A free alternative to Cobalt Strike can be a deadly weapon against companies once it is in the hands of attackers.
Sliver, an open source, cross-platform red team framework, provides all the basic capabilities needed for adversary simulation. Some of them include:
dynamic code generation;
obfuscation at compile time;
staged and stageless payloads;
integration with the Let's Encrypt certificate authority.
Sliver offers many features, among them:
secure command and control (C&C) server via mTLS, WireGuard, HTTP(S) and DNS protocols;
Windows process migration and process injection;
user token manipulation;
an extension package manager (the Armory) that makes it easy to install various third-party tools, including Ghostpack (Rubeus, Seatbelt, SharpUp, Certify and others).
Attackers using Sliver
Research teams around the world have observed several threat groups actively using Sliver.
In June 2022, AvosLocker used several different tools during its campaign, including Cobalt Strike, Sliver and several commercial network scanners.
In the same month, the DriftingCloud group distributed three families of open source malware: PupyRAT, Pantegana and Sliver.
In October 2021, TA551 (Shathak) deployed Sliver immediately after obtaining initial access, for greater flexibility.
In May 2021, the APT29 (SVR) group used Sliver to maintain persistence on a compromised network.
Sliver is also deployed by the Bumblebee loader, which Conti developed as a replacement for BazarLoader.
Identification and mitigation
The framework leaves distinctive network and host artifacts, which makes it possible to fingerprint its C&C servers. To protect against Sliver attacks, users are advised to be careful when handling files that originate from external sources such as email and websites.