2023-01-25

Sliver C2 Framework Growing Its Base


Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: Cybereason

Obtaining remote control over a compromised system through the abuse of attack frameworks has become a staple in an attacker's arsenal. While Cobalt Strike reigns as the most widely used framework, Cybereason researchers provide an in-depth guide to the underreported and steadily growing Sliver C2 framework, created by cybersecurity firm Bishop Fox. Core features of Sliver include cross-platform capability on Windows and Linux, shell access, UAC bypass for privilege escalation, system reconnaissance, process injection, lateral movement with PsExec, use of SOCKS proxies for C2, and additional modules capable of accessing system credentials. The Sliver framework comprises four components: a server console and a client console to interface with, the C2 server, and the implant. Threat actors who leverage Sliver include APT29, TA551 (aka Shathak), and Exotic Lily, which uses Sliver in BumbleBee infections.

Cybereason also shared a logical attack path that can be used during a Sliver infection. "Sliver is designed as a second-stage payload which, after deployment, gives the threat actor full access to the target system and the ability to conduct the next steps in the attack chain. Sliver is capable of running in beacon mode to provide periodic checks or an interactive real-time session mode. Once the C2 implant is executed, the operator could run reconnaissance commands to gain context on the system and escalate privileges. User Account Control bypass is demonstrated as one method to achieve elevated privileges using cmstp.exe, a native Windows binary. Using the 'migrate' command in Sliver's shell, the operator can inject the C2 implant into a remote process to evade detection. For credential access, several options are available: procdump to dump 'lsass', Rubeus, pypykatz (offline); alternatively, the operator can download and run Mimikatz. Once the operator decides to move laterally, they can leverage the built-in remote admin tool PsExec."

Anvilogic Scenario:

  • Malicious Implant Accesses Credentials & Moves Laterally

Anvilogic Use Cases:

  • Cmstp Execution
  • Rare Remote Thread
  • pypykatz commands
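The three use cases above map directly onto steps of the attack path Cybereason describes (cmstp.exe for UAC bypass, 'migrate' for remote-process injection, pypykatz and procdump for credential access). The detection logic below is an added example written for this page, not Anvilogic's or Cybereason's code; it assumes simplified Sysmon-style events (EventID 1 process creation, EventID 8 CreateRemoteThread), constructed sample telemetry, and baseline allowlists that are placeholders to be tuned per environment.

```python
import re
from typing import Dict, List, Tuple

# Baselines are assumptions for this example: tune them to what your own fleet shows.
ROUTINE_CMSTP_PARENTS = {"explorer.exe", "svchost.exe", "msiexec.exe"}
BASELINE_THREAD_SOURCES = {"csrss.exe", "svchost.exe", "wininit.exe", "services.exe"}
PYPYKATZ = re.compile(r"\bpypykatz\b", re.IGNORECASE)
PROCDUMP_LSASS = re.compile(r"procdump(?:64)?(?:\.exe)?\b.*\blsass", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, object]) -> List[str]:
    """Return the use-case names an event matches; an empty list means no alert."""
    hits: List[str] = []
    if event.get("EventID") == 1:  # Sysmon process creation
        image = basename(str(event.get("Image", "")))
        parent = basename(str(event.get("ParentImage", "")))
        cmd = str(event.get("CommandLine", ""))
        # cmstp.exe launched by something other than its routine parents
        if image == "cmstp.exe" and parent not in ROUTINE_CMSTP_PARENTS:
            hits.append("Cmstp Execution")
        if PYPYKATZ.search(cmd):
            hits.append("pypykatz commands")
        if PROCDUMP_LSASS.search(cmd):  # same credential-access step, not a listed use case
            hits.append("procdump targeting lsass")
    elif event.get("EventID") == 8:  # Sysmon CreateRemoteThread
        source = basename(str(event.get("SourceImage", "")))
        target = basename(str(event.get("TargetImage", "")))
        if source not in BASELINE_THREAD_SOURCES and source != target:
            hits.append("Rare Remote Thread")
    return hits


# Constructed sample telemetry in a simplified Sysmon-style shape (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmstp.exe", "ParentImage": r"C:\Users\bob\AppData\Local\Temp\update.exe", "CommandLine": r"cmstp.exe C:\Users\Public\setup.inf"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmstp.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmstp.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe", "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Tools\pypykatz.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"pypykatz.exe lsa minidump C:\Temp\lsass.dmp"},
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"procdump.exe lsass.exe C:\Temp\lsass.dmp"},
]


def triage(events=SAMPLE_EVENTS) -> List[Tuple[int, str]]:
    """Flatten (EventID, use case) pairs so a hunt can pivot on either column."""
    return [(int(e["EventID"]), hit) for e in events for hit in evaluate(e)]
```

Each rule fires on one step of the described chain, so a host that trips several of them in a short window is a stronger signal than any single hit.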
