Home / About / Threat Intelligence / Rise of Sliver payload delivery

Target Industry

Traditionally used against western government networks, the increased popularity of Sliver will likely result in diverse targeting.

Overview

Severity level: High – Exploitation could result in significant data loss.

With the popularity of Cobalt Strike and Brute Ratel in both the commercial sector and malicious enterprises, security experts are becoming increasingly aware of how to defend against it. Therefore, malicious groups are increasingly turning to other methods of exploitation, and most prominently, Sliver. This report has been written to advise on how to detect and counter this emerging threat.

Impact

The increased transition to Sliver is likely due to attackers trying to evade detection techniques meticulously developed for combating Cobalt Strike, as success rates using Cobalt Strike slow. Sliver is an open source, cross-platform, control framework that is designed to penetrate networks. Once Sliver is successful, additional malware payloads can be imported to the network/system.

Vulnerability Detection

Both Snort and YARA rules for the detection of Sliver in network and system scans can be found here on pages 10-13.

Microsoft Defender scans for threats such as Sliver by default and should alert the system maintainer when suspicious activity is detected. Additionally, customers can run the following to hunt for Sliver activity within the selected system: Search for Sliver activity.

Affected Products

Sliver is written in the GO programming language (Golang), which means it can be used across all main systems, including Windows, Linux and MacOS. Therefore, the Sliver malware framework can be implemented on almost all products that use these operating systems.

Containment, Mitigations & Remediations

It is advised that customers use Security Operation Centre (SOC) capabilities such as Microsoft Sentinel and Defender that monitor for such threats. Additionally, system maintainers can hunt for Sliver compromise via the Snort and YARA rules included above.

Indicators of Compromise

The Snort and YARA rules above will aid in the detection of compromise, however Sliver is also used in the commercial sector by penetration testers, thus its detection is not always an indicator of malicious activity and will need further investigation.

Threat Landscape

Highly likely developed by Russian state-sponsored APT29 and now used by others, the delivery method represents increased difficulties for cyber security experts to effectively counter all threats as the methods of attack manoeuvre to avoid industry practices. The combative tactics seen between defender and adversary will almost certainly continue to be adapted while both sides attempt to gain the upper hand.

Threat Group

Traditionally used by APT29, various state-sponsored threat actors and ransomware groups are increasingly starting to use the method.

Mitre Methodologies

T1134 – Access Token Manipulation
T1071.001 – Application Layer Protocol: Web Protocols
T1132 – Data Encoding
T1001.002 – Data Obfuscation: Steganography
T1573 – Encrypted Channel
T1041 – Exfiltration Over C2 Channel
T1083 – File and Directory Discovery
T1105 – Ingress Tool Transfer
T1027 – Obfuscated Files or Information
T1055 – Process Injection
T1113 – Screen Capture
T1016 – System Network Configuration Discovery
T1049 – System Network Connections Discovery

Further Information

NCSC – Sliver Advisory
Microsoft – Sliver Lining

Confidence Terminology Yardstick

0%-5% Remote Chance
10% 20% Highly Unlikely
25%-35% Unlikely
40%-50% Realistic Possibility
55%-75% Likely/Probable
80%-90% Highly Likely
95%-100% Almost Certain