as changes to specific system files such as the Windows registry.

An updated list of Indicators of Compromise (IoCs), such as the following one provided by Malware Bazaar, can be useful for this method:

First seen            SHA256
2023-01-05 19:38:07   3221de492e436a79655b4a82b72830a28de3aa417300fdf06e0b28202053ff3e
2023-01-05 19:37:00   1846c1db07d4f9a3a86605e38c0be5da38074b91cfafa1a72bccc693b06346e4
2022-12-16 19:20:46   f63993a7e4dc3e4242509482ca4d9ee1cbd4c00d219503ecf5d139d763a42f35
2022-07-18 08:00:49   78eb647f3d2aae5c52fcdc46ac1b27fb5a388ad39abbe614c0cfc902d223ccd6
2022-07-18 08:00:44   f13deec28f6f6d3f4f555f5a2db48cd8a541be52c331ccfccba929e4dfd6bc7a
2022-07-18 08:00:39   fa647a34b88c5409a58d2f2568147fa03112eb8bfa34bccd801830446213d7c4
2022-07-18 08:00:32   5568131f894caf1217f4cbda3dd40c1f39e680ce7727ed4a767cd1986e7805f0
2022-07-18 08:00:26   5c973707940097122ec97fcb73e7b14f054c11c7e1dd958efe933ae3c6a78c4e

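As an added example (not code from the VMware article, the Sliver project, Malware Bazaar or Daniel Roberson), the following Python scanner combines the two detection ideas above: it hashes every file under a directory and compares the SHA256 digest against the Malware Bazaar list, and it applies the same string-plus-filesize conditions as the two YARA rules quoted earlier, re-implemented in plain Python so it runs without the yara module. The sample files it creates are constructed, not real Sliver binaries; the digest of one constructed file is added to the IoC set only so that the hash-matching path can be exercised offline.

```python
"""Added example: file-system sweep for the Sliver IoCs quoted on this page.

Not Sliver project code and not a YARA engine: it re-implements the two
quoted rules' string/filesize checks in plain Python and matches file
SHA256 digests against the Malware Bazaar list.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 indicators copied from the Malware Bazaar list quoted above.
SLIVER_SHA256_IOCS = frozenset({
    "3221de492e436a79655b4a82b72830a28de3aa417300fdf06e0b28202053ff3e",
    "1846c1db07d4f9a3a86605e38c0be5da38074b91cfafa1a72bccc693b06346e4",
    "f63993a7e4dc3e4242509482ca4d9ee1cbd4c00d219503ecf5d139d763a42f35",
    "78eb647f3d2aae5c52fcdc46ac1b27fb5a388ad39abbe614c0cfc902d223ccd6",
    "f13deec28f6f6d3f4f555f5a2db48cd8a541be52c331ccfccba929e4dfd6bc7a",
    "fa647a34b88c5409a58d2f2568147fa03112eb8bfa34bccd801830446213d7c4",
    "5568131f894caf1217f4cbda3dd40c1f39e680ce7727ed4a767cd1986e7805f0",
    "5c973707940097122ec97fcb73e7b14f054c11c7e1dd958efe933ae3c6a78c4e",
})

MB = 1024 * 1024  # YARA's "MB" suffix means 2**20 bytes

# (rule name, required string, filesize predicate), mirroring the two YARA
# rules by Daniel Roberson quoted above: "all of them and filesize ...".
STRING_RULES = (
    ("sliver_client", b"github.com/bishopfox/sliver/client", lambda n: n < 50 * MB),
    ("sliver_server", b"RunSliver", lambda n: n > 50 * MB),
)


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_string_rules(path):
    """Names of the rules whose string is present AND whose filesize
    condition holds (the string alone is not enough, as in the YARA rules)."""
    size = os.path.getsize(path)
    data = Path(path).read_bytes()  # a production scanner would stream this
    return [name for name, needle, size_ok in STRING_RULES
            if needle in data and size_ok(size)]


def scan_file(path, ioc_hashes=SLIVER_SHA256_IOCS):
    """Findings for one file: 'sha256:<digest>' when the digest is a known
    IoC, plus the name of every string rule that fires."""
    findings = []
    digest = sha256_file(path)
    if digest in ioc_hashes:
        findings.append("sha256:" + digest)
    findings.extend(match_string_rules(path))
    return findings


def scan_tree(root, ioc_hashes=SLIVER_SHA256_IOCS):
    """Walk a directory and return {relative path: findings} for hits only."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found = scan_file(full, ioc_hashes)
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits


def build_demo_tree():
    """Constructed sample files (not real Sliver binaries). Returns
    (root, ioc_set) where ioc_set is the page's list plus the digest of one
    constructed file, so the hash path runs without shipping malware."""
    root = tempfile.mkdtemp(prefix="sliver_scan_")
    Path(root, "benign.txt").write_bytes(b"quarterly report draft\n")
    # Small file carrying the client Go package path: fires sliver_client.
    Path(root, "implant_like.bin").write_bytes(
        b"\x00" * 64 + b"github.com/bishopfox/sliver/client" + b"\x00" * 64)
    # Carries "RunSliver" but is tiny: sliver_server needs filesize > 50MB,
    # so this must stay silent rather than raise a false positive.
    Path(root, "small_runsliver.bin").write_bytes(b"RunSliver")
    hashed = Path(root, "dropped.bin")
    hashed.write_bytes(b"constructed sample for the hash path\n")
    return root, SLIVER_SHA256_IOCS | {sha256_file(hashed)}


if __name__ == "__main__":
    demo_root, demo_iocs = build_demo_tree()
    for rel, findings in sorted(scan_tree(demo_root, demo_iocs).items()):
        print(f"{rel}: {', '.join(findings)}")
```

Run it as a script to see the demo sweep, or import `scan_tree` and point it at a real directory with the default IoC set. The small file containing only "RunSliver" is deliberately left unflagged: the server rule's filesize condition is what keeps that short string from matching every document that happens to mention it.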

Endpoint Detection and Response (EDR) Tools

EDR tools are designed to detect and respond to threats on endpoints, and can detect Sliver activity by monitoring for specific behaviors, such as the execution of malicious files or the use of specific network connections.

For example, the following list of network indicators, provided by AlienVault, could be useful:

Indicator                            Type
43[.]128.62.42                       IPv4
45[.]144.3.216                       IPv4
hxxp://43.128.62.42/acl.exe          URL
hxxp://45.144.3.216/powercat.ps1     URL
5[.]199.173.103                      IPv4
61[.]155.8.2                         IPv4
hxxp://43.128.62.42:8888             URL
hxxp://45.144.3.216/2.ps1            URL
hxxp://45.144.3.216:14356            URL
hxxp://5.199.173.103/7za.exe         URL
hxxp://5.199.173.103/syse.bat        URL
hxxp://5.199.173.103/t.zip           URL
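The list above is defanged (hxxp://, [.]) so it cannot be clicked by accident, which also means it cannot be fed straight into a log search. As an added example (not AlienVault, VMware or Sliver code), the following Python refangs those indicators, normalises them into IPv4, URL and host:port matchers, and sweeps proxy and firewall log lines for them. It goes a little beyond plain string matching: a URL indicator with no path, such as hxxp://43.128.62.42:8888, is treated as a listener and matches any request to that host and port. The log lines are constructed for the example; the 10.20.30.0/24 and 203.0.113.10 addresses in them are private/documentation ranges, not indicators.

```python
"""Added example (not AlienVault or Sliver code): refang the defanged network
indicators quoted above and sweep log lines for them. Log lines are constructed."""
import re
from urllib.parse import urlsplit

# Copied from the AlienVault list above, in the defanged form the page uses.
DEFANGED_INDICATORS = [
    ("43[.]128.62.42", "IPv4"),
    ("45[.]144.3.216", "IPv4"),
    ("hxxp://43.128.62.42/acl.exe", "URL"),
    ("hxxp://45.144.3.216/powercat.ps1", "URL"),
    ("5[.]199.173.103", "IPv4"),
    ("61[.]155.8.2", "IPv4"),
    ("hxxp://43.128.62.42:8888", "URL"),
    ("hxxp://45.144.3.216/2.ps1", "URL"),
    ("hxxp://45.144.3.216:14356", "URL"),
    ("hxxp://5.199.173.103/7za.exe", "URL"),
    ("hxxp://5.199.173.103/syse.bat", "URL"),
    ("hxxp://5.199.173.103/t.zip", "URL"),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_PORT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")


def refang(value):
    """Undo the hxxp:// and [.] defanging used in threat-intel feeds."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def canon_url(url):
    """Normalise to (scheme, host, port, path) so a query string or an
    explicit default port in the log does not defeat the comparison."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port, p.path or "/")


def build_matchers(indicators):
    """Return (ipv4 set, {canonical url: refanged url}, (host, port) set).
    The (host, port) set lets a path-less URL indicator match any request
    to that listener, not just the bare root URL."""
    ips, urls, host_ports = set(), {}, set()
    for value, kind in indicators:
        clean = refang(value)
        if kind == "IPv4":
            ips.add(clean)
        elif kind == "URL":
            c = canon_url(clean)
            urls[c] = clean
            host_ports.add((c[1], c[2]))
    return ips, urls, host_ports


def match_line(line, matchers):
    """Sorted list of (indicator type, value) pairs found in one log line."""
    ips, urls, host_ports = matchers
    found = set()
    for ip in IPV4_RE.findall(line):
        if ip in ips:
            found.add(("IPv4", ip))
    for raw in URL_RE.findall(line):
        c = canon_url(raw)
        if c in urls:
            found.add(("URL", urls[c]))
        if (c[1], c[2]) in host_ports:
            found.add(("host:port", f"{c[1]}:{c[2]}"))
    for host, port in HOST_PORT_RE.findall(line):
        if (host, int(port)) in host_ports:
            found.add(("host:port", f"{host}:{port}"))
    return sorted(found)


def scan_log(text, matchers):
    """Return [(line number, findings)] for every line with at least one hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        findings = match_line(line, matchers)
        if findings:
            hits.append((n, findings))
    return hits


# Constructed proxy/firewall lines (10.20.30.0/24 and 203.0.113.10 are
# private/documentation addresses, not indicators).
SAMPLE_LOG = """\
2023-01-05T19:40:01Z proxy client=10.20.30.40 GET http://45.144.3.216/powercat.ps1 status=200
2023-01-05T19:40:05Z proxy client=10.20.30.41 GET https://updates.example.org/patch.msi status=200
2023-01-05T19:41:12Z fw allow src=10.20.30.40 dst=43.128.62.42:8888 proto=tcp
2023-01-05T19:42:00Z fw allow src=10.20.30.42 dst=203.0.113.10:443 proto=tcp
2023-01-05T19:43:33Z proxy client=10.20.30.40 GET http://43.128.62.42:8888/login?x=1 status=200
"""

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG, build_matchers(DEFANGED_INDICATORS)):
        print(n, findings)
```

Lines 1, 3 and 5 of the sample are flagged; line 5 shows the generalisation, since `/login?x=1` is not in the feed but the request still goes to the 43.128.62.42:8888 listener. Bare-IP hits deserve a second look before acting on them, because a shared hosting address can serve benign sites as well.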