Sliver has traditionally been used against western government networks, but its increasing popularity will likely result in more diverse targeting.
Severity level: High – a successful compromise could result in significant data loss.
With the popularity of Cobalt Strike and Brute Ratel in both the commercial sector and among criminal groups, defenders have become increasingly adept at detecting them. Malicious groups are therefore turning to alternative command-and-control (C2) frameworks, most prominently Sliver. This report advises on how to detect and counter this emerging threat.
The shift to Sliver is likely driven by attackers seeking to evade the detection techniques meticulously developed to counter Cobalt Strike, as the success rate of Cobalt Strike-based operations falls. Sliver is an open-source, cross-platform C2 framework built for adversary emulation and red teaming. Once a Sliver implant is established on a host, the operator can deliver additional malware payloads to that system and the wider network.
Snort and YARA rules for detecting Sliver in network traffic and on hosts can be found here (pages 10-13 of the linked report).
Microsoft Defender detects threats such as Sliver by default and should alert the system maintainer when suspicious activity is observed. Additionally, customers can run the linked hunting query, "Search for Sliver activity", against the selected systems.
Sliver is written in the Go programming language (Golang), and its implants can be cross-compiled for all major operating systems, including Windows, Linux and macOS. Sliver implants can therefore run on almost any product built on these operating systems.
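Because Sliver implants are ordinary Go executables, a quick static triage step is to look for the Go build-info block that the Go linker embeds in every binary and read the toolchain version and module paths out of it. The helper below is an added example written for this report, not code from the Sliver project or from Microsoft; it implements the Go 1.18+ inline build-info layout as documented in Go's debug/buildinfo package. The sample blobs are constructed by hand here (the github.com/bishopfox/sliver module path is the project's real import path, but the blobs are not taken from any real implant, and the main package path, dependency and version strings are hypothetical). The caveat matters in practice: an obfuscated build (Sliver uses garble for symbol obfuscation) will typically not carry a readable block, so a miss proves nothing, and a hit still needs the investigation described under Indicators of Compromise below.

```python
"""Added triage helper: extract the Go build-info block from a suspect binary.

Go binaries embed a '\\xff Go buildinf:' header unless the build was stripped
or obfuscated; reading it yields the toolchain version and module paths
without executing the sample.
"""

BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 14-byte magic; the header is 32 bytes in total
FLAG_VERSION_INLINE = 0x2                 # Go >= 1.18 stores version/modinfo inline after the header
# Sentinels cmd/go wraps around the module info string (infoStart/infoEnd in cmd/go).
INFO_START = b"\x30\x77\xaf\x0c\x92\x74\x08\x02\x41\xe1\xc1\x07\xe6\xd6\x18\xe6"
INFO_END = b"\xf9\x32\x43\x31\x86\x18\x20\x72\x00\x82\x42\x10\x41\x16\xd8\xf2"


def _read_uvarint(buf, pos):
    """Decode an encoding/binary uvarint at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def _read_string(buf, pos):
    """Read a uvarint-length-prefixed byte string (debug/buildinfo's decodeString)."""
    n, pos = _read_uvarint(buf, pos)
    return buf[pos:pos + n], pos + n


def read_go_buildinfo(data):
    """Return {'go_version', 'main_path', 'module', 'deps'} for a Go >= 1.18 binary,
    or None when no inline build-info block is present (non-Go, stripped, or
    obfuscated builds such as garble output)."""
    idx = data.find(BUILDINFO_MAGIC)
    if idx < 0:
        return None
    flags = data[idx + 15]                 # byte 14 is the pointer size, byte 15 the flags
    if not flags & FLAG_VERSION_INLINE:
        return None                        # pre-1.18 pointer layout needs section parsing; not handled
    vers, pos = _read_string(data, idx + 32)
    mod, _ = _read_string(data, pos)
    info = {"go_version": vers.decode(errors="replace"), "main_path": None, "module": None, "deps": []}
    # Same framing check as debug/buildinfo: 16-byte sentinels with a newline before the trailer.
    if len(mod) >= 33 and mod[-17] == ord("\n"):
        mod = mod[16:-16]
    else:
        return info                        # version only; modinfo absent or malformed
    for line in mod.decode(errors="replace").splitlines():
        fields = line.split("\t")
        if fields[0] == "path" and len(fields) > 1:
            info["main_path"] = fields[1]
        elif fields[0] == "mod" and len(fields) > 1:
            info["module"] = fields[1]
        elif fields[0] == "dep" and len(fields) > 1:
            info["deps"].append(fields[1])
    return info


def is_suspect_module(info, needles=("sliver",)):
    """Illustrative triage check: does any module path mention a needle? A hit is a lead,
    not a verdict; a miss proves nothing, because obfuscated builds carry no build info."""
    if info is None:
        return False
    haystack = [info["main_path"] or "", info["module"] or ""] + info["deps"]
    return any(n in h.lower() for h in haystack for n in needles)


def build_sample(go_version, modinfo_lines):
    """Construct a synthetic build-info block (test data only, not a real implant)."""
    def enc(s):
        n, out = len(s), bytearray()
        while n >= 0x80:
            out.append((n & 0x7F) | 0x80)
            n >>= 7
        out.append(n)
        return bytes(out) + s
    modinfo = INFO_START + ("\n".join(modinfo_lines) + "\n").encode() + INFO_END
    header = BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE]) + b"\x00" * 16
    return b"MZ" + b"\x00" * 62 + header + enc(go_version.encode()) + enc(modinfo) + b"\x00" * 32


# Constructed samples: the sliver module path is the project's real import path, but these
# blobs are hand-built here; the main package path, dependency and versions are hypothetical.
SAMPLE_IMPLANT = build_sample("go1.21.5", [
    "path\tgithub.com/bishopfox/sliver/implant",
    "mod\tgithub.com/bishopfox/sliver\t(devel)\t",
])
SAMPLE_BENIGN = build_sample("go1.21.5", [
    "path\tgithub.com/example/agent",
    "mod\tgithub.com/example/agent\t(devel)\t",
    "dep\tgolang.org/x/sys\tv0.15.0\t",
])

if __name__ == "__main__":
    for name, blob in (("implant", SAMPLE_IMPLANT), ("benign", SAMPLE_BENIGN), ("obfuscated", b"\x00" * 64)):
        info = read_go_buildinfo(blob)
        print(name, info, "suspect" if is_suspect_module(info) else "no hit")
```

To use it on a real file, pass `open(path, "rb").read()` to `read_go_buildinfo`; on large binaries the single `find` is cheap, and the parser never dereferences pointers, so it cannot be steered into reading outside the block by a crafted sample.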
Containment, Mitigations & Remediations
It is advised that customers use Security Operations Centre (SOC) capabilities such as Microsoft Sentinel and Microsoft Defender, which monitor for such threats. Additionally, system maintainers can hunt for Sliver compromise using the Snort and YARA rules referenced above.
Indicators of Compromise
The Snort and YARA rules referenced above will aid in detecting compromise. However, Sliver is also used legitimately by commercial penetration testers, so a detection is not always an indicator of malicious activity and will need further investigation, for example confirming whether an authorised engagement is in progress.
Sliver is an open-source project maintained by the security firm Bishop Fox; it has highly likely been adopted by the Russian state-sponsored group APT29 and is now used by others. This shift represents increased difficulty for cyber security teams in countering all threats, as attack methods manoeuvre around established industry practices. The back-and-forth between defender and adversary will almost certainly continue, with each side adapting to gain the upper hand.
Though traditionally used by APT29, Sliver is increasingly being adopted by various other state-sponsored threat actors and ransomware groups.
MITRE ATT&CK Techniques
T1134 – Access Token Manipulation
T1071.001 – Application Layer Protocol: Web Protocols
T1132 – Data Encoding
T1001.002 – Data Obfuscation: Steganography
T1573 – Encrypted Channel
T1041 – Exfiltration Over C2 Channel
T1083 – File and Directory Discovery
T1105 – Ingress Tool Transfer
T1027 – Obfuscated Files or Information
T1055 – Process Injection
T1113 – Screen Capture
T1016 – System Network Configuration Discovery
T1049 – System Network Connections Discovery
Confidence Terminology Yardstick
0%-5% Remote Chance
10%-20% Highly Unlikely
40%-50% Realistic Possibility
80%-90% Highly Likely
95%-100% Almost Certain